It was brought to our attention recently that businesses using Go Cardless could be leaving themselves exposed to fraudulent activity.
When you sign up to use the service, you provide your bank details. Go Cardless then passes your authorisation to the bank, the direct debit is put in place and the supplier is paid. The supplier is supposed to notify you in advance of any payment leaving your bank, although there are no physical checks in place to ensure they do. Super convenient and ultra-easy, you might think.
Sadly, anything ultra-easy is often abused, and according to Santander Bank anyone with your bank details who is a user of a Go Cardless type system can set up a direct debit on your bank account. The authorisation process to ascertain whether such a direct debit is authentic is almost non-existent.
Check out this transcript of a call with ‘Iain’ from Santander:
You: Is the email address cross-referenced to the one on the bank account?
Iain: When you provide the company with your sort code and account number, you are authorising them to set up the direct debit. They send the request to Santander and we authorise it.
You: Does that mean that anyone with the account number and sort code can set up a direct debit?
You: So, what is the security protocol that Santander has to avoid unauthorised persons setting up direct debits?
Iain: You are covered under the direct debit guarantee; however, we recommend you only give your account information to companies you trust.
You: So there isn’t any security that Santander has to follow to check with the account holder that the requested direct debit is authorised by them?
Iain: Due to the guarantee on direct debits, no.
So you may think the direct debit guarantee will be enough, but what isn’t reflected in this chat is the fact that the guarantee won’t stop the money being taken from your account in the first place; it only helps you recover it afterwards. Can you afford this to happen to your business?
Be careful where you display your bank details, and always check your bank account outgoings regularly.
Get in touch if you need any advice here on terms and conditions of your payment provider.