The short answer
A recurring mandate is the formal authorization a customer gives a merchant permitting the merchant to charge their account on a recurring schedule. It's the legal and operational backbone of every subscription, membership, or installment billing product. Every payment rail has its own mandate requirements: NACHA for ACH, Visa and Mastercard card-on-file rules for card subscriptions, SEPA Direct Debit in the EU, and BACS Direct Debit in the UK all specify what a valid mandate must look like.
What a valid mandate must capture
- Unambiguous consent. Clear language that the customer agrees to future charges — not buried in 40-page TOS.
- Amount. Fixed amount or a method for calculating variable amounts (e.g., "your monthly usage × $0.10/unit").
- Frequency. Monthly, annually, quarterly, or defined billing interval.
- Start date. First charge date.
- Duration. Until canceled, or fixed number of charges (e.g., 12 installments).
- Merchant identity. Legal name, descriptor on statement, customer-support contact.
- Revocation path. How the customer can cancel — email, self-serve portal, phone.
- Signature / consent evidence. Checkbox with timestamp, wet signature, e-signature, voice recording, audit log of click-through.
Rail-specific mandate rules
- NACHA (ACH): Mandate must be in writing (or similarly authenticated) and retained 2 years after termination. R10 (unauthorized) disputes are defended by producing the mandate.
- Visa/Mastercard COF: Initial consent must meet "clear and conspicuous" standard. Every subsequent merchant-initiated charge (MIT) needs the stored-credential indicator and a link to the original transaction.
- SEPA Direct Debit: Standardized mandate format with a unique mandate reference. Merchants pre-notify the customer before each debit (or use a different SEPA SDD variant).
- BACS Direct Debit (UK): Indemnity guaranteed by the customer's bank. Mandate required; customer can reclaim funds up to 13 months after unauthorized charge.
What operators need to know
- Keep the mandate forever. Two years is the floor; lifetime retention is best practice. A wave of 13-month-old BACS disputes can wipe out a subscription cohort if the mandates aren't recoverable.
- Match the billing descriptor. Whatever name appears in the mandate should match your soft descriptor on statements. Mismatch = "unrecognized charge" disputes.
- Cancellation must actually work. A mandate with "email cancel@" fails the "clear cancellation" standard if you don't respond within 48 hours. Case law and card-network auditors both look for operative cancellation paths.
- Free trials need extra care. Under California AB-390 and FTC ROSCA federal rules, trials converting to paid require separate explicit consent to the conversion charge. A single "sign up" click that implicitly consents to a post-trial charge is increasingly unenforceable.
- Amount changes require new notice. Raising the price mid-subscription requires 30-day advance notice in most regimes.
- Multi-brand operators: mandates are per-brand, per-customer. A mandate to Brand A does not authorize Brand B debits, even under the same parent entity.