Card Based Payment Instrument Issuers (CBPIIs)

Consent for Confirmation of Funds (CoF)

This version is:

Published 5 years ago 01 Mar 2019
User Journey   Regulation 68(3)(a) of the PSRs, requires that the CBPIIs must have the explicit consent…

Other pages in this section

User Journey

 

Regulation 68(3)(a) of the PSRs, requires that the CBPIIs must have the explicit consent of the PSU prior to making Confirmation of Funds requests to the PSUs ASPSPs.

Regulation 68(5)(b) of the PSRs requires that the ASPSPs must have the explicit consent of the PSU prior to responding to the first CBPII Confirmation of Funds request. This applies to each specific CBPII and each PSU payment account, that is accessible online.

The above journey illustrates the consent given by PSUs for CoF purposes.

 

Wireframes

This content is best viewed on a desktop browser.

1

CEG Checklist Requirements 1
Minimum Set of Parameters CBPIIs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats). Note 1: In some of the above cases, CBPIIs may also need PSUs to provide their ASPSP name so that CBPIIs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account. CBPIIs could also choose to allow PSUs to enter their payment account name. Note 2: The use of IBAN as an identification of the payer account for UK ASPSPs is not expected to be heavily used as account and sort code are the main account identifiers used in the UK. IBAN however will be used by non UK ASPSPs implementing OBIE standards and offering their services in the UK.

2

CEG Checklist Requirements 2
PSU Consent to CBPII CBPIIs must provide PSUs sufficient information to enable them to make an informed decision about whether to consent to the CBPII making CoF requests to their ASPSP accounts. For example, the CBPII should provide details on the purpose for which the funds checks will be used (including whether any other parties will have access to the information) and clear and reassuring messages about what information will be made available from the ASPSPs. This should include information such as the following: •Prior to making Confirmation of funds requests to their ASPSPs, CBPIIs must have been given explicit consent by PSUs. •CBPIIs will only received a ‘yes/no’ answer about the availability of funds at PSUs’ account, sufficient to cover a specific amount of a CBPII transaction. •The Confirmation of Funds Response will not be stored by CBPIIs. •Confirmation received by CBPIIs cannot be used for any other purpose than the execution of the transaction for which the request is made. •The period over which CoF consent is requested and the reasons why. •How PSUs will be able to revoke their consent through the CBPII environment.

3

CEG Checklist Requirements 3
PSU Consent to CBPII CBPIIs must request for the PSUs’ consent to in a clear and specific manner. CBPIIs must display the following information in the consent screen: •PSU payment Account Identification and/or the selected ASPSP (based on item #1 options). •Note 1: if PSU payment Account identification is selected in item #1, CBPIIs should mask the PSU payment Account details on the consent screen. Otherwise, if the PSU payment Account identification has been input by PSUs in item #1, CBPIIs should not mask these details to allow PSUs to check and verify correctness. •Note 2: if PSU payment Account identification is provided by PSUs in item #1, CBPIIs could use this to identify and display the ASPSP without having to ask PSUs. •Expiration Date & Time: Consent couldbe on-going or for set period of time. If this parameter is provided by CBPIIs, the consent will have limited life span and will expire on the specified date. CBPIIs could choose to align this expiry date with the expiration date of the card based instrument issued to PSUs. Alternatively, they could choose a different period for security or business reasons, or they could also allow PSUs to select their desired expiry date explaining however the implications this may have on the usage of their issued card. •PSU payment Account name, if provided by PSUs in item #1.

5

CEG Checklist Requirements 5
Authentication ASPSPs must apply SCA. The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly authenticating via the ASPSP channel.

7

CEG Checklist Requirements 7
ASPSP Consent Prior to receiving the first request from each CBPII, ASPSPs must obtain explicit consent from the PSU to provide confirmation of funds to CBPII requests. ASPSPs must be able to introduce an additional screen to display Information associated with the Confirmation of Funds consent. ASPSPs must display to PSUs all the information related to the CoF consent. This information includes the following: CBPII requesting CoF to the PSU account. PSU payment Account Name. PSU payment Account Identification. Consent Expiration Date & Time: (this could also be on-going). Note: PSU’s payment account details may be shown in account number and sort-code format in cases when PSU in item #1 provided account identification details in other formats such as a PAN, IBAN, Paym mobile number, etc., subject to CBPII and ASPSPs offering these options.

 

Requirements and Considerations

CEG Checklist Requirements & CX Considerations

1

Minimum Set of Parameters

CBPIIs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats).

Note1:In some of the above cases, CBPIIs may also need PSUs to provide their ASPSP name so that CBPIIs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account.

CBPIIs could also choose to allow PSUs to enter their payment account name.

Note 2: The use of IBANas an identification of the payer account for UK ASPSPs is not expected to be heavily used as account and sortcode are the main account identifiers used in the UK. IBANhowever will be used by non UK ASPSPsimplementing OBIEstandards and offering their services in the UK. 

34

2

PSU Consent to CBPII

CBPIIs must provide PSUs sufficient information to enable them to make an informed decision about whether to consent to the CBPII making CoF requests to their ASPSP accounts. For example, the CBPII should provide details on the purpose for which the funds checks will be used (including whether any other parties will have access to the information) and clear and reassuring messages about what information will be made available from the ASPSPs.

This should include information such as the following:

Prior to making Confirmation of funds requests to their ASPSPs, CBPIIs must have been given explicit consent by PSUs.
CBPIIs will only received a ‘yes/no’ answer about the availability of funds at PSUs’ account, sufficient to cover a specific amount of a CBPII transaction.
The Confirmation of Funds Response will not be stored by CBPIIs.
Confirmation received by CBPIIs cannot be used for any other purpose than the execution of the transaction for which the request is made.
The period over which CoF consent is requested and the reasons why.
How PSUs will be able to revoke their consent through the CBPII environment.

8

3

PSU Consent to CBPII

CBPIIs must request for the PSUs’ consent to in a clear and specific manner.

CBPIIs must display the following information in the consent screen:

PSU payment Account Identification and/or the selected ASPSP (based on item #1 options).
•Note 1: if PSU payment Account identification is selected in item #1, CBPIIs should mask the PSU payment Account details on the consent screen. Otherwise, if the PSU payment Account identification has been input by PSUs in item #1, CBPIIs should not mask these details to allow PSUs to check and verify correctness.
•Note 2: if PSU payment Account identification is provided by PSUs in item #1, CBPIIs could use this to identify and display the ASPSP without having to ask PSUs.
Expiration Date & Time: Consent couldbe on-going or for set period of time. If this parameter is provided by CBPIIs, the consent will have limited life span and will expire on the specified date. CBPIIs could choose to align this expiry date with the expiration date of the card based instrument issued to PSUs. Alternatively, they could choose a different period for security or business reasons, or they could also allow PSUs to select their desired expiry date explaining however the implications this may have on the usage of their issued card.
PSU payment Account name, if provided by PSUs in item #1.

8 32

Generic CBPII to ASPSP redirection Screen and message. Please refer to Section Effective use of redirection screens.

5

Authentication

ASPSPs must apply SCA.

The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly authenticating via the ASPSP channel.

1

Authentication

ASPSPs could display a message to prompt PSUs to authenticate to continue with setting up Funds Check. 

7

ASPSP Consent

Prior to receiving the first request from each CBPII, ASPSPs must obtain explicit consent from the PSU to provide confirmation of funds to CBPII requests.

ASPSPs must be able to introduce an additional screen to display Information associated with the Confirmation of Funds consent.

ASPSPs must display to PSUs all the information related to the CoF consent. This information includes the following: 

CBPII requesting CoF to the PSU account.
PSU payment Account Name.
PSU payment Account Identification.
Consent Expiration Date & Time: (this could also be on-going).

Note: PSU’s payment account details may be shown in account number and sort-code format in cases when PSU in item #1 provided account identification details in other formats such as a PAN, IBAN, Paym mobile number, etc., subject to CBPII and ASPSPs offering these options.

31

ASPSP Supplementary Information

ASPSPs should provide some supplementary information in relation to their obligations for CoF requests and how these will be handled. This may include but not limited to the following:

ASPSPs will only respond with a ‘yes/no’ answer about the availability of funds at the PSUs‘ account, sufficient to cover a specific amount of a CBPII transaction.
ASPSPs are not permitted to provide additional account information (such as the account balance) or block funds on the PSU’s account for the CBPII transaction.
PSUs may be able to view their history of Confirmation of Funds requests including the identity of CBPIIs which made CoF requests and the provided response, using their Access Dashboard at their ASPSPs.
How PSUs will be able to revoke their consent from the ASPSP Access Dashboard.

ASPSPs should allow PSUs to review,as a part of the authentication process, all the information related to the CoF. PSUs can either proceed with the CoF consent or cancel it, on the same screen with items #7 & #8, using “equal weight” options.

Generic ASPSP to CBPII redirection screen and message. Please refer to section Effective use of redirection screens.

CBPII Confirmation 

CBPIIs should confirm to PSUs the successful completion of the Confirmation of Funds account access request.

CBPIIs could also choose to display again:

The PSU payment account identification details (this can now be in masked form).
The expiration date of the Confirmation of Funds consent.

PSU Research Considerations

Research undertaken on behalf of OBIE with consumer PSUs has identified the following points:

• PSUs do not understand the term CBPII and thus other language should be used for the consent group:
o Consumers have no spontaneous awareness or understanding of CBPII. It is easiest to explain to them using a practical example of how it might operate. Thus, the term CBPII is unknown and should avoided in customer journeys.
o Once explained, ‘Confirmation of Funds’ is a workable name for part of the process, as is ‘Funds availability check’.
o Other suggestions included: ‘Funds check’, ’Funds confirmation’ and ‘Pre-transaction check’.
• PSUs trust and are willing to provide their consent to the CBPIIs to make CoF requests to their ASPSP accounts
o Once the concept has been explained, PSUs are happy to provide consent to make CoF requests, although in their minds these are of secondary importance compared to payments.
• PSUs understand that CoF is ‘yes’/ ‘no’ answer and that their ASPSP will neither provide any other account information to the CBPII such as the actual balance on their account, nor allow them to initiate any payments.

The process of CoF and what information the CBPII card issuer would have access to are both easy to understand, once explained, and make sense / reassure PSUs.

 

What the research says

 

Click for customer research