Imagine that you are opening a bank account online, and you are presented with the following tick box:
- Allow large businesses to debit arbitrary sums of money from your account without your authorisation.
Call me old-fashioned, but I doubt that anyone would tick that box. But for UK accounts, the equivalent of that box exists, and it is ticked by default. It’s known as the “AUDDIS” system and the chances are that it got used when you gave the phone company your sort code and account number to set up a direct debit for your broadband or mobile contract. The phone company transferred the information to your bank via AUDDIS and was then enabled to take direct debit payments from you.
Or not. Last week, Hearst Newspapers set up a direct debit for our company account. The trouble is, I had no prior contact with Hearst Newspapers. Either someone miskeyed our account number or it was a fraud attempt – I have no way of knowing which, and neither does my bank, HSBC, whose employee told me that they had no knowledge of how the direct debit was set up, because they just receive the AUDDIS data from Hearst.
Here’s what Bacs, the providers of AUDDIS, have to say about it:
“AUDDIS automates the transfer of Direct Debit Instructions from collecting organisations to the paying banks and building societies via the Bacs service. The organisation keeps the original signed Instruction and electronically sends the details to the customers’ bank to validate and, if accepted, set up the Instruction on its database.
“By automating the exchange of Instruction details between organisations and banks, manual handling is reduced leading to fewer errors. Instruction details are processed faster and more efficiently, eliminating the need for the customer’s bank to re-key the details.”
The problem is that the system also eliminates the customer’s bank from the process of performing basic security checks, such as checking that the name given when the direct debit was set up actually matches the name on the account. Assuming that my case was one of error rather than fraud, I think it’s highly unlikely that someone else took out a magazine subscription in the name of “Bachtrack Ltd”, and I feel strongly that HSBC should have been able to check this.
If you ask your bank about this, they are likely to tell you that you shouldn’t worry because “direct debits are covered by the Direct Debit Guarantee.” Beware, however: the Direct Debit Guarantee will not necessarily behave in the way you hope it does.
For a start, the Guarantee only applies to direct debit mandates that you have set up: it does not apply to mandates fraudulently set up by someone else. Of course, the vendor has a legal obligation to refund your money, but it could easily take you many hours of negotiating a large company’s opaque telephone systems in order to persuade them to do so. In our case, had the direct debit gone through, HSBC would have been perfectly at liberty to refer the problem to their fraud department and keep us waiting more or less indefinitely while their investigation was in progress.
Even for legitimate direct debits where the Guarantee applies, the terms are very much weighted towards the vendor and away from the consumer. The wording states that “If an error is made in the payment of your direct debit … you are entitled to a full and immediate refund of the amount paid from your bank or building society”. That sounds fine until you realise that it’s conditional on the bank agreeing that an error has been made: it’s not enough simply for you to tell them. And even if the bank agree that there has been an error and process your refund, there’s nothing to stop your vendor simply taking the payment again – until you actually cancel the entire mandate. And even that may not save you: in one case that came before the Financial Ombudsman, the bank processed a large payment the day after the mandate had been cancelled, but the ombudsman found in the bank’s favour because the consumer had signed terms and conditions permitting the payee to take money from his account. If, like most of us, you don’t read the small print before ticking the “I agree to the licence terms” box, you’re vulnerable.
So what should you do about this? I’ve done my best by instructing HSBC to refuse all direct debits not explicitly authorised by me. They haven’t obeyed this to the letter – in the case of Hearst Magazines, they notified me but said that if the payment was OK, I didn’t need to take any action – but at least it’s a step in the direction of self-protection. I suggest you ask your bank to accept the same instruction, and see what they say. At least, you’ll know what you’re up against.