ibanchecker.cash
Fraud & Compliance · June 6, 2026 · 9 min read

KYC and IBAN Verification: What Compliance Teams Need to Know

How KYC obligations intersect with IBAN verification — lawful basis, due diligence layers, record-keeping requirements, and automated verification for B2B payment flows.


Know Your Customer (KYC) compliance and IBAN verification are often treated as separate workflows — KYC handled by the onboarding team, IBAN validation handled by accounts payable or the payment platform. In practice, they address the same underlying risk: ensuring that money moves to and from the entity you believe you are dealing with. This guide explains how KYC obligations intersect with IBAN verification, what compliance teams need to verify beyond the format check, and how to build a defensible audit trail without slowing down legitimate payments.

What Is the Relationship Between KYC and IBAN Verification?

KYC is the process of identifying and verifying the identity of a customer or counterparty before entering into a business relationship. Anti-money laundering (AML) regulations — the EU's AMLD series, the UK's Money Laundering Regulations 2017, the US Bank Secrecy Act — require financial institutions and many non-bank businesses to perform KYC as a condition of processing payments.

IBAN verification sits at the intersection of KYC and payment operations. When a customer or supplier provides an IBAN, verifying that IBAN means confirming three things: that the IBAN is structurally valid (format check), that it belongs to a real bank account at a known institution (bank lookup), and that the account holder is who they claim to be (identity verification). Most payment processes cover the first layer well and neglect the second and third.

From a regulatory standpoint, accepting a payment from or sending a payment to an IBAN without performing adequate due diligence can expose a business to AML liability — even if the business itself is not the direct target of the scheme. Regulators expect that firms know who their counterparties are and can demonstrate that they took reasonable steps to verify it.

What KYC Checks Apply to IBAN-Based Payments?

The depth of KYC checks required depends on the risk classification of the counterparty and the nature of the payment relationship.

Standard due diligence (SDD) applies to most retail and SME relationships. For an individual, this means collecting name, date of birth, and address, and verifying them against a government-issued identity document. For a business, it means confirming the entity's legal name, registration number, registered address, and beneficial ownership structure (ultimate beneficial owner, or UBO, with greater than 25% economic interest). The IBAN provided should be validated and the associated bank name recorded.

Enhanced due diligence (EDD) applies to higher-risk counterparties: politically exposed persons (PEPs), entities in high-risk jurisdictions (FATF grey or black list countries), transactions above defined thresholds, and unusual payment patterns. EDD requires additional verification steps — source of funds documentation, senior management sign-off, and more frequent re-verification.

Simplified due diligence (SDD-lite) is permitted in narrow circumstances — regulated financial institutions, listed companies, government entities — where the counterparty is subject to its own equivalent AML framework.

How Should Compliance Teams Verify an IBAN as Part of KYC?

IBAN verification within a KYC process should proceed in layers:

Step 1 — Format validation. Confirm that the IBAN passes the MOD-97 check digit algorithm, that the country code appears in the SWIFT IBAN Registry, and that the length is correct for the issuing country. The ibanchecker.cash API performs this check in real time and returns a structured result. Log the validation result — timestamp, IBAN hash (not the IBAN itself), validation outcome — as part of the KYC record.

Step 2 — Bank identification. Extract the bank identifier from the IBAN BBAN and cross-reference it against the SWIFT BIC directory. Record the bank name and BIC. This establishes which institution holds the account and allows you to assess whether the institution is subject to adequate AML supervision. An IBAN at a bank in a non-cooperative jurisdiction should trigger enhanced review. Use the ibanchecker.cash SWIFT directory to look up institution details by BIC.

Step 3 — Account holder identity match. Where available, use Verification of Payee (VoP) or Confirmation of Payee (CoP) to confirm that the account holder's name matches the KYC name on file. A no-match result requires investigation before the relationship proceeds. Where VoP is not available, a micro-deposit with callback confirmation is the next best alternative.

Step 4 — Sanctions screening. Screen the IBAN, account holder name, and associated entity against current OFAC, EU Consolidated, UN, and relevant national sanctions lists. This step must be performed at onboarding and repeated at defined intervals (at minimum when a change occurs, and at least annually for ongoing relationships).

Step 5 — Adverse media and PEP screening. For higher-risk counterparties, check the account holder against PEP databases and adverse media sources. A politically exposed person receiving payments via an IBAN in a low-tax jurisdiction is a risk factor that standard format validation will not surface.

What Records Should Compliance Teams Maintain for IBAN Verification?

AML regulations typically require firms to retain KYC and transaction records for at least five years from the end of the business relationship (EU AMLD5, UK MLR 2017, US BSA). For IBAN verification within the KYC process, the record should include:

  • The date and outcome of the IBAN format validation, with the bank name and BIC returned at the time of validation. Store the bank name — not the IBAN itself — to minimise the scope of personal data retained.
  • The result of any Verification of Payee or Confirmation of Payee query: match, close match, or no match.
  • The sanctions screening result and the lists checked, with the date of the check.
  • Any discrepancy identified during verification and how it was resolved — who reviewed it, what evidence was obtained, who approved the decision to proceed.
  • Re-verification events: when the IBAN was re-validated, what the result was, and whether it differed from the previous validation.

Under GDPR (EU) and the UK GDPR, the IBAN itself constitutes personal data for individuals. Records containing full IBAN strings should be stored under appropriate access controls and subject to data minimisation principles — retain what is necessary for regulatory compliance, and no more. The ibanchecker.cash API processes all IBANs in memory and does not retain any IBAN data, which supports a data-minimisation approach where the validation result (bank name, BIC, validity) is stored rather than the raw IBAN.
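Steps 1 and 2 and the data-minimised record described above, sketched in Python as an added example (not code from the original article or from ibanchecker.cash). The three-entry `RULES` table, the function names and the record field names are assumptions of this example, and it uses a keyed HMAC-SHA256 fingerprint where the article says "IBAN hash", because IBANs have little entropy and a bare hash can be reversed by enumeration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed three-country subset: total IBAN length and where the bank
# identifier sits in the BBAN. Production code loads the SWIFT IBAN Registry.
RULES = {"DE": (22, slice(0, 8)), "GB": (22, slice(0, 4)), "NL": (18, slice(0, 4))}

def mod97_ok(iban):
    """Move the first 4 chars to the end, map A=10..Z=35, require value mod 97 == 1."""
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def fingerprint(iban, key):
    """Keyed hash of the normalised IBAN; the key is held outside the record store."""
    return hmac.new(key, iban.encode(), hashlib.sha256).hexdigest()

def validate_for_kyc(raw, key, now=None):
    """Return an audit record that never contains the raw IBAN."""
    iban = "".join(raw.split()).upper()
    record = {
        "checked_at": (now or datetime.now(timezone.utc)).isoformat(),
        "iban_fingerprint": fingerprint(iban, key),
        "country": iban[:2],
        "bank_id": None,  # looked up against the BIC directory in Step 2
        "outcome": "valid",
    }
    rule = RULES.get(iban[:2])
    if not (iban.isascii() and iban.isalnum()):
        record["outcome"] = "invalid_characters"
    elif rule is None:
        record["outcome"] = "unknown_country"
    elif len(iban) != rule[0]:
        record["outcome"] = "wrong_length"
    elif not mod97_ok(iban):
        record["outcome"] = "bad_check_digits"
    else:
        record["bank_id"] = iban[4:][rule[1]]
    return record
```

The HMAC key belongs in a secrets manager, separate from the KYC records it protects.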

How Do KYC Requirements Differ for B2B vs. Consumer Payment Flows?

For B2B payment platforms — ERP systems, accounts payable automation, treasury management — KYC applies to the counterparties (suppliers, customers, payees) rather than to end users of the platform. The obligation is to verify who you are paying before initiating payment, and to monitor the ongoing relationship for suspicious patterns. A change to a supplier's IBAN is a trigger event that requires re-verification and should be logged with the change management record.

For consumer-facing payment platforms — digital wallets, remittance apps, neobanks — KYC applies to the end user (payer) and, in cross-border scenarios, to the beneficiary where the Travel Rule applies (transfers above €1,000 in the EU, $3,000 in the US). Platform operators must validate beneficiary IBANs and collect beneficiary name and address information for qualifying transfers.

For marketplace and escrow platforms — where the platform holds funds on behalf of users before disbursing to a beneficiary IBAN — IBAN verification is a pre-disbursement control. Before any payout, validate the beneficiary IBAN and confirm that it has not changed since the last verification. Integrating the ibanchecker.cash API into your disbursement pipeline ensures that validation happens automatically on every payout, without adding manual steps to the process.
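The change-trigger and pre-disbursement controls described for B2B and marketplace flows, as an added Python example (not the article's or ibanchecker.cash's code). `PayeeAccount`, its method names and the decision strings are hypothetical; the result passed to `record_verification` stands in for the layered checks, which this sketch does not perform.

```python
import hashlib
import hmac

def fingerprint(iban, key):
    """Keyed hash of the normalised IBAN, so the raw value is never stored."""
    compact = "".join(iban.split()).upper()
    return hmac.new(key, compact.encode(), hashlib.sha256).hexdigest()

class PayeeAccount:
    """Tracks which IBAN fingerprint was last verified for one payee."""

    def __init__(self, key):
        self.key = key
        self.verified_fp = None   # fingerprint that passed verification
        self.pending_fp = None    # changed IBAN awaiting re-verification
        self.change_log = []      # append-only change management record

    def _log(self, event, actor, now):
        self.change_log.append({"at": now.isoformat(), "event": event, "actor": actor})

    def submit_iban(self, iban, actor, now):
        """A new or changed IBAN is a trigger event: park it until verified."""
        fp = fingerprint(iban, self.key)
        if fp == self.verified_fp:
            return "unchanged"
        self.pending_fp = fp
        self._log("iban_change_requested", actor, now)
        return "pending_reverification"

    def record_verification(self, passed, reviewer, now):
        """Record the outcome of re-verification and who signed it off."""
        if self.pending_fp is None:
            raise ValueError("no pending IBAN to verify")
        if passed:
            self.verified_fp = self.pending_fp
        self.pending_fp = None
        self._log("verified" if passed else "rejected", reviewer, now)

    def payout_decision(self, iban):
        """Pre-disbursement control: release only to the verified fingerprint."""
        if self.pending_fp is not None:
            return "hold:change_pending"
        if self.verified_fp is None:
            return "hold:never_verified"
        if not hmac.compare_digest(fingerprint(iban, self.key), self.verified_fp):
            return "hold:iban_mismatch"
        return "release"
```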

What Are the Consequences of Inadequate IBAN Verification in KYC?

Regulatory enforcement for AML failures is growing. The European Banking Authority (EBA) reported €1.3 billion in AML fines across EU member states in 2023. In the UK, the FCA imposed record penalties for inadequate transaction monitoring and KYC failures. The common thread in these cases is that firms could not demonstrate a documented, consistently applied verification process — not that fraud occurred, but that the firm had no defensible evidence that it tried to prevent it.

IBAN verification records are a component of that evidence. When a regulator reviews a payment file and asks how you confirmed that the beneficiary was who they claimed to be, "we trusted the email" is not an adequate answer. A logged validation result, a recorded sanctions screen, and a documented change management process are what distinguish a compliant payment operation from one that is exposed to regulatory action.

Last updated: June 2026
