They don't need any 'personal' information - they just need your account details
To all those who think they are safe, because someone who might setup a direct debit on their account does not have their personnel details (address, Mothers maiden name, DOB, or even your name).
THINK AGAIN. You do not need any of these details to open a direct debit. You only need an account number (a sort code helps as well). You can put in any name, any address and make other piece of information you like.
Why? Simple. The company who sets up your direct debit have no way of knowing you own the account you are setting the direct debit against and check it against your name, address etc. The banks will not tell them (Data Protection working for you - again). The Company raise a request to the bank and the bank ONLY checks that the account number is valid before raising a Direct Debit against that account. The Bank does not check that the name, address or anything lines up with the account – let alone any other basic security checks.
The Bank’s excuse is that they security vetted the Company raising the direct debit really really carefully, and so when the get a valid direct debit, the HAVE to honour it. (‘valid’ means only that the account number is correct). They do not seem to understand that the Company raising the direct debit has no way of knowing that the account details they are given is actually owned by the person raising the Direct Debit.
So the Company raising the direct debit has no way of security checking any direct debit request and the Bank performs no security checks on your behalf.
So all you need is someone’s account details and you can set up a direct debit against their account.
The question is not ‘how could the bank have allowed Clarkson’s account be debited’ but rather ‘How could the banks have allowed such a huge security hole to have existed for so many years’. It is a simple answer. They don’t care because they are indemnified by the Company raising the Direct Debit.