Keeping your payments safe: your guide to payments and transaction rulesGuard your B2B payments against fraud with confidence

Confidence – how much of it do you really have in the payments your business makes and receives?

Every team member, from payments administrators to the CFO, is under pressure to step and apply their expertise to payment processing.

Fortunately, the regulations, like PSD2, were built to help you detect suspicious activity in direct debit verification. By honing in on the technical specifications of these systems, you can learn the rules and take the reins to make sure that your organisation’s funds don’t end up in the wrong hands.

Payment systems for businesses

A payment system involves a group of participants that enable the transfer of funds electronically between individuals, businesses and financial institutions. In a corporate setting, you’ll most commonly rely on payment systems to accept online payments from customers, pay out to suppliers, and manage internal transfers.

Payment systems lay out a set of shared standards that are upheld by each of the participants. This includes:

• Banks
• Payment service providers (PSPs)
• Third party service providers: innovative financial-adjacent services, such as budgeting tools, subscription finders and point of sale hosts

At the end of a successful payment system is a settlement: the payment made.

This guide covers the rules that make settlements possible, including a breakdown of validation and verification methods to keep your payments safe, and delivered to the correct recipient.

The requirements ensure that confidential personal and transaction information remains secure, enabling payments to be made safely. However, the rules also exist to protect the participants against impersonators who falsely claim to be suppliers, customers or other parties.

How could fraudsters manipulate payment systems to access money?

One of the most common examples of a B2B payments scam is a phishing email which appears to be from a legitimate vendor.

This ‘password change’ notification aims to spark panic in the reader, as it’s a completely false narrative.

The cyberattackers’ aim is that:

1. The reader, typically a finance administrator or senior figure at the victim organisation, clicks through to the spoofed site on the other end.
2. The victim inputs their current password to ‘change’ it.
3. The cyberattackers capture this information (the real credentials).
4. The fraudster logs into the system using the real credentials, either accessing confidential information, reviewing real suppliers to later create fake invoices, or directly making payments to themselves.

And if even huge global brands like Microsoft can be targeted, so can all businesses.

In fact, between 2023 and 2024, over 60% of businesses^[1] reported being in the press or social media due to fraud. The negative reputational impacts of scams like this have caused companies to lose trust, clients, and revenue.

Fortunately, regulatory standards like PSD2 are catching up with these types of scams, and payment systems now have built-in defence mechanisms to protect your business’ bank accounts, even if other departments, such as email accounts, are compromised.

BACS Direct Debit and SEPA: what are the rules?

There are dozens of different domestic and international electronic payments systems in the UK, but BACS and SEPA are two of the most popular^[2] systems for sending paperless direct debits.

The rules are simple for both of these systems:

Once the direct debit verification checks are complete, the payment service provider will receive an information message, such as “This account is valid for SEPA payments” or “This account is not valid for SEPA payments.”

Businesses typically encounter BACS direct debits when paying regular bills, such as office rent, utilities, or payroll. Businesses can also collect Direct Debits from customers, which automates the regular collection of payments. This is especially useful for subscription business models.

Validate, verify and confirm payments

There are three core stages to the Experian payment process involving direct debit scheme rules:

1. Validation (Bank Wizard)
2. Verification
3. Confirmation of Payee

Validation

Bank account validation is the process of confirming the accuracy of an entered bank account number. It ensures that the administrator hasn’t mis–keyed any of the data, and that the account number and sort code are in the correct format.

The primary benefit of this step is the ability to correct any errors in real time while still in contact with the customer.

Rather than discovering a mistake after a failed direct debit in 25 days, for example, you can identify and fix the error immediately, reducing the number of rejected payments.

The first stage is validation, using the BACS system if the payment is UK-based or SWIFT to obtain SEPA information if it’s an international payment. Experian’s Bank Wizard Absolute detects errors when capturing and processing account and card details. It uses the Extended Industry Sort Code Directory to access UK sort codes and applies BACS rules to ensure account numbers are in the correct format.

Verification

Bank account verification is the process of confirming that a bank account is valid, active, and owned by the individual or entity claiming ownership. The second stage serves. This stage basically answers, doe​​s this bank account exist?

Verification is important for flagging suspicious accounts, allowing your team to investigate further before falling victim to payment fraud.

Finance teams can set automated rules to block payments to accounts with high-risk scores or mismatched information, ensuring they are fully verified before any funds are transferred.

We then verify that the account details actually exist using BACS rules. We check the Experian Bureau to confirm the existence of the sort code and account number. The record will also include the name, date of birth, and address. We provide a risk score based on how closely the details match and flag potential risks, such as the age of the account or whether it is a joint or single account.

Confirmation of Payee (CoP)

Confirmation of Payee (CoP) is a process used to verify that the name of the account holder matches the account details provided when making a payment. If you’ve sent a payment using online banking in the UK within the last few years – you might already be familiar with CoP without realising it!

In the past, when making a payment to a new person or business, the sender only needed to enter the sort code and account number. Now, they must also provide the name of the recipient as an additional verification step.

This extra check is especially useful for preventing impersonation fraud, as fraudsters often use false names that CoP checks can flag.

All UK payment service providers were required to start adhering to CoP in October 2024, but this isn’t a required standard for overseas transactions.

The latest update to the BACS Service Users Guide and Rules includes new requirements for setting up direct debits. One important change (Section 3b), is the need to verify not only the sort code and account number, but also the account name and address. Our solution is designed to check all of this information, ensuring it meets the updated requirements. This provides our clients with confidence that the account details match and payments are being sent to the correct recipient.

Fraud: the payments and transactions challenge

Payment systems exist to promote high security standards and keep payments safe. However, as virtually all B2B payments now occur online, rather than in cash, these systems have become a key target for cyberattackers.

Card not present transactions: risky but no alternative

Card not present transactions, as known as paperless direct debits, happen when the cardholder, card and merchant are not all in the same place. Card not present transactions increase the fraud risks associated with making payments.

The table below shows examples of card not present transactions and their fraud risks:

Securing payments with PSD2 regulations

Thankfully, the payment systems rules for BACS were updated with the incoming second iteration of the Payment Services Directive – an EU and UK regulatory framework. These requirements aim to reduce the risks of payment fraud cases, especially in card not present transactions.

Both PSD2 and BACS compliance help to secure a BACS direct debit payment.

What is PSD2?

PSD2 (Payment Services Directive 2) is an updated regulation, introduced in 2018,that established a set of standards for payment services providers across Europe. Its primary goals are to enhance the security of digital payments and open the market to third-party fintech companies, which were previously viewed with public skepticism due to a lack of regulation.

An added benefit of PSD2 is increased competition, forcing large, established companies to innovate to keep up with newer tech companies that are improving the customer experience.

Implementation of PSD2

The implementation of PSD2 included the introduction of Strong Customer Authentication (SCA).

SCA improves the security of payments across any UK network by requiring PSPs to verify at least two of the following three factors:

1. Inherence: something the user is: biometrics like facial ID or fingerprint.
2. Knowledge: something the user knows: passwords or chosen questions (such as, what is your mothers maiden name?).
3. Possession: something the user has: a code sent to a mobile phone or email account known to be associated with the account holder.

Thanks to PSD2, we now see widespread use of two factor authentication methods to complete SCA.

Other key implementation changes^[4] included:

• Transaction monitoring to detect suspicious payments activity faster and with better accuracy
• The introduction of standardisation for APIs which would enable third parties to enter payments networks securely

Impacts of PSD2 on payment services

PSPs Payment Service Providers (PSPs) were forced to improve the way that they authenticated their customers, especially with third parties now involved. As a result, products required a higher level of verification.In terms of how that actually impacted the products, it meant that a greater level of verification became required. You can’t get away with just taking the bank details to make a payment anymore, : PSPs need to perform a verification check.

It’s fair to say that PSD2 has transformed the finance industry, opening the door to smarter budgeting, automatic bill payments and intuitive new services. But it’s from a security point of view that PDS2 has had the biggest impact.