Fraud Prevention: Blocking Mandates
Blocking a DD mandate
This guide shows how to block a Direct Debit mandate.
Overview
Merchants experience fraud through a number of different channels. Oftentimes, particularly for chargebacks, they notice similar payers signing up, again and again, to try and defraud them. Until now merchants did not have a way for blocking these fraudulent payers. This feature provides the capability for merchants to create a blocklist for fraudulent payers based on email_id, email_domain, and bank_account. We match against this blocklist when the payer is setting up the mandate and block the mandate if there is a match.
What can be blocked?
The blocking feature is applicable only for Direct Debit mandates and can be used across all schemes except for the faster_payments. Instant Bank payments(IBP) will not be blocked. For Instant First Payment where the DD mandate is set up along with the IBP, only the DD mandate will be blocked, the IBP will be allowed to go through successfully.
Effect on API Integration
There are no breaking changes for any of the API integrations and merchants need not do anything from their side. The customer would see the success screen when going through the billing request flow or any Payment Pages which means that they have completed the flow but the mandate would fail later on. This would be similar to failed and cancelled mandate.
Effect of blocking on payments, subscriptions, and instalment_schedules
Once a mandate is transitioned to a blocked state it becomes inactive and behaves similar to cancelled and failed mandates. We will not be able to create any payments or subscriptions. Blocking has no impact on existing mandates and payments. Only new mandates set up after the block is in place will be impacted.
Adding details to blocklists
This can be done by following the instructions for the Block API here
There is also a support interface, details about this can be found here
Notifications
Payer notification
An email notification is sent to the customer when the mandate is blocked. There won’t be any changes to any of the payment pages and the payer will see the success screen. However, we do not tell the customer explicitly that they have been blocked by the organisation in order to avoid them trying different email addresses or bank accounts. We provide the mandate_id as a reference code to the payer in the email which they can use to contact the merchant.
Merchant notification
mandate_blocked webhook notification is sent to the merchant when the mandate is blocked.
1 {
2 "events": [
3 {
4 "id": "EV123",
5 "created_at": "2014-08-03T12:00:00.000Z",
6 "action": "mandate_blocked",
7 "resource_type": "mandates",
8 "links": {
9 "payment": "MD123"
10 },
11 "details": {
12 "origin": "gocardless",
13 "cause": "mandate_blocked",
14 "description": "The mandate has been blocked because the customer's details matched against an entry in the blocklist populated by you."
15 }
16 }
17 ]
18 }Retrieving blocked mandates
Dashboard
Merchant can filter for mandate blocked events in the events tab of the enterprise dashboard. This will list all the mandates blocked.
API
Send GET API request to mandate endpoint with below filter
GET https://api.gocardless.com/mandates?status=blocked
OR send API request to the events endpoint with the below query parameters
GET https://api.gocardless.com/events?resource_type=mandates&action=blocked
Retrieve the block state of a give mandate_id
Dashboard
API
Send GET API request to mandate endpoint. The status of the mandate will be blocked
1 GET https://api.gocardless.com/mandates/MD0000S2KNTB2V
2
3 {
4 "mandates": {
5 "id": "MD0000S2KNTB2V",
6 "created_at": "2021-09-01T15:36:09.104Z",
7 "reference": "ANKITHATEST-3YD936",
8 "status": "blocked",
9 "scheme": "bacs",
10 "next_possible_charge_date": null,
11 "payments_require_approval": false,
12 "metadata": {},
13 "links": {
14 "customer_bank_account": "BA0000S4DSSHQK",
15 "creditor": "CR00008AWM8AC8",
16 "customer": "CU00018NMYB3H1"
17 }
18 }
19 }Unblocking payers
What can be done if there is a false positive?
Since a mandate can not be unblocked, the merchant has to disable the block for this payer and ask the payer to set up the mandate again.
Alternatively, merchants using the Billing Request Flow or who have done the Custom Payment Pages integration using Billing Request can follow the below steps to set up the mandate again and to reduce the number of steps the payer has to go through.
Using the Billing Request Flow
Step 1: Create a new billing request
Pass the customer_id and bank_account_id to create a new billing request.
1 POST https://api.gocardless.com/billing_requests
2 "billing_requests": {
3 "mandate_request": {
4 "currency": "GBP"
5 // "scheme": "bacs"
6 }
7 "links": {
8 "customer": "CU000176GQ2BXM"
9 "bank_account": "BA123456789"
10 }
11 }Step 2a: Create a Billing Request flow.
Since we already have the customer and bank_account the payer need not fill out the form. The payer only has to confirm the details.
1 POST https://api.gocardless.com/billing_request_flows
2
3 {
4 "billing_request_flows": {
5 "auto_fulfil": true,
6 "lock_bank_account": true,
7 "lock_customer_details": true,
8 "links": {
9 "billing_request": ""
10 }
11 }
12 }Step 2b-1: For Custom payment pages (Using the Billing Request API)
Confirm the customer and bank account details
1 POST https://api.gocardless.com/billing_requests/BR12345678/actions/confirm_payer_details
2Fulfil the billing request
1POST https://api.gocardless.com/billing_requests/BR12345678/actions/fulfil
2Step 2b-2: For Custom payment pages (Using Direct Debit APIs)
If you create mandates using the 3 endpoints - customer create, bank account create and mandate create
Since the customer and bank_account are already available the merchant have to only create the mandate using mandate create API
1POST https://api.gocardless.com/mandates HTTP/1.1
2{
3 "mandates": {
4 "scheme": "bacs",
5 "links": {
6 "customer_bank_account": "BA123"
7 }
8 }
9}