On a regular basis, we see users attempt to commit fraud using GoCardless. When successful, these attempts can be devastating to GoCardless, our merchants, and their customers. Some attempts come from individuals, and others from teams of well-funded and sophisticated hackers. Some are local to our headquarters here in the UK, but many come from nefarious actors around the world.
We have internal teams of people dedicated to detecting and preventing fraud of all kinds. Our fraud prevention programmes involve both manual investigations and machine learning, tracking lots of different types of data to help predict losses and prevent them before they occur.
We continually improve our fraud prevention programme, and we’re always looking for ways to make it more accurate, more efficient, and more successful at protecting us, our merchants, and their customers. The tools we use to do that include:
If our tools indicate a risk that an interaction might be fraudulent, we take steps to limit or validate that interaction. We may ask the individual additional questions, or we might take other steps that help us verify that they are who they say they are. For example, we may ask them to confirm or prove that they have access to the bank account, email address or phone number they used to sign up.
In other cases, we may decide to block an interaction or transaction automatically. If an individual feels such a decision was wrongly applied, they can submit a request asking us to re-evaluate it. We will consider their concerns and decide whether to reverse the decision.
We collect data for new and existing merchants that helps us understand their risk profile. We collect and analyse the data shared when they sign up, and we also receive data from third-party sources that help us identify patterns of suspicious activity. That might include:
In the future, we will also collect this information about payers on our services to offer the same protections against fraud.
We’re as transparent as we can be about our programmes, but we also have to avoid tipping fraudsters off about how exactly they might circumvent our controls.
We’ve done a lot of research on the privacy and security concerns about browser fingerprinting, and we’ve taken it on board to design a programme that meets our legitimate fraud prevention needs while also protecting the personal data of our users.
We aim to limit the data we collect about merchants and payers to what we need to protect the businesses we serve, their customers and GoCardless. We are often dealing with very sophisticated attempts to commit fraud, the impact of which can be devastating to both businesses and individuals, so we do need to ensure we collect the data required to effectively detect and prevent these cases.
This may appear intrusive to the legitimate users of our services, and it is a difficult trade-off that we take seriously given the importance of privacy and data protection.
Our programme is designed to ensure that:
GoCardless (company registration number 07495895) is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017, registration number 597190, for the provision of payment services.
GoCardless SAS, an affiliate of GoCardless Ltd (company registration number 834 422 180, R.C.S. PARIS), is authorised by the ACPR (French Prudential Supervision and Resolution Authority), Bank Code (CIB) 17118, for the provision of payment services.