In order to set up a recurring bill the merchant must get a "mandate" from the customer, which involves them approving the amount/frequency/term of the payment. The customer can at any time view a list of open mandates on their bank's web site/app and cancel any they wish. Recurring payments only succeed when the mandate remains valid.
The payment amount may be revised downward without getting a new mandate, but raising it up requires replacing the old mandate with a new one.
In order to make a non-initial charge the merchant must pre-authorize it with the bank a few days prior (handing the ID of the mandate under which the charge is made to the bank), and pass the confirmation they get back from the bank when they do the real charge. The bank notifies the customer about the upcoming renewal and its amount.
IMO this is exactly how it should work.
The merchant should never be able to pull from your bank account. However, the merchant can send an invoice for a payment. Either the customer manually pushes the payment, or delegates to the bank that each invoice from merchant X should immediately result in a payment push [1].
The difference from the pull system is that the customer can at any point end this automatic push payment, but in the pull system the customer can only beg the merchant (e.g. the gym) to stop charging their account.
[1] Or even better in an ideal world, delegate this pushing to their local finance app. So the bank can't put roadblocks for a customer cancelling a subscription.
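The mandate rules described at the top of this thread (customer-approved amount, lowering without a new mandate, pre-authorization before each non-initial charge, cancellation by the customer), sketched as bank-side checks. This is an added example, not code from any commenter or from a real payment scheme; the class names, the two-day notice period and the token format are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import secrets

MIN_NOTICE = timedelta(days=2)  # assumption: the thread only says "a few days prior"

class MandateError(Exception):
    pass

@dataclass
class Bank:  # hypothetical bank-side ledger
    mandates: dict = field(default_factory=dict)  # id -> [merchant, max_amount, active]
    preauths: dict = field(default_factory=dict)  # token -> (id, amount, not_before)
    notices: list = field(default_factory=list)   # renewal notices sent to the customer

    def approve_mandate(self, merchant, max_amount):
        """Customer approves the terms; the bank issues the mandate ID."""
        mid = secrets.token_hex(8)
        self.mandates[mid] = [merchant, max_amount, True]
        return mid

    def cancel(self, mid):
        """Customer-side cancellation; the merchant is not involved."""
        self.mandates[mid][2] = False

    def preauthorize(self, mid, amount, today):
        """Merchant announces a charge; returns the confirmation token."""
        m = self.mandates.get(mid)
        if m is None or not m[2]:
            raise MandateError("mandate missing or cancelled")
        if amount > m[1]:
            raise MandateError("amount exceeds mandate; a new mandate is required")
        token = secrets.token_hex(8)
        self.preauths[token] = (mid, amount, today + MIN_NOTICE)
        self.notices.append((m[0], amount))  # customer is told amount in advance
        return token

    def charge(self, mid, amount, token, today):
        """The real charge: must present the token from preauthorize()."""
        pre = self.preauths.get(token)
        if pre is None or pre[:2] != (mid, amount):
            raise MandateError("no matching pre-authorization")
        if today < pre[2]:
            raise MandateError("notice period has not elapsed")
        if not self.mandates[mid][2]:  # re-check: cancelled after pre-auth?
            raise MandateError("mandate cancelled after pre-authorization")
        del self.preauths[token]       # confirmation is single use
        return True
```

The re-check of the mandate inside `charge` is what makes a cancellation between the notice and the charge date effective.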
This is already very close to how SEPA direct debits currently operate. I can instruct my bank with one click to stop honoring a given direct debit mandate (they'll then block all further payments under the same mandate reference), request any payment to be reversed for any reason (that I don't have to provide) etc.
The only difference to your suggested model is that the default is to honor all new mandates. I believe nothing – operationally or from a scheme perspective – prevents banks from requiring positive confirmation for every new mandate or even every single direct debit, though, and some banks (but not mine) even support this.
> in the pull system the customer can only beg the merchant (e.g. the gym) to stop charging their account.
Not for SEPA direct debits, in any case.
It's insane that digital systems are less secure than a cash-based system. If a merchant hands me a paper invoice, they can't just take cash out of my wallet.
The merchant should communicate to me where I need to deposit money, and I should put that into my system. The merchant should have little to no information about me.
Not in the implementation where any new merchant (or even new mandate reference of the same merchant, e.g. for two Netflix subscriptions pulling from the same account) has to be positively confirmed, which is possible in SEPA as I've described.
This is possible because, unlike cards, SEPA has no payment guarantee/chargeback protection at all. Otherwise, you'd indeed need some way of positively approving new recurring payment mandates.