Exclusive Student Offer

Prime for Young Adults

Get a 6-month trial with premium college perks & fast delivery.

Start Free Trial
Listen Anywhere

Audible Standard Trial

Get 30 days of audiobooks free. Cancel anytime, keep your books.

Claim Free Books

The IBAN check is intended to make transfers more secure – but some banks disclose more data than necessary. This overview shows why full names can become visible, what risks this poses and how you can protect yourself.

Why the new IBAN check even exists

When a transfer is initiated today, a lot more happens in the background than before. Before a payment is made, banks now check whether the name provided actually matches the IBAN entered. This recipient check – often referred to as “Verification of Payee” – is intended to reduce incorrect transfers and make manipulation of account data more difficult. Netzpolitik.org describes that the comparison is automated and takes place immediately before a payment is made.

The technical process follows a clear scheme: The paying person’s bank transmits the name entered together with the IBAN to the receiving person’s bank. This checks the combination and classifies the result as “Match”, “Close Match” or “No Match”. The response determines whether the payment is carried out without notice or whether the sender receives a warning. The European Payments Committee (EPC) recommends standardized cleaning of name data in order to better catch everyday input errors. Liability is particularly relevant from a legal point of view: the credit institution is only responsible for a correct assignment if there is a clear “match”; In all other cases, the risk still lies with the sender, as netzpolitik.org explains.

At the same time, the EPC recommendations show that the rules are technically oriented but not mandatory. Banks can define their own checking mechanisms within this framework – a scope for design which, according to Chip, means that the IBAN check in practice varies from institution to institution.

What data banks actually disclose when making transfers

Research shows that banks have very different decisions about how much information they disclose as part of the recipient check. Chip describes that some institutions show the full, officially registered name of the receiving person with the combination of IBAN and last name – and sometimes even with IBAN plus initial.

Netzpolitik.org gives an example in which at a large credit institution just entering the IBAN and last name was enough to make the entire name visible. According to Chip, at other banks even the first letter of the first name is enough to reveal all stored names. The problem is that account holders are not informed if their full names are accessible in this way. This can be particularly critical if little-used middle names or previous official names become unintentionally visible.

“Close Match”: the core problem of data disclosure

The so-called close match is actually only intended to compensate for small deviations so that transfers are not canceled due to minor typing errors. Netzpolitik.org describes that this includes swapped letters, minor spelling variations or initials. The EPC expressly emphasizes that in the case of a close match, banks should only return the data that was previously entered – i.e. no additional first names or additional account holders.

In practice, however, many banks deviate from this recommendation and disclose more information than is necessary. This makes the recipient check partly similar to identity information. Criticism even comes from the developer of the close match principle at SurePay, who points out that disclosing full names can create an additional security risk and contradicts the idea of ​​a data protection-friendly “privacy by design” implementation.

Data protection, banking secrecy & options for action for customers

Banking secrecy generally obliges banks to maintain confidentiality, but allows for certain exceptions – for example in the case of legal obligations to investigate or provide information or through written consent from the customer. Netzpolitik.org describes that the recipient check creates a tension between security requirements and data protection because banks decide for themselves how much information they disclose.

Although the EPC recommends economical feedback, it leaves the actual implementation to the institutes. However, customers can take action themselves and check the data they have stored – for example by making a test transfer with slightly changed information, by providing self-disclosure or by contacting their own bank directly. Incorrect or unnecessary name components can be corrected. As Netzpolitik.org emphasizes, the risk of possible data disclosure ultimately depends on how carefully the respective bank has implemented the IBAN check.

Jonas Vogt, editorial team at finanzen.net

ttn-28

Get Audible 30-Day Free Trial

As an Amazon Associate, we earn from qualifying purchases.