Online fundraising services (legal question)

Firstly I know that it’s unlikely that anyone is a lawyer on here (and even less likely that they would advise on a message board). :grin:

If somebody was to set up a SaaS service for taking online donations on the behalf of charities, but used PCI/DSS compliant payment processors (e.g. Stripe) for handling the payment (so that no card data was touching their services) can you envisage any serious legal obligations the somebody would have to fulfil apart the standard ones (ICO/Data Protection, SSL on the server etc) and due diligence (making sure valid charities are signing up and people are not impersonating them for evil purposes).

Just… y’know… curious…

I’d run this by HMRC. I’d hate to get tripped up. My accountant would have kittens at this idea.

1 Like

I’m pretty sure you’d quickly hit the money laundering regulations:

I’ve read the legislation. It’s not great - would definitely skip the cinema release… :wink:

You’d also enjoy all the fun and games of providing a tasting service for stolen credit card details, and the ensuing chargebacks…

The other things that instantly spring to mind are:

  1. what value-added service are you providing over the charity just taking donations themselves via Stripe et al?
  2. how would the service sustain itself financially?
  3. no bank in the world would be willing to provide you with an account for this kind of thing - fraud risk is too high

Now, if you had an actual product that a charity could buy and run that would handle this directly into their own accounts, or you provided a service whereby you set everything up to that effect, that might be a different story…

@auxbuss - Probably does need checking out!

@wallmari - That’s a useful link (bit dry, lacks a main protagonist though!), however I think it does not apply as all donations will go straight to the charity via their payment provider account.

In answer to your questions:

  1. Many charities have donation forms - smaller/new ones need something simple, mobile friendly, perhaps allowing them to download the data to make Gift Aid submissions. It might also be good if they could have some idea of MRD (Monthly Recurring Donations!) and ARD (Annual Recurring Donations) or see what %age of their money is raised by Gift Aid. That’s the MVP at least. If you’ve ever donated money via form, in person or online I’m sure you can imagine possible expansions. Some small charities probably already use Stripe via a WordPress plugin or custom page.

Think Google Analytics crossed with one of those SaaS revenue trackers. Give people an easy way to use Direct Debit or card, handle dunning etc.

  1. Charge a small %age of their transaction total. They get the donation (with payment provider fees deducted). I charge a small %age on top for hosting the forms and giving them some analytics on who has donated the most/been a long term donor etc.

For reference: most of the providers are charging 4–5% (some even take a percentage of the Gift Aid as well!). Even after they pay the Stripe/DD fees themselves, there’s some fair margin in there as far as I can see. Certainly one “well known” donation website that charges to make a profit “to invest in services” seems to be based in central London in some expensive offices. That irks me somewhat.

  1. Fraud would be something to be thought about (even if it’s just handling Stripe’s API so the charity is notfied get an email). Direct Debit is largely secure with ways for people to make contact with the provider if payments are unexpected (I’ve done a bit more reading up on that).

Yes, that’s kind of the angle I’m going at, but without having to do PCI/DSS myself. For the charity:

  1. Register for Stripe and/or DD provider.
  2. Add webhooks as I tell them.
  3. Add API keys on my web service.
  4. ?
  5. Profit!!! (for charity and me)

Whether a charity would be comfortable with parts 1, 2, and 3 is a question I have no answer to.

When I first started Ottitia, I thought it was just a walk in the park. Turns out it was a long and stressful process and losts of money involved to satisfy the legal bodies.

Best of luck!

@SylarRuby Can you advise what the major sticking points were (either online or offline)?.. Security? Separation of accounts? Data protection? Liability insurance?

I see that you’re a limited company was that a requirement (or just for peace of mind in case something bad [however unlikely] happened?)

The huge one was being fsc compliant, a separate bank account where you temporarily hold that money and more stuffs that I’d have to look for in my burried email. Speak with an account. One quoted me £100 per hour to “chat”.

Regarding the company, yes.

Ah, so I’m guessing you’re processing transactions on their behalf then?

Hmmm. Obviously some things to consider. No massive show-stoppers just yet to de-rail the idea.

I’m doing some late night reading of the FCA handbook. LOL! Developers, what are we like?! :laughing:

The FCA are (quite rightly) looking to make sure that client money and operating fees are kept in separate accounts and that there’s clarity when fees are deducted from their money before they withdraw it.

I’m 99% certain I’m okay. My plan is that if they get a £10 donation, that goes straight to their Stripe account, Stripe will only pay them £9.66 after their fees which they deduct. I’ll charge them some nominal fee (e.g. 2%) so that next month they get billed 20p for me hosting the donation page, tracking Gift Aid, tracking referral sources etc. I’ll never have access to their money. :thumbsup:

I only plan on using standard Stripe, not Stripe Connect where you can establish accounts on other people’s behalf. Payments are automatic: the API cannot change the bank account details for payouts.

I will have to put a serious warning on my service to tell people not to use the same password for my service as for Stripe!

Thinking about it - there’s not much anyone can do even if they get the API keys, it’s largely designed to accept payments, not pay them out!

I’m sure there’s other things to think about. I’ll definitely get some 3rd party opinions if it gets to the beta stage.

Just to note that BT’s MyDonate not only takes no admin fee at all, its card processing fee is cheaper than Stripe:

Using Stripe or GoCardless (for direct debits) directly (as the charity I work for does, I implemented it last month :slight_smile: ), gives you exportable data through its dashboard regarding donations, gift aid, etc.


Hi I was the treasurer for a small charity for the last 3 years and their inhouse IT guy, which was interesting. Given I had a hard time convincing some of them to use email, then doing some of the stuff that you are asking for is going to be beyond most charities.

A lot of the smaller ones use something like btck to build their websites or weebly or wix.

I also got emailed at least once a week with offers to integrate donation pages into the website, which I never did, missed opportunity I know. Most of these used 3rd party payment providers so no issues on PCI compliance.

Happy to have a chat about it at SC thursday if you want.


@matthew Yes, that’s one of the services I’ve compared any potential offering with - it’s very hard to see what their dashboard actually does (nice clean documentation seems to be lacking with many systems). I also see that they fund it’s development from their charitable portion of their profits. Would they be so charitable with their fees if a lot more people were using it? The debit card fee seems incredibly low.

Stripe/GoCardless are my preferred providers as well: my hope would be that as well as producing a standard report, I could produce the HMRC Gift Aid return (standardised spreadsheet) for the people to submit (combining the payments from card and direct debit into one easy system). I also think (later on) it might be nice to see analytics on donors via their referral sources and life time value of donors etc (kind of like Baremetrics but with charitable metrics - e.g.

  • This month: £514 from people raising money for us (up 23%), £245 from regular donations
  • £86 Gift Aid to be processed.
  • Mailshot for ‘New mini-bus’ has raised £580."
  • Debbie Jones has recently passed the £1,000 in total lifetime donations. (Cue to send a letter or thank you card)

Sidenote: I had several years of experience in the voluntary sector after leaving university and I’ve seen how hard it is for smaller organisations to try and get any system up and running. Anything that requires training, or doesn’t solve the majority of problems for them isn’t cost effective to invest time into.

P.S. I had a look at your profile and realised you were the guy who made the usable train times website many moons ago and have done other transport data visualisation. As a transport geek I’m a fan of your work :slight_smile:

@TalentHacker It sounds like you have some interesting experience - I will see if I can make to Drop Forge (still getting over a cold unfortunately), but I’ll keep you in mind if I take this further :slight_smile:

I’m thinking that even if I wasn’t cheapest - there’s value in helping a charity identifying where donations can be increased (perhaps someone has paid £5/month for 3 years… it might be worth email to see if they would consider an increase?). It might also be help remind the charity who to thank, to make sure they don’t cancel a donation.

I think the MVP is likely to be “host a page for one-off donations”… baby steps first!

Proudly sponsored by Bytemark