What you need to know about Germany’s new online banking system

Privacy-sensitive souls in Germany can breathe a sigh of relief as banking becomes easier and more secure through a new EU-wide directive. Here's what you need to know.

Many bank customers in Germany will soon have to say goodbye to an old habit.

When they do online banking from their home computers, they will no longer be able to complete their transfers by entering a six-digit number they have received – often by post – on a paper list.

Such lists with numbered transaction numbers (TANs) will be abolished as part of a major EU-wide banking makeover. Banks will not be allowed to offer this so-called iTAN procedure for transfers starting on September 14th.


Why will the paper lists be abolished?

The change is part of the so-called European Payment Services Directive (with a Star Wars-esque sounding acronym of PSD2). Through it, Brussels aims to make payment transactions in the EU more convenient and secure for consumers.

Among other things, the directive stipulates that the transaction numbers required for online banking must be “generated dynamically” in future, which is not possible through a sequence of numbers that has already been printed on paper.

So what does this mean for bank customers?

For online banking and shopping on the Internet, the legal obligation of “strong customer authentication” will apply in future.

This means that every customer must prove his or her identity in two of the following ways: “knowledge” (a secret number or PIN), “possession” (for example by smartphone or the original payment card) or “being” (biometric features such as a fingerprint).

In order to release a bank transfer online, for example, you first need a PIN, and can then have a TAN sent to your mobile phone by SMS.

What else will change for customers?

The “PSD2” also breaks the banks' monopoly on access to account data. In future, financial institutions will also have to allow third-party providers such as financial start-ups (fintechs) to access their customers' data. 

For example, there are companies that compare overnight money rates from different banks and offer money transfers there. Others help consumers save by automatically putting small amounts aside. 

German banks are not exactly dancing with joy about the new regulation. Anyone who knows how much money customers have in their account and what they spend it on can easily offer them other services – such as construction financing, loans or insurance.

What about payments by credit card?

Privacy-sensitive Germans can breathe a sigh of relief here. In future, consumers will also have to identify with two factors when making card payments on the Internet.

The requirements for using credit cards are particularly strict, because the number and check digit of these cards can be tracked relatively easily – for example, when they are used in a restaurant. Therefore, just having possession of the card is not enough. 


According to the new rules, consumers need two additional security factors for credit card payments when shopping online: a password and a TAN, for example. 

Because the system switch is a problem for retailers, the financial supervisory authority Bafin is temporarily allowing the previous (and simpler) security regulations to apply.

How do you get the TAN for approving online payments in the future?

Bank customers need a specially created TAN for each order. The customer can, for example, have this TAN sent to him or her by SMS to a mobile phone number previously deposited with the bank (“mobileTAN”/“mTAN”). A special TAN generator can also be used.

In combination with the bank card, this small device generates a TAN for online banking (“chipTAN procedure”). Some institutions offer a “PhotoTAN” procedure: a barcode appears in the customer's online banking system and is photographed with a mobile phone. A TAN is then generated and the booking is processed after the customer approves it.

How is the current system insecure?

Criminals continue trying to persuade bank customers to reveal PINs and TANs, for example by setting up fake websites or luring consumers onto the wrong webpage by email or SMS. If the printed iTAN lists sent by post fall into the wrong hands, criminals can plunder the account.

“If you handle the TAN list carefully and secure your computer according to current standards, the TAN list offers sufficient protection. However, if your TAN list falls into the hands of third parties, no security can be guaranteed,” writes Postbank.


OK, but there’s got to be a way criminals can intercept the new procedure, right?

So-called dynamic authentication procedures have the advantage that a TAN – unlike the printed iTAN list – is created anew each time. These numbers are then linked to the respective order and are valid for a limited period of time. 
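What "linked to the respective order" and "valid for a limited period" can look like in code, as an added example that is not from the article or any bank's implementation: the TAN is derived from the order details with an HMAC, so it only verifies for that order and inside the time window, while the printed-list check never looks at the order. The key, payee placeholders, five-minute window and function names are assumptions made for illustration.

```python
import hashlib
import hmac

TAN_VALIDITY_SECONDS = 300  # assumed window; the article gives no figure


def make_tan(key: bytes, payee: str, amount_cents: int, issued_at: int) -> str:
    """Derive a six-digit TAN from the order details (dynamic linking)."""
    order = f"{payee}|{amount_cents}|{issued_at}".encode()
    digest = hmac.new(key, order, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F  # RFC 4226-style truncation to a short code
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_tan(key: bytes, tan: str, payee: str, amount_cents: int,
               issued_at: int, now: int) -> bool:
    """Accept the TAN only for the same order and within the time window."""
    if not 0 <= now - issued_at <= TAN_VALIDITY_SECONDS:
        return False
    expected = make_tan(key, payee, amount_cents, issued_at)
    return hmac.compare_digest(expected, tan)


def verify_itan(printed_list: dict, index: int, tan: str, used: set) -> bool:
    """Printed-list check: the order details never enter the decision."""
    if index in used or index not in printed_list:
        return False
    if not hmac.compare_digest(printed_list[index], tan):
        return False
    used.add(index)
    return True


# Constructed sample data (placeholders, not real accounts or keys).
KEY = b"per-customer secret held by bank and TAN device"
PAYEE, OTHER_PAYEE = "DE00-EXAMPLE-LANDLORD", "DE00-EXAMPLE-OTHER"
ISSUED = 1_568_448_000

if __name__ == "__main__":
    tan = make_tan(KEY, PAYEE, 85_000, ISSUED)
    print("same order:   ", verify_tan(KEY, tan, PAYEE, 85_000, ISSUED, ISSUED + 60))
    print("changed payee:", verify_tan(KEY, tan, OTHER_PAYEE, 85_000, ISSUED, ISSUED + 60))
    print("after expiry: ", verify_tan(KEY, tan, PAYEE, 85_000, ISSUED, ISSUED + 301))
    print("printed list: ", verify_itan({17: "493021"}, 17, "493021", set()))
```

The printed-list entry is accepted whatever order it is attached to, which is why a list that falls into the wrong hands is enough on its own. A production scheme would also record each dynamic TAN as used so it cannot be replayed within the window.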

However, there are also concerns. 

“Although the 'mTan' procedure is practical and user-friendly, it also carries some risks,” warns Germany’s Federal Office for Information Security. “Under certain circumstances, criminals can intercept or redirect the SMS messages sent for authentication. There is a risk that the TAN contained in the SMS will be misused.”


To transfer – überweisen

Generated dynamically – dynamisch generiert

Secret number – (die) Geheimnummer

Tracked – ausgespäht

Check digit – (die) Prüfziffer

We're aiming to help our readers improve their German by translating vocabulary from some of our news stories.
