VRP Payments under Sweeping Access

 

VRP Payments under sweeping access are a subset of VRP payments with SCA exemption that also have the following additional constraints:

1. Requires the PISP to attest that the activity meets the standardised definition of sweeping.

2. Requires the use of a specific set of sweeping consent parameters.

3. Requires the application of the Trusted Beneficiary SCA exemption by the ASPSP for each VRP Payment.

For simplicity, we have defined the terms ‘Sweeping Consents’ and ‘Sweeping Payments’ to refer to ‘VRP Consents’ and ‘VRP Payments’ respectively when they are dealt with under sweeping access.

 

Sweeping Consent Setup User Journey

Sweeping Payments User Journey

Sweeping Consent Setup Wireframe

CEG Checklist Requirements 1

PISPs must either allow PSUs to specify consent parameters or pre-populate them for the PSUs enabling the PSU to amend any of them as required.

The PSU can be treated as having given explicit consent, suitable for the ASPSP to apply a trusted beneficiary exemption to the sweeping payments, provided that the consent includes the required consent parameters listed below:

Required set of Sweeping Consent Parameters

• Payee Account Name.
• Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN).
• Maximum amount per payment and Currency (GBP for UK implementations).
• Maximum amount per frequency (Day/Week/Fortnight/Month/HalfYear/Year) and Currency (GBP for UK implementations).
• Expiry Date (Ongoing or a Specific Date).
• Consent Reference.

CEG Checklist Requirements 2

PSU payment Account Selection

PISPs must provide PSUs at least one of the following options:

• Enter their Payer's payment Account Identification details.
• PISPs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code - with additional roll number if required, IBAN, PAN, Paym and other formats).
• Select their Account Identification details (this assumes they have been saved previously).
• Select their ASPSP in order to select their PSU payment Account from there later on in the journey.

Note 1: In some of the above cases, PISPs may also need PSUs to provide their ASPSP name so that PISPs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account.

Note 2: IBAN is not expected to be heavily used to identify the payer account for UK ASPSPs, as account number and sort code are the main account identifiers used in the UK. IBAN will, however, be used by non-UK ASPSPs implementing OBIE standards and offering their services in the UK.

CEG Checklist Requirements 3

Use of clear language to the PSU that they will be consenting to give the PISP the ability to make payment on a (sporadically or periodically) recurring basis.

PISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the PISP is only trading with its registered company name then it must display that name to the PSU.

If the PISP is not the customer-facing entity and there is an Agent who is acting on behalf of the PISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the PISP and must also display the PISP’s full trading name/brand name or registered company name, whichever is the customer-facing brand of the PISP.

PISPs must also populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to display this information to the PSU (please refer to item #5). The ‘On behalf of’ name must be displayed to the PSU only in instances where there is an Agent acting on behalf of the PISP. PISPs must not populate the ‘On behalf of’ field with the details of their TSP.

CEG Checklist Requirements 4

PSU Consent to PISP

PISPs must display the following information in the consent screen:

Control Parameters

• Payment Reference, and any supplementary info, if it has been entered by PSUs or pre-populated by PISPs in item #1.
• Maximum amount per payment and Currency.
• Maximum amount per month.
• Expiry Date as selected by the PSU.

Payee Information

• Payee Account Name.
• For Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN):
  • If this has been provided by PSUs in item #1, then PISPs must also display this in the consent screen to allow PSUs to check and verify correctness.
  • If this has been pre-populated by PISPs (e.g. in an eCommerce payment scenario) PISPs could choose whether to display this information or not.

Payer Information

• PSU payment Account Identification and/or the selected ASPSP (based on item #2 options).

Note: if PSU payment Account identification is provided by PSUs in item #2, PISPs could use this to identify and display the ASPSP without having to ask PSUs.

CEG Checklist Requirements 5

T&Cs

PISPs must enable the PSUs to view their T&Cs on the consent screen.

CX Considerations 6

PISPs should provide messaging to inform PSUs that they will be taken to their ASPSPs to complete the payment.

Example wording: "We will securely transfer to YOUR ASPSP to authenticate and make the payment".

CX Considerations 7

Generic PISP to ASPSP redirection screen and message. Please refer to sections Browser based redirection – PIS, App based redirection – PIS and Effective use of redirection screens.

CEG Checklist Requirements 8

Additional Parameters

ASPSPs must allow PSUs to select the payment account to complete the VRP setup only if the PSU has not provided it to the PISP in item #1.

It is up to the ASPSP to consider relevant obligations relating to the FCA’s High Cost Credit Review: Overdrafts consultation paper and policy statement (CP18/42) & (PS19/16).

CEG Checklist Requirements 9

ASPSPs must display as a minimum the following:

• Payee Account details (Payee name, Payee Identification).
• Maximum amount per payment.
• Maximum amount per month.
• Expiry Date.
• Payment Reference & any supplementary information if provided by the PISP.
• Payer Account details (if provided by the PISP).

These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info).

• ASPSPs’ Authentication screen (recommended).
• ASPSP to PISP redirection screen.

CEG Checklist Requirements 10

ASPSPs must inform the PSU that the payee will be added to their Trusted Beneficiary list and must also add the payee to the PSU's Trusted Beneficiary List.

CX Considerations 11

For recognition-based biometrics (e.g. Face ID), which can be more immediate, the biometric authentication should be invoked after a delay or through a call to action, to allow the PSU the ability to view the details.

CEG Checklist Requirements 12

SCA Authentication must be the only action required at the ASPSPs (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info).

The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP channel.

CX Considerations 13

Generic ASPSP to PISP redirection screen and message. Please refer to section Effective use of redirection screens.

CEG Checklist Requirements 14

PISP Confirmation

PISPs must display the information received from the ASPSP. This information may include:

• The unique identifier assigned to the VRP Instruction by ASPSPs.

Sweeping Payments Wireframe

CEG Checklist 1

The ASPSP must apply the Trusted Beneficiary SCA exemption when the PISP initiates a Sweeping payment within the Sweeping consent parameters.

CEG Checklist 2

PISPs must provide messaging to inform PSUs that the Sweeping payment has been successfully initiated with their ASPSP.

PISPs must provide the PSU with all information related to the Sweeping payment after the payment has been successfully initiated.

Note: PISPs may notify the PSU before initiating each Sweeping payment.

CEG Checklist Requirements & Customer Experience Considerations

Sweeping Consent Setup Wireframe

PISPs must either allow PSUs to specify consent parameters or pre-populate them for the PSUs enabling the PSU to amend any of them as required. 

In order for the PSU to provide their explicit consent to set up a Sweeping Payment, the PISP must present the required consent parameters listed below:

Required set of Sweeping Consent Parameters

  • Payee Account Name.
  • Payee Account Identification details (e.g. account number and sort code or additionally roll number or full IBAN).
  • Maximum amount per payment and Currency (GBP for UK implementations).
  • Maximum amount per frequency (Day/Week/Fortnight/Month/HalfYear/Year) and Currency (GBP for UK implementations).
  • Expiry Date (Ongoing or a Specific Date).
  • Consent Reference.

 

22b

 

PSU payment Account Selection

PISPs must provide PSUs at least one of the following options:

• Enter their Payer’s payment Account Identification details.
• PISPs must allow PSUs to enter their payment Account Identification details in at least one of the ways specified in the OBIE V3 Read/Write API Specifications (e.g. account number and sort code – with additional roll number if required, IBAN, PAN, Paym and other formats).
• Select their Account Identification details (this assumes they have been saved previously).
• Select their ASPSP in order to select their PSU payment Account from there later on in the journey.

Note 1: In some of the above cases, PISPs may also need PSUs to provide their ASPSP name so that PISPs can check whether ASPSPs will be able to match the account identifier to the underlying PSU payment account.

Note 2: IBAN is not expected to be heavily used to identify the payer account for UK ASPSPs, as account number and sort code are the main account identifiers used in the UK. IBAN will, however, be used by non-UK ASPSPs implementing OBIE standards and offering their services in the UK.

24

Use of clear language to the PSU that they will be consenting to give the PISP the ability to make payment on a (sporadically or periodically) recurring basis.

PISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the PISP is only trading with its registered company name then it must display that name to the PSU.

If the PISP is not the customer-facing entity and there is an Agent who is acting on behalf of the PISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the PISP and must also display the PISP’s full trading name/brand name or registered company name, whichever is the customer-facing brand of the PISP.

PISPs must also populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to display this information to the PSU (please refer to item #5). The ‘On behalf of’ name must be displayed to the PSU only in instances where there is an Agent acting on behalf of the PISP. PISPs must not populate the ‘On behalf of’ field with the details of their TSP.

8

PSU Consent to PISP 

PISPs must display the following information in the consent screen:

Consent Parameters (as provided in item #1.)

Payer Information

  • PSU payment Account Identification and/or the selected ASPSP (based on item #2 options).

Note: if PSU payment Account identification is provided by PSUs in item #2, PISPs could use this to identify and display the ASPSP without having to ask PSUs.

8b

Terms 

PISPs must enable the PSUs to view their Terms on the consent screen.

8c

PISPs should provide messaging to inform PSUs that they will be taken to their ASPSPs to complete the payment.

Example wording: "We will securely transfer to YOUR ASPSP to authenticate and make the payment".

Generic PISP to ASPSP redirection screen and message. Please refer to sections Browser based redirection – PIS, App based redirection – PIS and Effective use of redirection screens.

Additional Parameters

ASPSPs must allow PSUs to select the payment account to complete the Sweeping setup only if the PSU has not provided it to the PISP in item #1.

It is up to the ASPSP to consider relevant obligations relating to the FCA’s High Cost Credit Review: Overdrafts consultation paper and policy statement (CP18/42) & (PS19/16).

23

ASPSPs must display all the consent parameter(s) provided by the PISP.

These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info).

  1. ASPSPs’ Authentication screen (recommended).
  2. ASPSP to PISP redirection screen

28a

ASPSPs must inform the PSU that the payee will be added to their Trusted Beneficiary list and must also add the payee to the PSU’s Trusted Beneficiary List.

28b

For recognition-based biometrics (e.g. Face ID), which can be more immediate, the biometric authentication should be invoked after a delay or through a call to action, to allow the PSU the ability to view the details.

SCA Authentication must be the only action required at the ASPSPs (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info).

The ASPSP authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP channel.

19

1

Generic ASPSP to PISP redirection screen and message. Please refer to section Effective use of redirection screens.

PISP Confirmation 

PISPs must display the information received from the ASPSP. This information may include:

The unique identifier assigned to the Sweeping setup by ASPSPs.

26a

Sweeping Payments Wireframe

This journey demonstrates Sweeping payment initiation by the PISP where the PSU is not required to be in session for each payment.

This core journey will enable the PISP to initiate ongoing variable recurring sweeping payment(s) within the agreed set of consent parameter(s), which will result in a single domestic payment being processed by the ASPSPs as a Single Immediate Payment (SIP) via Faster Payments, where the customer is not required to be in session for consequent payments.

The ASPSP must apply the Trusted Beneficiary SCA exemption when the PISP initiates a Sweeping payment within the Sweeping consent parameters.

Note: There may be instances where an ASPSP may require SCA, even if the payment being made is to a trusted beneficiary, for example, suspicion of fraud. However, the ASPSP must only do so in exceptional circumstances with an objective approach and in line with the proportionality requirements of the PSRs.
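As an added illustration (not part of the OBIE guidelines or API specification), the sketch below shows one way an ASPSP-side check could decide whether a sweeping payment is "within the Sweeping consent parameters" listed earlier. The class and field names, the `within_consent` function, the sample values and the calendar-month window are all assumptions; only the Month frequency is handled.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional

# Hypothetical field names mirroring the required sweeping consent
# parameters listed on this page; this is not the OBIE API schema.
@dataclass(frozen=True)
class SweepingConsent:
    payee_name: str
    payee_account: str          # e.g. sort code + account number
    max_per_payment: Decimal
    max_per_period: Decimal
    period: str                 # only "Month" is handled in this sketch
    currency: str
    expiry: Optional[date]      # None means "Ongoing"
    reference: str

@dataclass(frozen=True)
class Payment:
    payee_account: str
    amount: Decimal
    currency: str
    on: date

def within_consent(consent, payment, history):
    """Return (ok, reason); `history` holds earlier payments under this consent."""
    if consent.period != "Month":
        return False, "unsupported period in this sketch"
    if consent.expiry is not None and payment.on > consent.expiry:
        return False, "consent expired"
    if payment.payee_account != consent.payee_account:
        return False, "payee differs from consent"
    if payment.currency != consent.currency:
        return False, "currency differs from consent"
    if not (Decimal("0") < payment.amount <= consent.max_per_payment):
        return False, "amount outside per-payment limit"
    # Assumed window: calendar month of the new payment's date.
    month = (payment.on.year, payment.on.month)
    spent = sum((p.amount for p in history if (p.on.year, p.on.month) == month), Decimal("0"))
    if spent + payment.amount > consent.max_per_period:
        return False, "exceeds maximum amount per period"
    return True, "within consent parameters"

# Constructed sample data.
CONSENT = SweepingConsent("Example Savings", "00-00-00 00000000", Decimal("500"),
                          Decimal("1000"), "Month", "GBP", date(2025, 12, 31), "SWEEP-REF-1")
HISTORY = [Payment("00-00-00 00000000", Decimal("400"), "GBP", date(2025, 3, 3)),
           Payment("00-00-00 00000000", Decimal("450"), "GBP", date(2025, 3, 17))]
```

The cumulative check is the one most easily missed: a payment can be under the per-payment maximum and still breach the per-period maximum once earlier payments in the same window are counted.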

28c

PISPs must provide messaging to inform PSUs that the Sweeping payment has been successfully initiated with their ASPSP.

PISPs must provide the PSU with all information related to the Sweeping payment after the payment has been successfully initiated.

Note: PISPs may notify the PSU before initiating each Sweeping payment.

25

26

v3.1.8