This guide will help you with the compliance requirements for offering SEPA Direct Debit to your customers.
This practical guide will help you with compliance requirements to create this electronic document, and offer SEPA Direct Debit to your customers on your website.
To create compliant payment pages for your customers, you will need to:
Serve your payment pages over HTTPS.
Collect your customers' first name, last name, account holder name, address, and IBAN (or local bank details).
Make sure your customers are aware that payments are powered by GoCardless (in the footer of the page).
Display the SEPA Direct Debit electronic mandate before submission.
Agree to a timeline for pre-notification.
Give the Unique Mandate Reference to the payer.
Note: The GoCardless payment pages are used as an example throughout this guide.
1) Serve your payment pages over HTTPS
Why? Ensures customer details are transmitted securely.
How? Configure your website to only accept secure (SSL) connections.
2) Collect the first name, last name, account holder name, address, and IBAN (or local details)
Why? This is the minimum information required to set up a SEPA Direct Debit.
How? Collect this information on a payment page.
The account holder name can be different from the payer’s name (for example in a B2B transaction) but you may suggest the concatenated first name and last name.
If local details are collected, they must be used to derive the customer's IBAN. And for cross-border Direct Debit collections, the customer's BIC must also be collected or derived (until November 2016).
It is recommended you collect the full address, but you may collect just your customer's city or post code.
You may also want to collect the customer's email and address, as there are notification requirements before payment is taken under a SEPA Direct Debit.
Are you collecting SEPA payments outside of EEA SEPA countries?
There are 5 non-EEA SEPA countries: Switzerland, Monaco, Mayotte, St Pierre, and Miquelon. If your business is collecting from any of these countries, it is a requirement to collect the following:
Full street address of the payer (including street name, city, and post code)
BIC code of payer’s bank
3) Make sure your customers are aware that payments are powered by GoCardless
Why? To comply with data protection law, you must let your customers know about third party data controllers that power your website.
How? You can do this by displaying the italicised text below in your page footer:
Payments by GoCardless. Read the GoCardless privacy notice.
Without that upfront notice, both your business and GoCardless could be violating the law. (Read more here.)
If adding this text to the website footer is not technically possible, at a minimum you should include a reference to GoCardless in your website privacy notice. That text should be:
We use GoCardless to process your Direct Debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at gocardless.com/legal/privacy/.
If you are a GoCardless partner, you must include the ‘Payments by’ notice set out above on your payment pages, or, at a minimum, enable the merchant to provide a link to their privacy notice at the detail intake stage.
4) Display the SEPA Direct Debit electronic mandate before submission
Why? To confirm the payer’s approval of the mandate.
How? Display a compliant electronic mandate before the form is submitted.
You must show your customer an electronic mandate for approval. The formatting of the mandate is at your discretion, but you must include the following fields:
The heading “SEPA Direct Debit Mandate”
Your creditor information: Creditor Identifier, Name, Address
The customer information: Account Holder Name, Address, IBAN
SEPA information: Unique Mandate Reference placeholder (to be generated after SEPA-confirmation-reference), Date of signing
The following legal text must also be included in the mandate and must not be changed (except for the input of the creditor name):
“By signing this mandate form, you authorise (A) (NAME OF CREDITOR) to send instructions to your bank to debit your account and (B) your bank to debit your account in accordance with the instruction from (NAME OF CREDITOR).
As part of your rights, you are entitled to a refund from your bank under the terms and conditions of your agreement with your bank. A refund must be claimed within 8 weeks starting from the date on which your account was debited. Your rights are explained in a statement that you can obtain from your bank.”
You can see a compliant electronic mandate confirmation page here:
Once a customer has confirmed the electronic mandate, you should create a timestamp of the transaction, as well as store their IP address or a log of the transaction.
If your website is in English, you may keep it as your default language. If you need to translate to another language, you must use the official translation to European languages available on the European Payments Council website.
5) Agree to a timeline for pre-notification
Why? To define the timeline required to send a pre-notification to your customer before upcoming charges.
How? Include the example statement below (in italics) on the mandate page.
By confirming, you are agreeing to be pre-notified X calendar days before a charge.
Pre-notifications are meant to ensure the client is aware of the payment and has funds in his/her bank account. You can agree a pre-notification period with your customer, but it must be no longer than 14 days before the payment. Best practice is to send pre-notifications three days before.
6) Give the Unique Mandate Reference to the payer
Why? This reference will always appear on a customer’s bank statement and will help them identify a mandate.
How? Option 1 - On a payment confirmation screen:
Best practice is to also add a link to a PDF copy of the mandate in the appropriate language.
Option 2 - Include the reference in the confirmation email:
Best practice is to include the following information in your confirmation email:
Your contact details
A PDF copy of the mandate or a link to retrieve the PDF mandate
SEPA Direct Debit and GoCardless
GoCardless is an end-to-end SEPA Direct Debit provider and can completely handle SEPA compliance on your behalf, or guide you through your own custom integration.
GoCardless offers off-the-shelf payment pages that:
Are fully compliant with scheme rules
Allow payers to enter local bank details, rather than their IBAN
Are available in multiple languages (and automatically detect your customer's language)
Can be customized with your business name and logo
Alternatively, if you want to design and host your own payment pages you can use the GoCardless Pro API to do so. Your Account Executive will support you during your implementation of the SEPA compliance guidelines.
To find out more about collecting SEPA Direct Debit payments, or to register your interest with GoCardless, visit our homepage.