Payment Initiation Services

VRP Payments with delegated SCA

This version is:

Published 3 years ago 21 Oct 2021

VRPs with delegated SCA is defined as “VRP Payments that are initiated by the PISP and do not rely on the application of an SCA exemption by the ASPSP, but rather the application of delegated SCA to each individual VRP Payment.”

Other pages in this section

 

VRPs are defined as a series of payments initiated by a PISP using a long-held consent (“VRP Consent”), where:

  1. the VRP Consent must be authorised by the Payment Service User (“PSU”) via Strong Customer Authentication (“SCA”) at their ASPSP (“VRP Consent Setup”), however, each individual payment instructed (“VRP Payment”) using the VRP Consent does not require SCA of the PSU by the ASPSP;
  2. the timing or amount of each payment need not be fixed during the VRP Consent Setup but is instead subject to the constraints of certain parameters (“VRP Consent Parameters”), agreed between the PISP and the PSU, which are enforced by the ASPSP; and
  3. the VRP Consent Parameters are included within the VRP Consent and are therefore subject to SCA of the PSU by the ASPSP as part of the VRP Consent Setup.

VRPs with delegated SCA is defined as “VRP Payments that are initiated by the PISP and do not rely on the application of an SCA exemption by the ASPSP, but rather the application of delegated SCA to each individual VRP Payment.” This will provide explicit consent for each payment instruction, dynamically linking the amount and a payee, allowing for flexibility on the VRP Consent Parameters provided that the applicable SCA requirements are met.

Once the Initial VRP Consent Setup is successfully complete, the PISP can initiate, on the PSU’s behalf, a series of VRP Payments within the VRP Consent Parameters with the application of delegated SCA for each individual VRP Payment. This provides explicit consent for each payment instruction and dynamically links the amount and a payee, providing flexibility on the VRP Consent Parameters provided that the applicable SCA requirements are met.

Delegated SCA VRP Consent Setup User Journey

 

Main content image

 

 

Delegated SCA VRP Payments User Journey

 

Main content image

 

Delegated SCA VRP Consent Setup Wireframe

This content is best viewed on a desktop browser.

1

CEG Checklist Requirements 1
Minimum Set of Parameters PISPs must either allow PSUs to specify the below minimum set of parameters or pre-populate them for the PSUs enabling the PSU to amend: Payee Account Name. Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN). Payment Reference – This is optional but it is good practice to be populated for a payment. Maximum amount per payment and Currency (GBP for UK implementations). Maximum amount per month. Expiry Date (Ongoing or a Specific Date). Any supplementary information required which the ASPSP has published as required and is specific to that ASPSP.

2

CEG Checklist Requirements 2
PSU payment Account Selection PISPs must provide PSUs at least one of the following options: • Enter their Payer’s payment Account Identification details. •PISPs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats). • Select their Account Identification details (this assumes they have been saved previously). • Select their ASPSP in order to select their PSU payment Account from there later on in the journey. Note1: In some of the above cases, PISPs may also need PSUs to provide their ASPSP name so that PISPs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account. Note 2: The use of IBAN as an identification of the payer account for UK ASPSPs is not expected to be heavily used as account and sortcode are the main account identifiers used in the UK. IBAN however will be used by non UK ASPSPs implementing OBIE standards and offering their services in the UK.

3

CEG Checklist Requirements 3
Use of clear language to the PSU that they will be consenting to give the PISP the ability to make payment on a (sporadically or periodically) recurring basis. PISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the PISP is only trading with its registered company name then it must display that name to the PSU. If the PISP is not the customer-facing entity and there is an Agent who is acting on behalf of the PISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the PISP and must also, display the PISP’s full trading name/brand name or registered company name whichever is the customer-facing brand of the PISP. PISPs must also, populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to be able to display this information to the PSU (please refer to item #5). Only in instances where there is an Agent acting on behalf of the PISP, the ‘On Behalf of’ name must be displayed to the PSU. PISPs must not populate the ‘ On behalf of’ field with the details of their TSP.

4

CEG Checklist Requirements 4
PSU Consent to PISP PISPs must display the following information in the consent screen: Control Parameters Payment Reference, and any supplementary info, if it has been entered by PSUs or pre-populated by PISPs in item #1. Maximum amount per payment and Currency. Maximum amount per month. Expiry Date as selected by the PSU. Payee Information Payee Account Name. For Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN): If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness. If this has been pre-populated by PISPs (e.g. in an eCommerce payment scenario) PISPs could choose whether to display this information or not. Payer Information PSU payment Account Identification and/or the selected ASPSP (based on item #2 options). Note: if PSU payment Account identification is provided by PSUs in item #2, PISPs could use this to identify and display the ASPSP without having to ask PSUs.

5

CEG Checklist Requirements 5
PSU Consent to PISP PISPs must display the following information in the consent screen: Control Parameters Payment Reference, and any supplementary info, if it has been entered by PSUs or pre-populated by PISPs in item #1. Maximum amount per payment and Currency. Maximum amount per month. Expiry Date as selected by the PSU. Payee Information Payee Account Name. For Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN): If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness. If this has been pre-populated by PISPs (e.g. in an eCommerce payment scenario) PISPs could choose whether to display this information or not. Payer Information PSU payment Account Identification and/or the selected ASPSP (based on item #2 options). Note: if PSU payment Account identification is provided by PSUs in item #2, PISPs could use this to identify and display the ASPSP without having to ask PSUs.

8

CEG Checklist Requirements 8

9

CEG Checklist Requirements 9

11

CEG Checklist Requirements 11
SCA Authentication must be the only action required at the ASPSPs (unless supplementary information required, refer to section Single Domestic Payments – Supplementary info. The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP channel.

13

CEG Checklist Requirements 13
PISP Confirmation PISPs must display the information received from the ASPSP. This information may include: •The unique identifier assigned to the VRP Instruction by ASPSPs.

Delegated SCA VRP Payments Wireframe

This content is best viewed on a desktop browser.

1

CEG Checklist Requirements 1
PISPs must enable the PSU to provide the below: Payee Account Name. Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN).

2

CEG Checklist Requirements 2
PISPs must display the following information in the consent screen: Payment Reference, and any supplementary info, if it has been entered by PSUs or pre-populated by PISPs in item #1. Payee Information Payee Account Name. For Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN): If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness. If this has been pre-populated by PISPs (e.g. in an eCommerce payment scenario) PISPs could choose whether to display this information or not. Payer Information If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness. If this has been pre-populated by PISPs (e.g. PSU already provided as part of VRP consent) PISPs could choose whether to display this information or not.

3

CEG Checklist Requirements 3
SCA Authentication must be the only action required by the PSU.

5

CEG Checklist Requirements 5
ASPSP must reject the VRP Payment and provide an appropriate response back to the PISP if : The VRP payment submitted by PISP is outside the VRP Consent parameters. The VRP consent setup access is revoked by the PSU at the ASPSP.

6

CEG Checklist Requirements 6
PISP Confirmation PISPs must display the information received from the ASPSP. This information may include: •The unique identifier assigned to the VRP payment by ASPSPs.

CEG Checklist Requirements & Customer Experience Considerations

Delegated SCA VRP Consent Setup Wireframe

1

PISPs must either allow PSUs to specify consent parameters or pre-populate them for the PSUs enabling the PSU to amend any of them as required.

Example Consent Parameters:

  • Maximum amount per payment and Currency (GBP for UK implementations).
  • Maximum amount per month.
  • Expiry Date (Ongoing or a Specific Date).
  • Any supplementary information required which the ASPSP has published as required and is specific to that ASPSP.

22 22a

2

PSU payment Account Selection

PISPs must provide PSUs at least one of the following options:

• Enter their Payer’s payment Account Identification details.
•PISPs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats).
• Select their Account Identification details (this assumes they have been saved previously).
• Select their ASPSP in order to select their PSU payment Account from there later on in the journey.

 

Note1: In some of the above cases, PISPs may also need PSUs to provide their ASPSP name so that PISPs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account.

Note 2: The use of IBAN as an identification of the payer account for UK ASPSPs is not expected to be heavily used as account and sortcode are the main account identifiers used in the UK. IBAN however will be used by non UK ASPSPs implementing OBIE standards and offering their services in the UK. 

24

3

Use of clear language to the PSU that they will be consenting to give the PISP the ability to make payment on a (sporadically or periodically) recurring basis.

PISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the PISP is only trading with its registered company name then it must display that name to the PSU.

If there is a customer-facing service provider (e.g., Merchant) who is not a PISP but has a commercial relationship with a PISP and is providing the end service to the end-user, the PISP must ensure the software statement reflects this information correctly so that it can be displayed accurately to the PSU on the PIS-VRP ASPSP Dashboard.

This could occur in Merchant journeys for example, where the Merchant contracts with a PISP to provide Variable Recurring Payment as a payment option on their platform.

PISPs must also, populate the customer-facing service provider company name in the ‘On behalf of’’ field of the software statement, in order to inform the ASPSP about the relationship and allow the ASPSP to be able to display this information to the PSU (please refer to item #5). Only in instances where there is a customer-facing service provider acting on behalf of the PISP, the ‘On Behalf of’ name must be displayed to the PSU. PISPs must not populate the ‘ On behalf of’ field with the details of their TSP.

8f

4

PSU Consent to PISP 

PISPs must display the following information in the consent screen:

Consent Parameters (as provided in item 1.)

Payer Information

  • PSU payment Account Identification and/or the selected ASPSP (based on item 2 options).Note: if PSU payment Account identification is provided by PSUs in item 2, PISPs could use this to identify and display the ASPSP without having to ask PSUs.

8b

5

Terms

PISPs must enable the PSUs to view their Terms on the consent screen.

8c

PISPs should provide messaging to inform PSUs that they will be taken to their ASPSPs to complete the payment.

Example wording: “We will securely transfer to YOUR ASPSP to authenticate“.

Generic PISP to ASPSP redirection screen and message. Please refer to sections Browser based redirection – PISApp based redirection – PIS and Effective use of redirection screens.

8

Additional Parameters

ASPSPs must allow PSUs to select the payment account to complete the VRP setup only if the PSU has not provided it to the PISP.

It is up to ASPSP to consider relevant obligations relating to the FCA’s High Cost Credit Review: Overdrafts consultation paper and policy statement (CP18/42) & (PS19/16)”.

23

9

ASPSPs must display all the consent parameter(s) as provided by the PISP.

These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info.

  1. ASPSPs’ Authentication screen (recommended).
  2. ASPSP to PISP redirection screen

28a

For recognition based biometrics (e.g. Face ID) which can be more immediate the biometric authentication should be invoked after a delay or through a call to action to allow the PSU the ability to view the details.

11

SCA Authentication must be the only action required at the ASPSPs (unless supplementary information required, refer to section Single Domestic Payments – Supplementary info.

The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP channel.

19 1

Generic ASPSP to PISP redirection screen and message. Please refer to section Effective use of redirection screens.

13

PISP Confirmation 

PISPs must display the information received from the ASPSP. This information may include:

•The unique identifier assigned to the VRP setup by ASPSPs.

25 26

Delegated SCA VRP Payments Wireframe

This core journey will enable the PISP to initiate variable recurring payment(s) within the agreed set of consent parameter(s) which will result in a single domestic payment being processed by the ASPSPs as a Single Immediate Payment (SIP) via Faster Payments where the customer is required to be in session for each VRP payment(s). The customer must specify the payee and undergo SCA (either Delegated SCA by PISP or a third party or SCA at the ASPSP).

1

PISPs must enable the PSU to provide the below:

  • Payee Account Name.
  • Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN).

22

2

PISPs must display the following information in the consent screen and additional VRP payment information:

Payee Information

  • Payee Account Name.
  • For Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN):
    • If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness.
    • If this has been pre-populated by PISPs (e.g. in an eCommerce payment scenario) PISPs could choose whether to display this information or not.

Payer Information

  • If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness.
  • If this has been pre-populated by PISPs (e.g. PSU already provided as part of VRP consent) PISPs could choose whether to display this information or not.

Additional Payment Information (if any)

  • Payment Amount.
  • Payment reference
  • Debtor reference (optional)

28

3

SCA Authentication must be the only action required by the PSU.

19b

The PISP must be able to submit a CoF request prior to making VRP payment and must receive a response back from the ASPSP.  Please refer to section Confirmation of Funds for PISP – Y/N Response – Requirements items 5 to 9

5

ASPSP must reject the VRP Payment  and provide an appropriate response back to the PISP if :

  • The VRP payment submitted by PISP is outside the VRP Consent parameters.
  • The VRP consent setup access is revoked by the PSU at the ASPSP.

 

28d

6

PISP Confirmation 

PISPs must display the information received from the ASPSP. This information may include:

  • The unique identifier assigned to the VRP payment by ASPSPs.
Note: PISPs that will be offering refunds to PSUs must incorporate the PISP refund journey within the VRP customer journey.

25 26

What the research says

 

Click for customer research