i'm surprised to have seen no discussion so far about the fact that all european banks will start massively leaking trans people's deadnames in october. so let's change that! (🧵 thread with more information)

image source: https://www.europeanpaymentscouncil.eu/sites/default/files/kb/file/2024-10/EPC218-23%20v1.0%202024%20Verification%20Of%20Payee%20Scheme%20Rulebook_0.pdf

quick note to start: this is just my understanding from reading the epc documents on vop. this is glossing over a lot of detail. i might make mistakes, if they are relevant to the larger message, please correct me in a reply.

starting october 2025 banks taking part in sepa (aka all bank transfers between european banks) need to perform verification of payee (vop).

verification of payee means that if you ("requester") send money to someone your bank checks in with the bank of the person you're sending money to ("payee") and tells you if the name you entered matches the iban. a simple check to make sure you're not sending money to the wrong person, right?

well not so much for people who use another name than their legal name, for example many trans people. every time someone tries to send them money, a warning is shown that the names do not match. so you either have to give people your deadname or at least out yourself and warn them beforehand that this will happen. but it gets even worse!

because your bank not only tells you whether the name you entered is correct or not. if the name you entered is close enough to the name associated with the iban ("close match"), you also get told that name. great if you mistyped, but horrible if your legal name should stay private!

but what qualifies as a "close match"?

the european payments council (who make the rules for this) leave that to the banks to decide for themselves, so the real implementation might differ. but they give some guidance on how these rules should look.

so if your bank account is registered to your deadname (which often is the case), all someone has to know (or guess) is your last name and the initial of your legal name. since the last name might very well be public, this takes a bad actor at most 26 tries.

and if your legal name is close enough to your real name (or has the same initial), it might even be shown to everyone sending you money.

this is the part of the thread where i would like to offer some hope or solutions on how people can protect themselves. but i don't know any. so if you have good solutions that work for most people or know how to prevent a specific bank from leaking that information, please add a post to this thread :)

Someone was so kind as to play around a bit with their bank's implementation and reported the following:
> • It depends on the recipient's bank. (I've seen different behaviours from the same source to different destinations.)
> • Some banks suggest "Jane Alice Doe" when just given "Doe", others will report no match for "Doe" but provide the full name when given "J. Doe".
> • For shared (spouse) accounts, "Smith" got no match, "A. Smith" got "Adam Smith" and "E. Smith" got "Eve Smith".

> • The banks that require an initial seem to only apply the initials matching for "J. Doe", not "J Doe".
> • In the cases where I was able to test it, I could omit up to two letters before failing the match. ("Andr Jones" ➔ "Andrea Jones", "And Jones" ➔ no match)

this matches up with what I saw with my bank

@pajowu i played around a bit, too.
With all three of my bank accounts just the surname is sufficient for a close match.
Any of my first names (also multiple of them and regardless of order) together with the surname gives an exact match.
On the shared account with my spouse, the last name gives a close match with their name (potentially because their name is lexicographically smaller(?)).
A close match always leaks the full name including all first names.

@pajowu one of my banks (Sparkasse) told me that they only check that for Girokonten, not for any other accounts (which matches the EU guidelines iirc)
So giving out the IBAN of other account types (like Tagesgeldkonto in Germany) could maybe help with keeping your deadname from being leaked

@pajowu do we know who (sending bank or receiving bank) checks for the differences between the "official account holder name" and the name used as the recipient of the transaction?
(i.e. does the receiving bank always send out the full name and tell the receiving bank to do the check and show the fitting message?
Or does the receiving bank get a name from the sending bank and do the checks and then either send back "no match", "near match, <official name>" or "match"?)
@pajowu I think that would be relevant if specific people with accounts at specific banks want to know in which case their "passport name"/possible deadname gets leaked

@pajowu the diagram above makes it look like the bank that will be sending the money only receives the matching result (so no name at all in the case of "no match"), but I'm not sure if that diagram is that precise?
That would mean that the bank where the account is handles the matching. Meaning my name would always be leaked in the same cases and that it would not depend on the bank that is used to send me money

(Which also seems like the more sensible implementation)

@Larymir yes, that's correct

@pajowu ah, great!
This means it's easy to create an overview of how different banks do those checks and then people can at least try to minimize the risk of leaking names they don't want leaked
(We just need somebody with a Girokonto account at that bank who is willing to try that out and then provides the results)

It still sucks that this is necessary. But at least that's better than the bank who sends the money being relevant for the behavior

@Larymir the matching happens at the receiving bank.

@pajowu also matches my experience …
- initials get completed, but only with a trailing dot
- if both chosen and dead name are present and start with the same initial, deadname is preferred
- with multiple first names, one seems to be enough to get them all
- last name alone isn't enough
- it all depends on the receiving bank — one didn't implement it (yet), so every attempt at validation simply gave an error
- the way other account types are implemented varies from bank to bank

it is a mess.

see https://toot.kif.rocks/@xayomer/115322004852978383 and https://toot.kif.rocks/@xayomer/115322620061011981

@pajowu can confirm in one real case this just leaked the deadname of a friend when typing in her new name

@pajowu they do allow "Complaint on the schemes" in their contact form:
https://www.europeanpaymentscouncil.eu/contact

Wrote a few lines about the danger for trans people specifically, both mentally and physically, and that I'm disappointed that this seemingly was not thought of.

@pajowu What’s your understanding of whether secondary names may also be leaked when either one of multiple given/chosen names are entered correctly?

@kc as far as i understand it, this should be a “match”, so the bank only returns the information that it matched, not which name it has on file

@pajowu I feel like I'm somewhat mostly dodging this by getting my name change done about a month after coming out (I already declared intent to make use of SBGG in March, so the 3 months waiting period are over already, just couldn't get an earlier appointment sadly) and my new name is a shortened version of my old name, so even if, I don't really care too much about my deadname being out there and I should be able to get things changed soon enough.

@pajowu fwiw i asked my bank about this, and they offered to add my usual name to what they use to do the matching so both should be allowed now. I guess we'll see how well that works in October 🙈

@pajowu
at least in germany there were banks that allow name/gender change with a dgti supplemental id, but that was pre sbgg, not sure if they still handle it the same way now, but may be worth looking into

wouldn't solve the leaking problem, but at least the deadnaming problem i think? (only germany, and not certain)

@pajowu no solutions, but this has been the case in the UK for at least a few years now, so there should be actual experience reports