pajOwO 
i'm surprised to have seen no discussion so far about the fact that all european banks will start massively leaking trans peoples deadnames in october. so let's change that! (๐งต thread with more information)
quick note to start: this is just my understanding from reading the epc documents on vop. this is glossing over a lot of detail. i might make mistakes, if they are relevant to the larger message, please correct me in a reply.
starting october 2025 banks taking part in sepa (aka all banktransfers between european banks) need to perform verification of payee (vop).
verification of payee means that if you ("requester") send money to someone your banks checks in with the bank of the person you're sending money to ("payee") and tells you if the name you entered matches the iban. a simple check to make sure you're not sending money to the wrong person, right?
well not so much for people who use another name than their legal name, for example many trans people. every time someone tries to send them money, a warning is shown that the names do not match. so you either have to give people your deadname or at least out yourself and warn them beforehand that this will happen. but it gets even worse!
because your bank not only tells you whether the name you entered is correct or not. if the name you entered is close enough to the name associated with the iban ("close match"), you also get told that name. great if you mistyped, but horrible if your legal name should stay private!
but what qualifies as a "close match"?
the european payments council (who make the rules for this) leave that to the banks to decide for themselves, so the real implementation might differ. but they give some guidance on how these rules should look.
so if your bank account is registered to your deadname (which often is the case), all someone has to know (or guess) is your last name and the initial of your legal name. since the last name might very well be public, this takes a bad actor at most 26 tries.
and if your legal name is close enough to your real name (or has the same initial), it might even be shown to everyone sending you money.
this is the part of the thread where i would like to offer some hope or solutions on how people can protect themselves. but i don't know any. so if you have good solutions that work for most people or know how to prevent a specific bank from leaking that information, please add a post to this thread :)
Someone was so kind to play around a bit with their banks implementation and reported the following:
> โข It depends on the recipient's bank. (I've seen different behaviours from the same source to different destinations.)
> โข Some banks suggest "Jane Alice Doe" when just given "Doe", others will report no match for "Doe" but provide the full name when given "J. Doe".
> โข For shared (spouse) accounts, "Smith" got no match, "A. Smith" got "Adam Smith" and "E. Smith" got "Eve Smith".
>>>
> โข It depends on the recipient's bank. (I've seen different behaviours from the same source to different destinations.)
> โข Some banks suggest "Jane Alice Doe" when just given "Doe", others will report no match for "Doe" but provide the full name when given "J. Doe".
> โข For shared (spouse) accounts, "Smith" got no match, "A. Smith" got "Adam Smith" and "E. Smith" got "Eve Smith".
>>>
> โข The banks that require an initial seem to only apply the initials matching for "J. Doe", not "J Doe".
> โข In the cases where I was able to test it, I could omit up to two letters before failing the match. ("Andr Jones" โ "Andrea Jones", "And Jones" โ no match)
this matches up with what I saw with my bank
spooky Ske-Lil-ton ๐ฆ@pajowu one of my banks (Sparkasse) told me that they only check that for Girokonten, not for any other accounts (which matches the EU guidelines iirc)
So giving out the IBAN of other account types (like Tagesgeldkonto in Germany) could maybe help with keeping your deadname from being leaked
So giving out the IBAN of other account types (like Tagesgeldkonto in Germany) could maybe help with keeping your deadname from being leaked
@pajowu do we know who (sending bank or receiving bank) checks for the differences between the "official account holder name" and the name used as the recipient of the transaction?
(i.e. does the receiving bank always send out the full name and tells the receiving bank to do the check and show the fitting message?
Or does the receiving bank get a name from the sending bank and does the checks and then either sends back "no match", "near match, <official name>" or "match"?)
(i.e. does the receiving bank always send out the full name and tells the receiving bank to do the check and show the fitting message?
Or does the receiving bank get a name from the sending bank and does the checks and then either sends back "no match", "near match, <official name>" or "match"?)
@pajowu I think that would be relevant if specific people with accounts at specific banks want to know in which case their "passport name"/possible deadname gets leaked
@pajowu the diagram above makes it look like the bank that will be sending the money only receives the matching result (so no name at all in the case of "no match"), but I'm not sure if that diagram is that precise?
That would mean, that the bank where the account is handles the matching. Meaning my name would always be leaked in the same cases and that it would not depend on the bank that is used to send me money
(Which also seems like the more sensible implementation)
@Larymir yes, that's correct
@pajowu ah, great!
This means it's easy to create an overview how different banks do those checks and then people can at least try to minimize the risk of leaking names they don't want leaked
(We just need somebody with a Girokonto account at that bank who is willing to try that out and then provides the results)
It still sucks that this is necessary. But at least that's better than the bank who sends the money being relevant for the behavior
@Larymir the matching happens at the receiving bank.