Versions Compared

Version Old Version 12 New Version 13
Changes made by

Rajeev Walia

Chris Wood

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Expand
titleMenu
Table of Contents
minLevel1
maxLevel6
outlinefalse
stylenone
typelist
printabletrue

...

1.4 Prerequisites for Payments with Delegated Authentication

...

With the Delegated Secure Customer Authentication (SCA) model, the TPP is responsible for securely authenticating the user using a SCA process for each payment initiation, leveraging a long-lived consent agreement established with the user, that also triggers the liability shift (see Limitation of Liability Model)for the SCA activities from the LFI. Authentication factors are categorized based on:

  • Knowledge: Something only the user knows

  • Possession: Something only the user possesses

  • Inherence: Something unique to the user’s physical characteristics

1.4.

...

1 The authentication methods are limited to the following:

  • User biometrics on a mobile device: such as fingerprint or facial recognition executed on the customer’s device, where a TPP app is also bound

  • Dynamic tokens on a mobile device: generated by authenticator apps (e.g., Authy, Google Authenticator, Microsoft Authenticator) on the customer’s device, where a TPP app is also bound

  • NFC-based trigger on a mobile device: used as a possession factor through Near Field Communication for secure, contactless verification, on the customer’s device, where a TPP app is bound and logged in

  • NFC based trigger on another IoT device: The device holds credentials that can be used to verify the User identity, provisioned in conjunction with a TPP service. The device MUST have a biometric capability, a means to securely store a private key that is uniquely linked to the User, and can only be activated on presentment of a biometric gesture.

The TPP application MUST can support biometric authentication and a secondary authentication method, such as a PIN. If biometric authentication fails or is unavailable for the user, the secondary authentication method MUST canbe provided as an alternative.

In this model, TPPs can choose from the following approaches to authenticate the user:

...

#

Step

Rules & Guidelines

MPCS-1

Consent setup

Basic Consent Parameters

TPPs MUST:

1.1 Enable Users to provide and review the parameters related to the initiation of a series of Multi-Payments they need to consent to. These parameters include:

  • Set the Is Delegated Authentication flag to true to reflect the payments consent is using the Delegated Authentication capability

  • User Payment Account or User LFI (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#2.-User-Payment-Account-Selection)

  • Allow Users to manually enter the Creditor Reference or pre-populate it for the Users (depending on the Use Case). Creditor Reference is mandatory due to being the default value to be used as the Creditor Reference of the Payment Initiation Requests. The Creditor Reference is populated either by the User (i.e. debtor) or the TPP using information requested by the beneficiary or any other information that can be provided to the beneficiary to assist in identifying and reconciling any payments initiated using this consent. This information may be mapped to the Creditor Reference of each Payment Initiation Request and thus may be transferred via the payment rails to the beneficiary LFI. However, the TPP if required use a different Creditor Reference for each of the initiated payment Requests

  • Validate that the format of the Creditor Reference is according to the Bank Service Initiation OpenAPI.

Additional Consent Parameters

1.2 Set the Accepted Authorization Type (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#7.-Is-Single-Authorization-flag ).

1.3 Set the Authorization Time Window (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#8.-Authorization-Time-Window) if there are specific timing requirements that must be met for the consent authorization. This is also relevant to cases where multiple authorizers are required to authorize the payment consent.

1.4 Set the Risk Information Block (as perhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#9.-Risk-Information-Block)

1.5 Enable Users to provide explicit consent for the initiation of future Payments from their online payment account held at their LFI as specified in the consent.

Balance Check Permission

1.6 Request permission to check the balance of the payment account before initiating a payment. https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/edit-v2/210799644#4.-Balance-Check

MPCS-2

Consent Staging

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#10.-Consent-Staging

MPCS-3

Hand-off to LFI

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#11.-Hand-off-to-LFI

Example wording to use: ‘We will securely transfer to YOUR LFI to authenticate and authorize your payments setup“.

MPCS-4

Authentication

LFI Authentication Only

As per the following sections:

Centralized Authentication and Authorization (Federated) Only

As per Centralized Authentication and Authorization

MPCS-5

Authorization

LFIs MUST:

5.1 Enable Users to authenticate using Multi-Factor Authentication (MFA) in order to review and authorize the long-lived payment Consent.

5.2 Retrieve from the OFP the payment Consent details staged by the TPP using the unique Consent Identifier.

5.3 Allow Users to select a payment account for the initiation of the payments, if this was not provided in the retrieved staged Payment Consent details as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#12.-Payment-Account-Selection-at-LFI

  • 5.3.1 Allow Users to select a payment account for the initiation of the payments even if it has insufficient funds at the time of the payment Consent authorization. This allows Users to fund the payment accounts appropriately before the dates of the payment initiation. However, the LFIs MUST inform the User, if the selected payment account has insufficient funds.

5.4 Only present additional screens, if necessary to allow the validation and confirmation of the payment Consent.

5.5 NOT earmark (i.e. block) any funds related to the payment Consent in the Users' payment account at the point of Consent authorization.

5.6 Check the authorization status of the selected payment account is in accordance with the TPPs' Accepted Authorization Type as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#13.-Check-Accepted-Authorization-Type.

5.7 Display to Users the TPP Trading Name of the TPP that initiated the long-lived payment Consent.

  • 5.7.1 If there are customer-facing service providers (e.g. Merchants) who are not TPPs but have commercial relationships with TPPs, the LFIs MUST display the customer-facing service provider name along with the TPP trading name.

5.8 Present to Users the following minimum required information for authorizing the long-lived payments Consent:

  • User Payment Account

  • Consent Reference

  • Currency

  • Consent Expiration Date & Time

5.9 Request for Balance Check Permission: If the TPP has requested permission to check the balance of the User’s payment account.

5.10 Change the state of the payment Consent from Awaiting Authorization to Authorized when all Authorizers (one or more) have authorized the payment Consent.

5.11 Update the payment Consent details stored in the OFP with all the information included in the payment Consent authorized by the User.

OFP MUST:

5.12 Check the Authorization Time window is valid as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#19.-Check-Authorization-Time-Window.

5.13 Confirm back to the LFIs that the payment Consent details have been updated successfully.

5.14 Start tracking the Consent Control Parameters for the Control Period at the Control Period Start Date, if provided, or the Consent creation Date otherwise. The Control Period starts from 00:00:00 of the day and ends at 23:59:59 of the Control Period end day, calculated based on the Control Period type as defined in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210798542/Multi-Payments#6.3.2-VRP-Consent-Control-Period-%26-Start-Date.

Multi-Authorization Journey Only

5.15 As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#18.-Multi-User-Authorization-Flow

MPCS-6

Hand-off back to the TPP

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#14.-Hand-off-back-to-the-TPP

MPCS-7

Confirmation to User

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#16.-Confirmation-to-User

...