Card Based Payment Instrument Issuers (CBPIIs)

Re-Authentication of COF Access at the ASPSP

This version is: Published 01 Mar 2019

User Journey

 

We note that generally ASPSPs may not require re-authentication of PSUs once PSUs have given their explicit consent to ASPSPs to provide Confirmation of Funds responses to requests from a specific CBPII, prior to the first request (as shown in journey Consent for Confirmation of Funds (CoF)). However, there may be instances where ASPSPs have invalidated the token after the consent has been set up, for example due to suspicion of fraud. In these instances, the PSU will need to be re-authenticated. This section describes the customer journey where re-authentication for CBPII access is required to allow the CBPII to continue making further confirmation of funds requests.

CBPIIs should inform the PSU that they need to be re-authenticated by their ASPSP. CBPIIs should present the original account details and expiration date (or CBPIIs could vary the expiration date). This re-authentication journey will establish a new token which the CBPII can use to make subsequent confirmation of funds requests.

 

Wireframes


 

Requirements and Considerations

CEG Checklist Requirements & CX Considerations

CBPIIs should alert PSUs when re-authentication needs to be performed so that CBPII access at the ASPSP for CoF is restored.

CBPIIs should make it clear that PSUs are being asked to authenticate with their ASPSPs to restore the funds checking access of CBPIIs to their account.

3

PSU Consent to CBPII

CBPIIs must provide PSUs sufficient information to enable them to make an informed decision about whether to consent to the CBPII making CoF requests to their ASPSP accounts. For example, the CBPII should provide details on the purpose for which the funds checks will be used (including whether any other parties will have access to the information) and clear and reassuring messages about what information will be made available from the ASPSPs.

This should include information such as the following:

• Prior to making Confirmation of Funds requests to their ASPSPs, CBPIIs must have been given explicit consent by PSUs.
• CBPIIs will only receive a ‘yes/no’ answer about the availability of funds at the PSU’s account, sufficient to cover a specific amount of a CBPII transaction.
• The Confirmation of Funds Response will not be stored by CBPIIs.
• Confirmation received by CBPIIs cannot be used for any other purpose than the execution of the transaction for which the request is made.
• The period over which CoF consent is requested and the reasons why.
• How PSUs will be able to revoke their consent through the CBPII environment.

8

4

PSU Consent to CBPII

CBPIIs must request the PSUs’ consent in a clear and specific manner.

CBPIIs must display the following information in the consent screen:

• PSU payment Account Identification and/or the selected ASPSP.
  • Note 1: CBPIIs should mask the PSU payment Account details on the consent screen.
• Expiration Date & Time: Consent could be on-going or for a set period of time. If this parameter is provided by CBPIIs, the consent will have a limited life span and will expire on the specified date. CBPIIs could choose to align this expiry date with the expiration date of the card based instrument issued to PSUs. Alternatively, they could choose a different period for security or business reasons, or they could allow PSUs to select their desired expiry date, explaining however the implications this may have on the usage of their issued card.
• PSU payment Account name, if provided by PSUs in the original consent journey (as per Consent for Confirmation of Funds (CoF)).

8 32

Generic CBPII to ASPSP redirection screen and message. Please refer to section Effective use of redirection screens.

6

Authentication

ASPSPs must apply SCA.

The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly authenticating via the ASPSP channel.

1

Authentication

ASPSPs could display a message to prompt PSUs to authenticate to continue with setting up Funds Check. 

8

ASPSP Consent

Prior to receiving the first request from each CBPII, ASPSPs must obtain explicit consent from the PSU to provide confirmation of funds to CBPII requests.

ASPSPs must be able to introduce an additional screen to display information associated with the Confirmation of Funds consent.

ASPSPs must display to PSUs all the information related to the CoF consent. This information includes the following:

• CBPII requesting CoF to the PSU account.
• PSU payment Account Name.
• PSU payment Account Identification.
• Consent Expiration Date & Time (this could also be on-going).

Note: The PSU’s payment account details may be shown in account number and sort-code format in cases where the PSU in item #1 provided account identification details in other formats such as a PAN, IBAN, Paym mobile number, etc., subject to the CBPII offering these options.

31

ASPSP Supplementary Information

ASPSPs should provide some supplementary information in relation to their obligations for CoF requests and how these will be handled. This may include, but is not limited to, the following:

• ASPSPs will only respond with a ‘yes/no’ answer about the availability of funds at the PSU’s account, sufficient to cover a specific amount of a CBPII transaction.
• ASPSPs are not permitted to provide additional account information (such as the account balance) or block funds on the PSU’s account for the CBPII transaction.
• PSUs may be able to view their history of Confirmation of Funds requests, including the identity of CBPIIs which made CoF requests and the provided response, using their Access Dashboard at their ASPSPs.
• How PSUs will be able to revoke their consent from the ASPSP Access Dashboard.

ASPSPs should allow PSUs to review, as part of the authentication process, all the information related to the CoF. PSUs can either proceed with the CoF consent or cancel it, on the same screen with items #8 & #9, using “equal weight” options.

Generic ASPSP to CBPII redirection screen and message. Please refer to section Effective use of redirection screens.

CBPII Confirmation 

CBPIIs should confirm to PSUs the successful completion of the Confirmation of Funds account access request.

CBPIIs could also choose to display again:

• the PSU payment account identification details (this can now be in masked form).
• the expiration date of the Confirmation of Funds consent.