Fraud Prevention: Blocking Mandates

Blocking a DD mandate

This guide shows how to block a Direct Debit mandate.

Overview

Merchants experience fraud through a number of different channels. Oftentimes, particularly for chargebacks, they notice similar payers signing up, again and again, to try and defraud them. Until now merchants did not have a way for blocking these fraudulent payers. This feature provides the capability for merchants to create a blocklist for fraudulent payers based on email_idemail_domain, and bank_account. We match against this blocklist when the payer is setting up the mandate and block the mandate if there is a match.

What can be blocked?

The blocking feature is applicable only for Direct Debit mandates and can be used across all schemes except for the faster_payments. Instant Bank payments(IBP) will not be blocked. For Instant First Payment where the DD mandate is set up along with the IBP, only the DD mandate will be blocked, the IBP will be allowed to go through successfully.

Effect on API Integration

There are no breaking changes for any of the API integrations and merchants need not do anything from their side. The customer would see the success screen when going through the billing request flow or any Payment Pages which means that they have completed the flow but the mandate would fail later on. This would be similar to failed and cancelled mandate.

Effect of blocking on payments, subscriptions, and instalment_schedules

Once a mandate is transitioned to a blocked state it becomes inactive and behaves similar to cancelled and failed mandates. We will not be able to create any payments or subscriptions. Blocking has no impact on existing mandates and payments. Only new mandates set up after the block is in place will be impacted.

Adding details to blocklists

This can be done by following the instructions for the Block API here

There is also a support interface, details about this can be found here

Notifications

Payer notification

An email notification is sent to the customer when the mandate is blocked. There won’t be any changes to any of the payment pages and the payer will see the success screen. However, we do not tell the customer explicitly that they have been blocked by the organisation in order to avoid them trying different email addresses or bank accounts. We provide the mandate_id as a reference code to the payer in the email which they can use to contact the merchant.

Merchant notification

mandate_blocked webhook notification is sent to the merchant when the mandate is blocked.

1 { 2 "events": [ 3 { 4 "id": "EV123", 5 "created_at": "2014-08-03T12:00:00.000Z", 6 "action": "mandate_blocked", 7 "resource_type": "mandates", 8 "links": { 9 "payment": "MD123" 10 }, 11 "details": { 12 "origin": "gocardless", 13 "cause": "mandate_blocked", 14 "description": "The mandate has been blocked, because the customer's details have been found in the blocked list provided by you. This mandate cannot be unblocked and payments cannot be created against it" 15 } 16 } 17 ] 18 }

Retrieving blocked mandates

Dashboard

Merchant can filter for mandate blocked events in the events tab of the enterprise dashboard. This will list all the mandates blocked.

API

Send GET API request to mandate endpoint with below filter

GET https://api.gocardless.com/mandates?status=blocked

OR send API request to the events endpoint with the below query parameters

GET https://api.gocardless.com/events?resource_type=mandates&action=blocked

Retrieve the block state of a give mandate_id

Dashboard

API

Send GET API request to mandate endpoint. The status of the mandate will be blocked

1 GET https://api.gocardless.com/mandates/MD0000S2KNTB2V 2 3 { 4 "mandates": { 5 "id": "MD0000S2KNTB2V", 6 "created_at": "2021-09-01T15:36:09.104Z", 7 "reference": "ANKITHATEST-3YD936", 8 "status": "blocked", 9 "scheme": "bacs", 10 "next_possible_charge_date": null, 11 "payments_require_approval": false, 12 "metadata": {}, 13 "links": { 14 "customer_bank_account": "BA0000S4DSSHQK", 15 "creditor": "CR00008AWM8AC8", 16 "customer": "CU00018NMYB3H1" 17 } 18 } 19 }

Unblocking payers

What can be done if there is a false positive?

Since a mandate can not be unblocked, the merchant has to disable the block for this payer and ask the payer to set up the mandate again.

Alternatively, merchants using the Billing Request Flow or who have done the Custom Payment Pages integration using Billing Request can follow the below steps to set up the mandate again and to reduce the number of steps the payer has to go through.

Using the Billing Request Flow
Step 1: Create a new billing request

Pass the customer_id and bank_account_id to create a new billing request.

1 POST https://api.gocardless.com/billing_requests 2 "billing_requests": { 3 "mandate_request": { 4 "currency": "GBP" 5 // "scheme": "bacs" 6 } 7 "links": { 8 "customer": "CU000176GQ2BXM" 9 "bank_account": "BA123456789" 10 } 11 }
Step 2a: Create a Billing Request flow.

Since we already have the customer and bank_account the payer need not fill out the form. The payer only has to confirm the details.

1 POST https://api.gocardless.com/billing_request_flows 2 3 { 4 "billing_request_flows": { 5 "auto_fulfil": true, 6 "lock_bank_account": true, 7 "lock_customer_details": true, 8 "links": { 9 "billing_request": "" 10 } 11 } 12 }
Step 2b-1: For Custom payment pages (Using the Billing Request API)

Confirm the customer and bank account details

1 POST https://api.gocardless.com/billing_requests/BR12345678/actions/confirm_payer_details 2

Fulfil the billing request

1POST https://api.gocardless.com/billing_requests/BR12345678/actions/fulfil 2
Step 2b-2: For Custom payment pages (Using Direct Debit APIs)

If you create mandates using the 3 endpoints - customer createbank account create and mandate create

Since the customer and bank_account are already available the merchant have to only create the mandate using mandate create API

1POST https://api.gocardless.com/mandates HTTP/1.1 2{ 3 "mandates": { 4 "scheme": "bacs", 5 "links": { 6 "customer_bank_account": "BA123" 7 } 8 } 9}

Supporting mandates set up outside of your product

Responding to mandate events

Importing mandates from another provider

Need help?