Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Offering customers the option to pay by Direct Debit can transform your cash flow. It’s lower-cost than cards, reduces late payments, and works brilliantly for subscriptions or ongoing services.
But to collect Direct Debits lawfully and smoothly in the UK, you’ll need to follow both Bacs scheme rules and wider laws that apply to how you contract with customers and handle their data.
This guide breaks down the Direct Debit rules for companies in plain English, so you can set up with confidence and stay compliant from day one.
What Is A Direct Debit And How Does It Work For Your Business?
A Direct Debit is an instruction from your customer to their bank that authorises you (via your bank or a provider) to collect payments from their account. Once the instruction is in place, you can take variable or fixed amounts on agreed dates, so it’s perfect for subscriptions, memberships, retainers, utilities, and instalments.
In the UK, Direct Debits are processed by Bacs. To collect them, a business typically needs:
- A Service User Number (SUN) sponsored by a bank, or
- An arrangement with a Facilities Management (FM) provider or payment processor that lets you use their SUN (often the simpler route for early-stage businesses).
Customers are protected by the Direct Debit Guarantee, which requires advance notice of collections and offers immediate refunds for unauthorised or incorrectly taken payments. That means your processes and customer communications must be accurate, timely and well-documented.
Which UK Laws And Bacs Rules Apply To Direct Debit Collection?
You’ll need to comply with scheme rules and general law. The essentials are:
Bacs Scheme Rules
- Direct Debit Instruction (DDI): You must obtain a valid DDI (paper, phone, or online/paperless via AUDDIS) with the required wording and confirmation.
- Advance Notice: Give “advance notice” before the first collection and whenever amounts/dates change. The standard is at least 10 working days unless you’ve agreed a different period with the payer (and your sponsor bank accepts it).
- Direct Debit Guarantee: Your documents and communications must incorporate the Direct Debit Guarantee text and you must honour it.
- Accurate Submissions: Files submitted to Bacs must be accurate and on time. Keep robust controls, especially if you use paperless signups.
- Audit And Records: Maintain audit trails of mandates, notices and amendments for scheme compliance and disputes.
Payment Services Regulations 2017 (PSRs)
The PSRs regulate payment services in the UK. Most small businesses don’t need FCA authorisation simply to collect Direct Debits for their own goods/services using their bank or an authorised third-party processor. However, if you sit in the chain as a payment service provider (e.g., holding client money or initiating payments on behalf of others), you may trigger authorisation or registration requirements.
If in doubt, use an FCA-authorised provider for processing and settlement rather than designing your own payment service model.
Consumer Law (If You Sell To Consumers)
If you’re taking Direct Debits from consumers (not businesses), ensure your terms and processes comply with the Consumer Rights Act 2015 and the Consumer Contracts Regulations. Key points include clear information upfront, fair terms, and straightforward cancellation and refunds. If you use recurring contracts, align your practices with auto-renewal laws and avoid surprise renewals or hidden charges. If you change prices on recurring services, follow the rules on price increase notification, especially around transparency and notice.
Contract And Data Protection Basics
- Contracts: Your customer terms must authorise Direct Debit collection, set out notice periods, your cancellation process, and how changes to dates/amounts will be handled.
- Privacy: Bank details are personal data when linked to an identifiable person. You must comply with UK GDPR and the Data Protection Act 2018, including having a clear Privacy Policy and lawful basis for processing.
Non-compliance can lead to rejected collections, chargebacks, bank penalties, investigations and customer complaints, so it’s worth getting this right upfront.
How To Set Up Company Direct Debits Step-By-Step
Here’s a practical sequence to follow as a UK SME:
1) Choose Your Route To Bacs
- Own SUN via your bank: You’ll undergo financial and operational due diligence and need strong internal controls. This suits established businesses with volume.
- Facilities Management (FM) provider or payment platform: They sponsor the SUN and handle scheme compliance mechanics. This is quicker to launch and common for startups and scale-ups.
2) Design Your Customer Journey
Map out how customers authorise the mandate, receive advance notice, and manage changes or cancellations. If the journey is online, build the right consent and confirmation screens and keep time-stamped records.
Make sure your customer-facing documents support this journey: your Website Terms and Conditions set the framework for using your site, while your commercial terms (see below) govern the actual service and payments.
3) Put Clear Commercial Terms In Place
For recurring services, have robust written terms that cover Direct Debit authority, billing cycles, price changes, failed payment handling, and cancellation mechanics. Many SMEs use:
- Online Subscription Terms and Conditions for recurring memberships or SaaS;
- Terms of Sale for goods or blended offerings;
- Service-specific agreements where you deliver ongoing professional services or retainers.
These documents should dovetail with your Direct Debit notices and the Direct Debit Guarantee wording.
4) Build Bacs-Compliant Mandate Capture
Whether you use paper or paperless signups, the Direct Debit Instruction must include the required information and confirmations. Under paperless/AUDDIS processes, you may need extra controls, like verification checks, confirmation communications and secure storage of electronic evidence.
5) Set Up Advance Notice And Change Notices
Decide your advance notice period (10 working days is standard unless a shorter period is expressly agreed and accepted by your bank). Configure your system to send timely notices for first collections and any changes to dates or amounts.
6) Implement Reconciliation And Exceptions Handling
Plan for failed collections, indemnity claims, and customer disputes. Have clear internal procedures, communication templates, and escalation paths. This is essential to keep cash flow predictable and customer experience positive.
7) Keep Proper Records
Maintain audit trails of mandates, notices, amendments, cancellations and communications. You’ll need these for scheme audits and to resolve any indemnity claims. Good back-office hygiene also supports accurate billing and compliant invoice requirements.
What Must Your Customer Communications And Contracts Include?
Your paperwork isn’t just a formality: it’s the legal foundation that lets you collect Direct Debits properly and reduces disputes. Aim to include the following:
Core Contract Terms That Support Direct Debits
- Authority To Collect: An express statement that the customer authorises payment by Direct Debit and will complete the DDI.
- Billing Cadence: Clear billing frequency (e.g., monthly on or after a set date), and whether amounts are fixed or variable.
- Advance Notice: Your standard notice period for new or changed collections.
- Price Changes: How and when prices can change, including any notice period and the customer’s right to cancel. If you’ll adjust fees, ensure your clause aligns with the rules on price increase notification.
- Auto-Renewals: Renewal mechanics and cancellation windows should be easy to find and fair, consistent with auto-renewal laws.
- Failed Payments: What happens if a payment fails (e.g., retries, late fees, suspension of service).
- Cancellation: How to cancel the service and the DDI (both with you and with the customer’s bank), and any notice or minimum terms.
- Refunds And Adjustments: When refunds or credits apply (in addition to the Direct Debit Guarantee).
- Contact Details: A clear route to contact you to query or dispute a payment.
For online or subscription models, it’s common to pair your Website Terms with tailored subscription terms so the Direct Debit rules sit in the contract that your customers accept at sign-up.
Direct Debit Instruction (DDI) And Confirmation
- Use the exact wording required by Bacs for the DDI and the Direct Debit Guarantee.
- Give a confirmation of the DDI (e.g., email) and keep a record.
- For paperless mandates, ensure the customer actively confirms the instruction and that you can evidence consent later.
Advance Notice Communications
- Send notice of the first collection and any changes to the amount/date within your agreed timeframe.
- Keep the wording straightforward: the date, the amount, and how to contact you with queries or to cancel.
Website And Checkout
- Display key payment and cancellation information near the point of sign-up, not buried in a footer.
- Ensure your Website Terms and Conditions align with your payment terms to avoid inconsistencies.
Avoid generic templates: your terms should reflect your exact billing logic, notice periods and operational realities. Getting these drafted properly will make collections more reliable and reduce chargebacks and complaints.
Data Protection And Security When Handling Bank Details
Bank account details and associated information are personal data when they relate to an identifiable person. Under UK GDPR and the Data Protection Act 2018, you must handle them lawfully, transparently and securely. Key steps include:
Be Clear About Your Data Use
- Identify your lawful basis, usually “contract” for taking payment, and “legitimate interests” for fraud prevention or internal analytics.
- Explain your practices in a clear, up-to-date Privacy Policy (including who processes payments for you and any international transfers).
Have The Right Agreements In Place
- If you use a payment provider or bureau, they’ll typically be your processor for certain activities, so ensure you have a compliant Data Processing Agreement (DPA) with them.
- With other partners who may receive customer data (e.g., outsourced support or analytics), use a Data Processing Schedule to define roles, security and compliance responsibilities.
Secure Your Systems And Limit Access
- Only collect data you truly need and store it for no longer than necessary.
- Restrict access to staff on a need-to-know basis and train them on phishing and fraud indicators.
- Encrypt data in transit and at rest where possible, and protect backups.
Prepare For Incidents
- Create and test an incident response process, including triggers for notifying customers, banks and potentially the ICO. A practical starting point is a documented Data Breach Response Plan.
If this feels like a lot, don’t stress: tight data practices are very achievable with the right policies and vendor choices. Taking privacy seriously also builds trust with customers and banks.
Key Takeaways
- Direct Debit is a powerful, low-cost way to improve cash flow for subscriptions and recurring services, but you must follow Bacs scheme rules and UK law.
- Choose your route to Bacs: either obtain your own SUN via your bank or use a Facilities Management provider/payment platform to get started faster.
- Your customer terms should explicitly authorise Direct Debit, define notice periods, cancellation, price changes and failed payments. For recurring services, use clear subscription terms and align them with your Direct Debit notices.
- Give accurate advance notice (standard 10 working days unless agreed otherwise) and include the Direct Debit Guarantee wording in your mandates and confirmations.
- If you sell to consumers, keep auto-renewals and price changes transparent and fair, consistent with auto-renewal laws and price increase notification rules.
- Protect personal data with a clear Privacy Policy, solid processor contracts like a Data Processing Agreement, and a tested Data Breach Response Plan.
- Keep strong records of mandates, notices and changes to support audits and resolve disputes quickly.
If you’d like help setting up Direct Debit-friendly terms, privacy documents and compliant customer journeys, our team can support you end-to-end. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.