Every valid IBAN carries its own checksum, computed using the ISO 13616 mod-97 algorithm. Understanding how it works makes it much easier to debug a validation failure, or to implement IBAN validation yourself without depending on a third-party library.
The four steps of mod-97 validation
The algorithm always follows the same four steps, whether you are validating an existing IBAN or computing fresh check digits for a newly generated one.
- Move the first 4 characters (country code + check digits) to the end of the string
- Replace every letter with its numeric equivalent: A=10, B=11, ... Z=35
- Treat the resulting digit string as one large integer and compute its remainder when divided by 97
- A valid IBAN always produces a remainder of exactly 1
Worked example: Germany
Take the well-known example IBAN DE89 3704 0044 0532 0130 00 (compact: DE89370400440532013000).
Move the first 4 characters (DE89) to the end: 370400440532013000DE89. Replace letters with numbers (D=13, E=14): 370400440532013000131489. Compute that number mod 97, and the result is 1 — confirming the IBAN is structurally valid.
What this does and does not prove
A passing mod-97 check confirms the IBAN is correctly formatted for its country. It does not confirm that the account number actually exists at a real bank — that check only happens inside the banking network itself, not in client-side or application-level validation.
This is exactly why fake, checksum-valid IBANs are useful for testing: they exercise your format-validation logic correctly, and since they're randomly generated and not checked against any bank's account records, they should never be submitted to a real payment network.
Khushbu
Full-Stack Developer & Founder
I build tools I wish existed — fast, free, and private. Every tool runs in your browser because I believe your data should stay yours.
Tools mentioned in this guide