EU direct debit rules open to fraud, says consumer group


The potential benefits of the Single Euro Payments Area (SEPA) are in danger of being outweighed by the risks as consumer groups’ warnings fall on deaf ears, according to a letter sent by European consumers’ organisation BEUC to MEPs and diplomats yesterday (25 January).

The letter is the result of a breakdown of dialogue on security and governance between European consumers and the European Payments Council (EPC), the banking consortium that drafted SEPA. 

“The European Payments Council is creating SEPA without the end-user,” Anne Fily, head of BEUC’s legal and economic department, told EURACTIV, criticising the EPC’s bank-centric attitude. End-users are retailers, SMEs, consumers and insurance companies. 

BEUC argues that end-users’ concerns have been continually falling on deaf ears and for that reason it has left the EPC-led stakeholder forum on SEPA’s implementation. 

In addition the group is angered by the Council’s decision to revisit the “right to refund” rule, according to which a payer will be reimbursed after eight weeks in the event of fraud. 

Fily told EURACTIV that the EPC will try to seek further restrictions to this rule, which the group already deems “curative and not preventative”. 

“We have agreed to study the concerns of the end-user committee with all the attention they need,” Herman Segers, secretary-general of the EPC, told EURACTIV. But he admitted these issues have been bones of contention for over a year. 

Legally the EPC is a non-profit organisation and decisions are made during the group’s quarterly plenary involving 76 members of Europe’s banking industry. 

SEPA direct debits open to fraud 

“We have a lot of concerns regarding SEPA Direct Debit (SDD),” BEUC’s Fily told EURACTIV, underlining that SEPA’s Creditor Mandate Flow model (CMF) is “massively open to fraud”. 

In layman’s terms, the CMF prevents the debtor bank from intervening once a payment has left an account and the creditor is in full control of the transaction. 

Previously direct debits were authorised by the bill payer and the recipient, like a utility company or mobile phone operator, but not by banks. 

Under SEPA, banks will also have to authorise a payment, making it more difficult for a bill payer, for example, to prove fraud after the event and get their money back, argues Marc Rothemund from Brussels-based think-tank CEPS (Centre for European Policy Studies). 

The rules for SEPA payments are described in the EPC rulebooks and banks are supposed to commit to these rules by signing an adherence agreement. 

BIC and IBAN not enough 

One of the benefits of the Payments Services Directive, the EU’s umbrella law on harmonising payments, and of SEPA, is that payments only require an International Bank Account Number (IBAN) and a Bank Identifier Code (BIC). 

However, critics argue this is not enough information to guard against fraud. 

A case in the German high court illustrates the point, according to Marc Rothemund. 

The German court found that in order to clearly identify an account, banks would have to verify an account holder’s name and postal address on top of the IBAN and BIC. 

The German court has now been overruled by the translation into national law of the EU’s PSD, and the German national umbrella consumer group, VZBV, has warned German users to be prudent due to these changes under the PSD. 

Across the EU, SEPA direct debit has had a sluggish take-off and banks cite both cost and security concerns as reasons for the slow migration. 

“Unless a host of improvements are made, we do not see how consumers would express any interest in migrating from national Direct Debit schemes to SEPA Direct Debit,” BEUC said in yesterday’s letter. 

Europe has been on the cusp of a payments revolution since 2007, when it established a single rulebook setting the same payment standards and obligations across the 31-member EU/EEA and Switzerland. 

But the Payments Services Directive (PSD) and a voluntary payments scheme, the Single Euro Payments Area (SEPA), were given a guarded welcome by the industry and member states, and banks have been slow to implement both initiatives. 

The most significant difference between the PSD and SEPA is that the PSD applies to the 30 EU/EEA countries and Switzerland and SEPA applies to euro payments in the 16-member euro zone. 

Without the PSD, however, SEPA would have no legal basis. SEPA, which applies to eurozone countries, harmonises technical standards on domestic and cross-border direct debits and credit transfers. 

The deadline for implementing the scheme was November 2009, but six countries have needed more time so far. 

Subscribe to our newsletters