BACS and Direct Debit

10 years ago I posted about us having to re-do our payments system with only 2 months notice. That time was because of HMRC making changes that caused Lloyds to very suddenly close their BACS bureau. Scary times.

Last month we got two months notice that the BACS submission system we use (Experian) was end of life. Do these people have no clue how slow banking stuff moves?

So, the good news, my management team (Alex/Andrew) investigated a number of solutions. Most would stand no chance of being up and running in the time frame. But of a couple of options could be: one was by the company doing the Experian s/w (they took them over!) which could magically "support" the Experian system after "end of life" if we are onboarding (horrid word) their new system.

However we picked someone else - InterBACS, who are clearly technically clued up and have allowed us to get working very quickly.

What are BACS submissions?

There are two main reasons you want to send files to BACS, one if Direct Debits (getting money from people), and one is Direct Credits (paying people). Direct Debits actually have special messages for setting up and cancelling Direct Debits as well as the actual payment connection messages. These type of direct credits are usually for payroll and is the older system, not to be confused with Fast Payments. Either way the process takes two banking days, and then the money moves. A reliable system. There are also a load of BACS reports we have to get, which include reports on the submission, and on changes to Direct Debits by banks, people moving to new banks and accounts, errors, bounced Direct Debit collections, and clawed back Direct Debit payments. These can actually be downloaded from the BACS web site.

Three ways to make BACS submissions.

It looks like there are three ways to do BACS submissions (and get reports). I thought there were only the first two, but we discovered InterBACS do a third way.

1. Bureau

One of the simplest ways is dealing with a BACS bureau - they accept a file from you, and authenticate you by whatever means they agree, and they send the file to BACS for you.

In most cases they don't actually take a "file", but "manage" Direct Debits for you, so you tell them a new customer, and how much they are paying every month - they then send the notice to the customer, and do the payments, and so on. This is ideal for a gym or the like, and can mean a simple web interface to manage regular customer payments.

2. Direct submission

For direct submission you have software to send files to BACS directly. This is what we had with the Experian system. It means we have a BACS user and smart card from the bank. This is used to sign the submission file, and to log in to BACS (to send the file and get reports). The signing code only works on windows, which is a tad annoying - the only windows machine we have. This is usually cheaper than a bureau.

3. Web based direct submission

This was new to us, and what InterBACS do. They have a web based system, allowing us to upload a submission file to them. Then, via the web page, log in to BACS - they log in, but they have the web browser (or a separate app depending on the browser) do the signing for the login using the card signing and card on our windows machine. So it is logged in, remotely. Similar they do signing the submission file remotely using the card on our windows machine. They get BACS reports and allow us to download them. It means we don't have to install BACS software, just the card signing stuff from the bank, and use a browser.

The also have a bureau service, and also have a whole management package for people just wanting to set up monthly payments, etc.

HSM

There is another option, but very expensive. The bank could provide a hardware security module certificate, which we either have an (expensive) HSM, or have the certificate loaded on InterBACS's HSM. This allows the whole logging in to BACS and signing the submission without a manual use of a card and PIN. I.e. it can be fully automated. Sadly it is way too expensive to be remotely viable.

Experience with InterBACS

We picked them as they seemed clued up and very responsive. They were very quick to sort things out and the whole thing just works. So quite impressed.

Also, they were responsive when we needed minor changes - a bulk save of all reports rather than selecting each one, etc.

We are now up and running with them in only a few weeks. Indeed, in hindsight, it could have been under a week, had the deadline been even closer, but we were a little cautious with lots of testing first.

Companies bad at banking

I was discussing with a colleague the other day how so many companies are so bad with banking.

In some ways we have been lucky, but to be fair we have worked at it and made systems that work.

Your payment will not appear for 3 to 5 working days

I see this a lot when paying people - we live in a world of "fast payments", at least in the UK, and if I (personally) pay someone they will have the money within seconds. I mean technically the process can take longer, but in practice it does not.

I had some issue with a loan company for one of my kids, a settlement amount paid by fast payment and they still considered it several days later and extra interest. I was very much on their case from technical and legal points of view until they caved.

So what the hell are companies doing?

If someone pays A&A via normal UK fast payment, we have the money, and, in literally seconds, they get an emailed statement showing their account with the payment received. This is all thanks to Monzo web hooks. I am impressed with Monzo handling this well.

But even without that, there are ways to pull from Open Banking, allowing a payment to show on the banking day it arrives, but polled. Even if only polled once a day a company can see they are paid that day. Poll a couple of times and see money as it comes in during the day. It is not hard! It works for all banks.

Your refund will be in 5 to 10 working days

This is slightly harder, in some ways, as sending money generally needs more business controls.

We do BACS direct credits meaning we can send money on 2 working days if needed, and automate it all with direct submission to BACS.

In special circumstances we can do manual fast payments, but to be honest that is rarely needed from a business point of view. One day we may have that sorted too with the BACS system. But obviously such systems need careful business processes in place to avoid errors (either bugs or errors by staff).

Indeed, we automate refunds up to certain levels with two day BACS as a matter of course. But they have limits and above those I am involved (as director) confirming them.

But so many companies are so bad at this, sending cheques (wow) or "refunding DD payments". When Bulb sent me money it was dozens of payments that were each the amount of a previous DD.

Banking should be simple

I wish Open Banking had given companies and individuals control of their own bank accounts properly. They could do it all and all be like A&A. There are some companies offering this indirectly but why is Open Banking not something that is available to the account holder as standard - that would make sense.

Confirmation of Payee

UK banks have been rolling out a new confirmation of payee system recently.

The idea is relatively simple - when paying someone using your bank app or web site, you put not only the sort code and account number, but also payee name (the name of the person or business you are paying). The system can then advise if you have that right, or a "close match" which can then let you confirm the exact name.

As I have said before I think this is problematic at best - banks usually have shortened (18 characters) names for accounts, but companies and people have longer names, trading names, may use initials, or have joint accounts, and so on. It means a match may not work.

It may help typos, but then that is what check digits are for, but what concerns me even more is that scammers will simply change their tactics - telling their marks a different payee name, perhaps justifying as the holding or parent company, etc. That will then match. Indeed, I expect scammers to be slick and make paying them really easy, but normal businesses and individuals to run in to problems.

Just to highlight how stupid this is - I sent a payment from Barclays to Monzo, and Barclays set the payer name in that case to KENNARD AJ. I then sent payment back on Monzo, and it went through confirmation of payee on the (pre-filled) details, and Barclays failed to validate KENNARD AJ as my account name, not even a suggested alternative, even though it is what they sent!!!

This type of stupidity, where you have pre-filled or known correct details totally failing, will get people just doing "click through" of errors and warnings as a matter of course, just like cookie warnings. Some people will have so much trouble they tell payers "just ignore any errors". However, the fraudsters will know exactly how to make it work perfectly and what to tell people. This almost makes it worse than before!

Of course, as you may know, my company is Andrews & Arnold Limited, and like other companies with an ampersand in the company name, we have the occasional issue. Some times it is silly things like a delivery address on a parcel saying Andrews & Arnold Ltd or some such, but some times it is more severe, such as BTs back end systems simply not working for us initially as they forgot to escape the ampersand in XML.

I should not have been surprised, obviously, that the new confirmation of payee system would have issues. I am however shocked at quite how bad it is, and how it seems that several different banks are broken in different ways.

First off, the good guys - Lloyds bank. The app allows me to enter Andrews & Arnold Ltd as the company name, and confirms it is correct - yay!

 

Well done Lloyds, but other banks are more of a challenge!

Barclays web page was OK, but the app does not allow you to even type an ampersand in the name. This is crazy as an ampersand is not some new fangled unicode emoji, but something that is valid in ASCII, BACS, Fast Payments, even old fashioned mechanical typewriters. Apparently it dates back to the 1st century AD!

It seems Nat West mobile app allows an ampersand but then does not match, and we have reports of the same from Co-op bank.

The other odd issue is that when the account does not match, in some cases, the actual account name is advised, and you can pick that. The problem is that what gets advised is ANDREWS ARNOLD LIMITED,ANDREWS ARNOLD LTD



Of course, this long string with something like our name (missing ampersand) twice, does not then match even though it is what was suggested.

The solution?

Update1: By the end of the day of reporting this, Monzo had made a change that helps. The suggested name is now just ANDREWS ARNOLD LIMITED, and using the suggested name now works. This should stop customers having problems as they don't have to ignore the warning now.

Monzo are still working on the ampersand in the suggested name.
Barclays have not said any more, but obviously they need to allow ampersand to be typed.

P.S. It will be fun if ever Companies House allow unicode... Andrews ⅋ Arnold, anyone?

Case study: Payments and trust (Monzo)

Credit (and debit) cards are immensely useful, and I am even more appreciative of them after the fiasco with a holiday refund. Amex were great.

But there is always a balance of trust with customer and supplier, and a range of ways to manage that. Cards provide a good means to handle suppliers that fail. Direct Debits also offer some high level of bias towards the customer, which is very important because of how easy it is to collect payments. This ability to claim for a mistake helps ensure Direct Debits are rarely used for fraud.

For the most part, whichever type of payment is used, where supplier and customer are both honest, all goes well. Sadly when one or the other is not so honest, or even something unexpected, like a global pandemic, happens, the way you pay for things matters.

But some times, as a supplier, you want a reliable payment that you know cannot be clawed back or reversed. This is, of course, a huge bias towards the supplier, and away from the customer, but it is also rather "traditional" in that cash payment was always irreversible.

Bank transfers via BACS, or fast payments, provide this - they are like cash, and generally impossible to reverse as the person paying. Obviously the person paid can send money back if they want. They do create an audit trail, you know where the money went (unlike cash), which helps with any possible fraud.

As a business we do a lot with Direct Debits. This puts a lot of control in the hands of the customer who can make a DD guarantee claim at any time, and we would have to reimburse the bank. Thankfully this is rare, but it does allow some opportunity for fraud by a rogue customer using someone else's bank details. This is one reason why suppliers are expected to check the bank details of new DD instructions where they can. That is not so easy.

Thankfully Monzo have opened up an interesting new option for us - a deposit by fast payment!

We have started asking for a deposit, for new accounts, optionally, for some services (VoIP and L2TP). Just £10 paid by bank transfer as part of the order process. We see it instantly, and it provides the bank details for setting up the Direct Debit for on-going payment.

We have even set it up so that we will automatically send the money back in a few days if the order does not go through.

Whilst we face very little fraud, we have found some services, like VoIP, have had issues. Providing the service instantly, even in the middle of the night, means that false/fraudulent details do not show up for a couple of days, or much longer. Until now we have actually blocked some types of out-of-hours VoIP orders because of this, which is not ideal.

Taking payment by card would be an option, but that too is rather biased to the card holder, and does not allow us to validate bank details for Direct Debit. We have had cases of card fraud too.

The deposit is optional, but we are making it so that the order can go ahead instantly if you make a deposit. At the end of the day this is not about the £10, it is that a scammer will not want to send any money. If it is their account, those account details can go to the police if there is fraud. They are creating much more of a paper trail by sending money. Of course if they have compromised someone else's account they can send a deposit, but I am sure they have more interesting things they can send money towards than our services in such cases. I hope so.

This means we have opened up the VoIP ordering at any time of day if you pay a small deposit. Ongoing payments are then by Direct Debit, which give the customer a lot of control if we do anything wrong, but we are able to ensure we have the right bank details that match the deposit. It seems to me to be a good trade off - the trust/risk is biased to us for first £10 and then to customer ongoing by Direct Debit.

We have been running it for a few days, and in spite of it very clearly being optional, so far, every new customer has chosen to pay a deposit - which is really great news. Apart from one test we ran to ensure we do auto-refund, nobody has given up on an order after paying a deposit, either.

It is a very different approach to taking credit cards, which is so common these days, and I think it is working well. And it is all down to Monzo providing the instant feedback for us via a web hook for the incoming payment.

If someone does not want to pay a deposit, that is fine, but it means accounts staff checking the order during office hours, and adds a small delay. So it is a choice people can make if they want, either way.

I am really pleased that Monzo have meant this is now possible. It is a shame the major existing banks did not think it worth while providing this level of control and information to their customers really. Well done Monzo!

P.S. Sales pitch - if you are a business and need this type of integration, we know people that can help you (some A&A customers we work with).

Monzo Business Account

Finally, Monzo have launched a business account.

I have taken the step of moving the incoming payments account for customers paying us (AAISP) to Monzo. This means we have updated the account details people see on invoices and statements and on the web site, and we are working on a "redirect" for the old Barclays account.

This is not a decision I have taken lightly. We rely on people paying us money, but thankfully a lot of that is via Direct Debit (for which we use Lloyds). But quite a lot of money comes in via bank transfers to us. I appreciate people prefer this than Direct Debit in many cases as I know a lot of companies are nowhere near as pedantic in following the Direct Debit rules as we are.

Up until now, payments arrive at Barclays and we can download a statement. At various points in the past I have managed to screen scrape that on Barclays, but that is not ideal and for a couple of years it has meant I log in every day, even when on a cruise ship in the Pacific! Either way, all we get is a CSV file up to the end of the previous day.

We can then load that in to the accounts to record who has paid us, and how much.

Fraud

It is always a concern advising customers of new bank details as this is the way a lot of frauds work. So we are asking customers to check our web site to confirm details, as well as digitally signed invoices and statements. https://www.aa.net.uk/legal/bacs-payments/

Also, of course, now it is all real time, customers can easily sent say £1 deposit and see on their on-line account at A&A that it has arrived. This is very sensible, and thanks to the customers doing this to be sure.

Real time

Changing to Monzo for incoming payments is a huge difference. We have a simple means to have web hooks which means Monzo send us a secure post of the details of the transaction as it happens.

And I mean real time here - before the sender has seen on their mobile or web banking app even that the payment has gone, we know we have the money! It is impressive.

This is also very robust, retrying if we don't answer, and we can reload all transactions if we need. They have a unique reference on each transaction too, unlike Barclays where no unique reference meant it was tricky if someone paid the same amount twice on the same day.

Barclays even have a limit on how many transactions are in the statement, which meant that at one point it was impossible to download the previous days transactions. When that happened we set up two accounts for people paying us to keep the daily total below the limit. Crazy. Direct Debit solved that, but it shows how behind the times banks are. As far as I know, that limit (I think 300, off the top of my head) still applies.

Moving to Monzo makes a big difference for our accounts staff as it mean they can see people have paid in real time. This avoids delay sending equipment and any delay enabling, or re-enabling, a service that has been suspended.

Payer details

We also get proper payer details, notably sender sort code and account number. This means that when people forget to put the right reference on the payment we can often find the account based on their bank details. Remember that when you used a cheque in the past you gave your bank details on the cheque.

This helps with privacy as well, as our accounts staff can be looking at the customer account and not a general "company bank account". Only if the payment does not match anyone do we put it in a suspense account to be allocated.

In those rare cases of a random, unexplained, payment to us, we used to be a tad stuck. We have had money from someone listed as "CURRENT ACCOUNT" before now, and nobody complaining they had paid and we had not seen it. What do you do? Well, now, we can, simply, send back to the sort code and account from which it came, if all else fails. That said, we also get more of the payer name as Fast Payments have longer fields that are not truncated to 18 characters used by BACS (and what Barclays gave us).

Opportunities

The process also allows some opportunities, which we are working on. Some of our services are, sadly, prone to fraudulent orders. We manage these quite well both automatically and with manual checks by our accounts staff, but this means, for example, you cannot order 07 VoIP numbers from us outside some restricted office hours, and there are some services we don't sell on-line yet.

Live incoming payments would allow many of these services to be activated immediately if we get a small deposit by bank fast payment, and also allow us to confirm the details for subsequent Direct Debit.

Obviously we can make this optional - allowing customers that would rather talk to our accounts staff and delay activating a service, to do so. But it would allow people to order services any time, day or night, and have them immediately activated if they are prepared to send a small deposit by on-line banking.

I'm not sure when we will have that in place, but Monzo make it possible.

Stupidity tax?

This is largely a rant as I am the one that sorts the unreconcilable banking stuff on our system - mostly passing it on to the accounts department. But ultimately I am the only one with access to the actual bank - the company is small enough that it makes sense to work that way. So when things appear on the daily statement that cannot be automatically processed, I have to decide what to do.

Some days, rarely, there is nothing to check, but most days there is something, and it is almost always customers being a tad annoying.

We mostly collect payment by Direct Debit, which "just works" - however we allow payment by bank transfer at no extra cost (though some packages are DD only). Basically, some people do not trust Direct Debit, and I know why. We don't trust it - or to be more accurate we don't trust all of our suppliers to actually do Direct Debit in accordance with the rules. It is a sad state of affairs as the rules are actually very clear and simple, and allow claw-back if not followed. When we do Direct Debit we make damn sure we are following the rules. However, if someone wants to pay us by bank transfer they can. I really do understand. We have many people doing that correctly and on time.

The only stipulation we have is that they complete the correct beneficiary reference on the payment. Well, of course, they also have to do the right sort code and account number, but the reference is for our benefit. It is to allow us to assign the payment correctly.

I had one today and it wound me up - hence the post. The customer pays quarterly and uses normal 2 day BACS transfers, and normally pays on time.

They never send the right reference, in fact they send "0". We do not get sender sort code and account from our bank, so we have to make some guess and generally I have to make the assignment of their payment manually. We charge £5 for doing so - it is manual work we should not have to do.

So is it unfair that we insist on the correct reference on the payment?

I really do not think so - at the end of the day that is why the reference exists, and there are so many organisations you have to pay that also insist on the correct reference: Gas, Electric, Water, Telephone, Rates, VAT, PAYE, and many more. Companies have to have a way to send payments with the right beneficiary reference else they have some serious problems paying the most basic things like VAT and Rates. We are no different.

The one today was extra special. It was a company that usually pays on time but never uses the right reference. As such we charge £5, but to make it easy we include that as a line item in the next bill and not a separate invoice. If we made it a separate invoice you have an infinite loop of paying that without the correct reference and again being invoiced. We saw that happen once when we made it a separate invoice - very sad - we did not have the heart to keep it going and so changed the system.

But occasionally this organisation also pays late and so gets a late payment invoice (typically £40) and then a separate invoice when they pay, for the interest. In this case it was for 3p. This is all according to statute for late payment of commercial debts. If you don't like it, pay on time, duh!

What was especially sad is they sent a BACS payment for the 3p. BACS works for 1p to £10million. They did not send £40.03 to cover both invoices, but just 3p, leaving the £40 overdue. They will end up with a £5 charge on the next invoice for paying 3p without a reference - a £5 charge for my time and the accounts team's time handling the payment with not reference (bargain). They probably pay bank charges to send the 3p that is a lot more than 3p!

It is sad that large company bureaucracy can end up like this - just paying - not even complaining - paying for their own failings time and time again.

I think the £5 charge is fair. I dislike having to faff around every day (even when on the North Sea) to do bank reconciliation, and then paying accounts staff as well. It costs money and is avoidable - just use the right reference. It is even the same every time (the A...A account number) but we are flexible and can handle the I...A invoice number if preferred. This is not a way for us to make extra money at the expense of companies that are inept, honest.

Even so, this is verging on a stupidity tax, and so it is scary...