Can You Trust Direct Debit?

March 11, 2012

Revised 18 March 2012

Many if not most of us pay utility and some other bills by direct debit, and most of the time this works fine and saves trouble. However there are problems that you should be aware of, problems which I believe could be reduced if the banking industry displayed a more responsible attitude to security. There are two issues: fraud, and poor and unfair practices on the part of companies who take your money on direct debits.

Before going into these issues I need to describe how the scheme is supposed to work. Overall responsibility for the Direct Debit Scheme lies with BACS Payment Schemes Limited which describes itself as follows:

“Bacs was founded in 1968, and has been at the heart of the payments industry ever since. We are a not for profit, membership based body owned by 15 of the leading banks and building societies in the UK and Europe.

No one has more authority when it comes to Direct Debit than we do. Indeed, we are responsible for the schemes behind the clearing and settlement of automated payments in the UK, including Bacs Direct Credit as well as Direct Debit. We have a proud record of maintaining the integrity of payment related services throughout four decades…For more information about Bacs visit”

Bacs is a company limited by guarantee and is wholly owned by some of the UK and Europe’s leading banks and building societies. As at 17 March 2012, these were: Allied Irish Bank, Bank of England, Barclays Bank, Citibank NA, Coutts & Co, Clydesdale Bank Plc, Danske Bank, HBOS (Halifax and Bank of Scotland), HSBC Bank plc, Lloyds Banking Group, Nationwide Building Society, NatWest, Northern Rock, Santander, The Co-operative Bank, and The Royal Bank of Scotland, see:

A Direct Debit should be contrasted with a standing order. The latter is an instruction to your bank to pay a defined amount at defined intervals to a company or other organisation. It is true that the customer is commonly asked to send the mandate to the organisation, so they can record the details, but until the bank subsequently receives the signed mandate it should not act on it. Alternatively the customer can set up or vary a standing order by phoning the bank.

A standing order can be a pain for the recipient organisation to administer. Even if it is for subscriptions to a club, the subscription level can change. The organisation then has to persuade the customer/member to change the standing order. Such clubs are beginning to change to Direct Debits. Direct Debit solves the organisation’s problem, but it swings too far against the interests of the customer, as we will see.

According to my bank a Direct Debit is a contract between the customer and the organisation. It allows the organisation to take money from the customer’s bank account on prior notice of the amount, date and frequency. Banks and building societies offer a guarantee, which (if you do not have a copy) you can see at This provides that “If an error is made in the payment of your Direct Debit, by the organisation or your bank or building society, you are entitled to a full and immediate refund of the amount paid from your bank or building society…” The bank will then attempt to claim the money off the organisation. However “If you receive a refund you are not entitled to, you must pay it back when the organisation asks you to.” The guarantee does not say how it is to be established whether or not the customer was entitled to the refund. It seems to imply that if the organisation asserts that the customer was not entitled to the refund, the bank can simply take the money back. The guarantee also says, “You can cancel a Direct Debit at any time by simply contacting your bank or building society. Written confirmation may be required. Please also notify the organisation.” I see two problems. Firstly I argue below that it should be possible to at least get the Direct Debit suspended by phone, and secondly, what is the legal meaning of the sentence, “Please also notify the organisation.” Is it a condition of the arrangement being cancelled, or is it merely advice?

How do direct debits get set up? You can fill out and sign a paper mandate, but in my experience that is not the normal way things are done. You simply phone the organisation, give them the information they ask for, and they inform your bank. There must be a de facto standard for what information has to be provided; I cannot imagine 15 banks coming to separate bilateral arrangements with each organisation (or service user in Bacs’ jargon), but Bacs declined to tell me in answer to an email what that standard is. On their website they refer to the “Services Users’ Guide and Rules to the Direct Debit Scheme”, but you need a password to see it, and the public cannot get hold of a password. I would very much like to know why.

I phoned a bank and asked what if a direct debit has been set up in my name that I do not recognise? Apart from the (temporary) refund, what would the bank do? I was told they would ask for evidence… a signed mandate? I asked what if it was done by phone – silence. I then phoned British Telecom as a representative service user. The person I spoke to said the bank would, if asked, request a voice recording of the call in which the direct debit was arranged, and of course this would be provided.

So what are the consequences?

a. Fraud

Direct Debit fraud is significant and growing. In 2010 Liverpool Victoria revealed that over 97,000 Brits had fallen victim to criminals setting up fraudulent direct debits from their accounts, and believed this number was set to escalate over the next three years…

“LV= has revealed that over 97,000 Brits have fallen victim to criminals setting up fraudulent direct debits from their accounts, with this number set to escalate over the next three years, according to new research.

The findings from the home insurer, conducted by the Centre for Economics and Business Research (CEBR), show that so far this year 26,000 Brits found fraudsters taking out regular direct debit payments in their name, with an average of £540 going missing before they noticed and stopped it.

Over the last four years, the number of criminals gaining access to victims’ bank accounts directly in order to set up regular payments has risen by 288% from just 6200 reported cases in 2006. This huge increase has been driven by the introduction of Chip and PIN meaning it’s harder for fraudsters to steal someone else’s card and pass it off as their own.

Direct debit payment fraud now accounts for around 10.6% of all identity fraud cases, rising from 0.01% of all cases in 2001. And the LV= report reveals the problem is set to grow to 41,000 cases a year by 2013, equating to a 57% rise in the coming three years…”

Typically it would appear that fraudsters used the direct debits to pay for mobile phone contracts or gym memberships.

The press release goes on, “…LV= home insurance customers who think they might have been stung by fraudsters can contact our home insurance fraud helpline for advice…” Could this be the reason they commissioned the research?

Another reference to this research can be found at,

A comment was left by Jonathan Williams (presumably from CEBR),

“From our research many corporates still report direct debit fraud as theft and therefore report it to the police instead of informing their bank or a clearinghouse such as Bacs. It is therefore not surprising that these organisations don’t get to see the true picture. What businesses have to bear in mind, however, is that, as cheques decline and efficiency becomes paramount in this new age of austerity, there is a general drive in both the private and public sector to move more and more payments to Direct Debit. A proportion of these will be fraudsters posing as legitimate customers and this report provides a first estimate of this fraction.

It is good to see a corporate talking openly about the problems of preventing fraud. Only by facing up to the challenges, including what measures could be applied to manage the problem, can the payments industry start to take control. The key is further verification of the data provided. Direct Debit originators should check the account numbers appear to be valid, but best practice is to confirm the link to the owner of the account and authenticate the prospective consumer and, ideally, his or her address.

Fraud considerations, especially in today’s financial climate, need to be top of the agenda for financial institutions and corporates. In order to prevent a rise in direct debit fraud, companies need to adopt the relevant data validation tools to verify a customer’s account at the point of entry. Connecting an individual’s identity to their bank account and address is one solution; only by linking these three pieces of information can corporates really be sure of their consumer information, and more importantly the source or destination of their customer’s funds. Preventing fraud is like repairing a burst pipe – it is only when all the holes have been plugged that there will be no leakage.”

It seems he was somewhat optimistic. When I tackled Bacs about this I was told, “We are not aware of the fraud figures you have quoted from Liverpool Victoria and therefore cannot comment specifically.” They did not express any interest in the research, nor when I had supplied references to the research did they acknowledge that.

When I asked the FSA whether they monitored Direct debit fraud they replied: “We do not regulate the Direct Debit Guarantee Scheme as this is the jurisdiction of the Bacs Payment Schemes Limited (BACS)…”

Another indication that the payments industry has failed to take on board the issue of direct debit fraud can be seen on the website of UK Payments Administration Ltd. In answer to a Freedom of Information enquiry the FSA wrote:

“We do not hold any information on the level of direct debit fraud. This is because the FSA does not collect data on direct debit fraud as it is collected by UK Payments Administration Ltd. Their latest statistical release is available on their website at the following link:”

However I can find no statistics on Direct Debit fraud on that site.

So what is it like to be a customer facing the fact that fraudsters have caused money to leave your account? In 2009 Snowdonia Tourist Services found out.

“A TOURISM agency lost hundreds of pounds after fraudsters set up fake direct debits to take cash from its accounts.

In the last two months the accounts of Snowdonia Tourist Services were plundered after three fraudulent direct debits were set up in the name of mobile phone companies.

A further six direct debits were set up in the names of publishing companies to take cash from the accounts of STS, which is based in Porthmadog.

The agency is Tourist Board accredited and has more than 150 holiday cottages and apartments on its books… But STS’s company directors said they’d never authorised any of the direct debits…

The family has been reimbursed with cash taken in two of the cases through the bank’s guarantee scheme. But they say they’ve been let down by the authorities and have been left with no protection against the same thing happening again, as [the bank] does not inform customers about new direct debits…”

An STS director added, “If you notice an odd direct debit and ask the bank to explain, you’re given the phone number of the company to start sorting it out yourself. Once you’ve convinced that company that you’ve not set up the direct debit, you have to phone the bank back to arrange an indemnity refund.” – hardly in the spirit of the Guarantee. BUT even that is better than the service faced by a customer of one building society who didn’t recognise a direct debit in favour of an organisation referred to as DNTC. When she asked what the initials stood for the call centre operator said he couldn’t identify the name of the organisation ‘try google’. How is that compatible with the Direct Debit guarantee?

The only advice the family received from their bank was to keep checking their accounts – not entirely straightforward in their case, as I found out when I phoned them recently. There are an awful lot of transactions to check and (as is the case with my bank statements) there is no reference number to identify the agreement – only the name of the service user – so if you have more than one genuine direct debit with one company then it gets complicated.

STS also asked the bank not to allow any future direct debits on their account. The answer was that it was not possible, nor was it possible for STS to be informed when a new direct debit was set up.

I asked Bacs whether it was open to a participating bank to institute better security checks. They replied, “The scheme does not dictate to banks what procedures they might want to adopt particular [sic] in regard to fraud…”

Bacs also wrote, “Direct Debit service users must take reasonable precautions to validate that the payer is who they say they are in order to mitigate against instances of error and fraud occurring.” I am sure they do their best; after all it seems they often take the hit for fraud.

But who is best able to do this, the service user or the bank which has special passwords to verify the customer’s identity?

It seems to me that the banking industry has had its own way for far too long, pushing all the problems onto customers and ‘service users’. There is a simple remedy. Customers should be required to confirm new direct debit arrangements with their bank, and banks should be forbidden from acting on direct debit instructions until this is done. This should make fraud much harder.

Are there any groups representing the interests of the latter two groups? It would seem not.

There is UK Payments Administration Ltd (formerly APACS (Administration)). This is a private limited service company providing people, facilities and expertise to the UK payments industry. Their website claims ‘2011 fraud losses continue downward trend (7 March 12)’. However, when I followed this link I was unable to find any reference to direct debit fraud.

There is the Payments Council which is a private company limited by guarantee of its members. It is a voluntary membership organisation governed by published rules. Voting rights are restricted to Payment Service providers. The Bank of England is an observer member.

You would think that if there were any significant user groups one of the above would refer to them, but they do not.

Can the FSA or the OFT help? Probably not, but that’s my next enquiry.

Fraud is not all you have to worry about. Regrettably but predictably, I believe that some of the companies you deal with will try to impose unfair contracts on you. For example they reserve the right to change their terms of service, and use this to retrospectively introduce swingeing cancellation charges. A court would probably agree this is an unfair contract, but of course you need evidence of what the terms of service were when you entered into the contract. How many people keep this? These companies will make life harder for you by wrongly taking money out of your account using a direct debit agreement. The trouble is that although I have heard of a number of instances of this, I have no documentary evidence and so cannot be more specific.

Finally, moving a little off topic, just to point out the dangers of RFID-enabled credit cards, see, and the video at which explains how you can hack a credit card with a reader bought on eBay for $8. True, you can protect against this somewhat by keeping your cards in steel wallets, or wrapped in cooking foil, but what if someone is behind you in a supermarket or ATM queue with one of these readers?
