by lxgr 1172 days ago
> Every bank check lists the bank account number, which serves as the only information needed for a party to issue a request to withdraw money from that account.

The same principle (i.e. knowing an account number means being able to debit it) works surprisingly well in many European countries for direct debits, and the account number is considered even less of a secret than it is in the US. For example, many freelancers routinely print it on their invoices sent out to clients, have it as part of their e-mail signature, or even prominently feature it on their website.

What makes it work is that, under the SEPA Direct Debit framework, the risk of fraud and insufficient funds is 100% on the party initiating the direct debit. An accountholder can literally click a button on their bank's app or website and they get the funds back immediately, no questions asked, within 8 weeks of the original debit date.

This, in turn, means that it is in the initiating party's self-interest to only accept this form of payment in high-trust situations, and not just as a low-fee replacement for credit and debit cards that shifts some amount of fraud risk to the accountholder or their bank.


> What makes it work is that, under the SEPA Direct Debit framework, the risk of fraud and insufficient funds is 100% on the party initiating the direct debit.

It also helps that the accountholder has to allow each party that will debit money from their account. By default, those requests are denied.

AFAIK, the US works the other way around.

> AFAIK, the US works the other way around.

"Positive pay" is available for checking accounts in the US, though I've never heard of it used outside of business accounts, and only then by request (and probably extra fees).

> By default, those requests are denied.

This depends on your bank, mine allows them by default.

Which European bank is it?

> By default, those requests are denied.

That's not the case in Germany, at least.

Banks don't need a SEPA mandate to allow a direct debit?

The SEPA mandate is between the parties in the transaction. While banks require their existence, it is usually not shared with the banks involved.

So only a creditor ID is needed if someone has a set of IBANs and then things will be processed?

A creditor ID and a direct debit agreement with some bank, yes. After you have those, (usually) the banks won't verify individual transactions.

Do you mean that if I know a German bank account number I can just withdraw money for me?

Be right back, asking some German friends for their bank account numbers.

Jokes aside, you're probably wrong. There's NO way I can just pull money from their bank account just by knowing their bank account number.

As a person you can only send them money. As a business you can initiate a direct debit which withdraws money. However you are attesting that they signed a direct debit agreement with you and provided their account number and agreed on the amount to pay.

This is the same as a credit card - you can charge any card with just the number and a couple of basic details, however if there's a complaint "I found these CC details on a random website" isn't accepted, you need to show the card holder agreed to the charge. If you don't provide the evidence the transaction is reversed.

That is usually not how credit cards work anymore. Sure, you can try to charge any card but if it is issued by a European bank it will very likely be denied and you will be asked to do a Strong Customer Authentication.

Same applies to SEPA direct debit. Here in Sweden most (all?) banks require the customer to sign digitally before any direct debit mandate is created.

That's a distinction without a difference.

I obviously don't care about people sending me money, I care about people requesting money from me.

Individuals can't do it and business can only <<ask>> for money, that's different.

Yes, if you set up a direct debit agreement with a bank you can do that. If you'd actually try what you suggest it will be revoked quickly and charges filed as your identity is known.

> Jokes aside, you're probably wrong.

What GP says is accurate.

> Do you mean that if I know a German bank account number I can just withdraw money for me?

You most likely can't, because if you have to ask this you don't have an agreement with a SEPA Direct Debit originating bank that lets you :)

And even if you decide to open one now: Given the risks involved for the originating bank, they will heavily scrutinize your business case and demand considerable collateral and/or payout time limits.

Yes, yes you can. Name + IBAN is all you need to enter even large recurring payments.

I don't believe that.

Let's say I have account number 1234 and my name is John Doe.

You're telling me that, no strings attached, no repercussion, Mike Hacker can set up a large recurring payment from my account, without my approval?

I'd need solid proof of how that would work.

Yes. That is a thing that can be done, here’s Stripe’s documentation on how to set up a Direct Debit mandate: https://stripe.com/docs/payments/payment-methods/bacs-debit?...

The thing that’s being missed here is that direct debits can be disputed in the same way a credit card payment can, and by default the customer wins. Their money will be refunded immediately by the bank, who will then go after you to get it back.

Most importantly, you need a bank that will let you submit any DD requests.

This does have a minor drawback on the service provider side as allowing people to sign up for a service with direct debit is hard to get right, so many services prefer to offer credit card payment even if it is more expensive. There is no way for you to verify that a person signing up is actually the account holder save for doing the "we debited 1c on your account" thing, which takes a few days.

Yes, and that's arguably by design. If you need confirmation of funds, cardholder/accountholder authentication, and a dispute mechanism that doesn't side with the customer in 100% of scenarios, SEPA Direct Debit is probably not the payment method you want.

> the "we debited 1c on your account" thing

This doesn't actually work with SEPA Direct Debits, since there is no such thing as "disputing a reversal" or "compelling evidence": If the accountholder says "funds back, please", the involved banks have to oblige.

In fact, direct debits are so reversible/non-final that it's SOP for bankruptcy managers to claw back all of the last 8 weeks' worth of direct debits drawn on a bankrupt person's or entity's account, which can be quite surprising for debtors.

In other words, it's possibly a better mental model to think of direct debits as a request for a wire in 8 weeks that gets earmarked for approval by default if enough funds are present, but that accountholders can cancel at any point in time, as far as finality (but not liquidity) is concerned.

The main problem is that if the service provider has no proof that they legitimately had a contract signature, the account holder can reverse the transaction for much longer.

> What makes it work is that, under the SEPA Direct Debit framework, the risk of fraud and insufficient funds is 100% on the party initiating the direct debit.
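The liability model the thread keeps circling back to (the debtor bank checks only that the creditor is enrolled and that the IBAN is well-formed, never the mandate; the accountholder gets an unconditional refund within 8 weeks; a debit with no mandate behind it stays reversible for much longer), written out as a small runnable model. This is an added example, not code from any commenter or from Stripe. The IBAN check digits follow ISO 7064 mod 97-10, which is real; the 13-month limit for unmandated debits, the creditor ID string and all balances are my assumptions, constructed for the demo.

```python
"""Toy model of SEPA Direct Debit liability (added illustration, a simplification
of the real rulebook).  It shows that a creditor needs only an IBAN plus a direct
debit agreement to pull funds, and that the debtor's refund rights, not secrecy of
the account number, are what keep that safe.  The 13-month window for debits with
no mandate is an ASSUMPTION, not something stated in the thread."""
from dataclasses import dataclass, field
from datetime import date, timedelta


def iban_valid(iban: str) -> bool:
    """ISO 7064 mod 97-10 check: the only structural check applied to the debtor IBAN."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s.isalnum():
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # A=10 ... Z=35
    return int(digits) % 97 == 1


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic; day clamped to 28 to sidestep month-end edge cases."""
    y, m = divmod(d.month - 1 + n, 12)
    return d.replace(year=d.year + y, month=m + 1, day=min(d.day, 28))


NO_QUESTIONS_WINDOW = timedelta(weeks=8)  # from the thread
UNAUTHORISED_MONTHS = 13                  # assumption (not stated in the thread)


@dataclass
class Mandate:
    """Held by creditor and debtor only; never transmitted to either bank."""
    creditor_id: str
    debtor_iban: str
    reference: str


@dataclass
class Debit:
    creditor_id: str
    debtor_iban: str
    mandate_ref: str
    amount: int  # cents
    value_date: date
    refunded: bool = False


@dataclass
class Scheme:
    balances: dict   # iban -> cents (constructed)
    creditors: dict  # creditor_id -> settlement iban, i.e. who holds a DD agreement
    debits: list = field(default_factory=list)

    def collect(self, creditor_id, debtor_iban, mandate_ref, amount, value_date):
        if creditor_id not in self.creditors:
            raise PermissionError("no direct-debit agreement with any bank")
        if not iban_valid(debtor_iban):
            raise ValueError("malformed IBAN")
        if self.balances.get(debtor_iban, 0) < amount:
            raise ValueError("insufficient funds: debit returned")
        # Nothing here looks at the mandate; the creditor's claim is taken on trust.
        self.balances[debtor_iban] -= amount
        self.balances[self.creditors[creditor_id]] += amount
        debit = Debit(creditor_id, debtor_iban, mandate_ref, amount, value_date)
        self.debits.append(debit)
        return debit

    def refund(self, debit, today, creditor_mandates):
        """Debtor asks for the money back; creditor_mandates is what the creditor can show."""
        if debit.refunded:
            return "already refunded"
        if today - debit.value_date <= NO_QUESTIONS_WINDOW:
            outcome = "refunded: no questions asked"
        elif today <= add_months(debit.value_date, UNAUTHORISED_MONTHS):
            if any(m.debtor_iban == debit.debtor_iban and m.reference == debit.mandate_ref
                   for m in creditor_mandates):
                return "denied: creditor produced a mandate"
            outcome = "refunded: unauthorised, no mandate"
        else:
            return "denied: refund window closed"
        self.balances[debit.debtor_iban] += debit.amount
        self.balances[self.creditors[debit.creditor_id]] -= debit.amount
        debit.refunded = True
        return outcome


def demo():
    debtor = "DE89370400440532013000"  # the standard example IBAN; balance is constructed
    creditor_id, creditor_acct = "DE98ZZZ09999999999", "GB82WEST12345698765432"  # assumed
    s = Scheme(balances={debtor: 100_00, creditor_acct: 0}, creditors={creditor_id: creditor_acct})
    mandate = Mandate(creditor_id, debtor, "MND-001")
    results = {}
    # 1. Knowing the IBAN alone gets a stranger nothing: no agreement, no collection.
    try:
        s.collect("XX00ZZZ00000000000", debtor, "none", 10_00, date(2024, 1, 10))
        results["stranger"] = "collected"
    except PermissionError as e:
        results["stranger"] = str(e)
    # 2. Enrolled creditor with a real mandate; the debtor still gets an unconditional refund in week 6.
    d1 = s.collect(creditor_id, debtor, "MND-001", 30_00, date(2024, 1, 10))
    results["early_refund"] = s.refund(d1, date(2024, 2, 20), [mandate])
    # 3. Enrolled creditor with NO mandate (IBAN harvested from an invoice): the bank pays out,
    #    but the creditor cannot defend the debit when the debtor disputes it months later.
    d2 = s.collect(creditor_id, debtor, "FORGED", 30_00, date(2024, 1, 10))
    results["late_unauthorised"] = s.refund(d2, date(2024, 6, 1), [mandate])
    # 4. Same late dispute, but the creditor can show the mandate: only now is the debit final.
    d3 = s.collect(creditor_id, debtor, "MND-001", 30_00, date(2024, 1, 10))
    results["late_with_mandate"] = s.refund(d3, date(2024, 6, 1), [mandate])
    results["debtor_balance"] = s.balances[debtor]
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: `collect` never touches a `Mandate`, so the only thing standing between an enrolled creditor and anyone's balance is `refund`, and for the first 8 weeks that refund does not even consult the creditor.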

Additionally, you need to have a direct debit agreement with your bank to be able to initiate a direct debit. You need to show at least some legitimate banking history (and a government-issued ID) to get one, and they come with limits on how many and how much you can debit per period, and your bank will terminate the agreement if your reversal rate is higher than normal.

At least with my bank, and I think most banks here in Sweden, I need to approve people before they can make direct debits.

How do you approve a payee with your bank? At the time you grant them permission to debit your account, or at the time of the first payment?

There is no technical channel for the former within the SEPA Direct Debit framework (i.e. the first time the payer's bank learns about a mandate is with the first direct debit), so I'm wondering if this is a different/domestic direct debit scheme.