1

User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs authentication, data grouping and/or service initiation capabilities.

2

User-facing TPPs MUST make the User aware on the inbound redirection screen(User-facing TPP to CAAP) that the authorisation for the request needs to be done through the CAAP app and provide additional information related to CAAP app.

3

Since the User does not have the CAAP app the redirection MUST take the User to a web page hosted by the CAAP.

4

The CAAP webpage MUST provide the following

1. Summary of CAAP app and why it’s required

2. QRCode to download the CAAP app which deeplinks to the appstore, for Users that want to install the CAAP on a device separate to the device on which the TPP service is being consumed

3. Appstore deeplinks on mobile devices for Users that want to install the CAAP on the same device on which the TPP service is consumed

5

On redirection to the CAAP webpage in Step 4 the consent details will be persisted for the User which will be retrieved and presented after the User installs the app (using the mechanism of deferred deep linking).

6

After installing the CAAP app the User MUST be presented with a one time consent to be given to the CAAP app to

• carry out an Identity verification of the User

• link LFIs selected by the User

• handle authorisation of OF requests for these LFIs

• handle the OF consents authorised by the User

7

The CAAP app MUST perform a ID verification of the User which will involve

• scanning one or more documents from a list of acceptable documents (passport , driving license etc)

• liveness test where the User MUST upload a short video to prove their physical presence

Each step MUST be presented with clear instructions

8

On successful verification of the User’s identity, the CAAP app MUST link the LFI which was selected as part of the consent. For this

• The CAAP app retrieves the User contact details like email and mobile number which are registered with the LFI.

• The CAAP sends a One Time Passcode(OTP) to the contact details retrieved and the User is asked to enter the OTP

• The User enters this OTP to confirm these details with the LFI

9

On successfully linking the LFI, the User MUST be presented the OF consent given to the TPP.

If the Consent Authorisation Window as expected by the TPP has expired then the User MUST be informed that they need to initiate the request again from the TPP.

10

As an additional step for authorization of the consent the CAAP COULD conditionally request another biometric authentication only for the following scenarios

• authentication requested again MUST be biometric authentication

• the request is for Service Initiation of Single Instant Payment for a value greater than [TBD]

• the request is for setting up a Variable Recurring Payment

11

On successful authorization MUST have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP.

12

CAAP MUST inform the User on the outbound redirection screen that their session with the CAAP was closed.

13

User-facing TPPs MUST confirm the successful completion of the OF Request (DSR, SIR).

1

User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs authentication, data grouping and/or service initiation capabilities.

2

User-facing TPPs MUST make the User aware on the inbound redirection screen( User-facing TPP to CAAP) that the authorisation for the request needs to be done through the CAAP app and provide additional information related to CAAP app.

3

If the user is consuming the TPP service(mobile app/mobile web page) on the same mobile device which has the CAAP app the redirection MUST take the User to the CAAP app.

4

If the user is consuming the TPP service on the device which does not have the CAAP app then the redirection MUST take the User to a CAAP hosted webpage which MUST provide the following

1. summary of CAAP app and why it’s required

2. QRCode to scan with the device that has the CAAP app

5

On redirection from Step 3 or 4 the CAAP app will request for the biometric/Device PIN authentication.

6

On successful User authentication, the CAAP app MUST link the LFI which was selected as part of the consent. For this

• The CAAP app retrieves the User contact details like email and mobile number which are registered with the LFI.

• The CAAP sends a One Time Passcode(OTP) to the contact details retrieved and the User is asked to enter the OTP

• The User enters this OTP to confirm these details with the LFI

7

On successfully linking the LFI, the User MUST be presented the OF consent given to the TPP.

If the Consent Authorisation Window as expected by the TPP has expired then the User MUST be informed that they need to initiate the request again from the TPP.

8

As an additional step for authorization of the consent the CAAP COULD conditionally request another biometric authentication only for the following scenarios

• authentication requested again MUST be biometric authentication

• the request is for Service Initiation of Single Instant Payment for a value greater than [TBD]

• the request is for setting up a Variable Recurring Payment

9

On successful authorization of the consent the CAAP MUST have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP.

10

CAAP MUST inform the User on the outbound redirection screen that their session with the CAAP was closed.

11

User-facing TPPs MUST confirm the successful completion of the OF Request (DSR, SIR).

1

User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs authentication, data grouping and/or service initiation capabilities.

2

User-facing TPPs MUST make the User aware on the inbound redirection screen( User-facing TPP to CAAP) that the authorisation for the request needs to be done through the CAAP app and provide additional information related to CAAP app.

3

If the user is consuming the TPP service(mobile app/mobile web page) on the same mobile device which has the CAAP app the redirection MUST take the User directly to the CAAP app.

4

If the user is consuming the TPP service on the device which does not have the CAAP app then the redirection MUST take the User to a CAAP hosted webpage which MUST provide the following

1. summary of CAAP app and why it’s required

2. QRCode to scan with the device that has the CAAP app

5

On redirection from Step 3 or 4 the CAAP app will request for the biometric authentication.

6

After successful User authentication the CAAP app MUST present the OF consent given to the TPP.

8

As an additional step for authorization of the consent the CAAP COULD conditionally request another biometric authentication only for the following scenarios

• authentication requested again MUST be biometric authentication

• the request is for Service Initiation of Single Instant Payment for a value greater than [TBD]

• the request is for setting up a Variable Recurring Payment

9

On successful authorization of the consent the CAAP MUST have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP.

10

CAAP MUST inform the User on the outbound redirection screen that their session with the CAAP was closed.

11

User-facing TPPs MUST confirm the successful completion of the Open Banking Service Request (DSR, SIR).