The perils of payments

By Milo Yiannopoulos on November 20th, 2012

Technology commentators, together with the public, often whinge about the internet industry’s failure to solve real-world problems. But when start-ups do address pressing needs, or introduce new efficiencies or opportunities into sluggish processes, we can be ruthless about the tiniest slip-up.

Take, for example, a recent case in which east London start-up GoCardless, a payments company that enables smaller merchants to take advantage of the direct debit system, was used to take £50 from an account belonging to a charity.

According to documents seen by The Kernel, the withdrawal was made without the user providing much in the way of personal information. And many of the details given for various accounts were very similar, such as email addresses with only a few characters’ difference.

It wasn’t what you might call proper fraud: the user, who contacted The Kernel after returning the money to the charity, was making a point. But the anger and frustration expressed to us by the user, who preferred to remain anonymous, shows how sensitive people can be about finance.

£50 is a small amount of money – so small that it failed to set off GoCardless’s fraud prevention measures – but the fact that direct debit payments can be subject to misuse so apparently easily does pose a problem for young financial services firms, for whom reputation is paramount.

Banks’ traditional approach to fraud management has been to levy onerous upfront requirements on merchants who want to collect money via credit cards or direct debit payments. Just to get access to the direct debit network, one High Street bank expects £10 million a year in revenue and a three-year-old account in perfect standing.

So it can be difficult to impossible for small businesses to take advantage of such systems, which is the problem GoCardless is attempting to solve by imposing identification requirements commensurate with risk. You can set up an account very easily, but, as with PayPal, security measures drop into place quite quickly, the company says, once larger amounts are involved.

GoCardless itself is exposed to any concomitant risk, Tom Blomfield, GoCardless co-founder told The Kernel. “Consumers are completely protected. The direct debit guarantee entitles fraud victims to a same-day refund from their banks. The bank will then claim the money back from GoCardless.”

Blomfield points out something banks are only too familiar with: it’s impossible to rule out fraud altogether, and a small level of fraud loss is simply “the cost of doing business in payments”. The company says it has caught 99.5% of fraud attempts in the past 12 months – “testament to all the work we’ve done so far”.

“One recent attack attempted to steal over £60,000 from victims of identity theft. Our systems caught it in seconds, and we’re currently working with police services across the country to prosecute the gang responsible. It’s worth noting that these fraudulent payment attempts passed all of the industry-standard identity checks carried out by other direct debit providers, since real, albeit stolen, identities were used.

“It’s only our in-house fraud systems that picked up on the heightened risk and highlighted accounts for manual review.”

But some fraudulent attempts do get through, like the £50 taken from a charity. GoCardless says it will double the amount refunded to apologise for any inconvenience caused to those concerned, and points out that a second payment of £50 from the same user was stopped by their systems.

In the meantime, the company is operating in an occasionally hostile environment, with consumers who say they want more convenient ways to pay, but whose trust can be remarkably fragile. Maybe it’s understandable in a challenging economic landscape.

Our verdict in this case? Trust a scrappy start-up over a High Street bank any day of the week.