Workflow · 8 min read
IBAN check before every payment — best-practice workflow.
How a modern B2B workflow handles IBAN changes, fingerprint comparison and audit trail in under 30 seconds — without phone calls, without Excel, without trust breaches.
Published on 11 May 2026 · SigID product team

An IBAN change at a supplier is the most common vector for payment fraud in the B2B world. Whoever is sloppy here risks five- to seven-digit losses. This article presents a workflow that runs in under 30 seconds and at the same time produces an auditor-proof trail.
Why IBAN changes are so critical
The typical scam is simple: an attacker takes over the managing director's e-mail account, sends a note to accounting and announces a new IBAN. Accounting changes the entry, and the next payment goes to a phantom account. On average, affected companies lose six-digit amounts and have to explain the incident to their auditors.
Step 1: IBAN fingerprint instead of clear text
In the first step, SigID stores not the raw IBAN but a salted hash. Comparison against the stored fingerprint still works, but reading the IBAN out of the database is no longer trivial. Even an attacker with read access cannot use the hash.
Step 2: fingerprint check on every payment
Before every payment execution, the ERP connector compares the IBAN stored in the ERP against the SigID fingerprint. If they match, the payment runs through in seconds. If they differ, the payment is paused and a challenge is triggered.
Step 3: challenge with dynamic linking
The challenge is sent to the responsible person's Trust App. She sees in clear text: previous recipient, new IBAN, amount. She confirms or rejects. Confirmation is signed via passkey and dynamic linking — the signature is valid only for this exact case.
Step 4: audit event with risk-level high
On confirmation, an audit event of type iban.update with risk-level high and a reference to the signed challenge is created. The event enters the audit hash chain and gets a unique audit-id. At the next audit, the case can be reconstructed in full.
Step 5: four-eyes principle on demand
For particularly critical suppliers or very high amounts, the four-eyes principle can be activated. Then two consecutive Trust-App signatures are required before the audit event becomes final. The second person also sees clear-text data and confirms independently.
Step 6: webhook back into the ERP
As soon as the audit event is released, SigID calls the ERP webhook and delivers the audit-id as a reference. The ERP sets the supplier master to the new IBAN fingerprint, attaches the audit-id to the booking and releases the payment.
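Steps 1, 2 and 4 can be illustrated with the following added example, which is not SigID's code: a fingerprint comparison before payment and an iban.update event appended to a hash chain that can be re-verified later. The HMAC construction, the key name PEPPER, the event field names and the use of the event hash as audit-id are assumptions; salt, IBANs and references are constructed sample values.

```python
import hashlib
import hmac
import json

# Assumption: server-side secret held outside the database (e.g. in a KMS).
PEPPER = b"constructed-demo-key"
GENESIS = "0" * 64

def fingerprint(iban: str, salt: bytes) -> str:
    """Step 1: keyed, salted hash. IBANs are short and structured, so the
    key (not the salt alone) is what resists offline guessing."""
    canonical = "".join(iban.split()).upper()
    return hmac.new(PEPPER, salt + canonical.encode(), hashlib.sha256).hexdigest()

def check_payment(erp_iban: str, salt: bytes, stored_fp: str) -> str:
    """Step 2: release on match, pause for a challenge on mismatch."""
    match = hmac.compare_digest(fingerprint(erp_iban, salt), stored_fp)
    return "release" if match else "paused"

def event_digest(event: dict) -> str:
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_audit_event(chain: list, supplier: str, new_fp: str, challenge_ref: str) -> str:
    """Step 4: iban.update event bound to its predecessor's hash."""
    event = {"type": "iban.update", "risk_level": "high", "supplier": supplier,
             "fingerprint": new_fp, "challenge": challenge_ref,
             "prev": chain[-1]["hash"] if chain else GENESIS}
    event["hash"] = event_digest(event)
    chain.append(event)
    return event["hash"]  # doubles as the audit-id here (assumption)

def verify_chain(chain: list) -> bool:
    """Recompute every link; any edited or reordered event breaks the chain."""
    prev = GENESIS
    for event in chain:
        if event["prev"] != prev or not hmac.compare_digest(event_digest(event), event["hash"]):
            return False
        prev = event["hash"]
    return True

if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    old, new = "DE89 3704 0044 0532 0130 00", "GB82 WEST 1234 5698 7654 32"  # sample IBANs
    stored, chain = fingerprint(old, salt), []
    print(check_payment("de89370400440532013000", salt, stored))  # same IBAN, other spelling
    print(check_payment(new, salt, stored))                       # changed IBAN
    audit_id = append_audit_event(chain, "SUP-001", fingerprint(new, salt), "challenge-001")
    print(audit_id[:16], verify_chain(chain))
```

Normalizing the IBAN before hashing keeps a spacing or case difference between ERP and master data from pausing a legitimate payment.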
Total duration and effect
The entire workflow runs in the Trust App in under 30 seconds. With four-eyes active, roughly 60 seconds are added for the second person. Compared with the classic e-mail-phone-Excel loop with intermediate callbacks, companies typically save 80 to 90 percent of processing time — and gain an auditor-proof trail.
When the workflow pays off
We recommend the workflow from the first supplier with critical payout volume. For clients with more than 50 active suppliers, SigID typically amortizes within the first quarter, purely through saved processing time and avoided wrong payouts.
Conclusion
IBAN checks do not have to be expensive, slow or cumbersome. Once the setup is configured well, you run 30-second workflows in daily operations and hand the auditor a complete trail. The next step: create a demo supplier in SigID and try the workflow on a real case.
An overview of all trust modules lives in the Trust Center.