2023-12-17

BACS and Direct Debit

10 years ago I posted about us having to re-do our payments system with only 2 months' notice. That time was because of HMRC making changes that caused Lloyds to very suddenly close their BACS bureau. Scary times.

Last month we got two months' notice that the BACS submission system we use (Experian) was end of life. Do these people have no clue how slow banking stuff moves?

So, the good news: my management team (Alex/Andrew) investigated a number of solutions. Most would stand no chance of being up and running in the time frame. But a couple of options could be: one was by the company doing the Experian s/w (they took them over!) which could magically "support" the Experian system after "end of life" if we are onboarding (horrid word) their new system.

However we picked someone else - InterBACS, who are clearly technically clued up and have allowed us to get working very quickly.

What are BACS submissions?

There are two main reasons you want to send files to BACS: one is Direct Debits (getting money from people), and one is Direct Credits (paying people). Direct Debits actually have special messages for setting up and cancelling Direct Debits as well as the actual payment connection messages. This type of Direct Credit is usually for payroll and is the older system, not to be confused with Fast Payments. Either way the process takes two banking days, and then the money moves. A reliable system. There are also a load of BACS reports we have to get, which include reports on the submission, and on changes to Direct Debits by banks, people moving to new banks and accounts, errors, bounced Direct Debit collections, and clawed back Direct Debit payments. These can actually be downloaded from the BACS web site.

Three ways to make BACS submissions.

It looks like there are three ways to do BACS submissions (and get reports). I thought there were only the first two, but we discovered InterBACS do a third way.

1. Bureau

One of the simplest ways is dealing with a BACS bureau - they accept a file from you, and authenticate you by whatever means they agree, and they send the file to BACS for you.

In most cases they don't actually take a "file", but "manage" Direct Debits for you, so you tell them a new customer, and how much they are paying every month - they then send the notice to the customer, and do the payments, and so on. This is ideal for a gym or the like, and can mean a simple web interface to manage regular customer payments.

2. Direct submission

For direct submission you have software to send files to BACS directly. This is what we had with the Experian system. It means we have a BACS user and smart card from the bank. This is used to sign the submission file, and to log in to BACS (to send the file and get reports). The signing code only works on Windows, which is a tad annoying - the only Windows machine we have. This is usually cheaper than a bureau.

3. Web based direct submission

This was new to us, and is what InterBACS do. They have a web based system, allowing us to upload a submission file to them. Then, via the web page, log in to BACS - they log in, but they have the web browser (or a separate app depending on the browser) do the signing for the login using the card signing and card on our Windows machine. So it is logged in, remotely. Similarly, they do the signing of the submission file remotely using the card on our Windows machine. They get BACS reports and allow us to download them. It means we don't have to install BACS software, just the card signing stuff from the bank, and use a browser.

They also have a bureau service, and also have a whole management package for people just wanting to set up monthly payments, etc.

HSM

There is another option, but very expensive. The bank could provide a hardware security module certificate, for which we either have an (expensive) HSM, or have the certificate loaded on InterBACS's HSM. This allows the whole logging in to BACS and signing the submission without manual use of a card and PIN. I.e. it can be fully automated. Sadly it is way too expensive to be remotely viable.

Experience with InterBACS

We picked them as they seemed clued up and very responsive. They were very quick to sort things out and the whole thing just works. So quite impressed.

Also, they were responsive when we needed minor changes - a bulk save of all reports rather than selecting each one, etc.

We are now up and running with them in only a few weeks. Indeed, in hindsight, it could have been under a week, had the deadline been even closer, but we were a little cautious with lots of testing first.

5 comments:

  1. Would something like a YubiHSM do the job, rather than getting a “full” HSM? I appreciate the question is probably moot now!

    1. You can guarantee it has to be a bank approved HSM. And even if the HSM was cheap the certificate for it, per year, is silly money from the bank, even though no different to a certificate in a smart card.

  2. Out of interest did you consider GoCardless? I wonder if they can only handle small numbers of customers though rather than the, presumably, thousands of DDs you process every month.

    1. That looked way more expensive for us.

    2. I've used GoCardless in the past, they've been fine, and I've been involved in projects where they have been used at large scale but they are expensive for that purpose compared to managing BACS yourself.

