Got a question? Raise a ticket with our Support team
Fraud prevention programme
Why does GoCardless have a fraud prevention programme?
On a regular basis, we see users attempt to commit fraud using GoCardless. When successful, these attempts can be devastating to GoCardless, our merchants, and their customers. Some attempts come from individuals, and others from teams of well-funded and sophisticated hackers. Some are local to our headquarters here in the UK, but many come from nefarious actors around the world. We have internal teams of people dedicated to detecting and preventing fraud of all kinds. Our fraud prevention programmes involve both manual investigations and machine learning, tracking many different types of data to help predict losses and prevent them before they occur.
What tools does GoCardless use to prevent fraud?
We continually improve our fraud prevention programme, and we’re always looking for ways to make it more accurate, more efficient, and more successful at protecting us, our merchants, and their customers. The tools we use to do that include:
Data sources that help us understand some characteristics about our users and how they interact with our product. Read on to learn what data helps us do this.
Modelling tools that help us understand and distinguish between legitimate patterns of behaviour and fraudulent ones.
Investigation resources that allow us to verify that individuals are who they say they are.
What are Verified Mandates? How do they protect the payer's account?
Verified Mandates is our authentication tool that is powered by Open Banking. We use Verified Mandates as a part of our fraud prevention tools to prevent nefarious actors from paying for things with bank accounts that don’t belong to them. When a payer is using GoCardless with a merchant they may be asked to verify that the account belongs to them in these steps:
Payer starts a checkout flow to set up a mandate.
Payer is prompted to log into their bank account to confirm their identity through Verified Mandates and authorise the set up of a bank mandate.
Payer is presented with account information, including their balance, to verify that it is the correct bank account. The bank balance is only presented back to the payer to confirm the correct account (Bacs scheme only).
Merchant receives verification of the account, and the payer can continue to complete the payment as usual.
What does GoCardless do if these tools indicate potential fraud?
If our tools indicate a risk that an interaction might be fraudulent, we take steps to limit or validate that interaction. We may ask the individual additional questions, or we might take other steps that help us verify that they are who they say they are. For example, we may ask them to confirm or prove that they have access to the bank account, email address or phone number they used to sign up. In other cases, we may decide to block an interaction or transaction automatically. If an individual feels these decisions were wrongly applied, they can reach out to us to ask for a re-evaluation by submitting a request. We will consider their concerns and make a decision on whether to reverse it.
What data does GoCardless collect to prevent fraud?
We collect data for new and existing merchants that helps us understand their risk profile. We collect and analyse the data shared when they sign up, and we also receive data from third-party sources that helps us identify patterns of suspicious activity. That might include:
certain characteristics about their browser, device or network,
patterns of anomalous behaviours while they interact with our services
the characteristics of the transaction, or
a comparison of details and transactions with sources previously found to be fraudulent.
In the future, we will also collect this information about payers on our services to offer the same protections against fraud.
That sounds a bit vague. Can you provide more detail?
We’re as transparent as we can be about our programmes, but we also have to avoid tipping fraudsters off about exactly how they might circumvent our controls. We’ve done a lot of research on the privacy and security concerns about browser fingerprinting, and we’ve taken it on board to design a programme that meets our legitimate fraud prevention needs while also protecting the personal data of our users.
What is GoCardless doing to protect merchants and payers, and limit the data?
We aim to limit the data we collect about merchants and payers to what we need to protect the businesses we serve, their customers and GoCardless. We are often dealing with very sophisticated attempts to commit fraud, the impact of which can be devastating to both businesses and individuals, so we do need to ensure we collect the data required to effectively detect and prevent these cases. This may appear intrusive to the legitimate users of our services, and it is a difficult trade-off that we take seriously given the importance of privacy and data protection. Our programme is designed to ensure that:
We collect only what is needed and limit what we collect by design. We don’t use this data for other purposes.
We protect the information we collect through appropriate security and privacy practices. For example, we limit who has access to the data and ensure it is protected in transit and at rest.
We thoroughly evaluate the security and privacy of the solutions offered by our third-party sources, to help ensure we can trust them to treat your data and privacy with as much care as we do at GoCardless.
We anonymise and delete the data we collect at regular intervals to mitigate the risk of breaches, and we respect data subject rights related to the data.