
...

#

Step

Rules & Guidelines

MPCS-1

Consent setup

Basic Consent Parameters

TPPs MUST:

1.1 Enable Users to provide and review the parameters related to the initiation of a series of Multi-Payments they need to consent to. These parameters include:

Additional Consent Parameters

1.2 Set the Accepted Authorization Type (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#7.-Accepted-Authorization-Type).

1.3 Set the Authorization Time Window (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#8.-Authorization-Time-Window) if there are specific timing requirements that must be met for the consent authorization. This is also relevant to cases where multiple authorizers are required to authorize the payment consent.

1.4 Set the Risk Information Block (as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#9.-Risk-Information-Block).

1.5 Enable Users to provide explicit consent for the initiation of future Payments from their online payment account held at their LFI as specified in the consent.

Balance Check Permission

1.6 Optionally request permission to check the balance of the payment account before initiating a payment.

MPCS-2

Consent Staging

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#10.-Consent-Staging

MPCS-3

Hand-off to LFI

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#11.-Hand-off-to-LFI

Example wording to use: ‘We will securely transfer to YOUR LFI to authenticate and authorize your payments setup’.

MPCS-4

Authentication

LFI Authentication Only

As per the following sections:

Centralized Authentication and Authorization (Federated) Only

As per https://openfinanceuae.atlassian.net/wiki/x/HoBBAw

MPCS-5

Confirmation/Authorization

LFIs MUST:

5.1 Enable Users to authenticate using Multi-Factor Authentication (MFA) in order to review and authorize the long-lived payment Consent.

5.2 Retrieve from the OFP the payment Consent details staged by the TPP using the unique Consent Identifier.

5.3 Allow Users to select a payment account for the initiation of the payments, if this was not provided in the retrieved staged Payment Consent details as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#12.-Payment-Account-Selection-at-LFI

  • 5.3.1 Allow Users to select a payment account for the initiation of the payments even if it has insufficient funds at the time of the payment Consent authorization. This allows Users to fund the payment accounts appropriately before the dates of the payment initiation. However, the LFIs MUST inform the User, if the selected payment account has insufficient funds.

5.4 Only present additional screens, if necessary to allow the validation and confirmation of the payment Consent.

5.5 NOT earmark (i.e. block) any funds related to the payment Consent in the Users' payment account at the point of Consent authorization.

5.6 Check that the authorization status of the selected payment account is in accordance with the TPPs' Accepted Authorization Type as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#13.-Check-Accepted-Authorization-Type.

5.8 Present to Users the following minimum required information for authorizing the long-lived payments Consent:

  • User Payment Account

  • Consent Reference

  • Currency

  • Consent Expiration Date & Time

  • Fees & VAT (if applicable): These are potential charges that will be applied to the User account for making a payment in relation to the long-lived payment Consent. Both bank charges and VAT MUST be presented, stated separately, prior to the User Consent authorization. If applicable, LFIs MUST apply the charges on the date of each payment initiation and not at the point of payment Consent authorization.

5.9 Request for Balance Check Permission: If the TPP has requested permission to check the balance of the User’s payment account.

5.10 Check that the Authorization Time Window is valid as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#20.-Check-Authorization-Time-Window

5.11 Change the state of the payment Consent from Awaiting Authorization to Authorized when all Authorizers (one or more) have authorized the payment Consent.

5.12 Update the payment Consent details stored in the OFP with all the information included in the payment Consent authorized by the User.

OFP MUST:

5.13 Confirm back to the LFIs that the payment Consent details have been updated successfully.

5.14 Start tracking the Consent Control Parameters for the Control Period at the Control Period Start Date, if provided, or the Consent creation Date otherwise. The Control Period starts from 00:00:00 of the day and ends at 23:59:59 of the Control Period end day, calculated based on the Control Period type as defined in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009211998338296/Multi-Payments#6.3.2-VRP-Consent-Control-Period-%26-Start-Date.

Multi-Authorization Journey Only

5.16 As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#18.-Multi-User-Authorization-Flow

MPCS-6

Hand-off back to the TPP

6.1 As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#14.-Hand-off-back-to-the-TPP

MPCS-7

Confirmation to User

7.1 As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#16.-Confirmation-to-User

7.2 As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#19.-Payment-Details-Saving

...

#

Step

Rules & Guidelines

MPPI-1

Payment Initiation

TPPs MUST:

1.1 Present to Users for each payment initiation the following minimum required information:

1.3 Ensure that all required authorization conditions as agreed with the User during the Consent setup are met.

1.4 Generate a unique identifier for the transaction that links the User’s authorization factors with the payment details (i.e. amount and payee identification). TPPs MUST generate an audit trail of the User’s payment initiation actions during the session. TPPs MUST have all records required as evidence, as listed in the liability model.

1.5 Provide Users the ability to abort the payment journey, if Users decide to terminate the request.

TPPs MUST:

1.6 Enable Users to authenticate using Multi-Factor Authentication (MFA) to review and authorize the payment.

1.7 Submit to OFP payment initiation requests with the same fixed parameters as per the long-lived Payment Consent authorized by the User.

1.8 Submit to OFP payment initiation requests with variable parameters within the allowable limits of the Consent Controls as per the long-lived Payment Consent authorized by the User.

1.9 Include in each of the payment initiation requests a Payment Reference for every payment initiated under the long-lived Payment Consent based on the requirements of the TPPs or their servicing customers.

TPPs MUST:

1.10 NOT submit any payment initiation requests which are outside the limits which are configured by the User as per

MPPI-2

Processing of Payment Initiation Requests

OFP MUST:

2.1 Allow the TPPs to submit individual payment initiation requests under the long-lived Payment Consent authorized by the User, without any additional MFA or authorization from the User.

2.2 Check that the received payment initiation requests relate to a valid long-lived Payment Consent authorized by the User. The Consent MUST be in the Authorized state. The OFP MUST reject any payment initiation messages related to a Payment Consent in a different state (e.g. expired) and respond back to the TPP with the appropriate error message/code.

2.3 Check the payment initiation request parameters against the authorized long-lived Payment Consent. More specifically, the OFP MUST check the following:

2.4 The date of the submitted payment initiation request is within the validity period of the long-lived Payment Consent (i.e. Consent Expiration Date & Time)

OFP MUST:

2.13 Allow the description of the Payment Reference in the submitted payment initiation request to be different than the one defined in the Payment Reference of the long-lived Payment Consent.

2.14 Reject the payment initiation and provide the necessary error message to the TPP if any other check of the payment initiation request parameters fails against the Consent parameters of the authorized long-lived Payment Consent.

2.15 Send a payment initiation request to the LFI for initiating an instant payment using the payment parameters included in the payment initiation request including:

  • User Payment Account (or account identifier)

  • Payment Amount & Currency

  • Payee Identification details

  • Payer Note (If provided)

  • Payment Reference

LFIs MUST:

2.16 Allow the OFP to submit the payment initiation request without any additional MFA or authorization from the User. See https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009333698338871/Payments+with+Delegated+Authentication#1.5.3.2-Multifactor-Authentication

2.17 Add to the payment initiation request the IBAN of the Payee returned by the Proxy resolution process, if the payment initiation request was submitted using a Proxy as the Payee Identification. The payment initiation request is thereafter tied to the IBAN of the Payee rather than the proxy itself.

  • 2.17.1 Include in the payment initiation response to the OFP the IBAN of the Payee identification returned by the Proxy resolution.

2.18 Additionally apply all existing BAU payment account controls and limits such as single transaction value limit, total transaction value limit, AML checking (if applicable) and others, as if the payment request has been initiated by the existing channels of the LFI. LFIs MUST send an appropriate error response to the OFP in case the payment is rejected due to violating any of these limits or checks.

2.19 Reject the payment initiation if the payment account selected for the payment has insufficient funds. The OFP MUST be notified about this rejection with an appropriate error message.

2.20 Subject to successful BAU checking, validation and payment processing, proceed with the execution of the payment by either submitting the payment to the underlying payment rails or executing internally as Intra-bank payment.

2.21 Provide the OFP with all the available information in relation to the initiated payment instruction including the payment’s unique identifier Payment Transaction ID. The format of the Payment Transaction ID can be found in the UAE Open Finance Standard specifications.

OFP MUST:

2.22 Send an appropriate error response to the TPPs in case the payment is rejected due to violating any of the LFI's BAU payment account checks or limits.

2.23 Send to the TPP the appropriate error message in case the payment initiation was rejected by the LFI due to insufficient funds in the selected payment account.

2.24 Provide the TPP with all the available information in relation to the initiated payment instruction including the payment’s unique identifier Payment Transaction ID.

MPPI-3

Payment Status Update

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#15.-Payment-Status-Update

MPPI-4

Payment Notifications

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft3standardsv1draft4/pages/7009290298339394/Common+Rules+and+Guidelines#17.-Payment-Notifications
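The checks the OFP applies to each payment initiation request under rules 2.2, 2.4, 2.13 and 2.14, together with the TPP obligations in 1.7 to 1.10 that they enforce, can be sketched as follows. This is an added example, not code from the Standard: the field names, state strings and rejection codes are hypothetical, the choice of account and currency as the fixed parameters is an assumption, and a single per-payment cap stands in for the Consent Controls, which this page does not list.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from decimal import Decimal

# Field names, state strings and rejection codes below are hypothetical;
# the Standard's API specification defines the real ones.

@dataclass(frozen=True)
class Consent:
    state: str              # e.g. "AwaitingAuthorization", "Authorized"
    expires_at: datetime    # Consent Expiration Date & Time, timezone-aware
    payer_account: str      # treated as a fixed parameter (assumption)
    currency: str           # treated as a fixed parameter (assumption)
    max_amount: Decimal     # hypothetical stand-in for one Consent Control

@dataclass(frozen=True)
class PaymentRequest:
    payer_account: str
    currency: str
    amount: Decimal
    payment_reference: str
    received_at: datetime   # timezone-aware

def validate(consent: Consent, req: PaymentRequest) -> list[str]:
    """Return every rejection reason; an empty list means the request passes."""
    errors = []
    if consent.state != "Authorized":                       # rule 2.2
        errors.append("CONSENT_NOT_AUTHORIZED")
    if req.received_at > consent.expires_at:                # rule 2.4
        errors.append("CONSENT_EXPIRED")
    if (req.payer_account, req.currency) != (consent.payer_account, consent.currency):
        errors.append("FIXED_PARAMETER_MISMATCH")           # rule 1.7
    if not (Decimal("0") < req.amount <= consent.max_amount):
        errors.append("CONTROL_LIMIT_EXCEEDED")             # rules 1.8, 1.10
    if not req.payment_reference.strip():                   # rule 1.9
        errors.append("PAYMENT_REFERENCE_MISSING")
    # Rule 2.13: the Payment Reference is not compared with the consent's.
    return errors

# Constructed sample data (placeholder account identifier).
CONSENT = Consent("Authorized", datetime(2025, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
                  "AE-ACCOUNT-PLACEHOLDER", "AED", Decimal("500.00"))
REQUEST = PaymentRequest("AE-ACCOUNT-PLACEHOLDER", "AED", Decimal("120.50"),
                         "Invoice 0042", datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(validate(CONSENT, REQUEST))
    print(validate(replace(CONSENT, state="AwaitingAuthorization"), REQUEST))
    print(validate(CONSENT, replace(REQUEST, amount=Decimal("500.01"))))
```

Collecting every failed check, rather than stopping at the first, gives the OFP a complete basis for the error response to the TPP while still rejecting on any single failure.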

...

#

Step

Rules

MPCU-1

Consent Update

TPPs MUST:

1.1 Enable Users to use the Consent Dashboard to amend the following parameters of a long-lived Payment consent:

1.2 Require the Users to authenticate with their LFI and authorize the Consent update.

6.

...

6.1 Consent Reference

Wallet Use Case

[Diagram: Orange-3.png]

The diagram illustrates the setup of consent for Payments with Delegated Authentication for a payment wallet use case.

The wallet enables users to make contactless payments to merchants. The user can add their Credit/Debit cards or link a Bank Account as a payment option.

When the user selects the bank account option they will be taken through the Open Finance setup journey as explained in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft4/pages/98338871/Payments+with+Delegated+Authentication#3.1.-Consent-Setup. Once the user authorizes the consent they can start making contactless payments where the payments will be initiated using Open Finance from their connected account.

7. Common Rules & Guidelines

7.1 Consent Reference


TPPs MUST:

6.1.1 Allow Users to manually enter the Consent Reference or pre-populate it for the Users (depending on the Use Case). The Consent Reference is mandatory because it is the default value used for the Payment Reference of the Payment Initiation Requests. The Consent Reference is populated either by the User (i.e. payer) or by the TPP, using information requested by the beneficiary or any other information that can be provided to the beneficiary to assist in identifying and reconciling any payments initiated using this consent. This information may be mapped to the Payment Reference of each Payment Initiation Request and thus may be transferred via the payment rails to the beneficiary LFI. However, the TPP might not be using this and may be populating the Payment Reference of each of the initiated payment Requests with different information.

6.1.2 Validate that the format of the Consent Reference is according to the Bank Service Initiation API - Swagger OpenAPI Documentation.