This guide shows how to block a Direct Debit mandate.

Note: This feature is currently only available to approved integrators - please get in touch if you would like to use the Block API.

Overview

Merchants experience fraud through a number of different channels. Often times, particularly for chargebacks, they notice similar payers signing up again and again to try and defraud them. Until now merchants did not have a way for blocking these fraudulent payers. This feature provides the capability for merchants to create a blocklist for fraudulent payers based on email_id, email_domain, and bank_account. We match against this blocklist when the payer is setting up mandate and block the mandate if there is a match.

What can be blocked?

The blocking feature is applicable only for Direct Debit mandates and can be used across all schemes except for the faster_payments. Instant Bank payments(IBP) will not be blocked. For Instant First Payment where the DD mandate is set up along with the IBP, only the DD mandate will be blocked, the IBP will be allowed to go through successfully.

Effect on API Integration

There are no breaking changes for any of the API integrations and merchant need not do anything from their side. The customer would see the success screen when going through the billing request flow or any Payment Pages which means that they have completed the flow but the mandate would fail later on. This would be similar to failed and canceled mandate.

Effect of blocking on payments, subscriptions, and instalment_schedules

Once a mandate is transitioned to a blocked state it becomes inactive and behaves similar to canceled and failed mandates. We will not be able to create any payments or subscriptions. Blocking has no impact on existing mandates and payments. Only new mandates setup after the block is in place will be impacted.

Adding details to block lists

This can be done by following the instructions for the Block API here

There is also a support interface, details about this can be found here

Notifications

  • Payer notification

    An email notification is sent to the customer when the mandate is blocked. There won’t be any changes to any of the payment pages and the payer will see the success screen. However, we do not tell the customer explicitly that they have been blocked by the organisation in order to avoid them trying different email address or bank account. We provide the mandate_id as a reference code to the payer in the email which they can use to contact the merchant.

    block_lists

  • Merchant notification

    mandate_blocked webhook notification is sent to the merchant when the mandate is blocked.

      {
          "events": [
                {
                  "id": "EV123",
                  "created_at": "2014-08-03T12:00:00.000Z",
                  "action": "mandate_blocked",
                  "resource_type": "mandates",
                  "links": {
                    "payment": "MD123"
                  },
                  "details": {
                    "origin": "gocardless",
                    "cause": "mandate_blocked",
                    "description": "The mandate has been blocked, because the customer's details have been found in the blocked list provided by you. This mandate cannot be unblocked and payments cannot be created against it"
                  }
                }
          ]
      }
    

Retrieving blocked mandates

  • Dashboard

Merchant can filter for mandate blocked events in the events tab of the enterprise dashboard. This will list all the mandates blocked. block_lists

  • API

    Send GET API request to mandate endpoint with below filter

    GET https://api.gocardless.com/mandates?status=blocked
    

    OR send API request to the events endpoint with the below query parameters

    GET https://api.gocardless.com/events?resource_type=mandates&action=blocked
    

Retrieve the block state of a give mandate_id

  • Dashboard

Search for the mandate_id in the dashboard and under the mandate history section we can see the transition to blocked state block_lists

  • API

    Send GET API request to mandate endpoint. The status of the mandate will be blocked

      GET https://api.gocardless.com/mandates/MD0000S2KNTB2V
    
      {
          "mandates": {
              "id": "MD0000S2KNTB2V",
              "created_at": "2021-09-01T15:36:09.104Z",
              "reference": "ANKITHATEST-3YD936",
              "status": "blocked",
              "scheme": "bacs",
              "next_possible_charge_date": null,
              "payments_require_approval": false,
              "metadata": {},
              "links": {
                  "customer_bank_account": "BA0000S4DSSHQK",
                  "creditor": "CR00008AWM8AC8",
                  "customer": "CU00018NMYB3H1"
              }
          }
      }
    

Unblocking payers

  • What can be done if there is a false positive?

    Since a mandate can not be unblocked, the merchant has to disable the block for this payer and ask the payer to set up the mandate again.

    Alternatively, merchants using the Billing Request Flow or who have done the Custom Payment Pages integration using Billing Request can follow the below steps to set up the mandate again and to reduce the number of steps the payer has to go through.

    1. Pass the customer_id and bank_account_id to create a new billing request.

       POST https://api.gocardless.com/billing_requests
       "billing_requests": {
               "mandate_request": {
                   "currency": "GBP"
                   // "scheme": "bacs"
               }
               "links": {
                   "customer": "CU000176GQ2BXM"
                   "bank_account": "BA123456789"
               }
           }
      
    2. There are 2 options here

      • If you’ve built your own payment pages
        • Using Billing Request API

          Confirm the customer and bank account details

            POST https://api.gocardless.com/billing_requests/BR12345678/actions/confirm_payer_details
          

          Fulfill the billing request

          POST https://api.gocardless.com/billing_requests/BR12345678/actions/fulfil 
          
        • If you create mandates using the 3 endpoints - customer create, bank account create and mandate create

          Since the customer and bank_account are already available the merchant have to only create the mandate using mandate create API

          POST https://api.gocardless.com/mandates HTTP/1.1
          {
            "mandates": {
              "scheme": "bacs",
              "links": {
                "customer_bank_account": "BA123"
              }
            }
          }
          
      • Using Billing Request flow

        Create a Billing Request flow. Since we already have the customer and bank_account the payer need not fill the form. The payer only has to confirm the details.

          POST https://api.gocardless.com/billing_request_flows
        
          {
            "billing_request_flows": {
              "auto_fulfil": true,
              "lock_bank_account": true,
              "lock_customer_details": true,
              "links": {
                "billing_request": ""
              }
            }
          }
        

Organisation

  • Can the blocklist created by one organisation be used by another organisation?

    Blocklist is created per organisation. For example, if an email is blocked by organisation A then the mandate set up will be blocked if the payer is setting up the mandate for org A with this email. If the same payer sets up the mandate using the same email for org B then this mandate creation will not be blocked.