Part V: Alternative Payment Methods (APMs)
Chapter 20 — Direct Debit, Mandates & Pull-Based Payments
The unsexy workhorse behind rent, utilities, and subscriptions.
It's a Tuesday evening in London and Priya has just decided to commit. Not to a relationship — to a gym membership. She's on FitLoop's website, staring at the monthly plan: £49 a month for gym access plus streaming classes. She clicks "Pay by Direct Debit," types her sort code and account number, ticks a box confirming she's read the Direct Debit Guarantee, and hits submit.
No card number. No expiry date. No CVV.
Three seconds later, FitLoop's checkout page says "You're in!" But here's the thing: FitLoop hasn't charged Priya a single penny. The money won't move for three working days. And if Priya changes her mind next month — even after she's been hitting spin classes twice a week — she can call her bank and get a full refund. No questions asked.
Welcome to direct debit: the payment method where the merchant initiates the charge, the customer has already said "yes," and yet the customer can still say "no" long after the fact.
How does that work? And why would any business voluntarily sign up for this?
The answer is that direct debit isn't really a "payment method" in the way you think of cards or bank transfers. It's a governance system — a set of rules for permissioned pulls from a bank account. The money movement is the easy part. What matters is the permissioning, the evidence trail, and the dispute machinery wrapped around it. Get those right, and you unlock what might be the most cost-effective recurring payment mechanism on the planet.

Pull vs Push: The Core Mental Model
Every payment in the world falls into one of two categories. Either you send money (a push), or someone takes money from you with your permission (a pull). It's a simple distinction, but it shapes everything — from settlement timing to fraud risk to who holds the power when something goes wrong.
When you log into your banking app and transfer rent to your landlord, that's a push. You decided when, how much, and to whom. Your bank executed your instruction. Once the money leaves, it's gone — you can't easily claw it back.
Direct debit flips this entirely. Your landlord — or in Priya's case, FitLoop — initiates the charge. They decide the amount and the timing. Your bank honors the request because you previously gave permission through something called a mandate. And here's the crucial bit: because they pulled the money rather than you pushing it, the schemes give you stronger protections. If something goes wrong, the burden falls on the party that initiated the pull.
This is why the mandate is the key concept in direct debit — not the payment itself. A mandate is permission plus parameters plus evidence plus dispute rights, all bundled together. It says: "I authorize this company to debit my account, for this purpose, under these conditions, and I can revoke this permission or dispute any charge that doesn't match what I agreed to."
Don't confuse mandates with authentication. A mandate is permission — it records what you consented to. Authentication is identity verification — it confirms you're the person giving consent. Some schemes bind them tightly (India's UPI AutoPay requires a PIN for mandate setup). Others keep them separate (UK Bacs lets you set up a mandate with just a sort code and account number — no authentication at all).
So why do pull payments exist? Because recurring billing at scale requires "set and forget." Neither FitLoop nor Priya wants to manually initiate a payment every month. Priya wants to sign up once and not think about it again. FitLoop wants predictable cash flow without chasing invoices. Direct debit gives both parties what they want — at a cost. The cost isn't financial (direct debit is cheap). The cost is risk: merchants accept longer settlement times and stronger payer protections in exchange for low fees and high retention.
| Dimension | Push payment (bank transfer) | Pull payment (direct debit) |
|---|---|---|
| Who initiates | Payer | Payee (with payer's prior consent) |
| Payer effort per payment | Active (login, approve each time) | Passive (set and forget) |
| Merchant control over timing | Low | High |
| Settlement speed | Varies (instant to batch) | Typically batch (1-3+ days) |
| Payer protection / reversibility | Limited once sent | Strong (scheme-dependent windows) |
| Best for | One-off payments, ad-hoc invoices | Recurring: rent, subscriptions, utilities, loan repayments |
How Direct Debit Works: The Mandate-to-Money Lifecycle
Let's follow Priya's FitLoop signup through the entire lifecycle — from the moment she enters her bank details to the moment FitLoop's finance team sees the money land.
Step 1: Mandate capture. Priya enters her sort code (20-45-67) and account number (12345678) on FitLoop's checkout page. She ticks the box confirming the Direct Debit Guarantee. Behind the scenes, FitLoop's payment service provider (PSP) creates a mandate object — capturing Priya's consent, a timestamp, her IP address, the bank details, and the terms she agreed to.
Step 2: Mandate submission. The PSP submits the mandate to Bacs, the UK's direct debit scheme. Bacs registers the mandate with Priya's bank, essentially saying: "This customer has authorized FitLoop to debit her account."
Step 3: Pre-notification. Before FitLoop can collect any money, they must tell Priya what's coming. Under Bacs rules, this means sending an advance notice — typically 10 working days before the first debit — stating the amount (£49), the date (1st of each month), and the frequency (monthly). This is the Direct Debit Guarantee in action: no surprises.
Step 4: Collection submission. On the billing date, FitLoop submits a collection file through their PSP to Bacs. This is Day 1 of the three-day Bacs cycle. The file says: "Please debit £49 from Priya's account."
Step 5: Processing. Day 2. Bacs validates the file, checks the mandate references, and forwards the debit instruction to Priya's bank.
Step 6: Settlement. Day 3. Priya's bank debits £49 from her account. The funds settle to FitLoop's bank. Priya sees the debit on her statement.
Step 7: Confirmation. FitLoop's PSP sends a webhook confirming successful collection. FitLoop's billing system marks Priya's invoice as paid. Her membership continues.
Here's the key insight for anyone coming from the card world: in the three days between FitLoop submitting that collection and the money actually landing, FitLoop has no money and no guarantee. The payment can still be rejected (insufficient funds), returned (account closed), or — weeks later — refunded (Priya disputes the charge). This is the fundamental risk physics of pull payments. You act on trust, then wait.
Global Schemes: Same Idea, Very Different Physics
FitLoop's Singapore headquarters is expanding globally, which means navigating a different direct debit scheme in each market. The concept is always the same — permissioned pull from a bank account — but the rules, timelines, and risk profiles vary enormously.
Bacs Direct Debit (UK)
Priya's mandate runs on Bacs, the UK's workhorse for recurring payments. Bacs processes over 4.5 billion Direct Debit transactions per year, handling everything from mortgage payments to Netflix subscriptions.
The three-working-day batch cycle (input, processing, collection) is the defining characteristic. Files must be submitted by 22:30 on Day 1. No weekends, no bank holidays — which means FitLoop's billing team needs to account for the Bacs processing calendar when scheduling collections.
The Direct Debit Guarantee is what makes Bacs unique. It's not just a dispute mechanism — it's a blanket promise from every participating bank: if there's any error in a Direct Debit payment, the payer gets a full and immediate refund. No investigation period, no provisional credit — immediate. This is extraordinarily merchant-unfriendly by card standards, but it's also why consumers trust Direct Debit so deeply in the UK.
Most merchants don't connect to Bacs directly. Over half of all organizations submitting Direct Debits do so through one of roughly 700 Bacs-approved bureaux, which handle file generation, submission, and scheme reporting on the merchant's behalf.
SEPA Direct Debit Core (EEA)
When FitLoop expands to Europe, they encounter SEPA Core — and a payer protection regime that makes even Bacs look tame.
The headline rule: payers can request a refund within 8 weeks of any authorized debit. No reason required. No questions asked. FitLoop debits a German customer's account for a €499 annual plan, the customer uses the service for six weeks, and then requests a refund? The bank must honor it.
For unauthorized debits — where the payer claims they never signed a mandate — the window extends to 13 months. That's over a year of potential reversal exposure for every single collection.
Pre-notification is mandatory: at least 14 calendar days before the debit date (though this can be shortened by agreement in the mandate terms). The current rulebook is the 2025 SEPA Direct Debit Core Rulebook version 1.1, published by the European Payments Council.
SEPA Direct Debit B2B (EEA)
SEPA B2B exists for one reason: to strip away the consumer-protection rules that make Core so risky for merchants collecting from businesses.
The critical difference: no refund right for authorized transactions. Once a B2B mandate is verified and a collection settles, the payer cannot reverse it through the scheme. The payer's bank must verify the mandate before processing each collection — something that doesn't happen in Core.
The trade-off? B2B is restricted to business payers (no consumers), participation is optional for banks (unlike Core, which is mandatory), and the operational overhead is higher. But for high-value B2B recurring collections, eliminating refund risk can be worth it.
ACH Debit (US)
Across the Atlantic, FitLoop's US expansion runs on ACH — the Automated Clearing House network that processed 35.2 billion payments worth $93 trillion in 2025.
ACH operates on a multi-window batch system with Same Day ACH available for time-sensitive collections (currently capped at $1 million per transaction, with a proposal to raise this to $10 million by March 2027).
Consumer protection comes through Regulation E, which gives consumers 60 days from their bank statement to report unauthorized transfers. The liability is tiered: report within two business days and your maximum loss is $50. Wait longer than 60 days, and your liability is potentially unlimited for transactions occurring after that window.
Unlike Bacs, where the Direct Debit Guarantee creates a near-automatic refund, ACH disputes require the consumer to actively report the issue. Nacha rules require merchants to retain proof of authorization for two years from the date of termination.
BECS Direct Entry (Australia)
Jake, FitLoop's Australian member, pays through BECS — the Bulk Electronic Clearing System managed by AusPayNet.
BECS is batch-oriented and procedurally heavy. The compliance requirements are distinctive: merchants must retain every Direct Debit Request (DDR) for seven years from the last debit — the longest retention requirement of any major scheme. If a customer or their bank requests the evidence and you can't produce it, you're exposed.
Disputed-debit claims must be responded to within five business days for claims made within 12 months. After 12 months, the response window extends to one month. A notable recent development: AusPayNet removed the planned June 2030 BECS decommissioning date, meaning this system — originally scheduled for retirement in favor of the modern NPP platform — will continue indefinitely.
NACH / UPI AutoPay (India)
India runs two parallel systems. NACH (National Automated Clearing House) handles traditional batch-based recurring collections using UMRN identifiers — think insurance premiums, loan EMIs, and SIP investments at massive scale.
UPI AutoPay is the modern overlay, enabling near-real-time recurring mandates on India's UPI rails. The numbers are staggering: 926 million AutoPay transactions in November 2025 alone, with 1.27 billion active mandates — a 10x increase from January 2024.
The NPCI (National Payments Corporation of India) tightly controls mandate execution through circulars. Standard mandates below Rs 15,000 can execute without additional authentication. Above that threshold — or above Rs 1,00,000 for select categories like insurance and mutual funds — UPI PIN authentication is required for each debit. Retries are capped at four attempts total, and execution is restricted to non-peak time slots.
| Dimension | Bacs (UK) | SEPA Core (EEA) | SEPA B2B (EEA) | ACH (US) | BECS (AU) | NACH / UPI AutoPay (India) |
|---|---|---|---|---|---|---|
| Rail style | Batch (3 working days) | Batch (due-date) | Batch (stricter checks) | Batch + same-day | Batch | Batch (NACH) / Near-RT (UPI) |
| Payer refund right | Strong (DD Guarantee) | 8 weeks (no questions) | None for authorized | Reg E: 60-day window | Claim within 12 months | Scheme-dependent |
| Unauthorized claim window | Scheme guarantee | Up to 13 months | Up to 13 months | Reg E framework | Procedural | Scheme-dependent |
| Pre-notification | 10 working days | 14 calendar days (default) | 14 calendar days (default) | Varies | Varies | NPCI circular-defined |
| Mandate evidence retention | Scheme-defined | Scheme-defined | Scheme-defined | 2 years from termination | 7 years from last debit | Scheme-defined |
| Payer segment | Consumer + business | Consumer + business | Business only | Consumer + business | Consumer + business | Consumer + business |
Exception Handling: Rejects, Returns, Refunds, and Disputes
If you've come from the card world, you're used to one word for things going wrong: chargeback. Direct debit has four different failure modes, and confusing them will cost you money.
A reject happens before settlement. The payer's bank refuses to honor the collection — maybe the account is closed, the sort code is wrong, or there are insufficient funds. The money never moved. FitLoop finds out on Day 3 that the collection failed.
A return happens after settlement but within the scheme's return window. The money did move, but the bank reverses it — typically because insufficient funds were discovered after the initial debit posted, or because a technical issue surfaced during reconciliation.
A refund is the payer exercising their scheme-granted right to reverse a payment. This is the SEPA Core 8-week rule, the Bacs Direct Debit Guarantee, or similar protections. The payer contacts their bank, says "I want my money back," and the bank obliges — often without investigating the merchant's side of the story.
A dispute (or claim) is an assertion that the debit was unauthorized — the payer says they never signed a mandate, or the amount doesn't match what they agreed to. This triggers an evidence review: the scheme asks the merchant to produce the mandate. If you can, the dispute may be resolved in your favor. If you can't, you lose.
Let's follow Jake, FitLoop's Australian member, through a real exception flow.
Jake's monthly $49 collection fails on the first attempt — insufficient funds. His account was short by $12. FitLoop's PSP receives a reject notification. Under their retry policy, the PSP automatically retries two business days later. Same result — Jake still hasn't topped up his account.
Now FitLoop's dunning system kicks in. Jake gets an email: "We couldn't collect your membership payment. Please ensure funds are available." Three days later, the third and final retry succeeds. Jake's account now has enough, the $49 debits, and his membership continues uninterrupted.
But what if all three retries had failed? FitLoop would need to either contact Jake to update his payment method, set up a new mandate if he's switching banks, or — worst case — suspend his membership and move him to a collections flow.
The 80/20 of direct debit failures is simple: insufficient funds causes the vast majority of problems. Account closed, payment stopped by payer, and authorization disputes make up most of the rest. Unlike card payments, where fraud is a major concern, direct debit failures are overwhelmingly about ability to pay rather than intent to defraud.
The Merchant Playbook: Economics, Settlement, and Risk
Why Merchants Choose Direct Debit
The case for direct debit comes down to three things: cost, retention, and control.
Cost. Direct debit is materially cheaper than cards for recurring billing. GoCardless charges 0.5% + $0.05 per ACH transaction (capped at $5) and 1% + £0.20 for Bacs (capped at £2). Stripe's ACH Direct Debit rate is 0.8%, capped at $5. Compare that to card processing at 2-3% with no cap, and the math speaks for itself. For FitLoop's $499 annual plans, the difference between a $5 capped direct debit fee and a $15 card processing fee adds up fast across thousands of members.
Retention. This is the killer advantage. Bank accounts rarely change — people keep the same current account for years, sometimes decades. Credit cards expire every three to four years, and the number changes if the card is lost, stolen, or reissued. FitLoop was losing 8% of its annual plan subscribers to card-expiry churn before it offered direct debit. The UK energy company Octopus Energy migrated 5.5 million customer accounts and £12 billion in annual payments to GoCardless precisely because direct debit eliminates this problem. One B2B subscription company reported involuntary churn dropping from 2% to below 0.5% after migrating high-value customers to bank debit.
Control. The merchant decides when to collect. No waiting for the customer to remember to pay an invoice. No chasing late payments. FitLoop's billing team schedules collections for the 1st of each month, and the system runs automatically.
What Merchants Underestimate
Settlement lag. Batch schemes mean one to three or more working days before funds arrive. For a streaming subscription, this is fine — the service costs nothing to deliver while you wait. For a high-value physical goods merchant shipping on payment confirmation, it's a problem.
Refund tail risk. SEPA Core's 8-week window means revenue booked today can be reversed nearly two months later. FitLoop's finance team learned this the hard way: they had to build "refund tail accounting" for their European annual plans, reserving a portion of collected revenue against potential reversals for 56 days after each debit.
Mandate evidence burden. "Produce it on demand" isn't a theoretical requirement. When a scheme or bank requests mandate evidence during a dispute, you need to produce the original consent record — timestamp, IP address, bank details, terms agreed to — linked to the specific payment in question. If you can't reliably connect mandate evidence to payment events to customer identity, you're building future dispute debt.
Return-rate monitoring. Schemes and regulators monitor your return rates. If your failure rate spikes — because you're collecting from customers who can't pay, or your mandate processes are sloppy — you face enforcement actions. High return rates can result in increased scrutiny, fines, or even loss of your ability to collect.
The Double-Credit Trap
Strong payer protections can create a nasty accounting problem. Imagine: a customer contacts their bank for a refund (exercising their scheme right), and separately contacts FitLoop's support team requesting a refund. If FitLoop processes the internal refund before learning about the bank-initiated one, the customer gets their money back twice. This double-credit scenario is more common than you'd expect, and preventing it requires real-time synchronization between your billing system and your PSP's event stream.

Implementation: Build, Buy, or Hybrid
FitLoop's engineering team faces a classic build-vs-buy decision. There are three paths to collecting direct debits, each with different trade-offs.
Option 1: Direct Bank Integration
Connect directly to each scheme via file submission (Bacs) or host-to-host connectivity (SEPA). You handle mandate storage, file generation, cut-off management, scheme report processing, and dispute handling yourself.
This gives you maximum control and potentially the lowest variable cost at scale. But the operational maturity required is significant — you need to manage processing calendars, handle every ADDACS and ARUDD report, maintain mandate evidence in an auditable store, and build retry logic for every failure scenario. This path makes sense only for high-volume, single-market operators.
Option 2: PSP / API Integration
Use a payments platform like GoCardless, Stripe, or Adyen that abstracts away scheme connectivity. You interact with a single API; the PSP handles mandate storage, data security, scheme submission, and event reporting via webhooks.
This is the path most merchants take. The per-transaction pricing (percentage with caps) is higher than direct integration at scale, but the operational burden is dramatically lower. One API gives you multi-scheme coverage — Bacs, SEPA, ACH, BECS — without building separate integrations for each market.
Option 3: Open Banking / Instant A2A Recurring
The newest option: use real-time account-to-account rails for recurring payments. Australia's PayTo (an NPP overlay) already processes over a million settled transactions; UK Variable Recurring Payments (VRPs) saw sweeping volumes nearly double in 2025, and commercial VRP launches in Q1 2026 under the UK Payments Initiative.
These "new pull" mechanisms offer faster settlement, richer payer control (customers can set spending limits and revoke permission instantly through their banking app), and potentially lower cost. The catch: coverage is still limited, and consumer adoption is nascent.
| Dimension | Direct bank integration | PSP / API integration | Open banking / A2A recurring |
|---|---|---|---|
| Operational complexity | High | Low-Medium | Medium |
| Variable cost at scale | Lowest | Medium (per-txn with caps) | Varies by rail |
| Mandate storage responsibility | You | PSP | Varies |
| Scheme coverage | Single scheme per integration | Multi-scheme via one API | Scheme-specific |
| Settlement speed | Scheme-dependent (1-3+ days) | Scheme + PSP payout timing | Near-instant possible |
| Best for | High-volume, single-market | Multi-market merchants | Early adopters in UK/AU |
The 2026 hybrid pattern that's emerging among sophisticated merchants: direct debit as the primary recurring rail (for its reliability and low cost), with instant push payments via open banking as a fallback for failed collections. Customer's direct debit bounced? Send them a "pay now" link that triggers an instant bank transfer. It's the best of both worlds.
Legal, Regulatory, and Compliance
Consumer protection isn't a bug in direct debit — it's the core feature. The entire system is built on the premise that when someone else pulls money from your account, you deserve strong safeguards. The Direct Debit Guarantee, SEPA's 8-week rule, Regulation E — these aren't add-ons. They're load-bearing walls.
What this means for merchants is that compliance isn't optional, and the requirements are concrete.
Mandate retention is auditable. BECS requires seven years from the last debit. ACH requires two years from termination. Other schemes define their own windows. If a dispute arrives and you can't produce the original mandate — with timestamp, consent evidence, and agreed terms — you lose by default. Build your mandate storage accordingly: immutable records, linked to payment events, with clear audit trails.
Bank account details are sensitive data. They're not covered by PCI DSS (that's cards), but they're personal data under GDPR, CCPA, and equivalent regulations worldwide. Treat sort codes and account numbers as secrets. If you're using a PSP, they handle tokenization and vault storage. If you're integrating directly, you need segmented vault storage with access controls, encryption, and audit logs.
The "produce it on demand" reality is the single most important operational discipline in direct debit. If you can't reliably link mandate evidence to payment events to customer identity, you are accumulating dispute debt that will eventually come due. Every disputed payment where you can't produce evidence is a loss — and if the pattern repeats, schemes will escalate enforcement.
The Future of Pull Payments
Three trends are already reshaping how recurring money moves.
Payer-controlled recurring on instant rails. Australia's PayTo is the clearest signal of where pull payments are heading. Instead of the merchant holding a mandate that the payer has limited visibility into, PayTo puts the payer in control — they can see their active agreements in their banking app, adjust spending limits, pause, or cancel instantly. It processed over A$612 million in settled transactions by mid-2025, with 301% growth in e-commerce adoption. This is direct debit reimagined for the real-time era.
Variable Recurring Payments in the UK. Sweeping VRPs (moving money between your own accounts) nearly doubled in 2025 and now represent 16% of all Open Banking payments. Commercial VRPs — where merchants can pull variable amounts from customer accounts via Open Banking — launch in Q1 2026 under the newly formed UK Payments Initiative. Phase 1 covers utilities, financial services, and government payments. E-commerce follows later. If commercial VRP achieves meaningful adoption, it could eventually offer a faster, cheaper, and more transparent alternative to traditional direct debit.
Mandate governance gets stricter at scale. India's UPI AutoPay is the template for how regulators respond when pull payments reach billions of transactions. The NPCI defines exactly how much can be debited without additional authentication, how many retries are allowed, when during the day mandates can execute, and what notifications must be sent. As other markets scale their pull payment systems, expect similar regulatory tightening around consent integrity and payer control.
Direct debit won't be replaced anytime soon. It's too deeply embedded in the infrastructure of recurring payments — from mortgages to streaming services — and its economics are too compelling. But it will be augmented, and the augmentation follows a clear pattern: more payer visibility, faster settlement, and richer consent management.
In the next chapter, we'll look at another payment rail that feels like it belongs to a different era entirely — carrier billing. Where direct debit pulls money from your bank account with a mandate, carrier billing charges your phone bill. It's niche, but it's not dead — and the economics are wildly different from anything we've seen so far.

Sources
- Pay.UK, "Direct Debit Guarantee" and "Bacs Processing Calendar 2026," wearepay.uk
- European Payments Council, "2025 SEPA Direct Debit Core Rulebook version 1.1," europeanpaymentscouncil.eu
- Nacha, "Same Day ACH and Business-to-Business Payments Propel ACH Network Volume Growth in 2025," nacha.org
- Consumer Financial Protection Bureau, "Regulation E — Electronic Fund Transfers," 12 CFR Part 1005, consumerfinance.gov
- AusPayNet, "BECS Procedures Version E071," effective September 1, 2025, auspaynet.com.au
- NPCI, "UPI AutoPay Product Overview" and circulars OC-151A, OC-223, npci.org.in
- European Central Bank, "Payments statistics: second half of 2024" and "first half of 2025," ecb.europa.eu
- GoCardless, pricing pages for US, EU, and Australia, gocardless.com
- Stripe, "ACH Direct Debit Pricing," support.stripe.com
- The Fintech Times, "Octopus Energy and GoCardless Complete 12bn Direct Debit Migration," 2025, thefintechtimes.com
- GoCardless, "How US SaaS Businesses are Leveraging Bank Debit Payments to Scale Internationally," gocardless.com
- Open Banking, "Open Banking in 2025: Now Part of the UK's Everyday Financial Life," openbanking.org.uk
- PSR, "Commercial Variable Recurring Payments: Update on Delivery," December 2025, psr.org.uk
- Zepto / Ecommerce News Australia, "Australian Online Retailers See 301% Surge in PayTo Payments," 2025, ecommercenews.com.au