The organisation responsible for the oversight of SEPA Direct Debit, the European Payments Council (EPC), states in a clarification letter that a "mandate may be an electronic document". This practical guide will help you with compliance requirements to create this electronic document and offer online SEPA Direct Debit on your website.
To create fully compliant payment pages for your customers, you will need to:
- Serve your payment pages over HTTPS
- Collect the First Name, Last Name, Account Holder Name, Address and IBAN or local bank details
- Make sure your customers are aware that payments are powered by GoCardless in the footer of the page.
- Display the SEPA Direct Debit electronic mandate before submission
- Agree to a timeline for pre-notification
- Give the Unique Mandate Reference to the payer
Why? Ensures customer details are transmitted securely
How? Configure your website to only accept secure (SSL) connections
Why? This is the minimum information required to set up a SEPA Direct Debit
How? Collect this information on a payment page
The Account Holder Name can be different from the payer’s name (for example in a B2B transaction) but you may suggest the concatenated First Name and Last Name.
If local details are collected they must be used to derive the customer's IBAN, and for cross-border Direct Debit collections the customer's BIC must also be collected or derived (until November 2016).
It is recommended you collect the full address, but you may collect just their city or post-code.
Optionally, you may also want to collect the customer's email and address as there are notification requirements before payment is taken under a SEPA Direct Debit.
Collecting outside of EEA SEPA Countries?
There are 5 non-EEA SEPA countries: Switzerland, Monaco, Mayotte, St Pierre, Miquelon. If your business is collecting from of these countries it is a requirement to collect the following:
- Full street address of the payer including street name, city and post code
- BIC code of payer’s bank
Make sure your customers are aware that payments are powered by GoCardless in the footer of the page.
Why? To comply with data protection law, you must let your customers know about third party data controllers that power your website.
How? You can do this by displaying the text below in your page footer:
Payments by GoCardless. Read the GoCardless privacy notice
Without that upfront notice, we could both be violating the law. (Read more here)
If that’s not technically possible, at a minimum you should include a reference to GoCardless in your website privacy notice. That text should be:
We use GoCardless to process your Direct Debit payments. More information on how GoCardless processes your personal data and your data protection rights, including your right to object, is available at gocardless.com/legal/privacy/
If you are a GoCardless partner, you must include the ‘Payments by’ notice set out above on your payment pages, or, at a minimum, enable the merchant to provide a link to their privacy notice at the detail intake stage.
Why? Confirm the payer’s approval of the mandate
How? Display a compliant electronic mandate before the form is submitted
You must show the customer an electronic mandate for approval. The formatting of the mandate is at your discretion, but you must include the following fields:
- The heading: “SEPA Direct Debit Mandate”
- Your creditor information: Creditor Identifier, Name, Address
- The customer information: Account Holder Name, Address, IBAN
- SEPA information: Unique Mandate Reference placeholder (to be generated after SEPA-confirmation-reference), Date of signing
The following legal text must also be included in the mandate and must not be changed (except for the input of the creditor name):
“By signing this mandate form, you authorise (A) (NAME OF CREDITOR) to send instructions to your bank to debit your account and (B) your bank to debit your account in accordance with the instruction from (NAME OF CREDITOR).
As part of your rights, you are entitled to a refund from your bank under the terms and conditions of your agreement with your bank. A refund must be claimed within 8 weeks starting from the date on which your account was debited. Your rights are explained in a statement that you can obtain from your bank.”
You can see a compliant electronic mandate confirmation page below:
Once a customer has confirmed the electronic mandate, you should create a timestamp of the transaction, as well as store their IP address or a log of the transaction.
If your website is in English, you may keep it as your default language. If you need to translate to another language, you must use the official translation to European languages available on the European Payments Council website.
Why? Define the timeline required to send a pre-notification to your customer before upcoming charges
How? Include the statement below on the mandate page
Pre-notifications are meant to ensure the client is aware of the payment and has funds in his/her bank account. You can agree a pre-notification period with your customer, but it must be no longer than 14 days before the payment. Best practice is to send pre-notifications three days before.
For example, you could include the following statement on your confirmation screen: “By confirming, you are agreeing to be pre-notified X calendar days before a charge.”
Why? This reference will always appear on a customer’s bank statement and will help them identify a mandate.
How? Option 1: On a payment confirmation screen:
Best practice is to also add a link to a PDF copy of the mandate in the appropriate language.
How? Option 2: Include the reference in the confirmation email:
Best practice is to include the following information in your confirmation email:
- Your contact details
- A PDF copy of the mandate or a link to retrieve the PDF mandate
GoCardless is an end-to-end SEPA Direct Debit provider and can completely handle SEPA compliance on your behalf, or guide you through your own custom integration.
GoCardless offers off-the-shelf payment pages that:
- are fully scheme rules compliant
- allow payers to enter local details, rather than their IBAN
- have been translated into multiple different languages (and automatically detect your customer's language)
- can be customised with your business name and logo
Alternatively, if you want to design and host your own payment pages you can use the GoCardless Pro API to do so, and your Account Executive will support you during your implementation of the SEPA compliance guidelines.