What is an IBAN?
An IBAN (International Bank Account Number) is a standardised international format for identifying bank accounts. It was developed by the International Organization for Standardization (ISO) and the European Committee for Banking Standards (ECBS) and is defined in the ISO 13616 standard.
The IBAN combines the country code, check digits and the domestic bank details into a single standardised string that can be processed by any bank in the SEPA zone and beyond.
Structure of a German IBAN
A German IBAN always follows this structure:
DE 02 12030000 0000202051 ↑ ↑ ↑ ↑ CC CD BLZ Account number (Country) (Check) (Bank code) (Account)
- CC (Country Code):
DE– two-letter ISO 3166-1 country code - CD (Check Digits): Two-digit number calculated using the Mod-97 algorithm
- BLZ (Bank Code): Eight-digit German Bankleitzahl
- Account Number: Ten-digit German account number (zero-padded)
German IBANs always have exactly 22 characters. Any IBAN that is longer or shorter is immediately invalid for a German account.
History of IBAN introduction
The IBAN was made mandatory for all SEPA credit transfers as part of the SEPA migration, completed in February 2014 for retail payments. From that date, the old national account number formats became officially obsolete for SEPA transfers.
The IBAN Explained Step by Step
Country code
The first two characters of an IBAN are always the two-letter ISO 3166-1 alpha-2 country code of the country where the account is held. For Germany this is DE, for Austria AT, for France FR.
Check digits (Mod-97 algorithm explained)
Characters 3 and 4 of an IBAN are two decimal check digits, calculated using the ISO 7064 Mod-97-10 algorithm. Here is how validation works:
- Move the first four characters to the end of the IBAN string
- Replace each letter with its numeric equivalent (A=10, B=11, ..., Z=35)
- Calculate the remainder of dividing the resulting number by 97
- If the result is 1, the IBAN check digits are valid
Bank code
In the German IBAN, characters 5–12 (8 digits) represent the Bankleitzahl (BLZ) – the German bank sort code that identifies the specific bank. The BLZ is assigned by the Deutsche Bundesbank.
Account number
Characters 13–22 of a German IBAN (10 digits) represent the domestic account number, zero-padded on the left to fill exactly 10 digits.
What is a BIC?
A BIC (Bank Identifier Code), also known as SWIFT code, is an international standard (ISO 9362) for identifying banks in international financial transactions. A BIC consists of 8 or 11 characters:
SSKM DE MM XXX ↑ ↑ ↑ ↑ Bank CC Loc Branch (4) (2) (2) (3)
- Bank code (4 chars): Identifies the bank (e.g.
SSKMfor Stadtsparkasse München) - Country code (2 chars): ISO 3166-1 country code (e.g.
DE) - Location code (2 chars): Identifies the city or region
- Branch code (3 chars, optional):
XXXmeans the primary office
Where to find your BIC
- Your bank's website (Contact or Bank details section)
- Your bank statement or account passbook
- Your online banking portal (account details section)
- The Deutsche Bundesbank's bank sort code directory
Is BIC Required for GiroCode?
Optional since SEPA migration 2016
Since the completion of the SEPA migration in 2016, the BIC is no longer required for domestic and cross-border SEPA transfers within the SEPA zone. The IBAN alone is sufficient to route the payment to the correct bank and account.
In the EPC QR standard (version 002), the BIC field (line 5 of the payload) is therefore optional. We recommend leaving the BIC empty for simplicity – it keeps the payload shorter and the QR code less dense.
When is BIC still needed?
- Some legacy banking systems: Older banking software or payment processors may still require a BIC. When in doubt, include the BIC.
- Certain EPC version 001 implementations: Some older banking apps that only support EPC version 001 expect a BIC in the payload.
- Bank-specific requirements: A small number of banks in certain SEPA countries still require a BIC for incoming transfers.
IBAN Validation Explained
Mod-97 algorithm step by step
Using the example IBAN DE89370400440532013000:
- Move first 4 characters to end:
370400440532013000DE89 - Replace letters with numbers (A=10, B=11, ..., Z=35): D=13, E=14
- Calculate modulo 97 – if the result is 1, the IBAN is valid
Code example for IBAN validation in JavaScript
function validateIBAN(iban) {
iban = iban.replace(/s/g, '').toUpperCase();
if (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]+$/.test(iban)) return false;
const rearranged = iban.slice(4) + iban.slice(0, 4);
const numericString = rearranged
.split('')
.map(ch => isNaN(ch) ? ch.charCodeAt(0) - 55 : ch)
.join('');
const remainder = BigInt(numericString) % 97n;
return remainder === 1n;
}Common IBAN input errors
- Transposing two adjacent digits
- Missing leading zeros in the account number part
- Including spaces (IBANs should have no spaces in data fields)
- Using the wrong IBAN length
- Confusing letters and numbers (e.g. letter O vs digit 0)
IBAN Formats by Country
| Country | Code | Length | Example format |
|---|---|---|---|
| Germany | DE | 22 | DEkk bbbb bbbb cccc cccc cc |
| Austria | AT | 20 | ATkk bbbb bccc cccc cccc |
| Switzerland | CH | 21 | CHkk bbbb bccc cccc cccc c |
| France | FR | 27 | FRkk bbbb bggg ggcc cccc cccc cxx |
| Spain | ES | 24 | ESkk bbbb gggg xxcc cccc cccc |
| Netherlands | NL | 18 | NLkk bbbb cccc cccc cc |
| Belgium | BE | 16 | BEkk bbbc cccc ccxx |
IBAN Security
Is it safe to share your IBAN?
Sharing your IBAN is generally safe and is necessary for receiving SEPA transfers. Your IBAN is like your postal address for money – people need it to send you payments. The EPC QR standard (GiroCode) is specifically designed for sharing payment details, so embedding your IBAN in a QR code on an invoice is a normal and accepted practice.
What can someone do with your IBAN?
With only your IBAN, another person can:
- Send you money – the primary intended use
- Set up a SEPA Direct Debit mandate – this is the main risk
They cannot withdraw money from your account or initiate a transfer using only your IBAN. SEPA transfers are push payments – only the account holder can initiate an outgoing transfer.
IBAN for direct debit vs. transfer
The main risk of sharing your IBAN is that a fraudulent actor could use it to set up an unauthorised SEPA Direct Debit (SDD) mandate. However, SEPA regulations provide strong consumer protection:
- Unauthorised direct debits can be reversed within 8 weeks (with valid mandate) or 13 months (without valid mandate)
- Banks are obligated to refund reversed direct debits immediately upon request
Privacy with GiroCode
Unlike some other payment methods (e.g. PayPal), SEPA bank transfers via GiroCode do not expose your payment data to any third-party payment processor. The transaction data flows only between the payer's bank and your bank.
Use GiroCode Professionally – Software Recommendations
Anyone who wants to use GiroCodes professionally on invoices will eventually need good accounting or invoicing software. Creating GiroCodes manually is fine for occasional use – but for regular invoicing, an automated solution quickly pays off.
We recommend two proven tools that natively support GiroCodes:
sevDesk
sevDesk is one of Germany's leading accounting platforms for freelancers and SMEs. Invoices with automatically generated GiroCode can be created in just a few clicks and sent directly by email. The software is DATEV-compatible and supports the small business regulation.
Try sevDesk free *FastBill
FastBill offers a simple, speed-focused invoicing platform. With FastBill you can create a professional invoice including a GiroCode in under two minutes – directly in the browser, no installation needed. Ideal for freelancers and small teams.
Try FastBill free for 14 days ** Affiliate link – If you purchase through this link, we receive a small commission at no extra cost to you.
For occasional use or as a starting point, we recommend our free GiroCode Generator – completely local, no registration required.