FRAUNHOFER-INSTITUT FÜR ARBEITSWIRTSCHAFT UND ORGANISATION IAO
Thomas Renner, Maximilien Kintz, Falko Kötter, Jan Finzen
E-MANDATES FOR SEPA DIRECT DEBIT: OPPORTUNITIES FOR BANKS, CREDITORS AND SERVICE PROVIDERS
With the SEPA migration end date set for February 2014, banks and creditors need to adapt their systems to support the management of SEPA Direct Debit (SDD) mandates.
This white paper is targeted at banks, creditors, and service providers seeking a solution that streamlines their processes and complies with the new SEPA requirements and recommendations. It presents possible alternatives and discusses their respective advantages and limitations.
The investigated alternatives are:
• (Scanned) paper mandates and two-corner model mandate solutions
• Three-corner model-based mandates that make use of a digital signature, and
• Four-corner model solutions for e-mandates which directly involve the debtor bank and the creditor bank.
These solutions are assessed based on arguments taking into account the mandate validity, the efficiency for all involved actors (debtor, debtor bank, creditor and creditor bank), and the reachability of potential debtors and creditors.
Fraunhofer IAO Stuttgart December 2013
This work was sponsored by EBA CLEARING and conducted by Fraunhofer IAO. It can be found online at www.e-business.iao.fraunhofer.de.
Fraunhofer IAO 2 | 15
E-mandates for SEPA Direct Debit
Management summary
With the SEPA migration end date set for February 2014, banks and creditors need to migrate to new systems for the management of SEPA Direct Debit (SDD) mandates.
This white paper is targeted at banks, creditors, and service providers seeking a solution that streamlines their processes and complies with the new SEPA requirements and recommendations. It presents possible alternatives and discusses their respective advantages and limitations.
Some aspects of the mandate management process are not specifically new to SEPA and are common to all possible solutions: the collection and the storage of the SDD mandate is the responsibility of creditors, and digitalization of mandates is the most obvious way to reduce the costs of SDD management. Thus, the white paper focuses on e-mandate solutions.
The investigated alternatives are
- (Scanned) paper mandates and two-corner model mandate solutions
- Three-corner model-based mandates that make use of a digital signature, and
- Four-corner model solutions for e-mandates which directly involve the debtor banks and the creditor banks.
The solutions are assessed based on the following arguments:
- Guarantee that the mandate is recognized by the debtor bank and the creditor bank,
- Security of the systems, in particular in terms of signature,
- Efficiency of the management for involved debtor banks or service providers,
- Efficiency for creditor banks,
- Efficiency for creditors,
- Ease of use for debtors, and
- Reachability of target creditor or debtor group.
E-mandate solutions based on the use of the four-corner model for e-authorization provide a secure solution that implements all legal requirements and at the same time are both simple for banks to manage and easy for customers (debtors and creditors) to use. Their success is, of course, dependent on banks’ participation in the solution. However, initiatives such as MyBank (which potentially embraces all European financial institutions) can solve the reachability issue in the short term.
Based on the assessment of the different types of solutions, Fraunhofer IAO recommends adapting the solution to the potential risk associated with the e-mandate. Whenever possible, a four-corner model-based solution appears most appropriate and guarantees valid mandates accepted by all participants. In case of low-risk transactions, two-corner model-based approaches may offer a reasonable cost-benefit ratio and a universal reach.
Table of contents
Management summary
Table of contents
1 Background: Importance of e-mandates
1.1 Definition of e-mandates
1.2 Business opportunities
1.3 Requirements for e-mandates
2 Comparison of solutions
2.1 Two-corner model
2.2 Three-corner model
2.3 Four-corner model
3 Conclusion
1 Background: Importance of e-mandates
European banks, creditors and service providers are currently seeking a solution to easily issue direct debit mandates once the SEPA migration has occurred. It is, however, often unclear if the new European mandate solutions will be as easy to use as some current national systems. There are also questions regarding the possibility of using Direct Debits in the fast-growing e-commerce and m-commerce businesses unable to manage paper mandates. This indicates a need for information about possible solutions for SEPA e-mandates.
1.1 Definition of e-mandates
In its e-Mandates e-Operating Model, the European Payment Council (EPC) defines e-Mandates as follows:
"The e-Mandate service is an optional feature complementing the Core SDD Scheme. [E-mandates] allow Debtors and Creditors to exchange mandates in a fully electronic way, presenting advantages for Debtors, Creditors, Creditor Banks, and Debtor Banks." [1]
1.2 Business opportunities
Mandates for direct debits have already been widely used, but were limited to national payments. As SEPA mandates are valid throughout Europe, they represent a highly interesting option for creditors, service providers and banks working or seeking to work with European customers.
By implementing an efficient European e-mandate solution, many new business opportunities arise for the involved stakeholders. They can take advantage of a wider target group and the easier management of e-mandates as opposed to paper mandates.
Needless to say, as e-commerce shows no sign of slowing its growth (in 2012, e-commerce in the European Union grew by 19% [2]), SDD e-mandates represent a useful new electronic payment solution for various use cases, for example subscription-based business models.
[1] EPC e-Mandates e-Operating Model - High Level Definition, version 1.5 approved, page 6 from March 31st, 2009: http://www.europeanpaymentscouncil.eu/knowledge_bank_detail.cfm?documents_id=400
[2] http://www.ecommerce-europe.eu/press/2013/05/press-release-european-e-commerce-to-reach-312-billion-in-2012-19-growth
1.3 Requirements for e-mandates
The main requirements that e-mandates have to comply with are summarized in the following table.
Requirement | Description
Mandate acceptance | What level of assurance does the solution give the creditor that the debtor bank will accept the e-mandate in case of dispute? Indeed, the acceptance of the e-mandate as a valid one is the debtor bank’s call. This has an impact on the dispute delay: if not accepted, the delay for refund is up to 13 months after collection instead of eight weeks.
Security | Is the e-mandate signed in an appropriate way? Can e-mandates be easily forged or not? How high is the risk or fraud level associated with the particular e-mandate solution? Does the e-mandate use a basic or qualified electronic signature? [1] Note that the EPC recommends using qualified electronic signatures, but if the participants agree, other forms of signatures can be used as well.
Efficiency for debtor banks | How efficiently can the e-mandate process be managed by debtor banks? Are both debtor and creditor banks immediately informed that the e-mandate is issued and accepted? Can the debtor bank rely on the e-mandate as a valid instruction from the debtor to accept SEPA Core Direct Debit collection(s) on the debtor’s account? Note that in any case, for SDD core transactions (i.e. B2C transactions), the debtor bank makes the final decision on the validity of the e-mandate.
Efficiency for creditor banks | If a creditor goes out of business and was operating with invalid e-mandates, the creditor bank is liable and may have to refund the debtors. Thus it is important for the creditor bank to be informed of the validity of e-mandates.
Efficiency for creditors | Is the solution easy to use and secure for creditors (i.e. merchants)? Can the e-mandates be considered trustworthy and enforceable? Can they easily integrate the solution into their websites? Can they easily process and manage e-mandates? How does the e-mandate solution provide payment certainty and reduce the risk of the debtor claiming the e-mandate’s invalidity (e-signature process)?
Ease of use for debtors | Is the e-mandate solution easy to use for debtors (i.e. customers)? Can they easily issue (and possibly manage) e-mandates?
Reach | Is the e-mandate solution recognized by a large number of banks and creditors or not? Is it limited to a country, a group of countries, or participants to a specific system?
[1] Qualified electronic signatures are advanced electronic signatures based on a qualified certificate. Detailed requirements for advanced electronic signatures and qualified certificates are defined in the European directive 1999/93/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML)
2 Comparison of solutions
Solutions for implementing SDD e-mandates can be categorized depending on the number of parties involved when issuing a new mandate. We distinguish between two-corner model solutions (mandates issued only between creditor and debtor), three-corner solutions, where additionally the debtor bank is involved, and four-corner solutions, where both the debtor bank and the creditor bank are involved. Note that for each of the models, an additional service provider can be involved.
2.1 Two-corner model
In a two-corner model solution for SDD e-mandates, the mandate is issued directly between the creditor (or merchant) and debtor (or customer). The debtor bank and creditor bank are not involved. This is the case for example with classic paper mandates.
The classic paper mandate works as follows: a paper form is completed by the debtor, signed and sent to the creditor. It is not an e-mandate.
Possible “electronic” implementations of a two-corner model for e-mandates are scanned paper mandates as well as solutions relying on an electronic signature instead of a written one.
The following picture presents an overview of the process for two-corner model-based e-mandates.
Figure: A typical two-corner model process for e-mandates. Parties shown: Debtor, Creditor, Debtor bank, Creditor bank, Solution provider. Steps: 1. Mandate form; 2. Signed mandate.
Scanned paper mandates
A scanned “e-mandate” consists of a paper mandate that is then scanned and stored electronically by the bank. It is therefore not fully electronic, and it can be questioned whether it is an e-mandate according to the EPC definition. Scanned “e-mandates” are an intermediary solution between conventional paper mandates and real e-mandate systems.
Their advantages and disadvantages are very similar to those of paper mandates. The main difference is that they allow a slightly easier mandate management, once scanned.
Electronic signatures
Solutions relying on electronic signatures for issuing e-mandates typically work as follows:
The debtor signs a PDF (or other electronic) document using a certificate or other electronic signature method. The validity of the mandate is guaranteed by a trusted third party which takes care of the authentication process, e.g. by sending an authentication token to the debtor via SMS.
One advantage of this method is that the strength of the authentication, and indirectly the related costs, can be adapted depending on the risk associated with the mandate. A limitation is that a third party possibly unknown to the customers can be responsible for the authentication.
As the banks and in particular the debtor banks are not involved, the IBAN of the debtor account is supplied by the debtor himself or herself. This is a possible source of error or even fraud, as IBAN validation techniques cannot necessarily guarantee that the given account number is indeed that of the debtor.
Depending on how precisely these solutions are implemented, these advantages and disadvantages can be increased or mitigated. Indeed, the authorization and signature may or may not rely on a multi-factor authentication; it may be integrated in the online banking site of the debtor bank or provided by a third party on an external website, etc.
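The limit of IBAN validation mentioned above can be made concrete with the ISO 13616 MOD 97-10 check. The following is an added example, not part of the original white paper; the country-length table is a subset, and the `supplied_by` values and the accept/review/reject labels are hypothetical names chosen for illustration.

```python
import re
from typing import Tuple

# Total IBAN length per country (subset chosen for this example).
IBAN_LENGTH = {"AT": 20, "DE": 22, "FR": 27, "NL": 18, "PT": 25}

# Widely published documentation IBAN, used here as constructed sample input.
SAMPLE_IBAN = "DE89 3704 0044 0532 0130 00"


def normalise(iban: str) -> str:
    """Remove the spaces used for print grouping and upper-case the rest."""
    return re.sub(r"\s+", "", iban).upper()


def mod97(iban: str) -> int:
    """Return the MOD 97-10 remainder of a normalised IBAN (1 means valid)."""
    rearranged = iban[4:] + iban[:4]  # country code and check digits go last
    remainder = 0
    for ch in rearranged:
        # Digits stay as they are; letters map to A=10 ... Z=35.
        for digit in str(int(ch, 36)):
            remainder = (remainder * 10 + int(digit)) % 97
    return remainder


def validate_iban(iban: str) -> Tuple[bool, str]:
    """Check structure, country length and checksum. Says nothing about ownership."""
    iban = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", iban):
        return False, "malformed"
    expected = IBAN_LENGTH.get(iban[:2])
    if expected is None:
        return False, "country not in table"
    if len(iban) != expected:
        return False, "wrong length"
    if mod97(iban) != 1:
        return False, "checksum mismatch"
    return True, "format and checksum ok"


def assess_mandate_iban(iban: str, supplied_by: str) -> str:
    """Hypothetical creditor-side triage: the checksum catches typing errors only.

    supplied_by is "debtor" (typed into a form, two-corner case) or
    "debtor_bank" (returned by the debtor bank, as some three- and
    four-corner implementations allow).
    """
    ok, reason = validate_iban(iban)
    if not ok:
        return f"reject: {reason}"
    if supplied_by == "debtor_bank":
        return "accept: IBAN provided by debtor bank"
    return "review: checksum ok, account ownership unverified"


if __name__ == "__main__":
    cases = [
        (SAMPLE_IBAN, "debtor"),                    # well-formed, typed by debtor
        ("DE89 7304 0044 0532 0130 00", "debtor"),  # two adjacent digits swapped
        (SAMPLE_IBAN, "debtor_bank"),               # same IBAN, confirmed by bank
    ]
    for iban, source in cases:
        print(f"{iban:30} {source:12} -> {assess_mandate_iban(iban, source)}")
```

A debtor-supplied IBAN that passes every check still ends in "review": the checksum detects mistyped digits, not an account that belongs to someone else.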
Fulfilment of requirements
The following table summarizes how scanned paper mandates fulfil the requirements previously identified for SEPA e-mandates.
Requirement | Two-corner model
Mandate acceptance | The debtor bank and the creditor bank are not involved at all; therefore there is no guarantee that the mandate cannot be disputed.
Security | Depending on the solution, authentication can be strong or (very) weak. Risk of error or fraud as the IBAN is specified by the debtor, not by the debtor bank.
Efficiency for debtor banks | Management process can be complicated and risk can be high, as the debtor bank is not involved when issuing the mandate.
Efficiency for creditor banks | Management process can be complicated and risk can be high, as the creditor bank is not involved when issuing the mandate.
Efficiency for creditors | The solution is relatively easy to use.
Ease of use for debtors | Highly dependent on the chosen solution; some are easier to use than others. The debtor, however, needs to enter his IBAN; the solution is not fully automated.
Reach | Universal (with possible limitations depending on type of signature used).
2.2 Three-corner model
In a three-corner model solution for SDD e-mandates, in addition to the creditor and the debtor, the debtor bank can be involved in two ways:
- The debtor bank can be involved in the mandate process. It is then responsible for validating the signature of the mandate, typically because the debtor identifies himself using his online banking portal.
- The debtor bank can be involved indirectly by being asked to validate a payment by card or SCT, to authenticate the author of the mandate. In that case, the debtor bank does not validate the mandate, only the identity of the issuer.
The creditor bank is not involved.
Three-corner solutions can be implemented in various ways. In some cases, a third party provider can be involved in the authentication process. Some solutions for example rely on Visa 3D Secure [1]. For others, the debtor first has to perform a small (typically 0.01 €) payment to the creditor using a solution such as iDEAL [2]. This small payment acts as a confirmation of the debtor’s identity.
The basic process followed by three-corner solutions is presented in the figure below.
Figure: Three-corner model process for e-mandates. Parties shown: Debtor, Creditor, Debtor bank, Creditor bank, Solution provider. Steps: 1. Mandate form; 2. Authentication; 3. Signed mandate.
[1] http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx
[2] http://www.ideal.nl/?lang=eng-GB
Fulfilment of requirements
The following table summarizes how three-corner model solutions fulfil the requirements.
Requirement | Three-corner model
Mandate acceptance | Such solutions can be interesting for the creditor, as the debtor bank is informed in the standard process. However, the creditor bank is not involved at all.
Security | The security of the digital signature is highly dependent on the technique used: some can be considered relatively secure, some cannot. Depending on the implementation of the solution, the IBAN is supplied by the debtor or the debtor bank. In the first case, a risk of error or fraud is present.
Efficiency for debtor banks | These solutions are fully electronic and can involve the debtor bank in the mandate process, which then makes mandates easy to manage for debtor banks. Note that if, as can be the case for some solutions, the debtor bank is not involved in the mandate process but only for authentication of the debtor, these advantages do not apply.
Efficiency for creditor banks | The creditor bank is not involved, has no visibility on the validity of the mandate and is thus at risk if the creditor goes out of business.
Efficiency for creditors | Creditors may need to adapt their interface to the specific implementation of the solution. They can then rely on legally valid digital signatures for enforceable e-mandates.
Ease of use for debtors | Such solutions can be considered easy to use for customers. They work using already known authentication methods for online banking or online payments.
Reach | The solution needs to be supported by the debtor bank.
2.3 Four-corner model
The last category of solutions for SEPA e-mandates investigated is the so-called four-corner model-based solution. With these solutions, all four involved parties are informed in real time of the issuance and validity of the mandate.
Four-corner model solutions for e-mandates work as follows:
1. A debtor, on a creditor website, starts the process by selecting the debtor bank.
2. The creditor sends a request to the creditor bank’s routing service.
3. The request is sent to the debtor bank.
4. The debtor, who has been redirected to his own bank, is presented with an authorisation request.
5. The debtor authorizes the mandate. Two-factor authentication can be used.
6. The authorisation is confirmed to the creditor bank.
7. The authorisation is confirmed to the creditor.
8. The creditor can then in turn confirm to the debtor that the mandate has been properly issued.
The process can be visualized as in the following figure:
Figure: Four-corner model process for e-mandates [1]. Parties shown: Debtor, Creditor, Debtor bank, Creditor bank. Steps: 1. Initiation; 2. Request; 3. Request; 4. Signature request; 5. Signature; 6. Confirmation; 7. Confirmation; 8. Confirmation.
[1] Based on MyBank process flow for SDD
Major advantages of this model are:
- There is no external party involved; all communication is between debtor and creditor bank, debtor and creditor.
- The customer is not redirected to an unknown website to perform the authentication, but instead to his familiar online banking website.
- All parties are informed in real time of the authorization of the mandate, so there is no doubt as to its validity.
- Debtor banks can, if they choose to implement such a feature, allow their customers to easily review and manage all issued mandates on their online banking interface.
- Four-corner model-based solutions are also useful for split payments: as both debtor and creditor banks are involved in the process, such payments are easy to manage.
A limitation of such a solution is, however, that it needs to be implemented by all involved banks and by the creditors.
Several providers plan to offer four-corner model-based mandates, sometimes in some specific countries, sometimes with the plan to be available in the whole SEPA area between early 2014 and 2015. iDEAL is planning a SEPA e-mandate solution for mid-2015. SIBS [1], Bank of Austria [2] (with the EPS e-Mandate Service) and GEMME@SEPAMAIL [3] plan country-specific solutions respectively in Portugal, Austria and France. MyBank by EBA CLEARING will launch a SEPA-wide SDD e-mandate solution early 2014.
[1] http://www.sibs-international.com/
[2] http://www.bankaustria.at/
[3] http://www.sepamail.eu/
Fulfilment of the requirements
The following table summarizes how four-corner model solutions fulfil the requirements.
Requirement | Four-corner model
Mandate acceptance | Both creditor bank and debtor bank are involved in the mandate process and informed in real time of its issuance.
Security | In general, such solutions can be considered secure, as they rely on secure communications between banks and debtor and creditor. Depending on the implementation, the IBAN can be provided by the debtor bank, thus drastically reducing error or fraud risks.
Efficiency for debtor banks | Once implemented, four-corner model solutions provide qualified signatures that can be used for mandates associated not only with low but also with higher risks. The e-mandates issued are fully electronic. They can be described in standard ISO 20022 format and are easy to integrate and process.
Efficiency for creditor banks | Creditor banks are informed in real time of the issuance and validity of the mandate, which makes four-corner model solutions the preferred approach.
Efficiency for creditors | Creditors first need to implement the solution. Once this step is performed, they can however take advantage of cheap, secure, fully electronic and easy-to-manage mandates.
Ease of use for debtors | The issuance of a mandate with a four-corner model typically relies on the use of the standard online banking website from the debtor bank. The debtor simply needs to select his or her bank on the creditor’s site, to log in to online banking and confirm the mandate (possibly with two-factor authentication).
Reach | Mandates issued by this method apply to banks actively participating in the specific implementation of the four-corner model. This guarantees that the mandates will be recognized and accepted by both banks, and that the shorter delay for possible refunds applies, but can limit the reach of the solution.
3 Conclusion
The following table summarizes the fulfilment of the requirements legal compliance, security, efficiency for debtor banks, efficiency for creditor banks, efficiency for creditors, ease of use for debtors, and reach, for the two-, three- and four-corner model-based solutions.
Table: ratings of the two-corner, three-corner and four-corner models for mandate acceptance, security, efficiency for debtor banks, efficiency for creditor banks, efficiency for creditors, ease of use for debtors, and reach. The rating symbols are not reproduced here; the Reach column reads Universal for two-corner, Participants for three-corner and Participants for four-corner.
Two-corner model-based solutions are universal, but also more risky for debtor and creditor banks as they are not involved in the mandate creation process. The fact that the mandate has to be filled by the debtor is also a source of possible errors, or even fraud. Three-corner model solutions can mitigate these risks by involving in some cases the debtor bank. Their reach is then however limited as the solution needs to be supported by the debtor bank. Finally, four-corner model solutions guarantee that all four involved parties are informed in real time of the issuance of an e-mandate, thus reducing the risks of invalid mandates to a minimum. At the same time, both debtor banks and creditor banks need to actively participate in the solution.
This leads Fraunhofer IAO to recommend that creditors support a variety of solutions:
- Universal two-corner model solutions can be used for low-risk mandates (associated with small payment amounts, or considered low risk by the creditor for specific business reasons)
- Secure four-corner model solutions should be used whenever possible, and in particular for mandates associated with possibly high payment amounts.
Using the same justification, banks and payment service providers are encouraged to support four-corner model solutions, so that low-risk and easy-to-manage mandates can be broadly used.
Presentation of Fraunhofer IAO
Fraunhofer is Europe’s largest application-oriented research organization. Fraunhofer undertakes applied research, consulting and development of direct utility to private and public enterprises and of wide benefit to society on a non-profit basis. A staff of some 22,000, predominantly qualified scientists and engineers, works with an annual research budget of 1.9 billion euros.
One of the major units of Fraunhofer is Fraunhofer IAO, located in Stuttgart, Germany. The activities of Fraunhofer IAO focus on investigation of current topics in the field of technology management. The Competence Center Electronic Business at Fraunhofer IAO carries out projects, among others, in the following areas:
- Development of e-business strategies to support business processes within or between companies and organisations;
- Development and evaluation of process technology innovations;
- Technology evaluation studies and product benchmarking;
- Design, development, testing and rollout of networked IT and online solutions;
- Development and evaluation of e-business standards.
Further information about Fraunhofer IAO can be found at www.iao.fraunhofer.de.
Presentation of EBA CLEARING and MyBank
EBA CLEARING was established in June 1998 by 52 major European and international banks with the mission to own and operate the EURO1 large-value payment system. Today, EBA CLEARING counts 63 shareholder banks and, through its EURO1, STEP1 and STEP2 systems, offers both high-value and low-value clearing and settlement services to a wide community of banks in the European Union.
EBA CLEARING has developed MyBank, a real time e-authorization solution based on the four-corner model. It allows safe and simple online and mobile payments from the account all over Europe by using SEPA payment instruments.
MyBank for SEPA Credit Transfers was launched on March 25th, 2013. MyBank for SEPA Direct Debit e-mandates is scheduled to go live in February 2014.
Supporting MyBank therefore opens new possibilities for payment service providers to offer not only an e-authorization solution for SEPA payments and e-mandates, but generally a secure authorization system with a large number of applications.
Further information on MyBank can be found at www.mybankpayments.eu.
Discover MyBank Video at www.youtube.com/watch?v=UKbudxpvhWM.