
Do IBANs allow debit without reliable authorization? In the US having a bank account number (and I suppose maybe a name/street address for more plausibility) is enough to print a check and then withdraw money from it. Do IBANs let a random person do that, or do they need verification from the account?


An IBAN by itself is just an account number. A random person obviously can't take money out of another person's account. The fact that this is possible in the US is beyond insane. I wouldn't trust a bank(ing system?) that permitted this as far as I could throw it.

No bank in the SEPA-zone will give anyone unauthorized access based on just an account number.

There are things like SEPA Direct Debit (SDD) which are basically mini-contracts between a creditor and a debtor -- with the banks as intermediaries. These can be used, for instance, by your ISP to automagically take your dues out of your account. Either party can cancel just about as easily as well. With most banks, they can be set up in a few clicks. Many banks support limiting the amount (e.g. 50eur/month) on a per-SDD basis.


Bacs in the UK will alert the account holder that a debit has been set up, but to set it up just requires knowing the sort code (routing number) and bank account number. Much like ACH.

The account owner can at any time go in and cancel that mandate, but they do not have to pre-approve it to have it set up.


They do, but direct debit is only allowed to “large” companies that move a lot of money in my experience. Usually you have to consent to allow direct debit, sometimes in paper form, sometimes just by entering your account number. My startup tried to add direct debit via Stripe but our bank didn’t allow us to do so because we don’t move a lot of money through our bank accounts and also we’re not known. I think a lot of financial things in Europe are based on trust.


Are you sure you aren’t confusing a bank transfer with direct debit? DD in the US requires PAD/PAP between the debtor and the collector and is cleared through ACH regardless of the size of the account or the sum.


No, what GP is saying absolutely is a thing, but not terribly common. Bosch PT Service is one of not that many companies that use it. You only give them your IBAN and check a box basically saying you authorize them to debit the money from your account.


That’s how Direct Debit works all over the world; that tick is the PAD/PAP contract being signed, you basically pre-approve debit requests with it.


Here in Spain small companies like my accountant do it too. You can reverse it though even for large corps. Orange the telco took some amounts but cut off service (no clue why) so I had them all reversed.


In Serbia (Eastern Europe) a type of direct debit is realized in cooperation with the client's bank.

The service provider (this is usually used to automatically pay utility bills, rent and mobile/Internet bills) makes a "deal" with some banks, whereby the bank can store a number identifier and the service provider can tell the bank what amount to charge.

The safety part is, however, that the bank's client must obtain the identifier (usually account ID in the service provider's system) and give it to the bank, either with a written request or on the bank's online portal. Only then will the bank process the provider's charges to the client's account.

Disputes are not common and take a lot of time because an actual investigation is done, often times it is resolved in the provider's favor because the client did knowingly consent to the terms and did enter the identifier into the bank's system or give a written statement in the bank's offices.

In general, in this system it is impossible to charge someone without them agreeing that they want to be charged. If they do want to be charged however, and agree to the terms, you can charge them an unlimited amount, which they have to then dispute and provide evidence of unwanted activity. This happens rarely though, because such charges would cause extremely high fines to the service provider, due to gross negligence or malicious intent, whichever is applicable.

I do not know of any person that was "robbed"/scammed this way.


This is not the kind of direct debit that exists in the EU zone.


? It sounds very similar to how we domicile bills from utilities to banks in Italy, you provide the account number and a document and off they go.


You missed the part about the account holder having to pass the token issued to the merchant back to the bank.


Yeah, but we don't have direct debit except in one bank for business customers (B2B). Not in EU zone or EEA.


Yes they allow debit, but the other party should acquire some sort of authorization from you, even if the requirements are not strong.

The typical use case: you want to allow recurrent payment for your electric bill. You log in with your credentials on the electric company website, then you give them your IBAN and you press a button to accept the terms and authorize them. The company then checks that the name on your bill is the same as the name linked to your bank account and that's it, they are allowed to charge you.

I know that it does not seem secure, but the rate of fraud is really low, at least in my country:

- your bank sends you a notification when some company activates a recurrent debit scheme on your account;

- you can see some days in advance on your home banking what you are being debited, and you can freely cancel the charge up to 8 weeks after it happened, for any reason. The chargeback is automatic;

- you have 13 months to ask for a chargeback if you believe you did not give authorization, and it is the company that must prove that you really authorized them. The chargeback is automatic;

- to enable the scheme the company has to go through their bank, and the bank is responsible for the chargeback if the company does not pay. So only big and medium businesses are usually enabled by their banks, because they don't want chargebacks;
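As an added illustration (not code from any commenter or bank), the mandate flow and refund windows described in the comment above, plus the per-mandate monthly cap mentioned earlier in the thread, can be modelled as a small account simulation. Everything here is a constructed approximation: the IBAN, names and amounts are sample values, the name-on-account check is the one the commenter describes, and the two refund windows are the 8 weeks (authorised debit) and 13 months (debit the holder says they never authorised) stated in the comment. A debit presented without a mandate is deliberately still booked rather than blocked, because the thread's point is that the scheme relies on after-the-fact reversal rather than up-front verification.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Refund windows as described in the comment above (constructed model of
# SEPA Direct Debit Core): 8 weeks for an authorised debit, 13 months for
# one the account holder did not authorise.
AUTHORISED_REFUND_DAYS = 8 * 7
UNAUTHORISED_REFUND_MONTHS = 13


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    last_day = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))


@dataclass
class Mandate:
    creditor: str
    debtor_iban: str                        # constructed sample value, not a real account
    debtor_name: str
    monthly_limit: Optional[float] = None   # per-mandate cap, as some banks offer


@dataclass
class Debit:
    creditor: str
    amount: float
    booked: date
    authorised: bool   # True when a matching mandate was on file at booking time


@dataclass
class Account:
    iban: str
    holder_name: str
    mandates: dict = field(default_factory=dict)
    debits: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def register_mandate(account: Account, mandate: Mandate) -> bool:
    """Creditor activates a mandate: IBAN and holder name must match the
    account, and the bank records a notification for the holder."""
    if mandate.debtor_iban != account.iban:
        return False
    if mandate.debtor_name.casefold() != account.holder_name.casefold():
        return False
    account.mandates[mandate.creditor] = mandate
    account.notifications.append(f"direct debit mandate activated by {mandate.creditor}")
    return True


def collect(account: Account, creditor: str, amount: float, booked: date) -> Optional[Debit]:
    """Book a debit presented by a creditor. Without a mandate it is still
    booked but flagged unauthorised (so the 13-month window applies); a
    per-mandate monthly limit rejects the debit outright."""
    mandate = account.mandates.get(creditor)
    if mandate and mandate.monthly_limit is not None:
        spent = sum(d.amount for d in account.debits
                    if d.creditor == creditor
                    and (d.booked.year, d.booked.month) == (booked.year, booked.month))
        if spent + amount > mandate.monthly_limit:
            return None
    debit = Debit(creditor, amount, booked, authorised=mandate is not None)
    account.debits.append(debit)
    return debit


def refund_allowed(debit: Debit, request_date: date) -> bool:
    """Can the holder still reverse this debit on request_date?"""
    if debit.authorised:
        deadline = debit.booked + timedelta(days=AUTHORISED_REFUND_DAYS)
    else:
        deadline = add_months(debit.booked, UNAUTHORISED_REFUND_MONTHS)
    return debit.booked <= request_date <= deadline


def scenario() -> dict:
    """Constructed walk-through: one valid mandate, one rejected, one
    over-limit debit, one mandate-less debit, and refund checks at the edges."""
    acct = Account("DE00 0000 0000 CONSTRUCTED", "Anna Example")
    ok = register_mandate(acct, Mandate("ElectricCo", acct.iban, "anna example", 50.0))
    bad = register_mandate(acct, Mandate("Stranger", acct.iban, "Someone Else"))
    d1 = collect(acct, "ElectricCo", 40.0, date(2023, 1, 10))
    over = collect(acct, "ElectricCo", 20.0, date(2023, 1, 20))   # exceeds 50/month
    d2 = collect(acct, "Unknown Ltd", 99.0, date(2023, 1, 10))    # no mandate on file
    return {
        "mandate_ok": ok, "mandate_rejected": not bad,
        "notifications": list(acct.notifications),
        "d1_authorised": d1.authorised, "over_limit_rejected": over is None,
        "d2_authorised": d2.authorised,
        "d1_day56": refund_allowed(d1, date(2023, 3, 7)),
        "d1_day57": refund_allowed(d1, date(2023, 3, 8)),
        "d2_13m": refund_allowed(d2, date(2024, 2, 10)),
        "d2_13m_plus1": refund_allowed(d2, date(2024, 2, 11)),
        "clamp": add_months(date(2023, 1, 31), 1).isoformat(),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The thing to notice is where the control actually sits: nothing stops the mandate-less "Unknown Ltd" debit from being booked, and the only defences are the holder's notification, the pre-notification on the statement, and the refund deadline, which is exactly why checking statements matters in this scheme.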


I always use Direct Debit. The guarantee means it's better than paying cash yet it usually comes with a discount because it's easier for the recipient too.

A utility company screwed my billing up at the last address I rented. I'd check my own meters, call up, "This bill is wrong, fix it" they'd send an engineer, the engineer says this happens a lot with a building converted from one dwelling with one meter to many dwellings with retro-fitted meters and then gutted and replaced outright with a purpose built block. They call base "You have the wrong meter for this address. Assign this meter number to the customer account instead". Next month, new bill, same mistake, same calls, rinse & repeat.

So I said "I will not pay you until you bill me for what I actually used". I called my bank, "Undo all direct debits for that utility" and they took all the money back from the utility company and gave it to me.

The utility company sent a letter threatening to sue me, I called the lawyers. They explained that the letters threatening to sue are automatic and that they understood if they show up with knowingly bogus bills they're going to lose and it'll make the judge really unhappy and they might get sanctioned as well as eating my court costs.

Eventually I'd guess maybe six months after I first noticed the error, I got a phone call from the utility company. They'd given up trying to "fix" my account, whatever stupid IT problem they had was too much. They'd opened a fresh account with my name, my address, the correct meter and a zero balance, was that OK? So I never paid them for six months of usage basically.

FWIW If you are worried this is just the honour system, which it is, be even more afraid of credit cards. Payment card settlement is entirely on the honour system and has fewer safeguards. Any merchant can present settlement paperwork saying card #123456789 agreed to pay me $8000 and your bank will by default take $8000 from the account #123456789 corresponds to.

Another HN discussion today is about EMV ("Chip and PIN") but EMV isn't part of Settlement, it's Authorisation. A merchant doesn't need any Authorisation, they can present a settlement demand with no authorisation whatsoever and by default it will get paid.

This really happens. Big merchants are 100% trusted, if the major high street supermarket chain Tesco in the UK says that every single one of its Visa card customers decided to pay twice today, no alarms go off until finally, hours or days later one of those customers wonders where all their money went and is horrified to discover Tesco took twice as much as expected. Oops! We pressed "up" too many times on the keyboard and ran the settlement process twice. No safeguards, because it's the honour system. Check your card statements, if you miss something nobody else will lift a finger.


> FWIW If you are worried this is just the honour system, which it is, be even more afraid of credit cards. Payment card settlement is entirely on the honour system and has fewer safeguards. Any merchant can present settlement paperwork saying card #123456789 agreed to pay me $8000 and your bank will by default take $8000 from the account #123456789 corresponds to.

They won't take money out of your bank account. They'll add $8000 to your credit card bill, and if you don't pay that bill they can report you to a credit bureau, cancel the card, take you to court, but you'll still have access to your money while it's all being sorted out. That's the argument for credit cards being safer.


I have a similar issue with my utility provider in London where the previous tenant didn't pay the bill and they wouldn't allow me to open a new contract on the same address until the previous contract on that meter was paid.

They even went so far to send the same bills to 'occupiers of address X' trying to let me pay the £1800 electricity bill.


You can reclaim every amount booked (fetched) via IBAN payment for 13 months, except when you gave a valid mandate, then it's 6 weeks where you can invert the payment. If you submit (wire transfer) money via bank payment though, it is up to your bank, the bank of the receiver and the receiver to ack a refund. Failed IBAN payments cost the receiver side like 10€ if they triggered it. Also I have never seen a check being used except for people who won a lottery or something.


> Do IBANs allow debit without reliable authorization?

I would say yes. However, unauthorized debit will be returned for max. 13 months. So the risks for the victim account are small.

The risk for the bank could be higher. However, that is mitigated by the fact that it is no longer easy to open bank accounts. Clear documentation is needed (a big problem even for completely legal immigrants, because when you are new in a country you don't have a lot of documentation). Additionally initiating direct debit bookings is not a standard service. I'd guess only accounts with a good track record will get it. Typical risk management for a bank. It's the same as they don't lend money to everyone who might ask.


They don’t need verification. In theory, you are supposed to have a direct debit mandate, but that is basically just a click.

If you want to take out a direct debit you need to be registered though, the process isn’t trivial and you need to deposit a security that can be used for a dispute. That makes it rather unlikely that the system is abused - though not impossible.


Probably depends on country, but in Poland direct debit is sometimes used for recurrent payments. It requires written permission of the account owner, and transactions can be reversed by the owner up to almost two months later.


IBANs are basically publicly available (like to pay bills, you just use the IBAN of the receiver, which doesn't change). So I imagine this requires authorization, otherwise everything would break.


In my European country checks were phased out somewhere in the mid 90s lol.


The only time I saw checks was when some American company sent me a check. I think it cost me 15 euro to cash in the check plus the time at the bank. So next time I asked if they could pay the royalties by bank transfer. Boy, American companies weren't ready for that in the early 2000s.



