What you need to know about Germany’s new online banking system

Privacy-sensitive souls in Germany can breathe a sigh of relief as banking becomes easier and more secure through a new EU-wide directive. Here's what you need to know.

Online banking in Germany is about to become easier - and more secure. Photo: DPA

Many bank customers in Germany will soon have to say goodbye to an old habit.

When they do online banking from their home computers, they will no longer be able to complete their transfers by entering a six-digit number taken from a paper list they have received, often by post.

Such lists with numbered transaction numbers (TANs) will be abolished as part of a major EU-wide banking makeover. Banks will not be allowed to offer this so-called iTAN procedure for transfers starting on September 14th.

As of September 14th, such paper TAN lists – in which each number can be used only once – will become obsolete. Photo: DPA


Why will the paper lists be abolished?

The change is part of the so-called European Payment Services Directive (with a Star Wars-esque sounding acronym of PSD2). Through it, Brussels aims to make payment transactions in the EU more convenient and secure for consumers.

Among other things, the directive stipulates that the transaction numbers required for online banking must be “generated dynamically” in future, which is not possible through a sequence of numbers that has already been printed on paper.

So what does this mean for bank customers?

For online banking and shopping on the Internet, the legal obligation of “strong customer authentication” will apply in future.

This means that every customer must prove his or her identity in two of the following ways: “knowledge” (a secret number or PIN), “possession” (for example by smartphone or the original payment card) or “being” (biometric features such as a fingerprint).

In order to release a bank transfer online, for example, you first need a PIN, and can then have a TAN sent to your mobile phone by SMS.

What else will change for customers?

The “PSD2” also breaks the banks' monopoly on access to account data. In future, financial institutions will also have to allow third-party providers such as financial start-ups (fintechs) to access their customers' data. 

For example, there are companies that compare overnight money rates from different banks and offer money transfers there. Others help consumers save by automatically putting small amounts aside. 

German banks are not exactly dancing with joy about the new regulation. Anyone who knows how much money customers have in their account and what they spend it on can easily offer them other services – such as construction financing, loans or insurance.

What about payments by credit card?

Privacy-sensitive Germans can breathe a sigh of relief here. In future, consumers will also have to identify themselves with two factors when making card payments on the Internet.

The requirements for using credit cards are particularly strict, because the number and check digit of these cards can be tracked relatively easily – for example, when they are used in a restaurant. Therefore, just having possession of the card is not enough. 


According to the new rules, consumers need two additional security factors for credit card payments when shopping online: a password and a TAN, for example. 

Because the system switch is a problem for retailers, the financial supervisory authority BaFin is temporarily allowing the previous (and simpler) security regulations to apply.

How do you get the TAN for approving online payments in the future?

Bank customers need a specially created TAN for each order. The customer can, for example, have this TAN sent to him or her by SMS to a mobile phone number previously deposited with the bank (“mobileTAN”/“mTAN”). A special TAN generator can also be used.

In combination with the bank card, this small device generates a TAN for online banking (“chipTAN procedure”). Some institutions offer a “PhotoTAN” procedure: A barcode appears in the customer's online banking system and is photographed with a mobile phone. A TAN is then generated and the booking is processed after the customer approves it.

How is the current system insecure?

Criminals continue trying to persuade bank customers to reveal PINs and TANs, for example by setting up fake websites or luring consumers onto the wrong webpage by email or SMS. If the printed iTAN lists sent by post fall into the wrong hands, criminals can plunder the account.

“If you handle the TAN list carefully and secure your computer according to current standards, the TAN list offers sufficient protection. However, if your TAN list falls into the hands of third parties, no security can be guaranteed,” writes Postbank.

The new system aims to keep criminals away from your money. Photo: DPA

OK, but there’s got to be a way criminals can intercept the new procedure, right?

So-called dynamic authentication procedures have the advantage that a TAN – unlike the printed iTAN list – is created anew each time. These numbers are then linked to the respective order and are valid for a limited period of time. 
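The properties described above (a TAN created anew for each order, linked to that order, and valid only for a limited time) can be shown in a short added example; it is not from the article and is not any bank's actual chipTAN or PhotoTAN algorithm. It assumes an HMAC-SHA-256 over the order details with a key shared between bank and customer device, a five-minute validity window, and hypothetical function names; the IBANs are constructed placeholders.

```python
import hashlib
import hmac
import struct

VALIDITY_SECONDS = 300  # assumed window; the article gives no figure


def transaction_tan(key: bytes, payee_iban: str, amount_cents: int,
                    issued_at: int) -> str:
    """Derive a six-digit TAN bound to one order and its issue time."""
    message = f"{payee_iban}|{amount_cents}|{issued_at}".encode()
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226), applied to SHA-256 output.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_tan(key: bytes, tan: str, payee_iban: str, amount_cents: int,
               issued_at: int, now: int, used: set) -> bool:
    """Accept a TAN only for the exact order, inside the window, once."""
    if now < issued_at or now - issued_at > VALIDITY_SECONDS:
        return False  # expired, or issue time lies in the future
    expected = transaction_tan(key, payee_iban, amount_cents, issued_at)
    if not hmac.compare_digest(expected, tan):
        return False  # TAN belongs to a different payee, amount or time
    order = (payee_iban, amount_cents, issued_at)
    if order in used:
        return False  # replay of an order that was already released
    used.add(order)
    return True


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"
    used = set()
    iban = "DE00EXAMPLE0000000001"  # constructed placeholder
    t0 = 1_568_448_000
    tan = transaction_tan(key, iban, 12_500, t0)
    print("genuine order:  ", verify_tan(key, tan, iban, 12_500, t0, t0 + 60, used))
    print("payee swapped:  ", verify_tan(key, tan, "DE00EXAMPLE0000000002",
                                         12_500, t0, t0 + 60, used))
    print("after expiry:   ", verify_tan(key, tan, iban, 12_500, t0, t0 + 301, set()))
```

A number from a printed iTAN list has none of these bindings: it is fixed in advance and says nothing about which payee or amount it releases.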

However, there are also concerns. 

“Although the 'mTan' procedure is practical and user-friendly, it also carries some risks,” warns Germany’s Federal Office for Information Security. “Under certain circumstances, criminals can intercept or redirect the SMS messages sent for authentication. There is a risk that the TAN contained in the SMS will be misused.”


To transfer – überweisen

Generated dynamically – dynamisch generiert

Secret number – (die) Geheimnummer

Tracked – ausgespäht

Check digit – (die) Prüfziffer

We're aiming to help our readers improve their German by translating vocabulary from some of our news stories. Did you find this article useful? Do you have any suggestions? Let us know.



German online bank N26 shutters US service

German online bank N26 said Thursday it was closing its operation in the United States next year, as regulators in Europe place the "fintech" start-up under increased scrutiny.

The N26 logo on a bank card. Photo: picture alliance/dpa | Christophe Gateau

N26’s 500,000 customers in the US would be able to use their services until January 11th, 2022, the bank said in a statement, after which it would cease to operate in a market it first entered in 2019.

Instead the Berlin-based operation would “sharpen its focus on its European business”, where it already operates in 24 countries and is exploring expansion into more eastern European markets.

N26 said it would also look to launch new “investment products in the coming year” to sit alongside its current account service.

Founded in 2013, N26 offers free, online-only banking services to around seven million clients and is one of Germany’s most high-profile financial technology or “fintech” firms.

In October, the bank raised $900 million from private investors, and announced a plan to hire a further 1,000 employees to reinforce its product development, technology and cybersecurity teams.


At home, N26 has been in the crosshairs of the German banking watchdog BaFin since 2018 after a local news media investigation found that it was possible to open an account with forged IDs.

Earlier in the month, the regulator said it was upping its oversight operations at N26, appointing a special representative to monitor the bank’s progress towards solving issues in “risk management with regard to IT and outsourcing” identified by BaFin.

The regulator also limited the number of new customers N26 could take on to 50,000 a month until the shortcomings were addressed.

N26 was already being monitored by BaFin over failures in the start-up’s anti-money laundering system.

BaFin issued N26 with a 4.25-million-euro ($4.8-million) penalty earlier this year in connection with around 50 “suspicious transactions” the bank failed to report promptly enough.