[Validator] Structure of BIC changed with ISO 9362:2022 #51975

luxemate · 2023-10-10T14:16:45Z

Symfony version(s) affected

all

Description

I have found some preview of the new standard, which can be interpreted as:

Party prefix is 4 upper-case alphanumeric characters (A to Z and 0 to 9 only)

We found out about the issue in production, because someone was tying to use an IBAN from UAE bank, which has BIC E097AEXXXXX.

How to reproduce

Use BIC E097AEXXXXX with the BicValidator.

Possible Solution

Use ctype_alnum for the first 4 characters.

Additional Context

Proof from iban.com

Element description from the updated standard

Conventions used in the format column

The following conventions are used in this document:

character representations:
- a: upper-case letters (alphabetical characters A to Z only);
- n: digits (numeric characters 0 to 9 only);
- c: upper-case alphanumeric characters (A to Z and 0 to 9 only).
length indications:
- nn!: fixed length;
- nn: maximum length.

The text was updated successfully, but these errors were encountered:

OskarStark · 2023-10-10T20:35:16Z

friendly ping @mvhirsch as you contributed the BicValidator IIRC

mvhirsch · 2023-10-11T09:08:17Z

The validator was implemented using the ISO 9362:2014 standard, because I implemented it back in 2015. I'm happy to see updates, but I do not have access to any official document for ISO 9362:2022. The ISO 9362:2014 described the first 4 characters to be alphabetical only, IIRC.

According to ISO Database (OBP):

the style of the BIC structure in Clauses 4 and 5 has been aligned with the style used in the ISO 17442 series;

I don't know the ISO 17442 either, making it hard for me giving any advice on this.

Sadly the BIC isn't officially registered by SWIFT (maybe a "non-connected" BIC?): https://www2.swift.com/bsl/?bicSearch_bic=E097AEXXXXX

No validator I tried on the internet is able to validate it. According to some research, it may seem to be the Al Maryah Community Bank, which itself states it's BIC is E097AEXX (using the 8 chars variant). This is BIC is also invalid as the above according to the BicValidator.

Without access to official documents I can not recommend anything from my side.

luxemate · 2023-10-11T10:00:02Z

@mvhirsch I've provided a link to a preview of ISO 9362:2022 in the first message. Not sure how legit is it, but looks like one. I've also found info on SWIFT website (https://www.swift.com/standards/data-standards/bic-business-identifier-code) that states:

The BIC is an 8 character code, defined as ‘business party identifier’, consisting of the business party prefix (4 alphanumeric), the country code as defined in ISO 3166-1 (2 alphabetic), and the business party suffix (2 alphanumeric).

The branch identifier is a 3 character optional element that can supplement the 8 character BIC, used to identify specific locations, departments, services or units of the same business party.

Is it official enough?

mvhirsch · 2023-10-16T11:59:53Z

I just implemented your suggestion, it now fails on previously valid BICs within the test cases.

SWIFT refers to the ISO 9362. As I stated above: without access to that document, I'm not able to help you here.

Neither I can access a big trusted & validated BIC database after so many years. I'm really not able to help here (beside the fact I can manage a code review, if you provide a PR).

derrabus · 2023-10-16T12:27:20Z

Apparently, the validator needs an update. I've added the "help wanted" label.

If someone needs this validator to be updated, please have have a look behind that 40 CHF paywall and send a PR.

Seb33300 · 2023-10-18T04:51:54Z

If someone needs this validator to be updated, please have have a look behind that 40 CHF paywall and send a PR.

I think you forgot to provide the link?
https://www.iso.org/standard/84108.html

maxbeckers · 2023-10-26T11:38:23Z

As far as I know it was not used for a long time, but it was already defined in ISO-9362-2014 that the first 4 characters of the BIC may also contain numbers.

MatTheCat · 2024-03-08T18:17:46Z

Okay don’t ask me how I found it but the change from alphabetic to alphanumeric four first characters comes from the second edition (from 1994).

ISO 9362:2022 says a valid BIC contains

4 upper-case alphanumeric characters (party prefix)
2 upper-case letters (country code)
2 upper-case alphanumeric characters (party suffix)

These three parts form a business party identifier.

It can then be followed by 3 upper-case alphanumeric characters (branch identifier).

From https://www.swift.com/swift-resource/9586/download:

SWIFT, as RA, has no plan to issue BICs with
numeric characters in the first 4 characters.

If applications have implemented restrictions
on the allowed characters, it would be good
practice to remove this restriction at the
occasion of a software update to respect the
standard specification of 4 alpha-numeric
characters.

Maybe there can be other Registration Authorities outside of ISO ¯\_(ツ)_/¯

Implementation-wise, this means the ctype_alpha check on the four first characters can be removed (since the whole BIC is checked by ctype_alnum).

Removing a check means that BICs previously considered valid would still be. However, Bic::INVALID_BANK_CODE_ERROR would then become useless, and data sets expecting this code valid.

… (MatTheCat) This PR was merged into the 5.4 branch. Discussion ---------- [Validator] Allow BICs’ first four characters to be digits | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #51975 | License | MIT While a lot of sources claim a BIC’s first four characters must be letters, this is not the case since ISO 9362:1994. The confusion may come from SWIFT (ISO 9362’s registration authority) saying that > [We have] no plan to issue BICs with numeric characters in the first 4 characters. [Source](https://www.swift.com/swift-resource/9586/download) (clicking this link will trigger a download) However, the next paragraph says > If applications have implemented restrictions on the allowed characters, it would be good practice to remove this restriction at the occasion of a software update to respect the standard specification of 4 alpha-numeric characters. As `@luxemate` stumbled on such a valid BIC (see linked issue), this PR removes the `Bic::INVALID_BANK_CODE_ERROR` check. This constant won’t be referenced anymore so it may be deprecated and removed later. Commits ------- 0d824a7 [Validator] Allow BICs’ first four characters to be digits

luxemate added the Bug label Oct 10, 2023

carsonbot added Status: Needs Review Validator labels Oct 10, 2023

OskarStark added the Status: Waiting feedback label Oct 12, 2023

derrabus added Status: Reviewed Help wanted Issues and PRs which are looking for volunteers to complete them. and removed Status: Needs Review Status: Waiting feedback labels Oct 16, 2023

MatTheCat mentioned this issue Mar 9, 2024

[Validator] Allow BICs’ first four characters to be digits #54219

Merged

nicolas-grekas closed this as completed Mar 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Validator] Structure of BIC changed with ISO 9362:2022 #51975

[Validator] Structure of BIC changed with ISO 9362:2022 #51975

[Validator] Structure of BIC changed with ISO 9362:2022 #51975

[Validator] Structure of BIC changed with ISO 9362:2022 #51975

Comments

Symfony version(s) affected

Description

How to reproduce

Possible Solution

Additional Context

Proof from iban.com

Element description from the updated standard

Conventions used in the format column