[HacktionLab] Issues with publishing bank details and direct debits.

penguin penguin at riseup.net
Fri May 18 13:38:12 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 18/05/12 14:18, Adelayde Skidmore wrote:
> Hi All,
> 
> Can't find the original email, nor what list it was on, but I
> wanted to post a follow up to an issue that was mentioned to do
> with not posting bank details to the web.
> 
> Well, at the time, I spoke to a bank, possibly HacktionLab's bank
> to clarify the situation.  They told me that a direct debit
> couldn't be set up without authorisation by the account holders.

What they should have said is that if a DD was set up without
authorisation, the money would be refunded.

> 
> Lo and behold, what's happened is that for another project we've
> had someone do just that.
> 
> They got our account details from somewhere, probably the web
> site, and were able to set up a direct debit to a third-party
> company using their name.  This person was NOT one of the
> authorised account signatories.

According to You & Yours*, banks hardly ever check signatures any more
- so they don't check that something (standing order, DD, cheque) has
been authorised. They just (ideally) put it right after the fact if it
was not authorised.

* And I will not accept that Radio 4 would, or could, lie to me.

> 
> When I contacted the bank about it, they refunded the direct
> debits.  I also queried with them, how this could have happened.
> 
> There's a system the banks use called AUDDIS, and this system
> instructs them to set up direct debits.  So the perpetrator set up
> a direct debit with a 3rd party in their personal name, but using
> the organisation in question's bank details, and the bank just
> accepts it.
> 
> There is no mechanism by which you can request that the bank not
> accept direct debit set up requests, nor is there a mechanism by
> which you can request that they be authorised by account
> signatories.  At least that's what this bank, Unity Trust, said.
> 
> They said to me that the best idea was to not publish the account 
> details, and I pointed out that they would be in various emails,
> given over the phone, on invoices, card receipts, all sorts of
> things.  I feel that this mechanism totally sucks;

I do not accept that the banks could ever do anything that sucked. Oh,
hang on ...

> it's a bit like signing a whole chequebook full of blank cheques
> and then leaving them around town.... except, that it's not, as
> with AUDDIS, as the transactions aren't authorised by the account
> holders, the money has to be refunded as soon as one of them says
> it wasn't authorised - you wouldn't be able to get the money back
> from the cheques.
> 
> Anyone else had similar experiences, or had a different story from
> their bank?

I hear that a lot of it goes on. Lots of people will use false (i.e.
not their own) details with charities (like the one I work for) to see
if they work. Don't know why this is, but apparently it's well known in
both the charity and banking sectors.

> 
> Cheers,
> 
> Mike.
> 
> p.s. to whomever it was that said that this was an issue, to which
> I poo-pooed it, whilst getting a bank (Lloyds TSB) to back me up, I
> humbly apologise.

I still think publishing the details is the best thing. As Adelayde
said above, there are many ways for dodgy characters to get hold of
bank details. If you publish your details at least people can use
electronic banking. The only other options would be:

a) PayPal or equivalent intermediary - bad cos they charge, and many
people will not have an account.
b) Old school cash and cheques. Cheques are a pain cos somebody has to
pay them in, and many people don't have cheque books. Cash is a pain
cos it has to be paid in (not pissed away at the BarnCamp bar), can go
missing in the post.

> 

- -- 
penguin

GPG key: http://tiny.cc/gpg-key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----


