SEPA: Increasing Direct Debit Risk?

Treasury management, whether in banks or business, is about the fulfilment of concrete objectives while managing myriad risks – a job that the single euro payments area (SEPA) is designed to make cheaper and easier. The anticipated result is that fewer and better processes will mean fewer ‘mechanical’ risks and a more centralised view of treasury risk. However, it also means the emergence of a greater magnitude of threat to businesses, payment institutions and banks in terms of their exposure to fraud losses and disrupted payments.

SEPA Direct Debits (SDDs) continue to cause misgivings in treasury departments, transposing a borderless national model to a market that remains stubbornly international. The risks, in respect of individual payments, are superficially similar. However, on an international scale, the ‘what ifs?’ are bigger.

For example, the core Pan-European Direct Debits (PEDDs) scheme offers a refund window extending to 13 months for unauthorised deductions, much like national systems, while the business-to-business (B2B) scheme offers less by way of rectification in cases other than straight, unauthorised transactions. In either set-up, it is arguable that this magnifies the cash-flow uncertainty inherent in any guaranteed direct debit system, now on an international scale: a collection that a creditor has treated as settled can be pulled back many months later. Wide-ranging, deterministic mechanisms for redress are a laudable, necessary part of any scheme, but they may place an increased burden on both banks and business service users in the event of systemic events.

Secondly, the PEDD scheme is designed to operate on the basis of existing inter-institutional trust. There is nothing in the scheme that necessarily obliges banks to verify the creditor submitting a collection or, indeed, the mandates underlying it. Even where electronic mandates (e-mandates) are provided for, the bank has the option, without obligation, of running a check with the customer.

The potentially toxic ingredient in the mix is the nature of much high-level payments crime. All that is required by a fraudster is a set of bank details, name and address for any European citizen or organisational signatory. This is a set of details that is subject to regular compromise: all it takes is for a bank statement to be lost in the post. More to the point, these details are regularly lost in batches, as backup or data processes go awry. Indeed, there should be no doubt about this second point: data loss in the financial services and retail context is still characterised by mass compromise and the subsequent sale of data in batches, often priced according to account balance (which is how, incidentally, banks identify many such incidents). The risk seems set to become more complex as a series of newly approved payment institutions, many offering novel authentication methods and technologies (voice signatures and the like), crowd the market in 2010. In infosecurity terms, more data transactions, novel technology and systemic complexity inevitably mean more new risks, regardless of these organisations' admission to card issuers' networks.

What this adds up to is an environment where the risk of mass compromise is increased and the principle of guaranteed payments is weakened. A mistake or data breach in respect of direct debits could have a huge financial impact. As a Europe-wide system emerges, the magnitude of the risk is increased. Fraud arising from direct debit compromise was, even pre-SEPA, responsible for around 10% of UK account identity fraud. With the emergence of a Europe-wide infrastructure, direct debit crime must now be treated as a commercial and even systemic risk. According to research commissioned by NICE Actimize, 20% of businesses in the automated clearing house (ACH) system, which forms the nearest analogue to SEPA in terms of scale and technology, are aware of having fallen victim to fraud via ACH transfers.

The Response

The response of businesses, in light of the US ACH experience, has been predictable. More than half of businesses would be willing to switch their custom to a financial institution if it could provide better fraud prevention than their current provider. Businesses overwhelmingly (85%) demanded that banks should provide the same level of customer transactional risk monitoring to businesses as they do to consumer accounts. That means that every irregular or seemingly innocuous direct debit that fits into a suspicious, broader pattern of transactions or poses a statistically identifiable risk – probably invisible to the counterparty – would trigger a request for review.

Given that the capability already exists for incorporating multi-channel transactional data, we can expect market pressures to be brought to bear. It’s unavoidable that PEDD has already hit and will continue to hit bank revenues, simply because of investment required and capped fees. Service users know they’ll pay a heavy price if unauthorised mandates are not proactively identified and stopped by banks. The efficient processing of outbound ‘R’ transactions – returns, reversals, rejections and refunds – will also be a major evolutionary control for banks.

Joined Up Treasury – Joined Up Threats

One of the most noticeable trends in financial crime is that transactions are increasingly likely to be only one aspect of a single financial crime. So, for example, where an illegal transaction might hitherto have been set up via a (potentially unwitting) third party to an illicit recipient or a proxy, these days, sophisticated techniques are now employed to enable the transfer of money through channels such as securities markets. Banks, regulators and financial businesses are, nonetheless, historically very vigilant about potential individual vectors of financial crime. So, for example, card payments are heavily protected by hardware, software and surveillance, to guard against the relatively simple risk of card fraud or cloning. The same may be said of the payments industry where account holder names and accounts are routinely matched against potential illicit recipients of funds, in order to prevent money laundering or sanction-busting: indeed one of the stated aims is to improve surveillance.

Yet while both European payment institutions and payees remain relatively aware of the increase in consumer-focused direct debit attacks (even pre PEDD) across different vectors, the same cannot be said of all participants in respect of the anticipated rise in the risk and complexity of inter-institution or B2B payments fraud. A transfer that is in all other respects legitimate may present a risk that is only apparent in the context of other aspects of customer or counterparty behaviour or transactions.
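The monitoring described under The Response, and the point made just above that a collection which is legitimate on its own terms may only look wrong in the context of other accounts, can be shown concretely. The following is an added illustration, not code from the original article nor from any bank, scheme or vendor: it contrasts a per-account view of SEPA Direct Debit collections (what a single debtor or its bank sees) with a cross-portfolio view that groups collections by creditor and looks for the shape a monetised batch of compromised bank details produces. All creditor identifiers, IBAN-like strings, mandate references, amounts, dates and thresholds are constructed assumptions, not real parties or scheme rules.

```python
"""Per-account versus cross-portfolio monitoring of direct debit collections.

Added example; every record, identifier and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median


@dataclass(frozen=True)
class Collection:
    ref: str            # end-to-end reference (constructed)
    creditor_id: str    # creditor identifier (constructed, not a real creditor)
    mandate_ref: str    # mandate reference (constructed)
    debtor_iban: str    # IBAN-like string, constructed for the example only
    amount: float       # EUR
    sequence: str       # "FRST" = first collection under a mandate, "RCUR" = recurring
    on: date            # collection date


def per_account_flags(history, new):
    """Single-account view. Flags only an amount far outside what this creditor
    has previously collected from this account. A small first collection under a
    fresh mandate never trips it, which is exactly the fraud pattern's strength."""
    prior = [c.amount for c in history
             if c.debtor_iban == new.debtor_iban and c.creditor_id == new.creditor_id]
    if len(prior) >= 3 and new.amount > 3 * median(prior):   # 3x median: assumed threshold
        return [f"{new.ref}: amount {new.amount:.2f} > 3x median {median(prior):.2f}"]
    return []


def portfolio_flags(collections, window_days=7, min_accounts=20, first_share=0.8):
    """Cross-account view. For each creditor, look for a burst of FIRST
    collections against many distinct debtor accounts inside a short window,
    with almost no recurring business behind it. Thresholds are assumptions."""
    by_creditor = defaultdict(list)
    for c in collections:
        by_creditor[c.creditor_id].append(c)
    flagged = {}
    for cid, items in by_creditor.items():
        firsts = sorted((c for c in items if c.sequence == "FRST"), key=lambda c: c.on)
        if not firsts or len(firsts) / len(items) < first_share:
            continue            # an established creditor is mostly RCUR traffic
        lo = 0
        for hi in range(len(firsts)):          # sliding date window over FRST collections
            while (firsts[hi].on - firsts[lo].on).days > window_days:
                lo += 1
            window = firsts[lo:hi + 1]
            accounts = {c.debtor_iban for c in window}
            if len(accounts) >= min_accounts:
                amounts = {c.amount for c in window}
                flagged[cid] = (f"{len(accounts)} first collections on distinct accounts "
                                f"within {window_days} days; {len(amounts)} distinct amount(s)")
                break
    return flagged


def review_queue(collections, **kw):
    """References to hold for review: union of the two views."""
    bad_creditors = portfolio_flags(collections, **kw)
    held = set()
    for c in collections:
        others = [o for o in collections if o is not c]
        if c.creditor_id in bad_creditors or per_account_flags(others, c):
            held.add(c.ref)
    return sorted(held)


def constructed_sample():
    """Constructed collections: one established creditor, one abusive creditor."""
    base = date(2010, 3, 1)
    utility, abuser = "DE98ZZZ09999999999", "FR12ZZZ123456"   # constructed IDs
    rows = []
    for i in range(40):          # long-standing mandates, recurring collections
        rows.append(Collection(f"UTIL-{i}", utility, f"M-{i}",
                               f"DE89370400440532013{i:03d}", 45.0 + i % 5,
                               "RCUR", base + timedelta(days=i % 7)))
    for i in range(2):           # a normal trickle of genuinely new customers
        rows.append(Collection(f"UTIL-NEW-{i}", utility, f"M-N{i}",
                               f"DE8937040044099990{i:02d}", 47.0, "FRST", base))
    steady = "DE44500105175407324931"   # one account with history, then an outsized pull
    for k in range(3):
        rows.append(Collection(f"UTIL-H{k}", utility, "M-H", steady, 45.0,
                               "RCUR", base - timedelta(days=30 * (k + 1))))
    rows.append(Collection("UTIL-OVER", utility, "M-H", steady, 240.0, "RCUR", base))
    for i in range(30):          # same creditor, first collection on 30 accounts in 3 days
        rows.append(Collection(f"X-{i}", abuser, f"F-{i}",
                               f"FR7630006000011234567890{i:03d}", 19.90,
                               "FRST", base + timedelta(days=i % 3)))
    return rows


if __name__ == "__main__":
    rows = constructed_sample()
    for cid, why in portfolio_flags(rows).items():
        print(f"creditor {cid}: {why}")
    print("held for review:", review_queue(rows))
```

Each victim account in the sample sees a single EUR 19.90 first collection under a new mandate, which no per-account rule can reasonably refuse; only the creditor-level grouping reveals that the same creditor identifier hit twenty or more unrelated accounts with an identical amount inside a few days. The outsized utility collection is the opposite case: invisible at portfolio level, obvious against that one account's history. A real deployment would replace the fixed thresholds with rates calibrated on the bank's own R-transaction history, which the page identifies as a control in its own right.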

Treasuries – in both companies and financial institutions – are not immune, being both a potential ‘victim’ of fraud – particularly where a guaranteed instrument is in use – and an example of only one of the channels through which illicit transactions can be routed.

What does this mean in practice? Banks, and even service users, stand to suffer more painful consequences in the event of large-scale failures or fraud, both in terms of treasury management and customers. In the absence of strengthened verification, banks and institutional service users need to have a centralised view of operational risk factors across business areas – including the apparently safe territory of direct debit.
