This practical guide will help you with the compliance requirements for offering SEPA Direct Debit on your website.
The organisation responsible for the oversight of SEPA Direct Debit, the European Payments Council (EPC), states in a clarification letter that a "mandate may be an electronic document". This practical guide will help you with compliance requirements to create this electronic document and offer online SEPA Direct Debit on your website.
To create fully compliant payment pages for your customers, you will need to:
Serve your payment pages over HTTPS
Collect the First Name, Last Name, Account Holder Name, Address and IBAN or local bank details
Make sure your customers are aware that payments are powered by GoCardless in the footer of the page.
Display the SEPA Direct Debit electronic mandate before submission
Agree to a timeline for pre-notification
Give the Unique Mandate Reference to the payer
1. Serve your payment pages over HTTPS
Why? Ensures customer details are transmitted securely
How? Configure your website to only accept secure (SSL) connections
2. Collect the First Name, Last Name, Account Holder Name, Address, and IBAN or local details
Why? This is the minimum information required to set up a SEPA Direct Debit
How? Collect this information on a payment page
The Account Holder Name can be different from the payer’s name (for example in a B2B transaction) but you may suggest the concatenated First Name and Last Name.
If local details are collected they must be used to derive the customer's IBAN, and for cross-border Direct Debit collections the customer's BIC must also be collected or derived (until November 2016).
It is recommended you collect the full address, but you may collect just their city or post-code.
Optionally, you may also want to collect the customer's email and address as there are notification requirements before payment is taken under a SEPA Direct Debit.
Collecting SEPA payments outside of EEA SEPA Countries?
There are 5 non-EEA SEPA countries: Switzerland, Monaco, Mayotte, St Pierre, Miquelon. If your business is collecting from of these countries it is a requirement to collect the following:
Full street address of the payer including street name, city and post code
BIC code of payer’s bank
3. Make sure your customers are aware that payments are powered by GoCardless in the footer of the page.
Why? To comply with data protection law, you must let your customers know about third party data controllers that power your website.
How? You can do this by displaying the text below in your page footer:
Payments by GoCardless. Read the GoCardless privacy notice
Without that upfront notice, we could both be violating the law. (Read more here)
If that’s not technically possible, at a minimum you should include a reference to GoCardless in your website privacy notice. That text should be:
We use GoCardless to process your Direct Debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at gocardless.com/legal/privacy/
If you are a GoCardless partner, you must include the ‘Payments by’ notice set out above on your payment pages, or, at a minimum, enable the merchant to provide a link to their privacy notice at the detail intake stage.
4. Display the SEPA Direct Debit electronic mandate before submission
Why? Confirm the payer’s approval of the mandate
How? Display a compliant electronic mandate before the form is submitted
You must show the customer an electronic mandate for approval. The formatting of the mandate is at your discretion, but you must include the following fields:
The heading: “SEPA Direct Debit Mandate”
Your creditor information: Creditor Identifier, Name, Address
The customer information: Account Holder Name, Address, IBAN
SEPA information: Unique Mandate Reference placeholder (to be generated after SEPA-confirmation-reference), Date of signing
The following legal text must also be included in the mandate and must not be changed (except for the input of the creditor name):
“By signing this mandate form, you authorise (A) (NAME OF CREDITOR) to send instructions to your bank to debit your account and (B) your bank to debit your account in accordance with the instruction from (NAME OF CREDITOR).
As part of your rights, you are entitled to a refund from your bank under the terms and conditions of your agreement with your bank. A refund must be claimed within 8 weeks starting from the date on which your account was debited. Your rights are explained in a statement that you can obtain from your bank.”
You can see a compliant electronic mandate confirmation page below:
Once a customer has confirmed the electronic mandate, you should create a timestamp of the transaction, as well as store their IP address or a log of the transaction.
If your website is in English, you may keep it as your default language. If you need to translate to another language, you must use the official translation to European languages available on the European Payments Council website.
5. Agree to a timeline for pre-notification
Why? Define the timeline required to send a pre-notification to your customer before upcoming charges
How? Include the statement below on the mandate page
Pre-notifications are meant to ensure the client is aware of the payment and has funds in his/her bank account. You can agree a pre-notification period with your customer, but it must be no longer than 14 days before the payment. Best practice is to send pre-notifications three days before.
For example, you could include the following statement on your confirmation screen: “By confirming, you are agreeing to be pre-notified X calendar days before a charge.”
6. Give the Unique Mandate Reference to the payer
Why? This reference will always appear on a customer’s bank statement and will help them identify a mandate.
How? Option 1: On a payment confirmation screen:
Best practice is to also add a link to a PDF copy of the mandate in the appropriate language.
How? Option 2: Include the reference in the confirmation email:
Best practice is to include the following information in your confirmation email:
Your contact details
A PDF copy of the mandate or a link to retrieve the PDF mandate
SEPA Direct Debit and GoCardless
GoCardless is an end-to-end SEPA Direct Debit provider and can completely handle SEPA compliance on your behalf, or guide you through your own custom integration.
GoCardless offers off-the-shelf payment pages that:
are fully scheme rules compliant
allow payers to enter local details, rather than their IBAN
have been translated into six different languages (and automatically detect your customer's language)
can be customised with your business name and logo
Alternatively, if you want to design and host your own payment pages you can use the GoCardless Pro API to do so, and your Account Executive will support you during your implementation of the SEPA compliance guidelines.