Re-Authentication of CoF Access at the ASPSP
CX Consideration 1
CBPIIs should alert PSUs when re-authentication needs to be performed so that CBPII access at the ASPSP for CoF is restored.
CX Consideration 2
CBPIIs should make it clear that PSUs are being asked to authenticate with their ASPSPs to restore the funds checking access of CBPIIs to their account.
CEG Checklist Requirements 3
PSU Consent to CBPII
CBPIIs must provide PSUs sufficient information to enable them to make an informed decision about whether to consent to the CBPII making CoF requests to their ASPSP accounts. For example, the CBPII should provide details on the purpose for which the funds checks will be used (including whether any other parties will have access to the information) and clear and reassuring messages about what information will be made available from the ASPSPs. This should include information such as the following:
• Prior to making Confirmation of Funds requests to their ASPSPs, CBPIIs must have been given explicit consent by PSUs.
• CBPIIs will only receive a 'yes/no' answer about the availability of funds at PSUs' account, sufficient to cover a specific amount of a CBPII transaction.
• The Confirmation of Funds Response will not be stored by CBPIIs.
• Confirmation received by CBPIIs cannot be used for any other purpose than the execution of the transaction for which the request is made.
• The period over which CoF consent is requested and the reasons why.
• How PSUs will be able to revoke their consent through the CBPII environment.
CEG Checklist Requirements 4
PSU Consent to CBPII
CBPIIs must request the PSUs' consent in a clear and specific manner. CBPIIs must display the following information in the consent screen:
• PSU payment Account Identification and/or the selected ASPSP. Note 1: CBPIIs should mask the PSU payment Account details on the consent screen.
• Expiration Date & Time: Consent could be on-going or for a set period of time. If this parameter is provided by CBPIIs, the consent will have a limited life span and will expire on the specified date. CBPIIs could choose to align this expiry date with the expiration date of the card-based instrument issued to PSUs. Alternatively, they could choose a different period for security or business reasons, or they could allow PSUs to select their desired expiry date, explaining however the implications this may have on the usage of their issued card.
• PSU payment Account name, if provided by PSUs in the original consent journey (as per Consent for Confirmation of Funds (CoF)).
CX Consideration 5
Generic CBPII to ASPSP redirection screen and message. Please refer to Section Effective use of redirection screens.
CEG Checklist Requirements 6
Authentication
ASPSPs must apply SCA. The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly authenticating via the ASPSP channel.
CX Consideration 7
Authentication
ASPSPs could display a message to prompt PSUs to authenticate to continue with setting up Funds Check.
CEG Checklist Requirements 8
ASPSP Consent
Prior to receiving the first request from each CBPII, ASPSPs must obtain explicit consent from the PSU to provide confirmation of funds to CBPII requests. ASPSPs must be able to introduce an additional screen to display information associated with the Confirmation of Funds consent. ASPSPs must display to PSUs all the information related to the CoF consent. This information includes the following:
• CBPII requesting CoF to the PSU account.
• PSU payment Account Name.
• PSU payment Account Identification.
• Consent Expiration Date & Time (this could also be on-going).
Note: The PSU's payment account details may be shown in account number and sort-code format in cases where the PSU in item #1 provided account identification details in other formats such as a PAN, IBAN, Paym mobile number, etc., subject to the CBPII offering these options.
CX Consideration 9
ASPSP Supplementary Information
ASPSPs should provide some supplementary information in relation to their obligations for CoF requests and how these will be handled. This may include, but is not limited to, the following:
• ASPSPs will only respond with a 'yes/no' answer about the availability of funds at PSUs' account, sufficient to cover a specific amount of a CBPII transaction.
• ASPSPs are not permitted to provide additional account information (such as the account balance) or block funds on the PSU's account for the CBPII transaction.
• PSUs may be able to view their history of Confirmation of Funds requests, including the identity of CBPIIs which made CoF requests and the provided response, using their Access Dashboard at their ASPSPs.
• How PSUs will be able to revoke their consent from the ASPSP Access Dashboard.
CX Consideration 10
ASPSPs should allow PSUs to review, as part of the authentication process, all the information related to the CoF. PSUs can either proceed with the CoF consent or cancel it, on the same screen with items #8 & #9, using "equal weight" options.
CX Consideration 11
Generic ASPSP to CBPII redirection Screen and message. Please refer to Section Effective use of redirection screens.
CX Consideration 12
CBPII Confirmation
CBPIIs should confirm to PSUs the successful completion of the Confirmation of Funds account access request. CBPIIs could also choose to display again:
• the PSU payment account identification details (this can now be in masked form).
• the expiration date of the Confirmation of Funds consent.