IBAN and Identity Data Exposed : What Is the Real Risk ?

Lire en FRANCAIS

More than 1.2 mil­lion bank accounts in France are affect­ed by the unau­tho­rized access to data from the FICOBA data­base, accord­ing to the offi­cial state­ment issued by the author­i­ties.

IBANs (Inter­na­tion­al Bank Account Num­ber) and iden­ti­ty details were accessed with­out autho­ri­sa­tion.

What are the actu­al risks, and how should they be pri­ori­tised ?

Our analy­sis dis­tin­guish­es between real risks and per­ceived risks and ranks them accord­ing­ly.

It draws in par­tic­u­lar on risk analy­sis, Euro­pean pay­ment mech­a­nisms, the reg­u­la­to­ry frame­work, and data pub­lished by the Banque de France and the Euro­pean Cen­tral Bank (ECB).

Such an approach is essen­tial in cyber­se­cu­ri­ty to avoid unnec­es­sary pan­ic and adopt pro­por­tion­ate respons­es.

This analy­sis is pri­mar­i­ly writ­ten from a busi­ness per­spec­tive, although it also applies to indi­vid­u­als. For read­ers out­side the EU, it is advis­able to check with your bank which con­trols apply in your juris­dic­tion.

Key takeaways

  • An IBAN and iden­ti­ty details do not allow direct access to a bank account. Mul­ti­ple con­trols with­in the Euro­pean bank­ing and pay­ment sys­tems cre­ate a strong bar­ri­er against unau­tho­rized access.
  • The risk of fraud­u­lent SEPA direct deb­its is very low. Con­trols imposed on cred­i­tors, trans­ac­tion trace­abil­i­ty, and refund mech­a­nisms dis­cour­age abuse.
  • The main risk lies in the exploita­tion of iden­ti­ty : manip­u­la­tion and iden­ti­ty theft. Accu­rate and com­plete per­son­al data make scams more tar­get­ed and con­vinc­ing.
  • Iden­ti­ty theft can have seri­ous and long-last­ing con­se­quences. It may lead to finan­cial, legal, and rep­u­ta­tion­al impacts for the vic­tim.

What FICOBA Data Were Accessed ?

The FICOBA data­base (Fichi­er des comptes ban­caires et assim­ilés), man­aged by the French pub­lic finance author­i­ty, records all bank accounts opened with finan­cial insti­tu­tions in France.

It con­tains admin­is­tra­tive infor­ma­tion used to iden­ti­fy account hold­ers and their asso­ci­at­ed accounts. For fur­ther details, see the appen­dix “Con­tent of the FICOBA data­base”.

Accord­ing to the author­i­ties, the data accessed in this inci­dent include :

  • Account hold­er iden­ti­ty details : sur­name (or com­pa­ny name), first name, date and place of birth
  • Postal address
  • Bank account details (IBAN)

Impor­tant­ly, the FICOBA data­base does not con­tain :

  • Account bal­ances
  • Trans­ac­tion his­to­ry
  • Account activ­i­ty

Direct Access to a Bank Account or Transfers : Very Low Risk

An IBAN alone does not allow access to a bank account, nor does it allow some­one to ini­ti­ate a trans­fer from that account.

It is impor­tant to remem­ber that an IBAN is a pub­lic iden­ti­fi­er designed to be shared. It cir­cu­lates in many com­mer­cial exchanges and may already be known to third par­ties.

The dis­clo­sure of an IBAN alone is there­fore gen­er­al­ly not con­sid­ered sen­si­tive infor­ma­tion.

Even when com­bined with full iden­ti­ty details, IBAN and iden­ti­ty infor­ma­tion alone do not pro­vide direct access to an account or allow a trans­fer to be ini­ti­at­ed.

Sev­er­al bank­ing con­trols must be passed first, strength­ened by Euro­pean reg­u­la­tions intro­duced since 2015, par­tic­u­lar­ly those relat­ing to strong cus­tomer authen­ti­ca­tion and iden­ti­ty man­age­ment.

To access online bank­ing, an IBAN is typ­i­cal­ly not required. The min­i­mum cre­den­tials need­ed are not includ­ed in the FICOBA data­base. These usu­al­ly con­sist of : a cus­tomer iden­ti­fi­er, a pass­word and a authen­ti­ca­tion device (most often a mobile phone) or bio­met­ric authen­ti­ca­tion.

For in-branch trans­ac­tions, an IBAN is also insuf­fi­cient. Banks must ver­i­fy the client’s iden­ti­ty using ele­ments not con­tained in FICOBA, such as offi­cial ID doc­u­ments, sig­na­tures, or inter­nal cus­tomer infor­ma­tion.

To exe­cute a trans­fer, the debtor’s bank also per­forms addi­tion­al anti-fraud checks, includ­ing unusu­al trans­ac­tion amounts, unusu­al des­ti­na­tion coun­tries and unfa­mil­iar recip­i­ents.

Dai­ly trans­fer lim­its, often defined accord­ing to the customer’s pro­file, fur­ther restrict the amount that can be moved.

These tech­ni­cal safe­guards with­in the Euro­pean bank­ing and pay­ment sys­tem con­sti­tute a strong bar­ri­er against unau­tho­rised access to bank accounts.

Fake SEPA Direct Debits : Low Risk

The SEPA (Sin­gle Euro Pay­ments Area) direct deb­it is the main pay­ment mech­a­nism allow­ing a cred­i­tor to ini­ti­ate a deb­it from a debtor’s account with­out direct access to that account.

In the­o­ry, a fraud­ster with an IBAN and iden­ti­ty details might attempt to exploit this mech­a­nism.

In prac­tice, doing so at scale is rel­a­tive­ly dif­fi­cult with­out a fraud­u­lent infra­struc­ture.

Strict regulatory checks on creditors

Before issu­ing direct deb­its, a cred­i­tor must work through a bank or pay­ment provider par­tic­i­pat­ing in the SEPA sys­tem. These insti­tu­tions apply strict reg­u­la­to­ry con­trols, includ­ing :

  • manda­to­ry iden­ti­ty ver­i­fi­ca­tion of the cred­i­tor (KYC – Know Your Cus­tomer)
  • allo­ca­tion of a unique SEPA cred­i­tor iden­ti­fi­er by the creditor’s bank (ICS – SEPA Cred­i­tor Iden­ti­fi­er)
  • con­tin­u­ous auto­mat­ed mon­i­tor­ing of sus­pi­cious behav­iour.

Traceability of direct debits

Each deb­it is iden­ti­fi­able through codes such as ICS (cred­i­tor iden­ti­fi­er), RUM (unique man­date ref­er­ence) and IBAN.

This makes it pos­si­ble to trace the trans­ac­tion back to the cred­i­tor and the issu­ing bank, which facil­i­tates inves­ti­ga­tions and dis­pute pro­ce­dures.

Strong regulatory protection for the payer

In cas­es of fraud­u­lent direct deb­its, reg­u­la­tions pro­vide pro­tec­tion.
For indi­vid­u­als, reim­burse­ment is pos­si­ble up to 13 months after the deb­it date.
For busi­ness­es, reim­burse­ment con­di­tions depend on the type of direct deb­it used.

  • Under SEPA Core — used by indi­vid­u­als and wide­ly by SMEs — the pay­er can request a refund with­out jus­ti­fi­ca­tion with­in 8 weeks, or obtain reim­burse­ment with­in 13 months in the case of an unau­tho­rised deb­it (for exam­ple, if the man­date does not exist or is invalid).
  • The SEPA B2B scheme, used between com­pa­nies, does not allow auto­mat­ic reim­burse­ment once the deb­it has been exe­cut­ed. How­ev­er, secu­ri­ty is stronger because the debtor’s bank must ver­i­fy that the man­date has been pre­vi­ous­ly reg­is­tered by its client before autho­ris­ing the deb­it.

While fake SEPA deb­its are tech­ni­cal­ly pos­si­ble in the­o­ry, the com­bi­na­tion of reg­u­la­to­ry con­trols and pay­er pro­tec­tions makes the risk rather low.

Sta­tis­tics pub­lished by the Banque de France and the ECB con­firm that direct deb­it fraud remains very mar­gin­al, par­tic­u­lar­ly com­pared with card fraud.

Accord­ing to the Banque de France, the fraud rate for direct deb­its reached 0.0021% of the total val­ue of deb­its in the first half of 2025 (around €2 per €100,000), up from 0.0014% a year ear­li­er. It should also be not­ed that fake SEPA deb­its rep­re­sent only a sub­set of all direct deb­it fraud cas­es.

This increase may reflect new fraud attempts and evolv­ing tac­tics, but it remains extreme­ly lim­it­ed rel­a­tive to the over­all vol­ume of SEPA trans­ac­tions.

The Real Risk : Exploitation of Identity

The accu­ra­cy and com­plete­ness of iden­ti­ty data from the FICOBA data­base rep­re­sent real val­ue for a fraud­ster.

Human manipulation : more credible targeted scams

The most like­ly exploita­tion involves social engi­neer­ing, includ­ing tech­niques such as phish­ing designed to obtain the victim’s coop­er­a­tion so that they them­selves approve a trans­ac­tion, believ­ing it to be legit­i­mate.

The more accu­rate the infor­ma­tion used, the more cred­i­ble a fraud­u­lent mes­sage or phone call becomes.

With­in organ­i­sa­tions, finance and admin­is­tra­tive teams are often tar­get­ed because they are able to autho­rise pay­ments or sen­si­tive oper­a­tions.

Accord­ing to the Banque de France, manip­u­la­tion fraud rep­re­sents 40% of the total val­ue of pay­ment fraud in France in the first half of 2025, and it has been increas­ing steadi­ly since 2021.

The pri­ma­ry risk there­fore becomes human and organ­i­sa­tion­al rather than tech­ni­cal.

Identity Theft : Serious and Long-Lasting Consequences

Iden­ti­ty theft occurs when a fraud­ster imper­son­ates a vic­tim to car­ry out fraud­u­lent actions using the cred­i­bil­i­ty asso­ci­at­ed with that iden­ti­ty.

For com­pa­nies, sev­er­al types of fraud involv­ing iden­ti­ty theft are well doc­u­ment­ed.

Trade cred­it fraud

A fraud­ster orders goods from sup­pli­ers in the company’s name. The prod­ucts are deliv­ered else­where, but invoic­es are sent to the vic­tim com­pa­ny.
Con­se­quences : unpaid invoic­es, dis­putes with sup­pli­ers, dam­age to com­mer­cial rela­tion­ships.

Financ­ing fraud (leas­ing or long-term rental)

The fraud­ster signs financ­ing agree­ments using the company’s iden­ti­ty in order to obtain equip­ment or vehi­cles with no inten­tion of pay­ing the instal­ments.
Con­se­quences : unpaid financ­ing con­tracts attrib­uted to the com­pa­ny, dis­putes with lenders.

Dete­ri­o­ra­tion of finan­cial rat­ings

Pay­ment inci­dents linked to such fraud may be report­ed to cred­it insur­ers, banks, and finan­cial infor­ma­tion data­bas­es (such as Allianz Trade or Coface).
Con­se­quences : low­er cred­it rat­ing, reduced sup­pli­er cred­it, stricter pay­ment con­di­tions.

Unlike fraud­u­lent direct deb­its, which are usu­al­ly detect­ed on bank state­ments and reim­bursed by the bank, these sit­u­a­tions may remain unde­tect­ed for sev­er­al months and only emerge dur­ing a dis­pute, for­mal notice, or financ­ing refusal.

The con­se­quences can there­fore be more severe and longer-last­ing, some­times involv­ing finan­cial, legal, and rep­u­ta­tion­al dam­age.

Vic­tims may become involved in com­plex and lengthy inves­ti­ga­tions or legal pro­ce­dures before the sit­u­a­tion is ful­ly clar­i­fied.

Practical Vigilance Measures

Sev­er­al sim­ple prac­tices can reduce the like­li­hood of fraud attempts linked to IBAN and iden­ti­ty data, and lim­it their impact :

  • reg­u­lar­ly mon­i­tor bank and account­ing trans­ac­tions
  • report any sus­pi­cious activ­i­ty to your bank
  • remain cau­tious about unusu­al requests or com­mu­ni­ca­tions
  • ver­i­fy requests through offi­cial chan­nels of the organ­i­sa­tions con­cerned.

Conclusion

The data con­tained in the FICOBA data­base can­not by them­selves bypass bank­ing secu­ri­ty sys­tems.

The pri­ma­ry risk does not lie in direct account access or fake SEPA direct deb­its.

It lies in the use of a real iden­ti­ty to manip­u­late indi­vid­u­als or ini­ti­ate fraud­u­lent actions in some­one else’s name with­out their knowl­edge.

Under­stand­ing this dis­tinc­tion helps assess the threat cor­rect­ly and adopt pro­por­tion­ate secu­ri­ty mea­sures with­out unnec­es­sary alarm.

Appendix

Content of the FICOBA Database

Sources : DGFiP (Direc­tion générale des finances publiques) et CNIL (Com­mis­sion nationale de l’informatique et des lib­ertés). 

Infor­ma­tion about the account hold­er

  • Name and first names
  • Date and place of birth
  • Address
  • For a legal enti­ty : com­pa­ny name, address, legal form and SIRET num­ber (French estab­lish­ment iden­ti­fi­ca­tion num­ber)
  • Tax iden­ti­fi­ca­tion num­ber

Infor­ma­tion about the account

  • Type of account :
    • Cur­rent account, sav­ings account, secu­ri­ties account
    • Indi­vid­ual account, joint account, undi­vid­ed account
    • Bank safe-deposit box
  • Bank account num­ber (IBAN)
  • Bank hold­ing the account
  • Open­ing and clos­ing dates

The data­base does not con­tain :

  • Account bal­ances
  • Bank trans­ac­tion his­to­ry
  • Con­tents of safe-deposit box­es

How a SEPA Direct Debit Works

Unlike a bank trans­fer, which is ini­ti­at­ed by the account hold­er, a direct deb­it is ini­ti­at­ed by the cred­i­tor (for exam­ple an ener­gy sup­pli­er, telecom­mu­ni­ca­tions oper­a­tor, or pub­lic admin­is­tra­tion).

This sys­tem is based on a sim­ple auto­mat­ed prin­ci­ple :

  • the cred­i­tor sends a deb­it request to the bank­ing sys­tem
  • the debtor’s bank exe­cutes the deb­it
  • the man­date is held by the cred­i­tor, not by the debtor’s bank.

The debtor’s bank gen­er­al­ly does not hold the man­date and does not ver­i­fy it dur­ing exe­cu­tion, except under the SEPA B2B scheme.

This design is inten­tion­al : it enables the automa­tion of mil­lions of legit­i­mate direct deb­its every day across the SEPA area.

Sources

  • Direc­tive (EU) 2015/2366 (PSD2) — main Euro­pean frame­work for pay­ment ser­vices and elec­tron­ic pay­ment secu­ri­ty.
  • Reg­u­la­tion (EU) 260/2012 (SEPA) — tech­ni­cal require­ments for euro trans­fers and direct deb­its.
  • Com­mis­sion Del­e­gat­ed Reg­u­la­tion (EU) 2018/389 — reg­u­la­to­ry tech­ni­cal stan­dards on strong cus­tomer authen­ti­ca­tion (SCA).
  • Obser­va­to­ry for the Secu­ri­ty of Pay­ment Means Reports 2024 and first half of 2025 — Banque de France.
  • 2025 Report on Pay­ment Fraud — Euro­pean Cen­tral Bank.
  • Con­tent of the FICOBA data­base — CNIL. Arti­cles L133‑1 and fol­low­ing of the French Mon­e­tary and Finan­cial Code — lia­bil­i­ty in the event of unau­tho­rised trans­ac­tions.

Author
Lai Ly
Finan­cial Ser­vices sec­tor Spe­cial­ist
SMEs Cyber­se­cu­ri­ty Gov­er­nance Spe­cial­ist

Con­trib­u­tor
Stéphane Hivert
SMEs Cyber­se­cu­ri­ty Spe­cial­ist
E‑commerce, Indus­tri­als sec­tor Spe­cial­ist

Disclaimer

This report is pro­vid­ed for infor­ma­tion­al pur­pos­es only and reflects the author’s opin­ion at the time of analy­sis.
It does not con­sti­tute legal or reg­u­la­to­ry advice and does not guar­an­tee the absence of risks or vul­ner­a­bil­i­ties.
Threats and risk lev­els may evolve over time.
Any deci­sions tak­en on the basis of this report remain the sole respon­si­bil­i­ty of the read­er.