How to Verify a Bank Account Number: IBAN and Sort Code Validation
How to verify bank account numbers using IBAN validation, Confirmation of Payee (CoP), and sort code checks. APP fraud data, CHAPS/BACS controls, and automated verification workflows for UK businesses.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokAuthorised push payment (APP) fraud cost UK victims GBP 459.7 million in 2023, according to UK Finance. A significant share of those losses stemmed from payments sent to bank accounts where the account holder did not match the intended recipient. Verifying bank account details before executing a payment is no longer optional. It is a core component of fraud prevention, supplier onboarding, and regulatory compliance across financial services, procurement, and accounts payable functions.
This guide covers the structure of UK and international bank account identifiers, the verification methods available, the regulatory requirements under FCA and Pay.UK rules, and the practical steps to automate bank account validation in your workflows.
This article is provided for informational purposes and does not constitute legal advice. Consult a qualified professional for situation-specific guidance.
UK Bank Account Identifiers: Sort Code and Account Number
The United Kingdom uses a dual-identifier system for domestic payments. The sort code (6 digits, formatted as XX-XX-XX) identifies the bank branch, while the account number (8 digits) identifies the individual account. Together, they route payments through the BACS, Faster Payments, and CHAPS networks.
For international payments and SEPA transactions, UK accounts are represented as IBANs. The UK IBAN is 22 characters long and follows a defined structure.
UK IBAN Structure
| Element | Position | Length | Example |
|---|---|---|---|
| Country code | 1-2 | 2 letters | GB |
| Check digits | 3-4 | 2 digits | 29 |
| Bank code | 5-8 | 4 letters | NWBK |
| Sort code | 9-14 | 6 digits | 601613 |
| Account number | 15-22 | 8 digits | 31926819 |
IBAN Structures Across Major European Countries
IBAN length and composition vary by country. Any validation system must account for these national differences.
| Country | Prefix | Length | Structure after check digits | Legacy format |
|---|---|---|---|---|
| United Kingdom | GB | 22 | 4 (bank letters) + 6 (sort code) + 8 (account) | Sort code + Account number |
| France | FR | 27 | 5 (bank) + 5 (branch) + 11 (account) + 2 (key) | RIB |
| Germany | DE | 22 | 8 (Bankleitzahl) + 10 (account number) | BLZ + Kontonummer |
| Netherlands | NL | 18 | 4 (bank letters) + 10 (account number) | Rekeningnummer |
| Spain | ES | 24 | 4 (bank) + 4 (branch) + 2 (check) + 10 (account) | CCC |
| Portugal | PT | 25 | 4 (bank) + 4 (branch) + 11 (account) + 2 (check) | NIB |
The IBAN Check Digit Algorithm (MOD 97-1)
The IBAN check digits at positions 3-4 are calculated using the MOD 97-1 algorithm defined in ISO 7064. This mathematical validation detects over 98% of transcription errors, including single-character substitutions and adjacent-digit transpositions.
The validation process follows four steps. First, move the first four characters (country code and check digits) to the end of the string. Second, convert all letters to numbers using the mapping A=10, B=11 through Z=35. Third, compute the remainder when dividing the resulting number by 97. Fourth, if the remainder equals 1, the check digits are valid.
This verification catches data entry mistakes but provides no assurance about whether the account exists, is active, or belongs to the expected party.
Confirmation of Payee: The UK Standard for Name Matching
Confirmation of Payee (CoP) is a name-checking service operated by Pay.UK. It verifies whether the name provided by the payer matches the name registered on the receiving account. CoP has been mandatory for the six largest UK banking groups since 2020 and was extended to all payment service providers directed by the Payment Systems Regulator (PSR) from October 2024.
How CoP Works
When a payer initiates a payment through online or mobile banking, the sending bank transmits the payee's name, sort code, and account number to the receiving bank. The receiving bank compares the name against its records and returns one of four responses: exact match, close match (minor discrepancy such as a nickname), no match, or account not found.
If the response is "no match" or "close match," the payer receives a warning and must actively choose to proceed with the payment. This friction point reduces APP fraud by giving the payer an opportunity to reconsider before funds leave their account.
CoP Limitations
CoP verifies the name on the account but does not confirm the identity of the account holder. A fraudster who opens an account under a stolen identity will pass CoP checks if the name on the account matches the name the victim expects. CoP also does not cover all UK accounts; business accounts at smaller institutions may not yet participate in the network.
APP Fraud and the Regulatory Landscape
The FCA and the PSR have progressively tightened requirements around payment verification in response to rising APP fraud. From 7 October 2024, a mandatory reimbursement requirement obliges sending payment service providers to reimburse APP fraud victims up to GBP 85,000 within five business days, with costs shared between sending and receiving firms.
This reimbursement mandate creates a direct financial incentive for banks and payment firms to invest in pre-payment verification. Firms that fail to implement CoP and other fraud detection measures face both regulatory sanctions and reimbursement liabilities.
CHAPS and BACS Controls
For high-value CHAPS payments, the Bank of England requires enhanced due diligence on beneficiary details. BACS Direct Debit originators must validate sort code and account number combinations through the Extended Industry Sort Code Directory (EISCD) before submitting instructions. These controls reduce rejected payments and provide a first layer of account validation.
Common Bank Account Fraud Patterns
Bank account fraud takes several forms, each exploiting different gaps in verification processes.
Invoice Redirection Fraud
A fraudster intercepts or impersonates a legitimate supplier and sends updated bank details, typically attached to a genuine-looking invoice. The paying company updates its records and sends the next payment to the fraudster's account. This is the most common form of APP fraud targeting businesses, accounting for a substantial portion of the GBP 459.7 million reported by UK Finance.
Account Takeover
The fraudster gains access to a legitimate business email account and sends payment instructions from a trusted address. Because the email is authentic, the request bypasses social engineering defences.
Mule Accounts
Fraudsters recruit or coerce individuals to open bank accounts in their own names, then use these accounts to receive fraudulent payments. The account passes CoP name checks if the payer has been given the mule's name as the expected payee.
Practical Verification Workflow
An effective bank account verification process operates at three levels, each adding assurance.
Level 1: Format Validation
Validate the sort code against the EISCD to confirm it is a valid, active sort code assigned to a participating bank. Validate the account number length (8 digits for UK accounts). For IBANs, run the MOD 97-1 check digit calculation. This level catches data entry errors.
Level 2: Account Existence Check
Query the receiving bank's systems to confirm the account exists and is capable of receiving payments. For UK domestic payments, this is achieved through CoP or through sort code and account number validation services. For international IBANs, dedicated API services query the correspondent banking network.
Level 3: Name Matching and Identity Verification
CoP provides name matching for UK accounts. For international payments or higher-risk transactions, supplement CoP with identity verification and KYC checks. Cross-reference the account holder's name with corporate registry data, proof of address documentation, and existing supplier records.
Automating Bank Account Verification
Manual verification of bank details does not scale. A procurement team processing hundreds of supplier invoices monthly cannot realistically call each supplier's bank to confirm account ownership. Automation addresses this gap by integrating bank account validation directly into accounts payable and onboarding workflows.
Automated document validation systems extract IBANs and sort codes from invoices, contracts, and supplier registration forms. The extracted data is validated against format rules, checked for existence, and matched against the declared beneficiary name. Any change in bank details for an existing supplier triggers an alert and a secondary confirmation workflow.
This automated approach eliminates the delay between receiving bank details and verifying them. It also creates a complete audit trail of every verification performed, supporting compliance with internal controls and regulatory expectations.
The integration with broader customer due diligence processes ensures that bank account verification is not treated as an isolated check but as part of a comprehensive onboarding and monitoring programme.
Frequently Asked Questions
Does passing the IBAN check digit validation mean the account is legitimate?
No. The MOD 97-1 algorithm verifies the mathematical consistency of the IBAN structure. It confirms the check digits are correct for the given account number, but it does not confirm the account exists, is active, or belongs to the expected party. A fraudster can provide a syntactically valid IBAN for an account they control.
Is Confirmation of Payee mandatory for all UK payments?
CoP is mandatory for all payment service providers that are directed participants or have been directed by the PSR. Since October 2024, this covers virtually all major UK banks and building societies. However, some smaller institutions and certain account types may not yet be fully covered. Payers should treat a "not available" CoP response as a risk indicator.
What should a business do when a supplier requests a change of bank details?
Never update bank details based solely on an email or letter. Contact the supplier using a previously verified phone number (not a number provided in the change request). Verify the new bank details through CoP or an IBAN verification API. Require dual authorisation for any bank detail change in your accounts payable system. Document the verification in your audit trail.
How do IBAN verification APIs work?
IBAN verification APIs accept an IBAN as input and perform multi-level checks: format validation, check digit computation, bank code lookup (confirming the bank exists and participates in the relevant payment network), and in some cases name matching against the account holder. Response times are typically under two seconds. These APIs can be integrated into ERP systems, payment platforms, and onboarding workflows.
What is the difference between IBAN validation and bank account verification?
IBAN validation checks the format and check digits of the IBAN string. Bank account verification goes further by confirming the account exists, is active, and belongs to the declared party. Validation catches typos; verification catches fraud. Both are necessary for a secure payment process.