Have it Your Way!

Have it Your Way!

The EPC e-Mandate option: a secure way to authorise a SEPA Direct Debit payment

20 April 12

Share This
Different models exist in the today with regard to the mandates used to authorise a direct debit collection

With a mandate the payer (debtor)1 authorises a biller (creditor) to collect payment by direct debit. At the same time the mandate authorises the payer's bank (debtor bank) to debit the payer's account when a direct debit collection is presented.

The pre- direct debit models existing on national level today fall into two broad categories as regards the process of issuing a mandate:

  1. The "creditor-driven" mandate flow: (1) the payer (debtor) completes and signs a paper-based mandate and (2) sends it directly to the biller (creditor). The biller (creditor) is responsible for storing the original mandate, together with any information regarding amendments relating to the mandate or its cancellation. In this scenario, the payer's bank (debtor bank) does not receive any mandate-related information from its customer nor is the payer's bank (debtor bank) responsible for checking the right of a biller (creditor) to collect payment from a payer's account. This model is used in a large number of Member States today.
  2. The "debtor-driven" mandate flow: (1) the biller (creditor) informs the payer's bank (debtor bank) that the payer (debtor) indicated to wish making payments by direct debit; (2) the payer's bank (debtor bank) then issues the actual mandate and informs the payer (debtor) accordingly; e.g. the mandate stays with the payer's bank (debtor bank). When a biller (creditor) presents a direct debit collection to the payer's bank (debtor bank), the payer's bank (debtor bank) might choose to check the authorisation of the biller (creditor) to collect payment based on the mandate.
The Direct Debit Schemes are based on the creditor-driven mandate flow

The Direct Debit Schemes ( ) are based on the first model; e.g. the creditor-driven mandate flow. The Schemes thus build on the same business assumptions and basic trust between the parties involved as the established pre- , national direct debit model used for decades in a large number of Member States. To protect the payer (debtor) from unwanted debits to his account, the Core Direct Debit Scheme - exceeding the requirements of the Payment Services Directive (PSD) - grants payers (debtors) a "no-questions-asked" refund right during the eight weeks following the debiting of a payer's account: during this time any funds collected by Direct Debit will be credited back to the payer's account upon request. In the event of unauthorised direct debit collections, the payer's right to a refund extends to thirteen months as stipulated in the PSD.

The timelines underlying  a direct debit collection as defined in the current version of the Core Direct Debit Scheme Rulebook allow the payer's bank (debtor bank) to offer services presently offered in some EUcountries; e.g. verification of mandates by the payer's bank (debtor bank). To give even more comfort to those bank customers who are used today to the debtor-driven mandate flow, the will also deliver an optional "New Mandate Check" functionality to be included in the next release of the Direct Debit Scheme Rulebooks to be published in November 2010. The "New Mandate Check" functionality provides an extended timeline for the optional verification of mandate information by the payer's bank (debtor bank) thus increasing its ability to widen its mandate management in relation to its customers. This feature could also serve as basis for banks and communities of banks to develop further Additional Optional Services (AOS) building on this functionality and facilitating migration from legacy direct debit systems to the Direct Debit.

Last but not least: payment service providers servicing billers (creditor banks)) must ensure that only trustworthy billers (creditors) are able to collect payments via Direct Debit. This is also in the interest of banks as they would have to cover any losses resulting from fraudulent and / or erroneous direct debits.

The e-Mandate option in the Direct Debit Schemes: meeting the needs of payers used to a debtor-driven mandate flow

To help in meeting the preferences of payers (debtors) living in those Member States currently applying the debtor-driven mandate flow, the option to create mandates through the use of electronic channels - called e-Mandates - was included in the Direct Debit Schemes. The e-Mandate option in the Direct Debit provides an additional means of authorising direct debit collections. The e-Mandate solution is based on secure, widely used online banking services offered by banks today. The e-Mandate solution is an optional service supported and offered by banks to their customers.

The e-Mandate: advantages for payers (debtors) making payments by Direct Debit

When issuing an e-Mandate, payers (debtors)can re-use their online banking credentials or other bank-provided electronic access channels for completing the mandate online with the biller (creditor). No additional means of identification are necessary. When issuing an e-Mandate, the payer (debtor) wishing to pay by Direct Debit avoids the inconvenience of printing, signing and mailing a paper form to the biller (creditor) by using a fully electronic process instead.

When a payer (debtor) issues an e-Mandate, the mandate information stays directly with the payer's bank (debtor bank). Thus the payer's bank (debtor bank) has the option to verify the authorisation of a direct debit collection presented by a biller (creditor) - as is the case today in those Member States using pre- direct debit models based on the debtor-driven mandate flow.

The e-Mandate: advantages for billers (creditors) collecting payments by Direct Debit

The inclusion of the e-Mandate feature in the Direct Debit Schemes offers a variety of benefits for billers (creditors) as well: the solution allows fully automated end-to-end processing of e-Mandates including issuing, amendment and cancellation of such mandates while the collection process stays the same as defined in the Schemes. The e-Mandate is agreed on in a secure way; the confirmation of the payer's  right to access the account indicated by the payer (debtor) to the biller (creditor) is confirmed by the payer's bank (debtor bank). In addition, the e-Mandate process allows automatic storage and retrieval of e-Mandate data.

The e-Mandate: advantages for banks offering Direct Debit services

The e-Mandate option increases the attractiveness of Direct Debit services offered by payers' banks (debtor banks) servicing payers (debtors) making payments by Direct Debit and by billers' banks (creditor banks) servicing billers (creditors) collecting payment by Direct Debit. Payers' banks (debtor banks) can offer additional mandate management services to their customers based on the e-Mandate option.

The e-Mandate process: this is how it works

Banks offering Direct Debit services may choose to act as a payer's bank (debtor bank) or as a biller's bank (creditor bank) or in both roles when offering the e-Mandate related services. Billers (creditors) are free to use this process when offered by the biller's bank (creditor bank). Payers (debtors) making payment by Direct Debit  are free to use this process provided that the e-Mandate option is supported both by their bank (debtor bank) and by the biller (creditor) and biller's bank (creditor bank) involved in the e-Mandate to be issued.

Typically, issuing an e-Mandate takes place in the following manner: a payer (debtor) such as a consumer, for example, chooses to purchase goods or services from a service provider, i.e. a utility company. The service provider; e.g. the biller (creditor), offers the payer (debtor) the option to pay by Direct Debit and to authorise the Direct Debit collection(s) based on an electronic mandate. In a first step, the payer (debtor) must enter all the required data including the Bank Identifier Code (BIC) of his own bank (debtor bank) on the biller's website. The biller (creditor) then submits the e-Mandate proposal to the payer's bank (debtor bank).

At the same time, the payer (debtor) is routed from the biller's website to the website of his own bank (debtor bank). The payer's bank (debtor bank) validates the BIC and the payer chooses the IBAN (International Bank Account Number) of the account that shall be debited. In addition, the payer's bank (debtor bank) verifies the payer's account access rights: the payer (debtor) must identify and authenticate himself with his online banking credentials as agreed with his bank. After successful authentication, the payer (debtor) confirms the e-Mandate to his own bank (debtor bank). This last step of confirming the e-Mandate is essentially equivalent to the signing of a paper-based mandate. The payer (debtor) is then routed back to the biller's website.

In addition, the payer's bank (debtor bank) delivers the "signed" e-Mandate to the biller (creditor). The biller's website acknowledges the receipt of the e-Mandate and confirms this to the payer (debtor). Moving on, biller (creditor) and payer (debtor) exchange goods or services and payments as agreed.

Multiple signatories of e-Mandates in the business-to-business environment

The example given above illustrates the process taking place when a consumer issues an e-Mandate. The e-Mandate option is also available to businesses purchasing goods and services from other businesses and who wish to make related payments by Direct Debit. In the business environment, however, authorisation of a payment usually requires the sign-off by several persons.

The Business to Business Direct Debit Scheme Rulebook version 2.0 ( ) to take effect in November 2011 includes the option to provide authorisation by several persons with a mandate issued electronically whilst increasing the timeline for the payers' bank (debtor bank) to verify the authenticity of an electronic mandate featuring multiple signatures.

The bottom line is: the e-Mandate option included in the Direct Debit Schemes enables payers' banks (debtor banks) to emulate the services that payers (debtors) are accustomed to who live in countries where pre- direct debit models are based on the debtor-driven mandate flow.

The e-Mandate option will also be included in the new optional Direct Debit Fixed Amount Scheme currently being developed by the . A link to an article in the previous issue of the Newsletter providing detailed information on this new optional Scheme is included below.

The security architecture of the e-Mandates e-Operating Model

The payer's bank (debtor bank) validates the e-Mandates issued by a payer (debtor) wishing to make payments by Direct Debit either itself or through a validation service provider acting on behalf of the payer's bank (debtor bank). The routing service necessary to facilitate the communication between all parties involved in the process is supplied to the biller (creditor) by the biller's bank (creditor bank) or by one or more routing service provider(s) acting on behalf of the biller's bank (creditor bank). The biller (creditor) and his bank should have an agreement on the conditions for use of routing service(s).

The messages sent from the biller (creditor) via the routing service to the validation service of the payer's bank (debtor bank) are routed via open networks by making use of the Internet. In order to make this message exchange reliable and secure, the has defined a standard for this messaging which is called the " e-Mandates e-Operating Model". This is a high-level definition describing message flows, a data model and general requirements as regards the solution itself and the parties executing it. In addition, the detailed specifications of the e-Mandates e-Operating Model facilitate consistent implementation of the e-Mandate feature by the parties involved in the process. Last but not least, the e-Mandates e-Operating Model establishes a secure environment based on defined security requirements. The messages exchanged via the e-Mandates e-Operating Model must be compliant with the ISO 20022 standards2 set out in the e-Mandate-Service Implementation Guidelines for the Core Direct Debit Scheme and the Business to Business Direct Debit Scheme, respectively. Links to these Implementation Guidelines are set out below.

The e-Mandates e-Operating Model also spells out the requirements to be met by -approved Certification Authorities (CAs). It is the role of the -approved Certification Authorities to securely qualify legitimate validation service providers and routing service providers. The CAs will issue certificates to validation service providers and routing service providers that meet the requirements of the e-Mandates e-Operating Model. The -approved Certification Authorities provide a common trust (and hence liability) model enabling secure message flows between the validation service providers and the routing service providers facilitating the e-Mandate service. Thanks to the Certification Authorities, there is no need for the parties involved in the e-Mandate process flow to establish bilateral agreements.

The will allow any Certification Authority approved by the according to a dedicated approval process, based on well accepted international standards, to provide certificates to validation service providers and routing service providers. The public key certificates identifying -approved Certification Authorities for e-Mandate Services are published in a so called Trust-Service Status List (TSL) for e-Mandate Services. The has contracted a Trust Body to establish and publish this Trust Service List on the web site.

Any Certification Authority that wants to get -approval can submit its registration request to the with indication of its auditor. If the auditor is not yet accredited by the , the auditor must be accredited by the according to the requirements outlined in the document "Approval Scheme for Approved CAs" (a link is included below). The auditor prepares an audit report confirming that the examination was conducted in accordance with the standards and specifications published by the and the candidate CA will sign an agreement with the clarifying the liabilities between the and this CA. Once the has granted approval, the CA will be published as " -approved CA for e-Mandates" on the web site.

Enjoy secure and convenient Direct Debit - either way

The process of defining Direct Debit Schemes to suit the needs of corporate enterprises, small and medium-sized businesses, public administrations and consumers across 32 countries can be compared to designing a car: the basic model must meet key market requirements. At the same time, the Schemes must be flexible enough to include options to make suitable additions. This concept guarantees maximum choice to customers without forcing the majority of customers to buy special features they do not need. The Schemes evolve in accordance with this concept.

The inclusion of the e-Mandate option in the Direct Debit Schemes effectively illustrates this principle. The e-Mandate option caters in particular to bank customers used to pre- direct debit models that are based on the debtor-driven mandate flow. At the same time, the e-Mandate option is compatible with a direct debit process based on a creditor-driven mandate flow as established in the majority of countries today.

Bridging different payment cultures is not an easy thing to accomplish. The Direct Debit does it.

Björn Flismark is the Chair of the Information Security Support Group. Javier Santamaría is the Chair of the Payment Schemes Working Group. Ulrike Linde is a member of the e-Mandate Task Force.


Related links:

SEPA e-Mandates Storyboard for suppliers

SEPA e-Mandates Storyboard for Consumers

EPC e-Mandates e-Operating Model Detailed Specification v1.01 approved

SEPA Core Direct Debit Scheme e-Mandate Service Implementation Guidelines v 3.4

SEPA Business to Business Direct Debit Scheme e-Mandate Service Implementation Guidelines v 1.3

Approval Scheme for EPC Approved CAs

The e-Mandate Service Implementation Guidelines pertaining to the Rulebooks to take effect in November 2011 are also already available:

SEPA Core Direct Debit Scheme e-Mandate Service Implementation Guidelines v 4.0

SEPA Business to Business Direct Debit Scheme e-Mandate Service Implementation Guidelines v 2.0


Related article in previous issue:

Optional SEPA Direct Debit Scheme in the Pipeline. Additional SDD Scheme provides maximum planning security to consumers and billers (EPC Newsletter, Issue 5, January 2010)


1 The Direct Debit Scheme Rulebooks refer to the payer as the debtor and to the payer's bank as debtor bank. The biller is referred to as the creditor  and the biller's bank is referred to as the creditor bank.

2 See www.iso20022.org.

Your reactions

If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.