IBAN and Identity Data Exposed: What Is the Real Risk?
More than 1.2 million bank accounts in France are affected by the unauthorized access to data from the FICOBA database, according to the official statement issued by the authorities.
IBANs (International Bank Account Number) and identity details were accessed without authorisation.
What are the actual risks, and how should they be prioritised?
Our analysis distinguishes between real risks and perceived risks and ranks them accordingly.
It draws in particular on risk analysis, European payment mechanisms, the regulatory framework, and data published by the Banque de France and the European Central Bank (ECB).
Such an approach is essential in cybersecurity to avoid unnecessary panic and adopt proportionate responses.
This analysis is primarily written from a business perspective, although it also applies to individuals. For readers outside the EU, it is advisable to check with your bank which controls apply in your jurisdiction.
Key takeaways
- An IBAN and identity details do not allow direct access to a bank account. Multiple controls within the European banking and payment systems create a strong barrier against unauthorized access.
- The risk of fraudulent SEPA direct debits is very low. Controls imposed on creditors, transaction traceability, and refund mechanisms discourage abuse.
- The main risk lies in the exploitation of identity: manipulation and identity theft. Accurate and complete personal data make scams more targeted and convincing.
- Identity theft can have serious and long-lasting consequences. It may lead to financial, legal, and reputational impacts for the victim.
What FICOBA Data Were Accessed?
The FICOBA database (Fichier des comptes bancaires et assimilés), managed by the French public finance authority, records all bank accounts opened with financial institutions in France.
It contains administrative information used to identify account holders and their associated accounts. For further details, see the appendix “Content of the FICOBA database”.
According to the authorities, the data accessed in this incident include:
- Account holder identity details: surname (or company name), first name, date and place of birth
- Postal address
- Bank account details (IBAN)
Importantly, the FICOBA database does not contain:
- Account balances
- Transaction history
- Account activity
Direct Access to a Bank Account or Transfers: Very Low Risk
An IBAN alone does not allow access to a bank account, nor does it allow someone to initiate a transfer from that account.
It is important to remember that an IBAN is a public identifier designed to be shared. It circulates in many commercial exchanges and may already be known to third parties.
The disclosure of an IBAN alone is therefore generally not considered sensitive information.
Even when combined with full identity details, IBAN and identity information alone do not provide direct access to an account or allow a transfer to be initiated.
Several banking controls must be passed first, strengthened by European regulations introduced since 2015, particularly those relating to strong customer authentication and identity management.
To access online banking, an IBAN is typically not required. The minimum credentials needed are not included in the FICOBA database. These usually consist of a customer identifier, a password and an authentication device (most often a mobile phone) or biometric authentication.
For in-branch transactions, an IBAN is also insufficient. Banks must verify the client’s identity using elements not contained in FICOBA, such as official ID documents, signatures, or internal customer information.
To execute a transfer, the debtor’s bank also performs additional anti-fraud checks, looking for unusual transaction amounts, unusual destination countries and unfamiliar recipients.
Daily transfer limits, often defined according to the customer’s profile, further restrict the amount that can be moved.
These technical safeguards within the European banking and payment system constitute a strong barrier against unauthorised access to bank accounts.
Fake SEPA Direct Debits: Low Risk
The SEPA (Single Euro Payments Area) direct debit is the main payment mechanism allowing a creditor to initiate a debit from a debtor’s account without direct access to that account.
In theory, a fraudster with an IBAN and identity details might attempt to exploit this mechanism.
In practice, doing so at scale is relatively difficult without a fraudulent infrastructure.
Strict regulatory checks on creditors
Before issuing direct debits, a creditor must work through a bank or payment provider participating in the SEPA system. These institutions apply strict regulatory controls, including:
- mandatory identity verification of the creditor (KYC – Know Your Customer)
- allocation of a unique SEPA creditor identifier by the creditor’s bank (ICS – SEPA Creditor Identifier)
- continuous automated monitoring of suspicious behaviour.
Traceability of direct debits
Each debit is identifiable through codes such as ICS (creditor identifier), RUM (unique mandate reference) and IBAN.
This makes it possible to trace the transaction back to the creditor and the issuing bank, which facilitates investigations and dispute procedures.
Strong regulatory protection for the payer
In cases of fraudulent direct debits, regulations provide protection.
For individuals, reimbursement is possible up to 13 months after the debit date.
For businesses, reimbursement conditions depend on the type of direct debit used.
- Under SEPA Core — used by individuals and widely by SMEs — the payer can request a refund without justification within 8 weeks, or obtain reimbursement within 13 months in the case of an unauthorised debit (for example, if the mandate does not exist or is invalid).
- The SEPA B2B scheme, used between companies, does not allow automatic reimbursement once the debit has been executed. However, security is stronger because the debtor’s bank must verify that the mandate has been previously registered by its client before authorising the debit.
While fake SEPA debits are technically possible in theory, the combination of regulatory controls and payer protections makes the risk rather low.
Statistics published by the Banque de France and the ECB confirm that direct debit fraud remains very marginal, particularly compared with card fraud.
According to the Banque de France, the fraud rate for direct debits reached 0.0021% of the total value of debits in the first half of 2025 (around €2 per €100,000), up from 0.0014% a year earlier. It should also be noted that fake SEPA debits represent only a subset of all direct debit fraud cases.
This increase may reflect new fraud attempts and evolving tactics, but it remains extremely limited relative to the overall volume of SEPA transactions.
The Real Risk: Exploitation of Identity
The accuracy and completeness of identity data from the FICOBA database represent real value for a fraudster.
Human manipulation: more credible targeted scams
The most likely exploitation involves social engineering, including techniques such as phishing designed to obtain the victim’s cooperation so that they themselves approve a transaction, believing it to be legitimate.
The more accurate the information used, the more credible a fraudulent message or phone call becomes.
Within organisations, finance and administrative teams are often targeted because they are able to authorise payments or sensitive operations.
According to the Banque de France, manipulation fraud represents 40% of the total value of payment fraud in France in the first half of 2025, and it has been increasing steadily since 2021.
The primary risk therefore becomes human and organisational rather than technical.
Identity Theft: Serious and Long-Lasting Consequences
Identity theft occurs when a fraudster impersonates a victim to carry out fraudulent actions using the credibility associated with that identity.
For companies, several types of fraud involving identity theft are well documented.
Trade credit fraud
A fraudster orders goods from suppliers in the company’s name. The products are delivered elsewhere, but invoices are sent to the victim company.
Consequences: unpaid invoices, disputes with suppliers, damage to commercial relationships.
Financing fraud (leasing or long-term rental)
The fraudster signs financing agreements using the company’s identity in order to obtain equipment or vehicles with no intention of paying the instalments.
Consequences: unpaid financing contracts attributed to the company, disputes with lenders.
Deterioration of financial ratings
Payment incidents linked to such fraud may be reported to credit insurers, banks, and financial information databases (such as Allianz Trade or Coface).
Consequences: lower credit rating, reduced supplier credit, stricter payment conditions.
Unlike fraudulent direct debits, which are usually detected on bank statements and reimbursed by the bank, these situations may remain undetected for several months and only emerge during a dispute, formal notice, or financing refusal.
The consequences can therefore be more severe and longer-lasting, sometimes involving financial, legal, and reputational damage.
Victims may become involved in complex and lengthy investigations or legal procedures before the situation is fully clarified.
Practical Vigilance Measures
Several simple practices can reduce the likelihood of fraud attempts linked to IBAN and identity data, and limit their impact:
- regularly monitor bank and accounting transactions
- report any suspicious activity to your bank
- remain cautious about unusual requests or communications
- verify requests through official channels of the organisations concerned.
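As an added example (not code from the original article), the following script applies the traceability point from the direct-debit section and the SEPA Core / B2B refund rules to a bank statement: each debit is matched against the mandates the payer actually signed (identified by the ICS and RUM pair), and any unknown mandate is reported together with the refund windows still open. The statement lines, ICS values and RUM references are constructed sample values.

```python
"""Flag SEPA direct debits whose (ICS, RUM) pair matches no known mandate."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Debit:
    booking_date: date
    amount_eur: float
    ics: str      # SEPA Creditor Identifier of the creditor
    rum: str      # unique mandate reference (Référence Unique de Mandat)
    scheme: str   # "CORE" or "B2B"

# Mandates the payer actually signed, keyed by (ICS, RUM). Constructed values.
KNOWN_MANDATES = {
    ("FR00ZZZ000001", "RUM-ENERGY-2023"),
    ("FR00ZZZ000002", "RUM-TELCO-2024"),
}

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the end of the target month."""
    month0 = d.month - 1 + months
    year, month = d.year + month0 // 12, month0 % 12 + 1
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return d.replace(year=year, month=month, day=min(d.day, last_day))

def review_debit(debit: Debit, known=KNOWN_MANDATES, today: Optional[date] = None) -> dict:
    """Classify one debit; for unknown mandates, state which refund options remain."""
    today = today or date.today()
    if (debit.ics, debit.rum) in known:
        return {"status": "expected"}
    result = {"status": "unknown_mandate", "ics": debit.ics, "rum": debit.rum,
              "amount_eur": debit.amount_eur}
    if debit.scheme == "CORE":
        # SEPA Core: refund without justification within 8 weeks, refund of an
        # unauthorised debit (no valid mandate) within 13 months of the booking date.
        no_justification_until = debit.booking_date + timedelta(weeks=8)
        unauthorised_until = add_months(debit.booking_date, 13)
        result.update(refundable=today <= unauthorised_until,
                      no_justification_until=no_justification_until,
                      unauthorised_until=unauthorised_until)
    else:
        # SEPA B2B: no refund once executed; the debtor's bank was supposed to
        # check the mandate beforehand, so an unknown one must be raised with it.
        result.update(refundable=False)
    return result

def review_statement(debits, known=KNOWN_MANDATES, today: Optional[date] = None) -> list:
    """Return the review result for every debit that matches no known mandate."""
    return [review_debit(d, known, today) for d in debits if (d.ics, d.rum) not in known]
```

A constructed statement with one expected and two unknown debits can be reviewed with `review_statement([...], today=date(2025, 10, 1))`; the flagged entries give the ICS and RUM to quote to the bank when disputing the debit.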
Conclusion
The data contained in the FICOBA database cannot by themselves bypass banking security systems.
The primary risk does not lie in direct account access or fake SEPA direct debits.
It lies in the use of a real identity to manipulate individuals or initiate fraudulent actions in someone else’s name without their knowledge.
Understanding this distinction helps assess the threat correctly and adopt proportionate security measures without unnecessary alarm.
Appendix
Content of the FICOBA Database
Sources: DGFiP (Direction générale des finances publiques) and CNIL (Commission nationale de l’informatique et des libertés).
Information about the account holder
- Name and first names
- Date and place of birth
- Address
- For a legal entity: company name, address, legal form and SIRET number (French establishment identification number)
- Tax identification number
Information about the account
- Type of account:
  - Current account, savings account, securities account
  - Individual account, joint account, undivided account
  - Bank safe-deposit box
- Bank account number (IBAN)
- Bank holding the account
- Opening and closing dates
The database does not contain:
- Account balances
- Bank transaction history
- Contents of safe-deposit boxes
How a SEPA Direct Debit Works
Unlike a bank transfer, which is initiated by the account holder, a direct debit is initiated by the creditor (for example an energy supplier, telecommunications operator, or public administration).
This system is based on a simple automated principle:
- the creditor sends a debit request to the banking system
- the debtor’s bank executes the debit
- the mandate is held by the creditor, not by the debtor’s bank.
The debtor’s bank generally does not hold the mandate and does not verify it during execution, except under the SEPA B2B scheme.
This design is intentional: it enables the automation of millions of legitimate direct debits every day across the SEPA area.
Sources
- Directive (EU) 2015/2366 (PSD2) — main European framework for payment services and electronic payment security.
- Regulation (EU) 260/2012 (SEPA) — technical requirements for euro transfers and direct debits.
- Commission Delegated Regulation (EU) 2018/389 — regulatory technical standards on strong customer authentication (SCA).
- Observatory for the Security of Payment Means Reports 2024 and first half of 2025 — Banque de France.
- 2025 Report on Payment Fraud — European Central Bank.
- Content of the FICOBA database — CNIL.
- Articles L133-1 and following of the French Monetary and Financial Code — liability in the event of unauthorised transactions.
Author
Lai Ly
Financial Services sector Specialist
SMEs Cybersecurity Governance Specialist
Contributor
Stéphane Hivert
SMEs Cybersecurity Specialist
E-commerce, Industrials sector Specialist
Disclaimer
This report is provided for informational purposes only and reflects the author’s opinion at the time of analysis.
It does not constitute legal or regulatory advice and does not guarantee the absence of risks or vulnerabilities.
Threats and risk levels may evolve over time.
Any decisions taken on the basis of this report remain the sole responsibility of the reader.
