A guest blog by Don Hollingum from Direct Debit 101. For more information visit: www.directdebit101.co.uk
Why use Direct Debit?
Direct Debit has been working for thousands of businesses, both large and small, for over 50 years, and its usage continues to grow both in terms of the number of organisations that use it and the number of payments collected – in excess of 4.5 billion payments were collected in 2019.
One of the key reasons for the longevity of this payment product is that it works effectively for both the party owing the money (the payer) and the beneficiary of the money (the collecting organisation). There is also significant flexibility within Direct Debit that, when used to its full potential, can be made to suit the needs of payers regardless of their income profile.
Direct Debit and Fraud
Fraud has been, and continues to be, a topic that is front of mind, and rightly so.
Fraudsters are invariably one step ahead of those introducing preventative measures, targeting either the weakest link or the area that provides the biggest gains; ideally, from a fraudster's perspective, both.
As we have seen of late, fraudsters are quite prepared to take advantage of tragic events such as the Covid-19 pandemic.
Where can fraud occur for users of Direct Debit?
There are five key areas where fraud can manifest itself within Direct Debit:
- At point of payer sign up
- Within a collecting organisation's internal processes
- During the transmission of data
- At the payer's payment services provider (PSP)
- Action and/or inaction by the payer
Let's explore some of the themes within these areas.
1) At the point of sign up – this is where the collecting organisation (or its agent) collects the payer's details to enable a Direct Debit Instruction (DDI) to be set up and subsequent payments collected.
Not only must the collecting organisation undertake Know Your Customer (KYC) procedures, it is imperative that actions are taken to ensure that the account details provided are those of the customer/payer and that the person providing the account details is authorised to action payment instructions from the account.
These requirements are articulated in the Direct Debit Scheme rules and are of particular relevance where AUDDIS (the AUtomated Direct Debit Instruction Service) is used to forward the payer's authority, the DDI, to the payer's PSP; they are referred to as "Verification". Both Verification and Validation have been referenced previously in an article on this blog.
A previous article has also referenced Strong Customer Authentication (SCA). Whilst SCA doesn't specifically apply to the UK's Direct Debit Scheme, primarily because the payer's PSP is not a party to the DDI sign-up process nor to the initiation of Direct Debit collections, parallels can be drawn regarding the need to ensure that payment collections are appropriately authorised.
Providing goods and services where the Direct Debit collections are not authorised, or are not taken from the correct person's account, not only enables fraud but also leads to reputational damage for the collecting organisation and to either unpaid Direct Debits or indemnity claims; in other words, losses.
2) Within a collecting organisation's internal processes – whilst perhaps an unpalatable thought for collecting organisations, the possibility of fraud within the organisation itself cannot be overlooked. Businesses will doubtless have their own internal processes and procedures, but from a Direct Debit perspective the potential risks include unauthorised access to data and insufficient controls around items such as PKI cards, which are often used to authorise the submission of payment collection files.
3) During the transmission of data – Bacs has in place designated systems and solutions for the submission of data files both to and from the central system, and these have proved to be extremely robust over time. Collecting organisations are required to use specifically approved software, and as such the risk of fraudulent intervention is extremely low. Collecting organisations must, however, ensure that their control procedures are robust for payment files before they are submitted and after any output is received.
4) At the payer's payment services provider (PSP) – it is unlikely that Direct Debit collections would be the subject of fraudulent activity in this space, given that it is the collecting organisation that creates and submits payment collection files, which pass through Bacs secure systems prior to being fed into a PSP's own infrastructure.
Staff at PSPs do however engage with Direct Debit processes in other ways including the validation of claims for refunds under the Direct Debit Guarantee and they will employ their own procedures to ensure that such claims are valid.
As with collecting organisations, PSPs will have their own internal processes and procedures applicable not just to Direct Debits but all payment mechanisms.
5) Action and/or inaction by the payer – here we are focussed primarily on abuse, also termed fraud in some cases, where perhaps a payer knowingly denies knowledge of authorising a DDI, claims not to recognise the collecting organisation, denies receiving advance notice, or seeks a refund from their PSP under the Direct Debit Guarantee in circumstances where the Guarantee is not applicable, e.g., as a way of resolving a contractual dispute.
Whilst it is difficult to obtain accurate data across all of the above categories, it is generally understood that the level of fraud associated with Direct Debit is low, particularly when considering that there were in excess of 4.5 billion payments collected in 2019.
UK Finance collates data on a wide range of payment related fraud and produces an annual report on fraud levels.
It is worthy of note that the level of identified/reported Direct Debit-related fraud has historically been very, very low.