...

The v2.0 Payments Initiation specification includes functionality to support Third Parties and API Providers that are bilaterally partnering to offer new services using an enduring payment consent. Enduring payment consent gives the customer a high level of control over the circumstances in which a payment may be made, combined with the convenience of automating payments that fit those circumstances.

An overview of the enduring payment consent process is:

  • The Third Party agrees the terms of the enduring payment consent with the customer. The parameters of the consent may be limited by a combination of payment frequency and value.

  • The Third Party uses one of the authentication flows, either redirect or decoupled, to authenticate the customer with the API Provider.

  • The customer authorises the enduring payment consent with their API Provider.

  • The Third Party initiates one-off payments on behalf of the customer when needed. The API Provider then processes each payment, as long as it is within the parameters of the authorised enduring payment consent.

  • The customer may revoke the consent at any time, with either the Third Party or their API Provider.

The high level implications of the enduring payment consent are:

  • The customer will need to be present to initially authenticate themselves and authorise the enduring payment consent with their API Provider.

  • The customer does not need to be present to authenticate future one-off payments that are within the parameters of the enduring payment consent.

...

  1. POST /enduring-payment-consents - this is used to set up a new enduring payment consent.

  2. GET /enduring-payment-consents/{ConsentId} - this is used by Third Parties to obtain the status of an established enduring payment consent.

  3. DELETE /enduring-payment-consents/{ConsentId} - this is used by Third Parties to revoke an established enduring payment consent.

...

Enduring payment consent represents a long-lived payment order that has been agreed between the customer and the Third Party. It contains specific parameters, or attributes, that set the boundaries for when payments may be initiated by a Third Party on behalf of a customer. A combination of laws, the API Centre’s Terms and Conditions, and the API standard itself ensures a robust process is in place for how the enduring payment consent is established. The API Centre is also developing customer experience guidelines to illustrate what the customer interactions might look like.

The first stage is for the Third Party to interact with the customer to agree the consent attributes that the customer would like to grant. The Third Party communicates this consent to the API Provider; the consent must not be altered by the Third Party when it is submitted to the API Provider for customer authorisation. The customer is then authenticated by their API Provider and is presented with the Third Party’s request to authorise an enduring payment consent.

The attributes of the enduring payment consent that have been agreed between the Third Party and the customer cannot be altered by the customer or the API Provider. This applies to both:

  • authorising a consent - the customer reviews the consent and either rejects or authorises it as is (i.e. the customer decision is accept/reject, not accept/amend/reject); and

  • once the consent is authorised and in place - the customer may revoke the consent at any time but may not alter it.

This also applies to the accounts that the consent is linked to, if the Third Party specifies them in the enduring payment consent. The customer's account that funds are debited from cannot be altered once the consent is granted. Likewise, the account(s) that payments are credited into must be set when the customer grants the consent. If the customer wants to change an account, they must revoke the existing consent and establish a new one. This ensures coordination and clarity between the customer, the API Provider and the Third Party.

Once the consent is established, the API Provider will provide the ability for the customer to view all of their current enduring payment consents. This helps ensure the customer is in control of, and informed about, the enduring payment consents they have live.

...

The customer is required to select a small number of core (mandatory) consent attributes. The specification also supports a wide range of other non-mandatory consent attributes that API Providers and/or Third Parties have the option of offering customers, in order to deliver their use cases.

...

Once an enduring payment consent has been authorised by the customer, the Third Party is issued with a token (or tokens) by the API Provider that represents the long-lived payment-order consent. These tokens are then used when the Third Party initiates one-off payments under the enduring payment consent. Each one-off payment is processed via the one-off domestic payment flow.

The enduring payment consent acts as a standing authorisation. The customer does not need to be present for a payment to be processed, as long as each domestic payment is within the enduring payment consent parameters. The API Provider ensures that any payment initiated using the enduring payment consent is within the established attributes of the consent. The Third Party also ensures each one-off payment is within the attributes of the customer’s enduring payment consent. If a Third Party initiates a payment outside the enduring payment consent attributes, the payment will be rejected by the API Provider. Because the API Provider holds the consent record and performs the rejection, its check is the one that actually enforces the consent boundary; the Third Party's check avoids needless rejections but is not a substitute for it.

API Providers have the ability to step up any payment initiated under the enduring payment consent and require the customer to authenticate and authorise that payment before it is processed, by linking the ID token returned from the enduring payment consent authorisation with the one-off payment request.

Standardised error codes give the Third Party the reasons why a payment was rejected. Error code enumerations have been defined as part of the API standard.

...

The specification allows a customer to revoke their enduring payment consent at any time, with either the Third Party or the API Provider. Both the Third Party and the API Provider must provide easy pathways for the customer to revoke their consent. Note that:

  • The API Provider holds the record of the enduring payment consent.

  • The Third Party may revoke the consent by using the DELETE endpoint to advise the API Provider.

  • The API Provider also has the ability to revoke an enduring payment consent, e.g. if they identify a risk.
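As an added illustration of the enforcement described in the standing-authorisation section and of revocation above (example code, not part of the specification or the API Centre's material): an API Provider-side validator that evaluates each one-off payment against the fixed attributes of an enduring payment consent (debtor and creditor accounts, a per-payment value limit, and frequency and value limits per period) and refuses anything once the consent is revoked. The attribute names, reason codes, account numbers and the fixed-period model are assumptions chosen for illustration; the standard's actual field names and error-code enumerations are not reproduced on this page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal
from typing import FrozenSet, List, Optional, Tuple

# Constructed example: the field names and reason codes below are assumptions
# for illustration, not the names used by the Payment Initiation API standard.


@dataclass
class EnduringConsent:
    """The API Provider's record of an authorised enduring payment consent.

    The attributes are fixed when the customer authorises the consent; the only
    state that changes afterwards is the status (revocation) and the history of
    payments accepted under it.
    """
    consent_id: str
    debtor_account: str                 # account funds are debited from; fixed
    creditor_accounts: FrozenSet[str]   # accounts payments may be credited to; fixed
    max_amount_per_payment: Decimal     # value limit per one-off payment
    max_total_per_period: Decimal       # value limit across one period
    max_payments_per_period: int        # frequency limit across one period
    period_days: int                    # period length, counted from authorisation (assumed model)
    authorised_on: date
    expires_on: Optional[date] = None
    status: str = "Authorised"          # "Authorised" or "Revoked"
    accepted: List[Tuple[date, Decimal]] = field(default_factory=list)

    def revoke(self) -> None:
        """Revocation: by the customer via either party, or by the API Provider itself."""
        self.status = "Revoked"

    def period_start(self, on: date) -> date:
        """Start of the fixed-length period containing `on`."""
        elapsed = (on - self.authorised_on).days
        return self.authorised_on + timedelta(days=(elapsed // self.period_days) * self.period_days)


def evaluate_payment(consent: EnduringConsent, on: date, amount: Decimal,
                     debtor_account: str, creditor_account: str) -> Tuple[bool, str]:
    """API Provider-side check of one one-off payment against the consent.

    Returns (accepted, reason). Accepted payments are recorded so that later
    frequency and period-total checks take them into account.
    """
    if consent.status != "Authorised":
        return False, "ConsentNotAuthorised"
    if on < consent.authorised_on:
        return False, "ConsentNotYetEffective"
    if consent.expires_on is not None and on > consent.expires_on:
        return False, "ConsentExpired"
    if debtor_account != consent.debtor_account:
        return False, "DebtorAccountMismatch"
    if creditor_account not in consent.creditor_accounts:
        return False, "CreditorAccountNotPermitted"
    if amount <= 0:
        return False, "InvalidAmount"
    if amount > consent.max_amount_per_payment:
        return False, "AmountExceedsPaymentLimit"

    start = consent.period_start(on)
    end = start + timedelta(days=consent.period_days)
    in_period = [a for d, a in consent.accepted if start <= d < end]
    if len(in_period) >= consent.max_payments_per_period:
        return False, "FrequencyLimitExceeded"
    if sum(in_period, Decimal(0)) + amount > consent.max_total_per_period:
        return False, "PeriodTotalExceeded"

    consent.accepted.append((on, amount))
    return True, "Accepted"


def run_demo() -> List[str]:
    """Constructed sequence of payment attempts; returns the reason for each one."""
    consent = EnduringConsent(
        consent_id="epc-0001",
        debtor_account="01-0001-0000001-00",
        creditor_accounts=frozenset({"02-0002-0000002-00"}),
        max_amount_per_payment=Decimal("50.00"),
        max_total_per_period=Decimal("120.00"),
        max_payments_per_period=3,
        period_days=30,
        authorised_on=date(2024, 1, 1),
    )
    debtor, creditor = consent.debtor_account, "02-0002-0000002-00"
    attempts = [
        (date(2024, 1, 2), Decimal("40.00"), debtor, creditor),   # within limits
        (date(2024, 1, 10), Decimal("60.00"), debtor, creditor),  # over per-payment limit
        (date(2024, 1, 10), Decimal("50.00"), debtor, creditor),  # within limits (period total 90)
        (date(2024, 1, 15), Decimal("40.00"), debtor, creditor),  # 90 + 40 exceeds period total
        (date(2024, 1, 15), Decimal("30.00"), debtor, creditor),  # within limits (3 payments, total 120)
        (date(2024, 1, 20), Decimal("10.00"), debtor, creditor),  # 4th payment in the period
        (date(2024, 2, 1), Decimal("10.00"), debtor, creditor),   # new period, limits reset
        (date(2024, 2, 1), Decimal("10.00"), debtor, "09-0999-0000009-00"),  # creditor not in consent
    ]
    results = [evaluate_payment(consent, *a)[1] for a in attempts]
    consent.revoke()  # e.g. after a DELETE /enduring-payment-consents/{ConsentId} from the Third Party
    results.append(evaluate_payment(consent, date(2024, 2, 5), Decimal("10.00"), debtor, creditor)[1])
    return results


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

The same checks can be run by the Third Party against its own copy of the agreed attributes before it submits a payment, so that it does not send requests the API Provider will reject; the API Provider's evaluation remains the authoritative one, since it holds the consent record. Step-up authentication of an individual payment is a separate decision and is not modelled here.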

...