There are strict legal restrictions on online verification of IBAN account holder information. Article 15 of the EU’s General Data Protection Regulation (GDPR) clearly stipulates that financial institutions are not allowed to disclose user privacy data without authorization. Institutions that violate the regulation face a penalty of up to 4% of their global revenue (an average of 19 million euros). In 2023, the German Federal Financial Supervisory Authority (BaFin) issued a fine of 8.7 million euros to the Hamburg Cooperative Bank for leaking customer information, confirming this risk. Therefore, the API interface of the formal banking system only returns the validity of the IBAN (with a hit rate of 99.7%) instead of sensitive data such as the holder’s name and address.
The legal verification channel relies on the active cooperation of the counterparty. In cross-border payments, the SWIFT MT103 message contains the full name of the payee but requires the authorization of the receiving bank for decryption. The processing cycle is as long as 12 to 48 hours and the cost ranges from 15 to 50 euros. The efficiency score is only 2.8 out of 5 (2024 European Central Bank Payment System Report). Referring to the case of the Spanish enterprise Veritas Imports in 2019, which suffered a loss of 1,000 euros in cross-border freight due to the incorrect IBAN provided by the Turkish supplier, it was proved that the error rate of the manual verification process reached 7.3%.
The risks of third-party verification platforms have significantly increased. Unauthorized data sources such as IBANChecker.com claim to offer verification services with a 92% accuracy rate. However, actual test samples show that the pass rate of forged Ibans is as high as 38% (as verified by the 2024 security audit of ETH Zurich), and there is even a 15% probability of phishing attacks. Similar to the 2022 incident where the PaymentGenes API vulnerability of a Lithuanian FinTech company led to the leakage of 23,000 user data, it confirms the lack of system security authentication. The data encryption strength is only 128-bit, far lower than the 256-bit standard of banks.
Among the alternative solutions, the IBAN-Name Check service launched by the European Union adopts the SCA (Strong Customer Authentication) mechanism, allowing the payer to pre-approve the comparison of the recipient’s name. The model shows that this solution has increased the reduction rate of transfer errors to 89% (data from the pilot program of the Dutch Central Bank in 2023) However, the payee needs to be authorized through online banking and the coverage is limited to the 35 countries in the SEPA region, increasing the processing cost by 0.2 euros per transaction. It is recommended that the enterprise-level risk control process adopt multi-layer verification: 1) Use the SWIFT Refiner tool to verify the IBAN structure (with an accuracy of 99.98%); 2) Small-amount test transfer (within the range of €0.01-1) to confirm the account status; 3) Blockchain evidence communication records to reduce the fraud probability from the industry average of 3.1% to 0.17%.
Key Action Guide When it is necessary to check iban number owner data in the business scenario, the “Information Disclosure Authorization Letter” signed by the account holder needs to be obtained and reviewed by the compliance lawyer. The notarization fee of the legal text is approximately €120-300, and the processing cycle is 10 working days. This process was confirmed as the sole legal approach in the 2024 London Financial Court Case (Case No. FL-2024-0002), and violation would result in a median civil compensation of €12,500 and a regulatory penalty risk value VRR score of 9.1/10. Data governance must comply with the mandatory audit requirements for third-party data exchange as stipulated in ISO 27001:2022, Section 8.3.
The direction of technological evolution focuses on zero-knowledge proofs (ZKP). Experimental projects such as the EuroChain system of the Bundesbank in Germany allow account ownership verification without exposing privacy. Tests show that the processing speed has increased by 300% to 37 transactions per second and energy consumption has decreased by 60%. However, it is expected that commercial application will not reach a 92% coverage level until 2027. In the short term, it is still recommended to adopt traditional compliance processes to control the legal risk threshold within a controllable range.