/
Enduring payment consent guidelines

Enduring payment consent guidelines

The table below is a starter and will feed into the wider consent guidelines work on the API Centre work plan.

Proposed Best practice Guideline

Key concepts

Any guidelines developed should include contextual reference to some key concepts such as:

  • How the customer is in control of their enduring payment consent.

  • The consent is agreed between the customer and the Third Party

  • That consent must be submitted by the Third Party unaltered to the API Provider for customer authorisation.

  • The API Provider must not alter or over-ride any aspects of the consent that is presented to the Customer for authorisation, i.e. the customer decision is only accept/reject, and is not ever accept/amend/reject.

Consent set-up

  • Third Parties must follow consent guidelines developed how the enduring payment consent set-up is staged with the Customer, e.g. standardised minimum wording.

  • Third Parties must ensure any merchant that they provide services that follow the consent guidelines developed how the enduring payment consent set-up is staged with the Customer

  • API Providers must follow consent minimum guidelines developed for how the Customer’s authorisation of enduring payment consent is presented with the customer.

  • The API Provider must provide the ability for the Customer to view current enduring consents and both the API Provider and the Third Party means for the Customer to cancel enduring consents, allowing the Customer to review and better understand enduring consents they have established and to back out if they remain unhappy with what they have previously agreed to.

FAQs

Proposed that there is guidance provided (in FAQ format?) that explains:

  • If the Customer wishes to change the bank and bank account that the enduring payment consent is linked to, the Customer must revoke the consent, and create a new consent via the Consent Recipient that is linked to the different bank and bank account number.

  • If the Customer wishes to change the enduring payment consent’s parameters, the Customer must revoke the consent, and create a new consent via the Consent Recipient with the updated parameters.

  • To change the debtor account that the Customer wants the enduring payment consent linked to, the Customer must revoke the consent, and create a new consent via the Consent Recipient that is linked to the different bank account number.

‘Permitted users’

  • The Third Party should inform the API provider of who the merchant / biller etc is via the API standard.

  • Guidelines should be developed to explain how the roles of the merchant / biller etc ('permitted user' in the Ts and Cs) and the Third Party fit together. Ideally the Third Party should be invisible to the customer, or be referred to in a way like “powered by…”)

Payment processing

  • The Third Party must conduct pre-checks to ensure the payment request is within the parameters of the Customer’s enduring payment consent.

  • The API provider must reject the payment request if does not match the enduring payment consent.

Liability - added into Template Bilateral Agreement

There are to be no guidelines for how liability is managed between the customer, Third Party and the API Provider. However, the Template Bilateral Agreement is to be updated to reflect enduring payment consent liability scenarios with respect to any customer loss resulting from the use of an enduring payment consent. Note that liability models agreed between the API Provider and the Third Party are likely to vary and may reflect the risk profile of a given relationship and use. The following principles apply:

  • The API Provider is liable for processing any payment outside the parameters of the customer’s consent, that result in a loss to the customer.

  • The Third Party is liable for any misuse or compromise resulting in fraudulent payments occurring that are inside the parameters of the customer’s consent, that result in a loss to the customer.

  • The Template Bilateral Agreement is to include clause placeholders for the API Provider and Third Party to negotiate and determine what occurs when a payment is made in line with the customer’s consent that the customer then disputes.

Revoking Consent

  • The Third Party must be able to offer the ability for the customer to revoke the consent.

  • Both the Third Party and API Providers must follow consent minimum guidelines developed for how Customer can evoke a consent. Guidelines include standardised minimum wording.

  • Third Parties must ensure any Consent Recipient that they provide services to follow consent guidelines developed for revoking the consent.