Verify Bank Account Numbers: BSB, Account Number
Verify bank account numbers with BSB validation, PayID, and NPP checks. 2025 APP fraud data, ASIC consumer protection
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokPayment redirection fraud cost Australian victims over AUD 80 million in 2024, according to the ACCC Scamwatch Annual Report 2024. A significant share of those losses stemmed from payments sent to bank accounts where the account holder did not match the intended recipient. Verifying bank account details before executing a payment is no longer optional. It is a core component of fraud prevention, supplier onboarding, and regulatory compliance across financial services, procurement, and accounts payable functions.
To validate an Australian bank account, verify the BSB (Bank-State-Branch) number (6 digits, formatted as XXX-XXX) against the BSB directory maintained by the Australian Payments Network (AusPayNet), which confirms the BSB is active and identifies the financial institution and branch. Format validation alone catches transcription errors but does not confirm the account exists or belongs to the expected party -- full verification requires PayID lookup or an account verification service through the New Payments Platform (NPP).
This guide covers the structure of Australian bank account identifiers, the verification methods available, the regulatory framework, and the practical steps to automate bank account validation in your workflows.
This article is provided for informational purposes and does not constitute legal advice. Consult a qualified professional for situation-specific guidance.
Australian Bank Account Identifiers: BSB and Account Number
Australia uses a dual-identifier system for domestic payments. The BSB (Bank-State-Branch) number (6 digits, formatted as XXX-XXX) identifies the financial institution and branch, while the account number (typically 6-9 digits, varying by institution) identifies the individual account. Together, they route payments through the BECS (Bulk Electronic Clearing System), Direct Entry, and NPP (New Payments Platform) networks.
For international payments, Australian accounts are represented as IBANs in some contexts, although Australia has not officially adopted IBAN as a domestic standard. International wire transfers to Australia typically use the SWIFT/BIC code of the receiving bank combined with the BSB and account number.
BSB Structure
| Element | Format | Length | Example |
|---|---|---|---|
| Bank identifier | First 2 digits | 2 digits | 06 (Commonwealth Bank) |
| State identifier | Third digit | 1 digit | 2 (NSW) |
| Branch identifier | Last 3 digits | 3 digits | 123 |
| Full BSB | XXX-XXX | 6 digits | 062-123 |
Major Australian Bank BSB Prefixes
| Bank | BSB Prefix Range |
|---|---|
| Commonwealth Bank of Australia (CBA) | 06xxxx |
| Westpac | 03xxxx, 73xxxx |
| ANZ | 01xxxx |
| National Australia Bank (NAB) | 08xxxx |
| Macquarie Bank | 18xxxx |
| Bendigo and Adelaide Bank | 63xxxx |
IBAN for International Transfers
While Australia does not use IBAN domestically, Australian businesses sending payments internationally must validate IBANs for overseas recipients. IBAN length and composition vary by country. Any validation system must account for these national differences.
| Country | Prefix | Length | Structure after check digits | Legacy format |
|---|---|---|---|---|
| United Kingdom | GB | 22 | 4 (bank letters) + 6 (sort code) + 8 (account) | Sort code + Account number |
| France | FR | 27 | 5 (bank) + 5 (branch) + 11 (account) + 2 (key) | RIB |
| Germany | DE | 22 | 8 (Bankleitzahl) + 10 (account number) | BLZ + Kontonummer |
| Netherlands | NL | 18 | 4 (bank letters) + 10 (account number) | Rekeningnummer |
| New Zealand | NZ | 18 | 4 (bank) + 4 (branch) + 7 (account) + 3 (suffix) | Bank-Branch-Account-Suffix |
The IBAN Check Digit Algorithm (MOD 97-1)
For international IBAN validation, the check digits at positions 3-4 are calculated using the MOD 97-1 algorithm defined in ISO 7064. This mathematical validation detects over 98% of transcription errors, including single-character substitutions and adjacent-digit transpositions.
The validation process follows four steps. First, move the first four characters (country code and check digits) to the end of the string. Second, convert all letters to numbers using the mapping A=10, B=11 through Z=35. Third, compute the remainder when dividing the resulting number by 97. Fourth, if the remainder equals 1, the check digits are valid.
This verification catches data entry mistakes but provides no assurance about whether the account exists, is active, or belongs to the expected party.
CheckFile's automated document verification platform extracts BSB numbers, account numbers, and IBANs from invoices, bank statements, and supplier documents, then validates them against format rules and bank registries in an average of 4.2 seconds (CheckFile platform data, March 2026). Across 2.4 million documents verified, the platform achieves a 98.7% OCR accuracy rate and a 94.3% field extraction rate, reducing manual bank detail verification time by 83%.
PayID and the New Payments Platform (NPP)
PayID is a name-checking service that operates on Australia's New Payments Platform (NPP). It allows payers to verify the account holder's name before sending a payment, using a registered identifier such as a phone number, email address, ABN, or organisation name.
How PayID Works
When a payer initiates a payment through online or mobile banking using a PayID, the sending bank queries the NPP PayID registry. The registry returns the name of the account holder associated with that PayID. The payer can confirm that the name matches their intended recipient before authorising the payment.
If the name does not match expectations, the payer receives a warning and can choose not to proceed. This friction point reduces payment redirection fraud by giving the payer an opportunity to reconsider before funds leave their account.
PayID Limitations
PayID verifies the name on the account but relies on the payee having registered a PayID. Not all accounts have a PayID associated with them. For traditional BSB and account number payments (without PayID), there is no automatic name-matching service equivalent to the UK's Confirmation of Payee. This gap is a recognised vulnerability in Australia's payment verification infrastructure.
Ready to automate your checks?
Free pilot with your own documents. Results in 48h.
Request a free pilotAPP Fraud and the Regulatory Landscape
The ACCC and ASIC have progressively tightened expectations around payment verification in response to rising scam losses. The Australian Government's National Anti-Scam Centre, established within the ACCC in 2023, coordinates scam disruption and intelligence sharing across the financial sector.
ASIC's enforcement focus on scam prevention has intensified, with regulatory action against financial institutions for inadequate scam detection and prevention measures. The Australian Banking Association (ABA) has introduced the Scam-Safe Accord, under which major banks have committed to implementing enhanced verification measures including confirmation of payee capabilities.
In 2024, the Australian Government announced plans for a mandatory industry code for scam prevention, which will impose binding obligations on banks, telecommunications providers, and digital platforms to detect, prevent, and respond to scams. This regulatory direction creates a direct incentive for businesses to invest in pre-payment verification.
BECS and NPP Controls
For BECS Direct Entry payments, originators should validate BSB and account number combinations against the BSB directory before submitting payment files. The NPP provides real-time settlement with PayID verification capability. These controls reduce rejected payments and provide a first layer of account validation.
Bank account verification methods compared
| Verification level | What it checks | Fraud prevention capability | Speed | Regulatory standing |
|---|---|---|---|---|
| BSB format validation | BSB is valid and active | Catches transcription errors only | Instant | Necessary but insufficient |
| Account number format check | Account number length is valid for the institution | Basic error detection | Instant | Basic requirement |
| PayID lookup | Name matching against receiving account | Prevents misdirected payments | 2-5 seconds | Best practice (ABA Scam-Safe Accord) |
| Full account verification (API) | Account existence, name match, status | Comprehensive fraud prevention | Under 5 seconds | Best practice for high-value payments |
Common Bank Account Fraud Patterns
Bank account fraud takes several forms, each exploiting different gaps in verification processes.
Invoice Redirection Fraud
A fraudster intercepts or impersonates a legitimate supplier and sends updated bank details, typically attached to a genuine-looking invoice. The paying company updates its records and sends the next payment to the fraudster's account. This is the most common form of payment redirection fraud targeting Australian businesses. According to Scamwatch, payment redirection and business email compromise scams consistently rank among the highest-loss scam categories for Australian businesses.
Account Takeover
The fraudster gains access to a legitimate business email account and sends payment instructions from a trusted address. Because the email is authentic, the request bypasses social engineering defences.
Mule Accounts
Fraudsters recruit or coerce individuals to open bank accounts in their own names, then use these accounts to receive fraudulent payments. The account passes PayID name checks if the payer has been given the mule's name as the expected payee.
Practical Verification Workflow
An effective bank account verification process operates at three levels, each adding assurance.
Level 1: Format Validation
Validate the BSB against the AusPayNet BSB directory to confirm it is a valid, active BSB assigned to a participating financial institution. Validate the account number length for the specific institution. For IBANs (international payments), run the MOD 97-1 check digit calculation. This level catches data entry errors.
Level 2: Account Existence Check
For domestic payments, use PayID (where available) or institution-specific verification services to confirm the account exists and is capable of receiving payments. For international IBANs, dedicated API services query the correspondent banking network.
Level 3: Name Matching and Identity Verification
PayID provides name matching for accounts with a registered PayID. For payments without PayID or for higher-risk transactions, supplement with identity verification and KYC checks. Cross-reference the account holder's name with ASIC company records, proof of address documentation, and existing supplier records.
Automating Bank Account Verification
Manual verification of bank details does not scale. A procurement team processing hundreds of supplier invoices monthly cannot realistically call each supplier's bank to confirm account ownership. Automation addresses this gap by integrating bank account validation directly into accounts payable and onboarding workflows.
Automated document validation systems extract BSB numbers, account numbers, and IBANs from invoices, contracts, and supplier registration forms. The extracted data is validated against format rules, checked for existence where possible, and matched against the declared beneficiary name. Any change in bank details for an existing supplier triggers an alert and a secondary confirmation workflow.
This automated approach eliminates the delay between receiving bank details and verifying them. It also creates a complete audit trail of every verification performed, supporting compliance with internal controls and regulatory expectations.
The integration with broader customer due diligence processes ensures that bank account verification is not treated as an isolated check but as part of a comprehensive onboarding and monitoring programme.
For a comprehensive overview, see our industry document verification guide. Our platform processes over 180,000 documents per month with a 94.8% fraud detection rate and a false positive rate of 2.8%, delivering results in an average of 4.2 seconds.
Take action
CheckFile verifies 180,000 documents per month with 98.7% OCR accuracy. Test the platform with your own documents โ results within 48h.
Frequently Asked Questions
Does passing BSB format validation mean the account is legitimate?
No. BSB validation confirms that the BSB number is a valid, active code assigned to a financial institution. It does not confirm the account exists, is active, or belongs to the expected party. A fraudster can provide a valid BSB with an account number they control.
Is PayID verification mandatory for all Australian payments?
PayID is not currently mandatory, but it is increasingly expected as best practice under the ABA Scam-Safe Accord and anticipated regulatory requirements. Major Australian banks have committed to implementing confirmation of payee capabilities. Businesses should treat payments without PayID verification as carrying higher risk.
What should a business do when a supplier requests a change of bank details?
Never update bank details based solely on an email or letter. Contact the supplier using a previously verified phone number (not a number provided in the change request). Verify the new bank details through PayID or direct confirmation with the supplier's bank. Require dual authorisation for any bank detail change in your accounts payable system. Document the verification in your audit trail. Report suspected fraud to Scamwatch and your bank.
How do IBAN verification APIs work?
IBAN verification APIs accept an IBAN as input and perform multi-level checks: format validation, check digit computation, bank code lookup (confirming the bank exists and participates in the relevant payment network), and in some cases name matching against the account holder. Response times are typically under two seconds. These APIs can be integrated into ERP systems, payment platforms, and onboarding workflows.
What is the difference between BSB validation and bank account verification?
BSB validation checks the format and validity of the BSB number against the AusPayNet directory. Bank account verification goes further by confirming the account exists, is active, and belongs to the declared party. Validation catches typos; verification catches fraud. Both are necessary for a secure payment process.
This article is for informational purposes only and does not constitute legal advice. Regulatory obligations change over time. Consult a qualified professional for advice specific to your compliance requirements.
Stay informed
Get our compliance insights and practical guides delivered to your inbox.