The following report is so unbelievable that it could have come straight from the famous Paulaner garden, had I not known the person concerned for over 10 years. That is how I know that what I describe here actually happened. So take a deep breath, and let's go!

What happened?

For more than 15 years, a long-standing business partner has kept his business bank account with a large German private and business customer bank, which I will call X-Bank in this article. X-Bank recently called my business partner to say that they regretted that, "due to the system", the termination of the bank account would arrive by post the following day. The only way to prevent this, the caller said, was for the bank to send an email with a password-protected attachment within the next few minutes. By opening the attachment (using a password given over the telephone), filling in the information requested in the attachment and sending it back to the bank immediately, my business partner could still prevent the termination at the last minute.

Sounds like a social engineering attack? My business partner thought so too, and had the presence of mind to call in a colleague while the call was still in progress. During the call, the colleague checked the X-Bank website, which explicitly warned against precisely such calls and the story being told. Together they concluded that it must be a case of fraud, even though the number on the display was undoubtedly that of X-Bank (which, as they both knew, fraudsters can easily spoof). Consequently, the two ended the call.


Surprise: the next day, a letter of termination from X-Bank actually arrived in the post. The business relationship unfortunately had to be terminated, it said, with reference to various sections of the German Banking Act. So the phone call the day before had been genuine, and not the fraudulent call it had been taken for, and of the kind that happens so often.

What happened next …

My business partner was understandably beside himself. He called X-Bank and described the case: he had first received a phone call the day before, which he had taken for fraudulent, and on the day he was now calling X-Bank he had received their written termination of the bank account. He asked them to look into it and stop the termination. After all, a company without bank details can only operate to a limited extent. The lady on the phone could not find anything in the system at first glance and asked for a little patience. After a brief search, she got back to him: unfortunately it was true, the termination had taken place because my business partner had not fulfilled his obligation to provide proof of the beneficial owner of his company's bank account. X-Bank had sent a postal request weeks earlier to provide the relevant information, which my business partner had not complied with. And the day before, there had indeed been a telephone call from "the specialist department" to prevent the termination "at the last minute".

Wait a minute, said my business partner: he had indeed submitted the information as requested, in the very same week in which he had been asked to do so. He had filled out the multi-page form, printed it out as requested and sent it back to X-Bank with his handwritten signature. Several weeks had passed between that mailing and the telephone call from X-Bank.


Unfortunately, there was nothing she could do, said the lady from X-Bank on the phone. The information was not visible in the system, which is why the termination would now take effect. When my business partner asked whether she could please withdraw it, he received the succinct answer that this was unfortunately not possible in the system. It was an automatic process that she could not stop.

Several phone calls with various X-Bank representatives later, it emerged that my business partner's reply to X-Bank's request for information had in fact been received, as the bank admitted. Unfortunately, there had been a processing backlog, and my business partner's information was still sitting in the inbox. All bank accounts for which the information on the beneficial owner had not been entered into the system by a certain deadline were terminated automatically. When asked what could be done now, and whether the X-Bank representative could somehow reverse the termination, the answer was: nothing. As the other employee had already explained a few days earlier, it was a non-reversible process. Nor could she offer any form of compensation. There was no apology or any expression of regret on the part of the bank either.

Case analysis

Let's note: X-Bank terminates a bank account that has existed for more than 15 years because, through its own fault, it was unable to enter the information on the beneficial owner of my business partner's company into its systems for several weeks. And it does so by means of an automatic process that bank employees cannot stop by manual intervention.


Surely that cannot be? That is what I thought too. All the more reason for a brief analysis. For me, the scenario described has two dimensions:


– The professional one, from the perspective of IT security; and
– the internal bank processes.

Let's first look at the bank's internal processes. On the one hand, I wonder how it can be possible in 2024 that "system-side automatisms" lead to a long-standing customer relationship being terminated, and nobody is able to stop this termination manually. And further: how can it be that a customer submits requested regulatory information on time, and it then simply sits at the bank? I can already see the usual standard excuses: "due to an unexpectedly high volume of requests, we were unfortunately unable to ...". Honestly, X-Bank? You are carrying the consequences of your obligations to BaFin on the backs of your customers, by terminating bank accounts just like that? Because you were unable to enter information you already had into your systems? There is only one word for that: ridiculous!

And now to IT security: we go to great lengths to sensitize people to dangers and attacks from cyberspace. The phone call described at the beginning is by now one of the classic ways of persuading unsuspecting bank customers to disclose their credentials: a spoofed caller ID, time pressure ("tomorrow it will be too late"), and a password-protected attachment that the recipient is told to open and fill in at once. The procedure was even described on the X-Bank website under the heading "Current security information". So how does a well-known bank like X-Bank come up with the idea of approaching customers with exactly the same "scam" that the fraudsters use? A genuine process that is indistinguishable from the phishing call does worse than confuse: it trains customers to comply with the next call, which may well not be genuine. I wanted to congratulate my business partner, who is outside the IT security sector, on his demonstrated sensitivity to cyber threats, only to find that in this case the call was genuine. How could that be? Who at X-Bank decides to have employees call customers and tell them that their bank account is about to be terminated? That cannot really be true. Yes, it can, at X-Bank!

Conclusion

X-Bank now has one entrepreneur client fewer. And I seriously doubt the competence of the people working there. It is inexplicable to me how one of the largest banks in Germany can behave in such an amateurish manner, both in terms of IT security and in terms of dealing with its customers. I am sure that any medium-sized company that treated its customers in this way would have to close down within a very short time. Not X-Bank. And I shake my head whenever I walk past its large billboard advertisements.
