How can I send an official, legally-binding letter to my EU bank that requires them to block all Direct Debits from my account?

I recently moved to Europe and was shocked to discover that an IBAN number and some personal information are sufficient to steal money from someone else's account. My business's IBAN is fairly public information, and I've already had two merchants try to steal from my account.

inb4: Oh but SEPA is secure

Indeed, this appears to be a big security issue in Europe.

Of course I have the legal right to fight the charges and get them rolled back (NB: this right is lost if I don't notice the charge before some weeks/months), but that could still cause my business immense harm in legal fees and cash flow issues. I'd rather just eliminate the risk by blocking all Direct Debits.

The EU gives their member states some great rights. For example, GDPR provides great data protection rights to EU citizens.

Does the EU give bank customers the right to force their banks to block direct debits?

I've seen some banks in the EU provide a process by which their customers can block all Direct Debits from their account. For example, the Bank of Ireland has Form SEPA Instruction: Block Account to all Direct Debit Payments.

I assume this is some standard switch built into their backend software that implements SEPA transfers, and it's therefore a standard setting whether or not the bank has a well-defined protocol for their staff to implement it. Is that true?

That said, how can I formally instruct any EU bank to block all Direct Debits from my account?

Michael Altfield
  • Which bank is it? – AakashM Apr 08 '22 at 10:52
  • Is the second question: which IBAN number? :P Unfortunately, due to the (in)security of these systems, it's best to keep the specifics unknown and my question generalized – Michael Altfield Apr 08 '22 at 10:57
  • No, there was no follow up question. It's going to depend on the bank - they're all different and all perfectly entitled to have their own way of doing this, or none at all. Really, you should be asking them. – AakashM Apr 08 '22 at 11:07
  • Yes, my question is: are EU banks actually entitled to leave my account open to malicious direct debits? I would expect they are not entitled to leave my account so insecure, and they have to secure my account at my request, regardless of [a] if they make it easy for me to request and [b] if their support representatives are trained on this. So my question is general: how do I force any EU bank to make this change. – Michael Altfield Apr 08 '22 at 11:09
  • Have you heard of any frauds that work the way you describe? – Bernhard Döbler Apr 08 '22 at 11:25
  • See the articles linked-to in my OP – Michael Altfield Apr 08 '22 at 12:29
  • This will depend entirely on the bank and country, but I would expect such a feature to be common for business accounts so that you can have one IBAN only for incoming payments. Business accounts would of course be out of consumer protection regulations, if there was one covering this specific case. Direct debit is protected by legal not by technical means – the two merchants stealing from you may have committed fraud. – amon Apr 08 '22 at 13:27
  • It would happen quite often, if this was a risk as big as you describe. Would it not? Never heard of one single case, in the wild. There are a couple security measures in place. Those who want to take money need the SEPA permit. They transfer money to an account whose owner is known. – Bernhard Döbler Apr 08 '22 at 18:46
  • With my Dutch bank, it's a matter of a few clicks in online banking to only allow debits for whitelisted accounts and deny everything else by default (or get alerted for every debit attempt which I then have to explicitly approve/reject). Doesn't your bank have a similar option? – TooTea Apr 09 '22 at 22:27
  • @TooTea I've never seen a bank UI that implements block-all-and-setup-allowlist for direct debits. All I've seen is paper forms printed, filled-out, signed & mailed to the bank. May I ask who your awesome Dutch bank is? – Michael Altfield Apr 11 '22 at 08:09
  • See also https://security.stackexchange.com/questions/189217/how-to-check-if-direct-debit-whitelisting-is-in-place-for-a-specific-account-num – Michael Altfield Apr 11 '22 at 08:26
  • See also https://security.stackexchange.com/questions/124997/best-practice-for-users-to-avoid-fraud-for-direct-debit-enabled-bank-accounts – Michael Altfield Apr 11 '22 at 08:30
  • I use Rabobank (one of the Big 3 Dutch banks). I'm not going to post a screenshot for privacy reasons, but if you can read some Dutch, here is the help page (scroll down to "blokkade-" (blacklist) or "goedkeuringslijst" (whitelist)). A cursory Google shows that other Dutch banks provide similar options. – TooTea Apr 11 '22 at 08:33
  • Actually, I made a redacted screenshot here. The text at the bottom explains that any debit attempts not on the whitelist will trigger a notification asking for manual approval. – TooTea Apr 11 '22 at 08:40

0 Answers