E-MANDATES FOR SEPA DIRECT DEBIT

FRAUNHOFER-INSTITUT FÜR ARBEITSWIRTSCHAFT UND ORGANISATION IAO

Thomas Renner, Maximilien Kintz, Falko Kötter, Jan Finzen

OPPORTUNITIES FOR BANKS, CREDITORS AND SERVICE PROVIDERS


With the SEPA migration end date set for February 2014, banks and creditors need to adapt their systems to support the management of SEPA Direct Debit (SDD) mandates.

This white paper is targeted at banks, creditors, and service providers seeking a solution that streamlines their processes and complies with the new SEPA requirements and recommendations. It presents possible alternatives and discusses their respective advantages and limitations.

The investigated alternatives are:

• (Scanned) paper mandates and two-corner model mandate solutions
• Three-corner model-based mandates that make use of a digital signature, and
• Four-corner model solutions for e-mandates which directly involve the debtor bank and the creditor bank.

These solutions are assessed based on arguments taking into account the mandate validity, the efficiency for all involved actors (debtor, debtor bank, creditor and creditor bank), and the reachability of potential debtors and creditors.


Fraunhofer IAO, Stuttgart, December 2013

This work was sponsored by EBA CLEARING and conducted by Fraunhofer IAO. It can be found online at www.e-business.iao.fraunhofer.de.


Management summary

With the SEPA migration end date set for February 2014, banks and creditors need to migrate to new systems for the management of SEPA Direct Debit (SDD) mandates.

This white paper is targeted at banks, creditors, and service providers seeking a solution that streamlines their processes and complies with the new SEPA requirements and recommendations. It presents possible alternatives and discusses their respective advantages and limitations.

Some aspects of the mandate management process are not specifically new to SEPA and are common to all possible solutions: the collection and the storage of the SDD mandate are the responsibility of creditors, and digitalization of mandates is the most obvious way to reduce the costs of SDD management. Thus, the white paper focuses on e-mandate solutions.

The investigated alternatives are:

- (Scanned) paper mandates and two-corner model mandate solutions,
- Three-corner model-based mandates that make use of a digital signature, and
- Four-corner model solutions for e-mandates which directly involve the debtor banks and the creditor banks.

The solutions are assessed based on the following arguments:

- Guarantee that the mandate is recognized by the debtor bank and the creditor bank,
- Security of the systems, in particular in terms of signature,
- Efficiency of the management for involved debtor banks or service providers,
- Efficiency for creditor banks,
- Efficiency for creditors,
- Ease of use for debtors, and
- Reachability of target creditor or debtor group.

E-mandate solutions based on the four-corner model for e-authorization are secure, implement all legal requirements, and are at the same time both simple for banks to manage and easy for customers (debtors and creditors) to use. Their success is, of course, dependent on banks’ participation in the solution. However, initiatives such as MyBank (which potentially embraces all European financial institutions) can solve the reachability issue in the short term.

Based on the assessment of the different types of solutions, Fraunhofer IAO recommends adapting the solution to the potential risk associated with the e-mandate. Whenever possible, a four-corner model-based solution appears most appropriate and guarantees valid mandates accepted by all participants. In case of low-risk transactions, two-corner model-based approaches may offer a reasonable cost-benefit ratio and a universal reach.


Table of contents

Management summary

1 Background: Importance of e-mandates
1.1 Definition of e-mandates
1.2 Business opportunities
1.3 Requirements for e-mandates

2 Comparison of solutions
2.1 Two-corner model
2.2 Three-corner model
2.3 Four-corner model

3 Conclusion

1 Background: Importance of e-mandates

European banks, creditors and service providers are currently seeking a solution to easily issue direct debit mandates once the SEPA migration has occurred. It is, however, often unclear whether the new European mandate solutions will be as easy to use as some current national systems. There are also questions regarding the possibility of using direct debits in the fast-growing e-commerce and m-commerce businesses, which are unable to manage paper mandates. This indicates a need for information about possible solutions for SEPA e-mandates.

1.1 Definition of e-mandates

In its e-Mandates e-Operating Model, the European Payments Council (EPC) defines e-mandates as follows:

"The e-Mandate service is an optional feature complementing the Core SDD Scheme. [E-mandates] allow Debtors and Creditors to exchange mandates in a fully electronic way, presenting advantages for Debtors, Creditors, Creditor Banks, and Debtor Banks." [1]

1.2 Business opportunities

Mandates for direct debits have already been widely used, but were limited to national payments. As SEPA mandates are valid throughout Europe, they represent a highly interesting option for creditors, service providers and banks working or seeking to work with European customers.

By implementing an efficient European e-mandate solution, many new business opportunities arise for the involved stakeholders. They can take advantage of a wider target group and the easier management of e-mandates as opposed to paper mandates.

Needless to say, as e-commerce shows no sign of slowing its growth (in 2012, e-commerce in the European Union grew by 19% [2]), SDD e-mandates represent a useful new electronic payment solution for various use cases, for example subscription-based business models.

[1] EPC e-Mandates e-Operating Model - High Level Definition, version 1.5 approved, page 6, from March 31st, 2009: http://www.europeanpaymentscouncil.eu/knowledge_bank_detail.cfm?documents_id=400
[2] http://www.ecommerce-europe.eu/press/2013/05/press-release-european-e-commerce-to-reach-312-billion-in-2012-19-growth

1.3 Requirements for e-mandates

The main requirements that e-mandates have to comply with are summarized in the following table.

Requirement | Description

Mandate acceptance | What level of assurance does the solution give the creditor that the debtor bank will accept the e-mandate in case of dispute? Indeed, the acceptance of the e-mandate as a valid one is the debtor bank’s call. This has an impact on the dispute delay: if not accepted, the delay for refund is up to 13 months after collection instead of eight weeks.

Security | Is the e-mandate signed in an appropriate way? Can e-mandates be easily forged or not? How high is the risk or fraud level associated with the particular e-mandate solution? Does the e-mandate use a basic or qualified electronic signature? [1] Note that the EPC recommends using qualified electronic signatures, but if the participants agree, other forms of signatures can be used as well.

Efficiency for debtor banks | How efficiently can the e-mandate process be managed by debtor banks? Are both debtor and creditor banks immediately informed that the e-mandate is issued and accepted? Can the debtor bank rely on the e-mandate as a valid instruction from the debtor to accept SEPA Core Direct Debit collection(s) on the debtor’s account? Note that in any case, for SDD core transactions (i.e. B2C transactions), the debtor bank makes the final decision on the validity of the e-mandate.

Efficiency for creditor banks | If a creditor goes out of business and was operating with invalid e-mandates, the creditor bank is liable and may have to refund the debtors. Thus it is important for the creditor bank to be informed of the validity of e-mandates.

Efficiency for creditors | Is the solution easy to use and secure for creditors (i.e. merchants)? Can the e-mandates be considered trustworthy and enforceable? Can they easily integrate the solution into their websites? Can they easily process and manage e-mandates? How does the e-mandate solution provide payment certainty and reduce the risk of the debtor claiming the e-mandate’s invalidity (e-signature process)?

Ease of use for debtors | Is the e-mandate solution easy to use for debtors (i.e. customers)? Can they easily issue (and possibly manage) e-mandates?

Reach | Is the e-mandate solution recognized by a large number of banks and creditors or not? Is it limited to a country, a group of countries, or participants in a specific system?

[1] Qualified electronic signatures are advanced electronic signatures based on a qualified certificate. Detailed requirements for advanced electronic signatures and qualified certificates are defined in the European directive 1999/93/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31999L0093:en:HTML)


2 Comparison of solutions

Solutions for implementing SDD e-mandates can be categorized depending on the number of parties involved when issuing a new mandate. We distinguish between two-corner model solutions (mandates issued only between creditor and debtor), three-corner solutions, where additionally the debtor bank is involved, and four-corner solutions, where both the debtor bank and the creditor bank are involved. Note that for each of the models, an additional service provider can be involved.

2.1 Two-corner model

In a two-corner model solution for SDD e-mandates, the mandate is issued directly between the creditor (or merchant) and debtor (or customer). The debtor bank and creditor bank are not involved. This is the case for example with classic paper mandates.

The classic paper mandate works as follows: a paper form is completed by the debtor, signed and sent to the creditor. It is not an e-mandate.

Possible “electronic” implementations of a two-corner model for e-mandates are scanned paper mandates as well as solutions relying on an electronic signature instead of a written one.

The following picture presents an overview of the process for two-corner model-based e-mandates.

[Figure: A typical two-corner model process for e-mandates. Parties shown: debtor, creditor, debtor bank, creditor bank, solution provider. Steps: 1. Mandate form; 2. Signed mandate.]


Scanned paper mandates

A scanned “e-mandate” consists of a paper mandate that is then scanned and stored electronically by the bank. It is therefore not fully electronic, and it can be questioned whether it is an e-mandate according to the EPC definition. Scanned “e-mandates” are an intermediary solution between conventional paper mandates and real e-mandate systems.

Their advantages and disadvantages are very similar to those of paper mandates. The main difference is that they allow a slightly easier mandate management, once scanned.

Electronic signatures

Solutions relying on electronic signatures for issuing e-mandates typically work as follows:

The debtor signs a PDF (or other electronic) document using a certificate or other electronic signature method. The validity of the mandate is guaranteed by a trusted third party which takes care of the authentication process, e.g. by sending an authentication token to the debtor via SMS.

One advantage of this method is that the strength of the authentication, and indirectly the related costs, can be adapted depending on the risk associated with the mandate. A limitation is that a third party possibly unknown to the customers can be responsible for the authentication.

As the banks and in particular the debtor banks are not involved, the IBAN of the debtor account is supplied by the debtor himself or herself. This is a possible source of error or even fraud, as IBAN validation techniques cannot necessarily guarantee that the given account number is indeed that of the debtor.

Depending on how precisely these solutions are implemented, these advantages and disadvantages can be increased or mitigated. Indeed, the authorization and signature may or may not rely on a multi-factor authentication; it may be integrated in the online banking site of the debtor bank or provided by a third party on an external website, etc.
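The limit of IBAN validation mentioned above can be made concrete with the standard check itself. The following is an added example, not code from the white paper: the `supplied_by` label, the function names and the small country table are assumptions, and the sample IBANs are specimen values of the kind used in documentation, not customer accounts.

```python
import re
from typing import NamedTuple

# IBAN lengths for a few SEPA countries (subset chosen for this example).
IBAN_LENGTH = {"AT": 20, "DE": 22, "FR": 27, "NL": 18, "PT": 25}


class IbanCheck(NamedTuple):
    ok: bool
    reason: str


def normalise(iban: str) -> str:
    """Drop whitespace and upper-case; IBANs are often typed in groups of four."""
    return re.sub(r"\s+", "", iban).upper()


def check_iban(iban: str) -> IbanCheck:
    """ISO 13616 structure and mod-97 check. Detects typing errors only."""
    iban = normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", iban):
        return IbanCheck(False, "bad characters or layout")
    expected = IBAN_LENGTH.get(iban[:2])
    if expected is None:
        return IbanCheck(False, "country not in example table")
    if len(iban) != expected:
        return IbanCheck(False, "wrong length for country")
    # Move country code and check digits to the end, then map A..Z to 10..35.
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    if int(digits) % 97 != 1:
        return IbanCheck(False, "check digits do not match")
    return IbanCheck(True, "ok")


def iban_assurance(iban: str, supplied_by: str) -> str:
    """Say what a creditor actually knows about the IBAN on a mandate.

    supplied_by is a hypothetical label: "debtor" when the value was typed
    into a form, "debtor_bank" when the bank filled it in after the debtor
    logged in. Any other value is treated like "debtor".
    """
    result = check_iban(iban)
    if not result.ok:
        return "rejected: " + result.reason
    if supplied_by == "debtor_bank":
        return "account confirmed by debtor bank"
    # A passing check proves the number is well formed, not whose account it is.
    return "format only: account holder unverified"


# Specimen inputs for the example (documentation-style values).
SAMPLES = [
    ("DE89 3704 0044 0532 0130 00", "debtor"),       # well formed, typed by debtor
    ("DE89 3704 0044 0532 0130 01", "debtor"),       # last digit mistyped
    ("NL91 ABNA 0417 1643 00", "debtor_bank"),       # supplied by the debtor bank
    ("DE89 3704 0044 0532 0130", "debtor"),          # two characters missing
]


def classify_samples() -> list:
    return [iban_assurance(iban, source) for iban, source in SAMPLES]


if __name__ == "__main__":
    for (iban, source), verdict in zip(SAMPLES, classify_samples()):
        print(f"{iban:32} {source:12} {verdict}")
```

The first sample passes every check although nothing ties the account to the person signing, which is the residual risk the two-corner model carries.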


Fulfilment of requirements

The following table summarizes how scanned paper mandates fulfil the requirements previously identified for SEPA e-mandates.

Requirement | Two-corner model

Mandate acceptance | The debtor bank and the creditor bank are not involved at all; therefore there is no guarantee that the mandate cannot be disputed.

Security | Depending on solution, authentication can be strong or (very) weak. Risk of error or fraud as IBAN is specified by the debtor, not by the debtor bank.

Efficiency for debtor banks | Management process can be complicated and risk can be high, as debtor bank is not involved when issuing the mandate.

Efficiency for creditor banks | Management process can be complicated and risk can be high, as creditor bank is not involved when issuing the mandate.

Efficiency for creditors | The solution is relatively easy to use.

Ease of use for debtors | Highly dependent on chosen solution, some are easier to use than others. The debtor, however, needs to enter his IBAN; the solution is not fully automated.

Reach | Universal (with possible limitations depending on type of signature used).


2.2 Three-corner model

In a three-corner model solution for SDD e-mandates, in addition to the creditor and the debtor, the debtor bank can be involved in two ways:

- The debtor bank can be involved in the mandate process. It is then responsible for validating the signature of the mandate, typically because the debtor identifies himself using his online banking portal.

- The debtor bank can be involved indirectly by being asked to validate a payment by card or SCT, to authenticate the author of the mandate. In that case, the debtor bank does not validate the mandate, only the identity of the issuer.

The creditor bank is not involved.

Three-corner solutions can be implemented in various ways. In some cases, a third-party provider can be involved in the authentication process. Some solutions, for example, rely on Visa 3D Secure [1]. For others, the debtor first has to perform a small (typically 0.01 €) payment to the creditor using a solution such as iDEAL [2]. This small payment acts as a confirmation of the debtor’s identity.

The basic process followed by three-corner solutions is presented in the figure below.

[Figure: Three-corner model process for e-mandates. Parties shown: debtor, creditor, debtor bank, creditor bank, solution provider. Steps: 1. Mandate form; 2. Authentication; 3. Signed mandate.]

[1] http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx
[2] http://www.ideal.nl/?lang=eng-GB


Fulfilment of requirements

The following table summarizes how three-corner model solutions fulfil the requirements.

Requirement | Three-corner model

Mandate acceptance | Such solutions can be interesting for the creditor, as the debtor bank is informed in the standard process. However, the creditor bank is not involved at all.

Security | The security of the digital signature is highly dependent on the technique used: some can be considered relatively secure, some cannot. Depending on the implementation of the solution, the IBAN is supplied by the debtor or the debtor bank. In the first case, a risk of error or fraud is present.

Efficiency for debtor banks | These solutions are fully electronic and can involve the debtor bank in the mandate process, which then makes mandates easy to manage for debtor banks. Note that if, as can be the case for some solutions, the debtor bank is not involved in the mandate process but only for authentication of the debtor, these advantages do not apply.

Efficiency for creditor banks | The creditor bank is not involved, has no visibility on the validity of the mandate and is thus at risk if the creditor goes out of business.

Efficiency for creditors | Creditors may need to adapt their interface to the specific implementation of the solution. They can then rely on legally valid digital signatures for enforceable e-mandates.

Ease of use for debtors | Such solutions can be considered easy to use for customers. They work using already known authentication methods for online banking or online payments.

Reach | The solution needs to be supported by the debtor bank.


2.3 Four-corner model

The last category of solutions for SEPA e-mandates investigated is the so-called four-corner model-based solution. With these solutions, all four involved parties are informed in real time of the issuance and validity of the mandate.

Four-corner model solutions for e-mandates work as follows:

1. A debtor, on a creditor website, starts the process by selecting the debtor bank.
2. The creditor sends a request to the creditor bank’s routing service.
3. The request is sent to the debtor bank.
4. The debtor, who has been redirected to his own bank, is presented with an authorisation request.
5. The debtor authorizes the mandate. Two-factor authentication can be used.
6. The authorisation is confirmed to the creditor bank.
7. The authorisation is confirmed to the creditor.
8. The creditor can then in turn confirm to the debtor that the mandate has been properly issued.
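The eight steps above as a small simulation, added here as an illustration and not taken from the white paper or from MyBank: class names, message fields and the single-use request id are assumptions, and the channels between parties are assumed to be authenticated. It shows that all three back-end parties record the mandate only after the debtor authorises at the debtor bank, and that the creditor accepts each confirmation once.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class DebtorBank:
    accounts: dict                       # online-banking user -> IBAN (constructed data)
    mandates: dict = field(default_factory=dict)

    def authorise(self, request, user, approve):
        """Steps 4-5: present the request to the logged-in debtor, record the decision."""
        granted = approve and user in self.accounts
        confirmation = {
            "request_id": request["request_id"],
            "mandate_ref": request["mandate_ref"],
            "creditor_id": request["creditor_id"],
            "status": "AUTHORISED" if granted else "REFUSED",
            # The IBAN comes from the bank's own records, not from debtor input.
            "debtor_iban": self.accounts[user] if granted else None,
        }
        if granted:
            self.mandates[request["mandate_ref"]] = confirmation
        return confirmation


@dataclass
class CreditorBank:
    debtor_banks: dict                   # routing table: bank code -> DebtorBank
    mandates: dict = field(default_factory=dict)

    def route(self, request, user, approve):
        """Steps 2-3 and 6: forward to the selected debtor bank, relay its answer.

        user/approve stand in for the debtor's own session at the debtor bank.
        """
        bank = self.debtor_banks[request["debtor_bank"]]
        confirmation = bank.authorise(request, user, approve)
        if confirmation["status"] == "AUTHORISED":
            self.mandates[request["mandate_ref"]] = confirmation
        return confirmation


@dataclass
class Creditor:
    creditor_id: str
    bank: CreditorBank
    pending: dict = field(default_factory=dict)
    mandates: dict = field(default_factory=dict)

    def initiate(self, mandate_ref, debtor_bank):
        """Steps 1-2: the debtor picked a bank on the creditor site; build the request."""
        request = {"request_id": secrets.token_hex(8), "mandate_ref": mandate_ref,
                   "creditor_id": self.creditor_id, "debtor_bank": debtor_bank}
        self.pending[request["request_id"]] = request
        return request

    def accept(self, confirmation):
        """Step 7: accept a confirmation only for a pending request, and only once."""
        request = self.pending.pop(confirmation.get("request_id"), None)
        if request is None:
            return False                 # unknown or already consumed request id
        bound = all(confirmation[k] == request[k] for k in ("mandate_ref", "creditor_id"))
        if not bound or confirmation["status"] != "AUTHORISED":
            return False
        self.mandates[request["mandate_ref"]] = confirmation
        return True                      # step 8: creditor may now confirm to the debtor


def run_flow(approve):
    """Run one mandate through the flow; return (accepted, replay_accepted, holders)."""
    debtor_bank = DebtorBank(accounts={"alice": "DE89370400440532013000"})
    creditor_bank = CreditorBank(debtor_banks={"BANK-A": debtor_bank})
    creditor = Creditor("CRED-0001", creditor_bank)
    request = creditor.initiate("MANDATE-42", "BANK-A")
    confirmation = creditor_bank.route(request, user="alice", approve=approve)
    accepted = creditor.accept(confirmation)
    replay = creditor.accept(confirmation)   # same confirmation presented again
    holders = ["MANDATE-42" in party.mandates
               for party in (debtor_bank, creditor_bank, creditor)]
    return accepted, replay, holders


if __name__ == "__main__":
    print("debtor approves:", run_flow(True))
    print("debtor refuses: ", run_flow(False))
```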

The process can be visualized as in the following figure:

[Figure: Four-corner model process for e-mandates [1]. Parties shown: debtor, creditor, debtor bank, creditor bank. Steps: 1. Initiation; 2. Request; 3. Request; 4. Signature request; 5. Signature; 6. Confirmation; 7. Confirmation; 8. Confirmation.]

[1] Based on MyBank process flow for SDD


Major advantages of this model are:

- There is no external party involved; all communication is between debtor and creditor bank, debtor and creditor.

- The customer is not redirected to an unknown website to perform the authentication, but instead to his familiar online banking website.

- All parties are informed in real time of the authorization of the mandate, so there is no doubt as to its validity.

- Debtor banks can, if they choose to implement such a feature, allow their customers to easily review and manage all issued mandates on their online banking interface.

- Four-corner model-based solutions are also useful for split payments: as both debtor and creditor banks are involved in the process, such payments are easy to manage.

A limitation of such a solution is, however, that it needs to be implemented by all involved banks and by the creditors.

Several providers plan to offer four-corner model-based mandates, sometimes in some specific countries, sometimes with the plan to be available in the whole SEPA area between early 2014 and 2015. iDEAL is planning a SEPA e-mandate solution for mid-2015. SIBS [1], Bank of Austria [2] (with the EPS e-Mandate Service) and GEMME@SEPAMAIL [3] plan country-specific solutions respectively in Portugal, Austria and France. MyBank by EBA CLEARING will launch a SEPA-wide SDD e-mandate solution in early 2014.

[1] http://www.sibs-international.com/
[2] http://www.bankaustria.at/
[3] http://www.sepamail.eu/


Fulfilment of the requirements

The following table summarizes how four-corner model solutions fulfil the requirements.

Requirement | Four-corner model

Mandate acceptance | Both creditor bank and debtor bank are involved in the mandate process and informed in real time of its issuance.

Security | In general, such solutions can be considered secure, as they rely on secure communications between banks and debtor and creditor. Depending on the implementation, the IBAN can be provided by the debtor bank, thus drastically reducing error or fraud risks.

Efficiency for debtor banks | Once implemented, four-corner model solutions provide qualified signatures that can be used for mandates associated not only with low but also with higher risks. The e-mandates issued are fully electronic. They can be described in standard ISO 20022 format and are easy to integrate and process.

Efficiency for creditor banks | Creditor banks are informed in real time of the issuance and validity of the mandate, which makes four-corner model solutions the preferred approach.

Efficiency for creditors | Creditors first need to implement the solution. Once this step is performed, they can however take advantage of cheap, secure, fully electronic and easy-to-manage mandates.

Ease of use for debtors | The issuance of a mandate with a four-corner model solution typically relies on the use of the standard online banking website of the debtor bank. The debtor simply needs to select his or her bank on the creditor’s site, log in to online banking and confirm the mandate (possibly with two-factor authentication).

Reach | Mandates issued by this method apply to banks actively participating in the specific implementation of the four-corner model. This guarantees that the mandates will be recognized and accepted by both banks, and that the shorter delay for possible refunds applies, but can limit the reach of the solution.

3 Conclusion

The following table summarizes the fulfilment of the requirements legal compliance, security, efficiency for debtor banks, efficiency for creditor banks, efficiency for creditors, ease of use for debtors, and reach, for the two-, three- and four-corner model-based solutions.

[Table: rows Two-corner, Three-corner, Four-corner; columns Mandate acceptance, Security, Efficiency for debtor banks, Efficiency for creditor banks, Efficiency for creditors, Ease of use for debtors, Reach. Reach is "Universal" for two-corner and "Participants" for three-corner and four-corner; the other ratings were graphical symbols and are not reproduced.]

Two-corner model-based solutions are universal, but also riskier for debtor and creditor banks as they are not involved in the mandate creation process. The fact that the mandate has to be filled in by the debtor is also a source of possible errors, or even fraud. Three-corner model solutions can mitigate these risks by involving in some cases the debtor bank. Their reach is then however limited as the solution needs to be supported by the debtor bank. Finally, four-corner model solutions guarantee that all four involved parties are informed in real time of the issuance of an e-mandate, thus reducing the risks of invalid mandates to a minimum. At the same time, both debtor banks and creditor banks need to actively participate in the solution.

This leads Fraunhofer IAO to recommend that creditors support a variety of solutions:

- Universal two-corner model solutions can be used for low-risk mandates (associated with small payment amounts, or considered low risk by the creditor for specific business reasons).

- Secure four-corner model solutions should be used whenever possible, and in particular for mandates associated with possibly high payment amounts.

Using the same justification, banks and payment service providers are encouraged to support four-corner model solutions, so that low-risk and easy to manage mandates can be broadly used.

Presentation of Fraunhofer IAO

Fraunhofer is Europe’s largest application-oriented research organization. Fraunhofer undertakes applied research, consulting and development of direct utility to private and public enterprises and of wide benefit to society on a non-profit basis. A staff of some 22,000, predominantly qualified scientists and engineers, works with an annual research budget of 1.9 billion euros.

One of the major units of Fraunhofer is Fraunhofer IAO, located in Stuttgart, Germany. The activities of Fraunhofer IAO focus on investigation of current topics in the field of technology management. The Competence Center Electronic Business at Fraunhofer IAO carries out projects, among others, in the following areas:

- Development of e-business strategies to support business processes within or between companies and organisations;
- Development and evaluation of process technology innovations;
- Technology evaluation studies and product benchmarking;
- Design, development, testing and rollout of networked IT and online solutions;
- Development and evaluation of e-business standards.

Further information about Fraunhofer IAO can be found at www.iao.fraunhofer.de.

Presentation of EBA CLEARING and MyBank

EBA CLEARING was established in June 1998 by 52 major European and international banks with the mission to own and operate the EURO1 large-value payment system. Today, EBA CLEARING counts 63 shareholder banks and, through its EURO1, STEP1 and STEP2 systems, offers both high-value and low-value clearing and settlement services to a wide community of banks in the European Union.

EBA CLEARING has developed MyBank, a real time e-authorization solution based on the four-corner model. It allows safe and simple online and mobile payments from the account all over Europe by using SEPA payment instruments.

MyBank for SEPA Credit Transfers was launched on March 25th, 2013. MyBank for SEPA Direct Debit e-mandates is scheduled to go live in February 2014.

Supporting MyBank therefore opens new possibilities for payment service providers to offer not only an e-authorization solution for SEPA payments and e-mandates, but generally a secure authorization system with a large number of applications.

Further information on MyBank can be found at www.mybankpayments.eu.

Discover MyBank Video at www.youtube.com/watch?v=UKbudxpvhWM.
