The UI makes it seem push-based, but it’s actually pull based. There is no technical barrier from pulling from someone’s account. Any malicious entity can do this if they present the bank with a forged hand signature. Or, of course, a malicious bank. Or, of course, a malicious employee at a bank.
Worse, banks won’t let you create a whitelist of accounts that are explicitly permitted pull from your account (called “positive pay” for ACH)
In what world is SEPA pull based, they can’t just remove money from your account.
Yes, they can.
The UI makes it seem push-based, but it’s actually pull based. There is no technical barrier from pulling from someone’s account. Any malicious entity can do this if they present the bank with a forged hand signature. Or, of course, a malicious bank. Or, of course, a malicious employee at a bank.
Worse, banks won’t let you create a whitelist of accounts that are explicitly permitted pull from your account (called “positive pay” for ACH)