Direct debit security criticised
What can you do if direct debits are set up on your account without permission?
The direct debit guarantee means customers should not lose out financially if mistakes are made on the system. But how easy is it for someone to try to defraud?
In May, Richard Beilby, from Bedfordshire, noticed a direct debit had been set up on his account for £11.45 per month to pay money to BT.
Richard had not set this up, so he told his bank - HSBC - and got it to cancel the instruction and return his money.
But more direct debits started coming, as he told Radio 4's Money Box programme: "There was a second one in June for John Lewis Pet Insurance. And again they refunded that one."
Two more payments were then set up without his knowledge, one to IPC Media for a football magazine and one for Jamie Oliver magazine.
So he asked the people who the run the direct debit system - BACS - what information is required to set up a direct debit.
BACS replied in an email: "A direct debit (DD) can be set up when the correct combination of sort code and account number is passed to your bank. Your bank then allow the DD to be set up if they deem it to be legitimate.
"The BACS/direct debit system does not check who the owner of an account is (eg that the name on the paper form/electronic form matches that on the bank account) as the system does not have access to any bank accounts. It is something that your bank may check when we forward the details onto them."
Most direct debits are automated, with the firm taking the payment sending the customer's details electronically to the bank.
These paperless direct debits are authorised without a signature.
Richard was shocked by the idea that having his sort code and account number could be enough to set up a direct debit on his account: "It's all now centrally processed and nobody knows what's going on. It's too centralised because those checks are being ignored."
Richard's bank, HSBC, said it cannot stop rogue direct debits being set up but it now alerts Richard by letter if a new instruction is received.
And it said it is the merchant which should be checking the details: "We don't see the account name on automated DD payments. We only see the account number, sort code and the unique DD code which is linked to the DD mandate, so are unable to check this against the name."
"In Mr Beilby's case the direct debits linked to his account were set up through well-established service providers using the industry's automated service. We are sorry that he has been inconvenienced in this way and we are discussing with him the options to reduce the chances of it happening again."
Money Box asked the firms that had set up the direct debits where their responsibilities lay.
They said they had systems to validate the details of their customers.
John Lewis said it would investigate: "John Lewis Insurance takes cases of incorrect direct debit and suspected fraud very seriously.
"All such cases which are brought to our attention are investigated thoroughly and as a matter of urgency by our underwriters who have specialist teams in place to deal with such issues and a full refund to the true account holder will be issued where appropriate."
However, the firms would not reveal to Richard the name or names of the people who had set up the direct debits because of data protection.
Fraud prevention expert Andrew Goodwill says it is generally too easy for people to abuse the direct debit system: "There's very little security in the process of initiating a direct debit at all. The banks are the guardians of our money. They should be making sure that anybody who takes it has the authority to do so."
Adrian Fox, a Santander customer, also told Money Box he had had direct debits set up in error on his account.
However BACS denied that this sort of fraud was common: "While it is, of course, distressing to the account holder concerned, occurrences of this are very, very rare. And, for those rare cases where something like this happens, we have the guarantee in place to protect the account holder and I understand Mr Beilby did indeed receive a refund using this."