The digital architecture that supports each of our banking transactions is said to be very solid. But even marble can crack, so banks are constantly looking for ways to defend against fraud while streamlining operations. This is how the two best-known codes in financial language were born: the IBAN and the BIC. The first, as the OCU explains, stands for International Bank Account Number, a number with a uniform structure and variable length that allows anyone with a bank account to carry out operations such as transfers or direct debits.
In Spain, the IBAN consists of two letters (ES) followed by 22 digits, which comprise check digits and identify the originating bank and the user’s account. Born as an agreement between banks for the Single Euro Payments Area (SEPA), the IBAN has since crossed borders and is used in more than 80 countries. Alongside it, banks use the BIC (Bank Identifier Code), a code of 8 or 11 alphanumeric characters that is essential for automated international payments outside the European banking area.
The risk of fraudulent use of the IBAN is not very high, but it does exist, as BNP Paribas Cash Management explains: the vast majority of cases (60%) occur through the so-called SEPA direct debit, an automated payment method for paying one-off or recurring invoices under a signed mandate. Alberto Zumajo, sales manager at Worldline Iberia Financial Services, an electronic banking provider, adds that fraud can occur when the debtor supplies an account number that is wrong or that belongs to another holder. “There is a possibility of sending a receipt to a person who has not accepted the direct debit of that payment.” Beforehand there must have been a data theft, for example through a cyber attack, because the orders require a minimum set of data to validate the operation.
Sharing bank account details should not, in theory, be risky, because the only thing you can do with an IBAN is make a deposit. But thieves have found a way to impose improper charges on companies through corporate email fraud, as the Bank of Spain’s guides explain.
The scheme works as follows: while invoice information is being exchanged by email, criminals impersonate the supplier responsible for sending the invoices. They then alter those invoices, changing the IBAN of the account to which the transfer must be made. Transfers, the Bank of Spain clarifies, are “irrevocable payment orders, and entities cannot order the return without the consent of the owner who has benefited.” Even so, when this happens, the bank must contact the entity that received the money to try to recover it if it is suspected of having been stolen.
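The check digits described above and the invoice-IBAN substitution just explained lend themselves to two defensive checks in an accounts-payable workflow: validating an IBAN’s check digits (the ISO 13616 mod-97 rule) and holding any invoice whose IBAN differs from the supplier’s account on record. The following is an added example in Python, not code from the article or from any organisation it cites; it assumes a length table covering Spain only, and the supplier registry and invoices are constructed sample data.

```python
import re

# Expected IBAN length per country. Assumption: only Spain is needed here
# (ES + 22 digits, 24 characters in total, as the article describes).
IBAN_LENGTHS = {"ES": 24}

def normalize_iban(iban: str) -> str:
    """Strip spaces and hyphens and upper-case, so comparisons are reliable."""
    return re.sub(r"[\s-]", "", iban).upper()

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, replace
    each letter by its value (A=10 ... Z=35); the integer must leave remainder 1."""
    iban = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", iban):
        return False
    expected_len = IBAN_LENGTHS.get(iban[:2])
    if expected_len is not None and len(iban) != expected_len:
        return False
    rearranged = iban[4:] + iban[:4]
    as_digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(as_digits) % 97 == 1

def review_invoice(invoice: dict, supplier_registry: dict) -> list:
    """Reasons to hold an invoice for out-of-band confirmation (a phone call
    to a known contact, never a reply to the e-mail) before paying it."""
    findings = []
    iban = normalize_iban(invoice["iban"])
    if not iban_is_valid(iban):
        findings.append("IBAN fails check-digit validation")
    on_record = supplier_registry.get(invoice["supplier_id"])
    if on_record is None:
        findings.append("unknown supplier: no IBAN on record")
    elif normalize_iban(on_record) != iban:
        findings.append("IBAN differs from the supplier's IBAN on record")
    return findings

def invoices_to_hold(invoices: list, supplier_registry: dict) -> list:
    """Invoice ids whose payment should be blocked pending verification."""
    return [inv["id"] for inv in invoices if review_invoice(inv, supplier_registry)]

# Constructed sample data (not real accounts). INV-2 has a single altered digit,
# INV-3 carries a well-formed IBAN that simply is not the one on record.
SUPPLIERS = {"S-001": "ES91 2100 0418 4502 0005 1332"}
INVOICES = [
    {"id": "INV-1", "supplier_id": "S-001", "iban": "ES9121000418450200051332"},
    {"id": "INV-2", "supplier_id": "S-001", "iban": "ES9121000418450200051333"},
    {"id": "INV-3", "supplier_id": "S-001", "iban": "ES76 0049 0001 5012 3456 7890"},
]
```

Note that a passing check-digit test says nothing about who owns the account: INV-3 is held purely because its IBAN does not match the registry, which is the control that catches the email substitution described above.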
The OCU offers several tips for protecting oneself against these thefts, such as periodically reviewing account movements. “If you see a direct debit receipt that does not correspond to you, make use of the possibility given by the regulations to return it within a period of eight weeks, counted from the date it is charged to your account.” A charge made without a signed authorisation can be claimed within 13 months of the date of the charge. In any case, prevention is better than cure, as Zumajo recalls, “because of the costs involved in claiming debts.”
Reinforcement of controls
Under the European regulation PSD2 (Second Payment Services Directive), banks and other payment service providers must use strong customer authentication. “With the acceleration of digital payments after the pandemic, there has been an increase in the number of operations and amount of SEPA debits and also an increase in risk,” Worldline explains, giving as an example a tool it has developed to sign a SEPA mandate electronically through online banking. “The user does not enter their account number and there is no possibility of impersonating the client,” since the IBAN of the account is obtained automatically.