Billing Requests: Verified Mandates

Collect Verified Mandates

This guide shows how to create a Verified Mandate by creating a Billing Request which opts-into customer bank account verification, and sending the customer through a GoCardless hosted Billing Request Flow to complete the verification.

By verifying the customer has access to the bank account the Direct Debit mandate will be created against, you can protect yourself against fraudulent payers.

Before we begin: Availability and Preference

Verified Mandates use different mechanisms depending on the scheme of the mandate in the Billing Request.

Here is a full list of supported Bank Debit schemes, whether a verification mechanism is available, and whether scheme compliance requires a customer to perform the verification.




Required by Scheme

🇺🇸 ACH




🇸🇪 Autogiro




🇬🇧 Bacs












🇩🇰 Betalingsservice




🇨🇦 PAD




🇪🇺 SEPA Core


Germany 🇩🇪 (coming soon for France 🇫🇷)


To request verification for your mandate, you must set the verify attribute of the mandate_request to a level that matches your preference.

Verification preference can be one of:

  • minimum: only verify if absolutely required, such as when part of scheme rules

  • recommended: in addition to minimum, use Protect+ to decide if a payer should be verified

  • when_available: if verification mechanisms are available, use them

  • always: as when_available, but fail to create the Billing Request if a mechanism isn't available

By default, all Billing Requests use the recommended verification preference. It uses Protect+ to determine if a payer is fraudulent or not. The verification mechanism is based on the response and the payer may be asked to verify themselves. If the feature is not available, recommended behaves like minimum.

If you never wish to take advantage of Protect+ and Verified Mandates as they are released in new schemes, please use the minimum verification preference.

Let us know you’re interested


In this how-to, we'll opt for when_available to ensure we apply the verification if the scheme supports it. And as per our availability, we'll be creating a bacs mandate, as that scheme supports verification.

Let's begin!

Goal - Create a Direct Debit mandate using Billing Request

Engineering complexity - Easy

Time taken - 15 minutes

Use the Create a Billing Request endpoint:

1$client = new \GoCardlessPro\Client(array( 2 'access_token' => 'your_access_token_here', 3 'environment' => \GoCardlessPro\Environment::SANDBOX 4)); 5 6$client->billingRequests()->create([ 7 "params" => [ 8 "mandate_request" => [ 9 "scheme" => "bacs", 10 "verify" => "when_available" 11 ] 12 ] 13]);

This will create a new Billing Request, asking for a Bacs mandate and requesting a when_available verification preference.

The response will look like this:

{ "billing_requests": { "id": "BRQ123", "status": "pending", "mandate_request": { "currency": "GBP", "scheme": "bacs", "verify": "when_available" }, "actions": [ { "type": "bank_authorisation", "required": true, "status": "pending" } ] } }

As Bacs supports verification, you’ll see we have a bank_authorisation action in the Billing Request response. Note the action is required, which means we cannot fulfil this request without first completing the bank authorisation.

We can use Billing Request Flows to generate a checkout flow that guides the payer through these actions, including the verification via bank authorisation.

Goal - Create a Billing Request Flow that can be used for your customer to authorise payments

Engineering complexity - Easy

Time taken - 15 minutes

Billing Request Flows can be created against Billing Requests, and provide an entry into a hosted GoCardless flow that completes whatever actions remain against the request.

Create a Billing Request Flow to retrieve a link that can be provided to your customer to complete the request:

1$client = new \GoCardlessPro\Client(array( 2 'access_token' => 'your_access_token_here', 3 'environment' => \GoCardlessPro\Environment::SANDBOX 4)); 5 6$client->billingRequestFlows()->create([ 7 "params" => [ 8 "redirect_uri" => "", 9 "exit_uri" => "", 10 "links" => [ 11 "billing_request" => "BRQ123" 12 ] 13 ] 14]);

This returns a new flow, which has an authorisation_url you should send to your customer:

1{ 2 "billing_request_flows": { 3 "authorisation_url": "<br_id>", 4 "lock_customer_details": false, 5 "lock_bank_account": false, 6 "auto_fulfil": true, 7 "created_at": "2021-03-30T16:23:10.679Z", 8 "expires_at": "2021-04-06T16:23:10.679Z", 9 "redirect_uri": "", 10 "links": { 11 "billing_request": "BRQ123" 12 } 13 } 14} 15

Share your authorisation link from the response in Step 02, via a button on your website, SMS, email, or any other way you like.

Preview what your customer will see by following the steps below.

What the customer will see

When the customer opens the authorisation link, they'll see a form that goes through the following steps. The example is shown for the 🇬🇧 Bacs scheme.

Note: This screen is skipped if the details already exist, or the customer details have been locked.

Collect customer details in order to complete the billing request.

Optional step: This step is only required when verify is set to recommended or minumum.

Collect customer bank account details in order to complete the billing request

Optional step: This step is required only when verify is set to always or when_available. It is also required for the Bacs scheme with recommended option.

Select bank in order to complete the billing request

Customers can start the verification process by clicking Agree and continue and scanning the QR code.

This is an example of a possible verification mechanism, but different schemes and banks have different flows, and we reserve the right to change the mechanism to better suit specific schemes or business needs.

The customer should log in to their bank account and authorise GoCardless to read their details. This is an example of the Monzo mobile flow.

Optional step: This step is required only if the payer provided consent to access multiple accounts eligible for Direct Debit set up.

The customer should select the bank account they would like to set up Direct Debit with.

Preview the details and Direct Debit guarantee (changes per scheme) before agreeing to set up the mandate.

Everything has been set up, and we show a success screen before redirecting back to the Billing Request Flow redirect_uri.


The Direct Debit mandate has now been created, and the Billing Request is fulfilled. Note that the mandate will have a verified_at timestamp set to the last successful verification, which can be used to identify which mandates have been verified.

You can use the Create Payments endpoint to create new payments against the mandate or use the mandate in other resources such as when Creating a Subscription.

Examples in other schemes

For the ACH scheme, the verification is processed by the external provider.

For the Autogiro scheme, it is a requirement to put all the payers setting up the Direct Debit Mandate through BankId verification. This means you will need the Verified Mandates upgrade enabled in order to have mandates set up in the Autogiro scheme.

Frequently asked questions

Set the verify option on the billing_request to always to test the flow.

This means that the institution the payer is trying to use is not supported by our Account Information Service (AIS) provider.

A timestamp for authorised_at will be set on the bank_authorisation resource for the billing request. The created mandate will also include a 'verified' badge next to the Mandate verification status on the merchant dashboard.

What’s next?

First instant payment with mandate Direct Debit set up

Get started

Collect Direct Debit Mandates

Billing Request overview

For partners

Go to Partner PortalTo learn more about technical and UX requirements

Need help?