Card Based Payment Instrument Issuers – CBPIIs

Consent for Confirmation of Funds – CoF

This version is:

Published 2 years ago 04 Apr 2022

Open Banking API specifications support CoF services for Card Based Payment Instrument Issuers (CBPIIs). These services allow PSUs to provide explicit consent to an ASPSP, so that they can respond to confirmation of funds requests from CBPIIs, limited to a yes or no.

Other pages in this section

 

User Journey

Main content image

Regulation 68(3)(a) of the PSRs, requires that the CBPIIs must have the explicit consent of the PSU prior to making Confirmation of Funds requests to the PSUs ASPSPs.

Regulation 68(5)(b) of the PSRs requires that the ASPSPs must have the explicit consent of the PSU prior to responding to the first CBPII Confirmation of Funds request. This applies to each specific CBPII and each PSU payment account, that is accessible online.

The above journey illustrates the consent given by PSUs for CoF purposes.

Wireframes

This content is best viewed on a desktop browser.

1

CEG Checklist Requirements 1
Minimum Set of Parameters CBPIIs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats). Note 1: In some of the above cases, CBPIIs may also need PSUs to provide their ASPSP name so that CBPIIs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account. CBPIIs could also choose to allow PSUs to enter their payment account name. Note 2: The use of IBAN as an identification of the payer account for UK ASPSPs is not expected to be heavily used as account and sort code are the main account identifiers used in the UK. IBAN however will be used by non UK ASPSPs implementing OBIE standards and offering their services in the UK.

2

CEG Checklist Requirements 2
PSU Consent to CBPII CBPIIs must provide PSUs sufficient information to enable them to make an informed decision about whether to consent to the CBPII making CoF requests to their ASPSP accounts. For example, the CBPII should provide details on the purpose for which the funds checks will be used (including whether any other parties will have access to the information) and clear and reassuring messages about what information will be made available from the ASPSPs. This should include information such as the following: •Prior to making Confirmation of funds requests to their ASPSPs, CBPIIs must have been given explicit consent by PSUs. •CBPIIs will only received a ‘yes/no’ answer about the availability of funds at PSUs’ account, sufficient to cover a specific amount of a CBPII transaction. •The Confirmation of Funds Response will not be stored by CBPIIs. •Confirmation received by CBPIIs cannot be used for any other purpose than the execution of the transaction for which the request is made. •The period over which CoF consent is requested and the reasons why. •How PSUs will be able to revoke their consent through the CBPII environment.

3

CEG Checklist Requirements 3
PSU Consent to CBPII CBPIIs must request for the PSUs’ consent to in a clear and specific manner. CBPIIs must display the following information in the consent screen: •PSU payment Account Identification and/or the selected ASPSP (based on item #1 options). •Note 1: if PSU payment Account identification is selected in item #1, CBPIIs should mask the PSU payment Account details on the consent screen. Otherwise, if the PSU payment Account identification has been input by PSUs in item #1, CBPIIs should not mask these details to allow PSUs to check and verify correctness. •Note 2: if PSU payment Account identification is provided by PSUs in item #1, CBPIIs could use this to identify and display the ASPSP without having to ask PSUs. •Expiration Date & Time: Consent couldbe on-going or for set period of time. If this parameter is provided by CBPIIs, the consent will have limited life span and will expire on the specified date. CBPIIs could choose to align this expiry date with the expiration date of the card based instrument issued to PSUs. Alternatively, they could choose a different period for security or business reasons, or they could also allow PSUs to select their desired expiry date explaining however the implications this may have on the usage of their issued card. •PSU payment Account name, if provided by PSUs in item #1.

5

CEG Checklist Requirements 5
Authentication ASPSPs must apply SCA. The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly authenticating via the ASPSP channel.

7

CEG Checklist Requirements 7
ASPSP Consent Prior to receiving the first request from each CBPII, ASPSPs must obtain explicit consent from the PSU to provide confirmation of funds to CBPII requests. ASPSPs must be able to introduce an additional screen to display Information associated with the Confirmation of Funds consent. ASPSPs must display to PSUs all the information related to the CoF consent. This information includes the following: CBPII requesting CoF to the PSU account. PSU payment Account Name. PSU payment Account Identification. Consent Expiration Date & Time: (this could also be on-going). Note: PSU’s payment account details may be shown in account number and sort-code format in cases when PSU in item #1 provided account identification details in other formats such as a PAN, IBAN, Paym mobile number, etc., subject to CBPII and ASPSPs offering these options.

CEG Checklist Requirements & Customer Experience Considerations

1

Minimum Set of Parameters CBPIIs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats).

Note 1: In some of the above cases, CBPIIs may also need PSUs to provide their ASPSP name so that CBPIIs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account.

CBPIIs could also choose to allow PSUs to enter their payment account name.

Note 2: The use of IBAN as an identification of the payer account for UK ASPSPs is not expected to be heavily used as account and sortcode are the main account identifiers used in the UK. IBAN however will be used by non UK ASPSPs implementing OBIE standards and offering their services in the UK. 

34

2

PSU Consent to CBPII CBPIIs must provide PSUs sufficient information to enable them to make an informed decision about whether to consent to the CBPII making CoF requests to their ASPSP accounts. For example, the CBPII should provide details on the purpose for which the funds checks will be used (including whether any other parties will have access to the information) and clear and reassuring messages about what information will be made available from the ASPSPs. This should include information such as the following:

  • Prior to making Confirmation of funds requests to their ASPSPs, CBPIIs must have been given explicit consent by PSUs.
  • CBPIIs will only received a ‘yes/no’ answer about the availability of funds at PSUs’ account, sufficient to cover a specific amount of a CBPII transaction.
  • The Confirmation of Funds Response will not be stored by CBPIIs.
  • Confirmation received by CBPIIs cannot be used for any other purpose than the execution of the transaction for which the request is made.
  • The period over which CoF consent is requested and the reasons why.
  • How PSUs will be able to revoke their consent through the CBPII environment.

8

3

PSU Consent to CBPII CBPIIs must request for the PSUs’ consent to in a clear and specific manner. CBPIIs must display the following information in the consent screen:

  • PSU payment Account Identification and/or the selected ASPSP (based on item 1 options).
    • Note 1: if PSU payment Account identification is selected in item 1, CBPIIs should mask the PSU payment Account details on the consent screen. Otherwise, if the PSU payment Account identification has been input by PSUs in item #1, CBPIIs should not mask these details to allow PSUs to check and verify correctness.
    • Note 2: if PSU payment Account identification is provided by PSUs in item #1, CBPIIs could use this to identify and display the ASPSP without having to ask PSUs.
  • Expiration Date & Time: Consent could be on-going or for set period of time. If this parameter is provided by CBPIIs, the consent will have limited life span and will expire on the specified date. CBPIIs could choose to align this expiry date with the expiration date of the card based instrument issued to PSUs. Alternatively, they could choose a different period for security or business reasons, or they could also allow PSUs to select their desired expiry date explaining however the implications this may have on the usage of their issued card.
  • PSU payment Account name, if provided by PSUs in item 1.

8 32

Generic CBPII to ASPSP redirection Screen and message. Please refer to Section Effective use of redirection screens.

5

Authentication ASPSPs must apply SCA. The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly authenticating via the ASPSP channel.

1

Authentication ASPSPs could display a message to prompt PSUs to authenticate to continue with setting up Funds Check.

7

ASPSP Consent Prior to receiving the first request from each CBPII, ASPSPs must obtain explicit consent from the PSU to provide confirmation of funds to CBPII requests. ASPSPs must be able to introduce an additional screen to display Information associated with the Confirmation of Funds consent. ASPSPs must display to PSUs all the information related to the CoF consent. This information includes the following:

  • CBPII requesting CoF to the PSU account.
  • PSU payment Account Name.
  • PSU payment Account Identification.
  • Consent Expiration Date & Time: (this could also be on-going).

Note: PSU’s payment account details may be shown in account number and sort-code format in cases when PSU in item 1 provided account identification details in other formats such as a PAN, IBAN, Paym mobile number, etc., subject to CBPII and ASPSPs offering these options.

31

ASPSP Supplementary Information ASPSPs should provide some supplementary information in relation to their obligations for CoF requests and how these will be handled. This may include but not limited to the following:

  • ASPSPs will only respond with a ‘yes/no’ answer about the availability of funds at the PSUs’ account, sufficient to cover a specific amount of a CBPII transaction.
  • ASPSPs are not permitted to provide additional account information (such as the account balance) or block funds on the PSU’s account for the CBPII transaction.
  • PSUs may be able to view their history of Confirmation of Funds requests including the identity of CBPIIs which made CoF requests and the provided response, using their Access Dashboard at their ASPSPs.
  • How PSUs will be able to revoke their consent from the ASPSP Access Dashboard.

ASPSPs should allow PSUs to review,as a part of the authentication process, all the information related to the CoF. PSUs can either proceed with the CoF consent or cancel it, on the same screen with items 7 & 8, using “equal weight” options.

Generic ASPSP to CBPII redirection screen and message. Please refer to section Effective use of redirection screens.

CBPII Confirmation  CBPIIs should confirm to PSUs the successful completion of the Confirmation of Funds account access request. CBPIIs could also choose to display again:

  • The PSU payment account identification details (this can now be in masked form).
  • The expiration date of the Confirmation of Funds consent.

 

PSU Research Considerations

Research undertaken on behalf of OBIE with consumer PSUs has identified the following points:

The process of CoF and what information the CBPII card issuer would have access to are both easy to understand, once explained, and make sense / reassure PSUs.

What the research says

 

Click for customer research