The Security Headache Behind BIN / IBAN Sponsorships
by Tamas Kadar
One of the most fascinating things about the fintech industry is how fast it moves while still being rooted in the legacy banking system – and finding legitimate ways around all the regulatory red tape that comes with it.
Hiding Tech for a Better UX
Banking is hard, and licensing is prohibitively expensive for good reasons.
The average customer doesn’t see, and doesn’t want to see, all the moving parts behind their favorite application: they just want it to work instantly, as if by magic.
A customer’s experience should always be smooth and fast. Smoother and faster than in the days of traditional banking, anyway.
It’s a clever illusion driven by business innovation because the fintech applications we know and use in our everyday lives are not necessarily banks themselves – and yet they issue cards or give their customers virtual bank accounts.
Introducing Sponsorship Schemes
How do neobanks offer these products? The answer is sponsorship schemes.
The way it works is that a regulated bank offers the fintech company a range of BINs or IBAN numbers, while allowing use of the fintech’s own branding.
For example, you can have a Wise account or a Revolut card, but in actual fact the issuer would be the sponsor bank.
There are myriad providers offering such sponsor services, and the system works quite well from the customer’s point of view.
However, it does raise a persistent and annoying issue – that of “incorrect” BIN or IBAN lookups…
Why IBAN Checks Aren’t Foolproof
The first six or eight digits of a card number are known as the issuer identification number (IIN), also known as the bank identification number (BIN). They identify the institution that issued the card to the cardholder. The rest of the number is allocated by the card issuer.
Similarly, the IBAN number is an internationally agreed system of identifying bank accounts across national borders.
It consists of 34 alphanumeric characters including a country code; two check digits; and a number that includes the domestic bank account number, branch identifier, and routing information, if needed.
When we transact online, almost every player involved in processing the payment will perform some sort of check on our card number (or in the case of wire transfers, the bank account number).
If we are using a fintech, the BIN (or IBAN) lookup will still return the issuing bank based on these numbers, and not the fintech service we are using.
This can cause all sorts of problems, as payments can get rejected for safety reasons. Plus, a bank account in a country that doesn’t match our nationality or geo-IP address would normally seem risky.
Conversely, as these fintech services are easy to sign up for, they are popular among fraudsters as well as good, lawful users. If none of this is taken into account, your risk profile will be incomplete for a given transaction, making it difficult to get to the right conclusions.
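The lookup behaviour described above, as an added example that is not SEON's code: it validates an IBAN's check digits, extracts the bank identifier, and resolves it to the sponsor bank rather than the fintech brand the customer sees. The sponsor registry and every institution name in it are constructed placeholders, and the two IBANs used with it are commonly used documentation samples.

```python
import re

# Bank identifier length at the start of the BBAN, for two countries only.
BANK_ID_LEN = {"GB": 4, "DE": 8}

# Constructed registry: (country, bank identifier) -> licensed issuer and the
# fintech brands it sponsors. All names are placeholders, not real mappings.
SPONSORS = {
    ("GB", "WEST"): {"issuer": "Example Sponsor Bank", "brands": ["ExampleFintech"]},
}

def normalize(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()

def iban_is_valid(iban: str) -> bool:
    """Mod-97 check: move the first four characters to the end, map A=10..Z=35."""
    s = normalize(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1

def lookup(iban: str, geoip_country: str) -> dict:
    """Return what an IBAN lookup can and cannot tell a risk engine."""
    s = normalize(iban)
    if not iban_is_valid(s):
        return {"valid": False}
    country = s[:2]
    bank_id = s[4:4 + BANK_ID_LEN[country]] if country in BANK_ID_LEN else None
    sponsor = SPONSORS.get((country, bank_id))
    return {
        "valid": True,
        "country": country,
        "bank_id": bank_id,
        # The lookup only ever names the licensed issuer, never the fintech.
        "issuer": sponsor["issuer"] if sponsor else None,
        "possible_brands": sponsor["brands"] if sponsor else [],
        "country_mismatch": country != geoip_country.upper(),
        # Reported separately so a mismatch on a sponsored range can be
        # weighed as a signal instead of triggering an automatic rejection.
        "sponsored_range": sponsor is not None,
    }

if __name__ == "__main__":
    print(lookup("GB82 WEST 1234 5698 7654 32", "HU"))
```

A valid checksum only shows the number is well formed; attributing the account to a fintech brand depends entirely on how current the sponsor registry is.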
How SEON Does BIN Lookups
At SEON, we do our best to keep our BIN data up to date, but testing a few providers such as bindb.com and binlist.net gave us varying results for a range of cards such as those acquired through Monzo or Revolut.
As these sorts of services keep popping up, the problem is unlikely to go away any time soon. And that’s why we constantly test other providers to keep our records up to date so you don’t have to worry.
Here is an example of what your fraud fighters would see in our dashboard:
In the meantime, as a merchant, you just have to be mindful of the problem and communicate with your customers accordingly.
We recently wrote a breakdown of BIN lookup and how it can be used for fraud detection. Check it out if you want to learn more!
We also have an article about IBAN lookups to detect fraud.
Tamás Kádár is the Chief Executive Officer and co-founder of SEON. His mission to create a fraud-free world began after he founded the CEE’s first crypto exchange in 2017 and found it under constant attack. The solution he built now reduces fraud for 5,000+ companies worldwide, including global leaders such as KLM, Avis, and Patreon. In his spare time, he’s devouring data visualizations and injuring himself while doing basic DIY around his London pad.