Tokenized Account Numbers (TANs)

Some financial institutions that support OAuth-based connections may return a Tokenized Account Number (TAN) when users link their accounts. A TAN is a standard account and routing number secure substitution that can be used for ACH and RTP transfers, and is reconciled by the issuing bank at settlement. Each application or merchant a user connects with receives a unique TAN instead of the user’s actual account number. This enables stronger access controls, allowing the user to monitor or revoke a specific connection’s ability to initiate payments. TANs are provisioned with an extended time-based validity.

TANs behave differently from standard account numbers in several important ways:

• Detection: You can identify whether a TAN is returned by checking the virtualAccountRoutingPair field in the GET Transaction API response. The real last 4 digits of the account will be provided, if available.
• Institution support: TANs are currently used by select institutions (e.g., Chase and PNC), with others like U.S. Bank expected to follow.
• Limitations: TANs are only valid for ACH and Instant Payment rails. They cannot be used for wires or check processing and may not be supported by all fraud or account verification vendors.
• Routing pairing: Each TAN must be used with the specific routing number provided. Mismatched routing numbers, even from the same bank, can cause failures.
• UI guidance: Because users don’t recognize TANs, you should always show the real last 4 digits of the account as provided, or if not available, the account number should be masked in end-user interfaces.

📘

Info

TAN Expiration
At this time, no TANs are scheduled to expire. Trustly will provide advance notice if banks decide to change this.