Enduring Payment Consents - v2.1.0
- 1 Version Control
- 2 Definition
- 3 Endpoints
- 4 State Model
- 4.1 Diagram
- 4.2 Definitions
- 5 Data Model
- 5.1 Reused Classes
- 5.1.1 NZEnduringConsent1
- 5.2 Enduring Payment Consent - Request
- 5.2.1 UML Diagram
- 5.2.2 Notes
- 5.2.3 Data Dictionary
- 5.3 Enduring Payment Consent - Response
- 5.3.1 UML Diagram
- 5.3.2 Notes
- 5.3.3 Data Dictionary
- 5.1 Reused Classes
- 6 Usage Examples
- 6.1 Generic Flow
- 6.1.1 Sequence Diagram
- 6.1.2 Illustrative Interactions
- 6.2 Subscription
- 6.3 Direct Model
- 6.1 Generic Flow
Version Control
Version | Date | Author | Comments |
---|---|---|---|
2.0.0 | Apr 30, 2020 | Payments NZ API Working Group | Baseline |
2.1-draft1 | Jun 15, 2020 | @Gavin Wong (Unlicensed) | Updated:
|
Definition
The enduring-payment-consents resource represents long lived payment-order consents that have been agreed between the Customer and the Third Party, and contains fields which describe the parameters for payment-order(s) that may be initiated by a Third Party on behalf of a Customer.
The Status of the payment-order consent represents the authentication and authorisation stage with the API Provider.
Endpoints
The enduring-payment-consent endpoints are all optional to implement. However, if the enduring-payment-consent functionality is implemented, all endpoints must be implemented together.
Resource | HTTP Operation | Endpoint | Mandatory ? | Scope | Grant Type | Idempotency Key | Request Object | Response Object |
---|---|---|---|---|---|---|---|---|
enduring-payment-consents | POST | POST /enduring-payment-consents | Optional | payments | Client Credentials | Yes | NZWriteEnduringConsent1 | NZWriteEnduringConsentResponse1 |
enduring-payment-consents | GET | GET /enduring-payment-consents/{ConsentId} | Optional | payments | Client Credentials | No | NA | NZWriteEnduringConsentResponse1 |
enduring-payment-consents | DELETE | DELETE /enduring-payment-consents/{ConsentId} | Optional | payments | Client Credentials | No | NA | NA |
POST /enduring-payment-consents
The API endpoint allows a Third Party to ask an API Provider to create a new enduring-payment-consent.
The Third Party does this with the POST /enduring-payment-consents action.
The Third Party must have an access token issued by the API Provider using a client credentials grant.
The API endpoint allows the Third Party to send a copy of the consent (between Customer and Third Party) to the API Provider.
The API Provider creates the enduring-payment-consent and responds with a unique ConsentId to refer to the consent.
At the point the consent is created, the consent has not been authorised.
The enduring-payment-consent is only valid for 24 hours if not authorised by the Customer.
Flow
The Third Party uses the ConsentId to initiate an authorisation flow (as described in the Security Profile).
As part of the authorisation flow:
The API Provider authenticates the Customer.
The API Provider plays back the consent (registered by the Third Party) back to the Customer - to get consent authorisation. The Customer may accept or reject the consent in its entirety (but not selectively).
If the enduring-payment-consent does not indicate a debtor account, the API Provider presents the Customer a list of accounts from which the Customer must select one.
Once these steps are complete, the consent is considered to have been authorised by the Customer and the Status is updated to "Authorised".
Status
The Status is "AwaitingAuthorisation" immediately after the enduring-payment-consent has been created.
GET /enduring-payment-consents/{ConsentId}
A Third Party may optionally retrieve an enduring-payment-consent that they have created to check its status.
The Third Party does this with the GET /enduring-payment-consents/{ConsentId} action - where the ConsentId relates to the enduring-payment-consent to be retrieved.
The Third Party must have an access token issued by the API Provider using a client credentials grant.
Status
The available status codes for the enduring-payment-consent are:
AwaitingAuthorisation
Rejected
Authorised
Revoked
DELETE /enduring-payment-consents/{ConsentId}
If the Customer revokes the enduring-payment-consent with the Third Party - the Third Party must delete the enduring-payment-consent.
The Third Party does this with the DELETE /enduring-payment-consents/{ConsentId} action - where the ConsentId relates to the enduring-payment-consent to be deleted.
The Third Party must have an access token issued by the API Provider using a client credentials grant.
State Model
The state model for an enduring-payment-consent follows a long lived consent state model.
When the Third Party creates the payment-order consent with the API Provider, the Status of the payment-order consent will be set to
AwaitingAuthorisation
.When the Customer authorises the payment-order consent with the API Provider, the Status of the payment-order consent will be updated with
Authorised
.If the Customer rejects the consent or the payment-order consent has failed some other API Provider validation, the Status of the payment-order consent will be set to
Rejected
.If the Customer revokes the payment-order consent in the
Authorised
Status with the API Provider, the Status of the payment-order consent will be set toRevoked
.
Diagram
This is the state diagram for the status of an enduring-payment-consent.
Definitions
Status | Status Description | |
---|---|---|
1 | AwaitingAuthorisation | The consent resource is awaiting Customer authorisation.
|
2 | Rejected | The consent resource has been rejected.
|
3 | Authorised | The consent resource has been successfully authorised.
|
4 | Revoked | The consent resource has been revoked via the API Provider interface.
|
Data Model
The data dictionary section gives detail on the payload content for the enduring-payment-consent flows.
Reused Classes
NZEnduringConsent1
This section describes the NZEnduringConsent1 class which is reused in the enduring-payment-consent.
UML Diagram
Notes
In an enduring-payment consent-payload:
If an enduring-payment-consent parameter is not specified, the API Provider must not enforce a specific limit for the use of the enduring-payment-consent. E.g., if no TotalAmount is specified, there is no specific restriction on the total of all successful InstructedAmount(s) that may be initiated during the lifetime of the enduring-payment-consent.
The FromDateTime is mandatory as it defines the start date for the Frequency/Period to be calculated.
The ToDateTime is optional as the enduring-payment-consent may be valid for an indefinite period.
The TotalCount is optional and specifies the total number of successful payment-orders that may be created using the enduring-payment-consent. The total number of successful payment-orders is defined as the number of successfully created domestic-payments in the AcceptedSettlementInProgress or AcceptedSettlementCompleted state.
The TotalAmount is optional and specifies the total amount of successful payment-orders that may be created using the enduring-payment-consent. The total amount of successful payment-orders is defined as the sum total of the InstructedAmount(s) of successfully created domestic-payments in the AcceptedSettlementInProgress or AcceptedSettlementCompleted state.
The MaximumAmount is mandatory and specifies the maximum individual amount for a payment-order that may be created using the enduring-payment-consent. A Customer and Third Party may still agree a fixed amount for payment-orders, as long as it is under the MaximumAmount.
The Frequency object is mandatory and specifies constraints on the payment-orders that may be initiated within a "period" from the FromDateTime:
A period from the FromDateTime is calculated with the FromDateTime being fixed. E.g.,
A "Monthly" period with a FromDateTime 2019-08-21T00:00:00 will have periods defined as
2019-08-21T00:00:00 to 2019-09-20T23:59:59
2019-09-21T00:00:00 to 2019-10-20T23:59:59
2019-10-21T00:00:00 to 2019-11-20T23:59:59
Etc
A "Weekly" period with a FromDateTime 2019-08-21T00:00:00 will have periods defined as
2019-08-21T00:00:00 to 2019-08-27T23:59:59
2019-08-28T00:00:00 to 2019-09-03T23:59:59
2019-09-04T00:00:00 to 2019-09-10T23:59:59
Etc
The Frequency/Period is mandatory and specifies a rolling period to measure the total count or total amount of successful payment-orders.
The Frequency/TotalCount is optional and specifies the total number of successful payment-orders that may be initiated within a Frequency/Period.
The Frequency/TotalAmount is mandatory and specifies the total amount of successful payment-orders that may be created within a Frequency/Period.
The DebtorAccount is optional - as the Third Party may not know the account identification details for the Customer.
If the DebtorAccount is not specified in the payload, the Customer must select one valid DebtorAccount during the authorisation flow with the API Provider.
The CreditorAccount is mandatory - the Third Party may be given consent to initiate payments to one or many specified CreditorAccount(s).
The DebtorAccountRelease flag is optional - if set to
true
it indicates that the Customer has consented to releasing their debtor account detailsAPI Providers must reject an enduring-payment-consent under these scenarios:
If the DebtorAccount is not valid.
If the SchemeName is not valid.
If the Currency is not supported.
If the ToDateTime value is in the past.
If the ToDateTime is not greater than the FromDateTime.
If the Frequency/Period is not supported.
API Providers may reject an enduring-payment-consent depending on their own implementations:
If the Frequency, MaximumAmount, TotalCount or TotalAmount values exceed implemented limits.
If the CreditorAccount is not valid.
A payment-order created using an enduring-payment-consent:
must be created with the API Provider between the FromDateTime and ToDateTime in the enduring-payment-consent.
must not have an InstructedAmount that exceeds the MaximumAmount in the enduring-payment-consent.
must be rejected if the cumulative successful payments initiated (including the current payment) via the Payment APIs exceed the limits (i.e., the TotalCount, TotalAmount) in the enduring-payment-consent.
must be rejected if the cumulative successful payments initiated (including the current payment) via the Payment APIs for the specified period from the FromDateTime (i.e., the Frequency/Period) exceed the limits for the specified period (i.e., Frequency/TotalCount, Frequency/TotalAmount) in the enduring-payment-consent,
must have a DebtorAccount specified that matches the DebtorAccount linked to the enduring-payment-consent. This DebtorAccount linked to an enduring-payment-consent must not be modified by the Customer with the API Provider after authorisation.
must have a CreditorAccount specified that matches one of the CreditorAccount values in the enduring-payment-consent.
Data Dictionary
Name | Occurrence | XPath | Notes | Class | Codes |
---|---|---|---|---|---|
NZEnduringConsent1 | NZEnduringConsent1 | The Consent payload is sent by the Third Party to the API Provider. It is used to request a long lived payment consent to move funds from a debtor account to a creditor. | NZEnduringConsent1 | ||
FromDateTime | 1..1 | NZEnduringConsent1/FromDateTime | Start date time for which the enduring payment consent remains valid. | ISODateTime | |
ToDateTime | 0..1 | NZEnduringConsent1/ToDateTime | End date time for which the enduring payment consent remains valid. | ISODateTime | |
TotalCount | 0..1 | NZEnduringConsent1/TotalCount | Maximum number of instructions to be created and processed for the enduring payment consent. | DecimalNumber | |
DebtorAccountRelease | 0..1 | NZEnduringConsent1/DebtorAccountRelease | Flags whether the Customer has consented with the Third Party to release their debtor account information. | xs:boolean | |
TotalAmount | 0..1 | NZEnduringConsent1/TotalAmount | Maximum amount of money to be moved between the debtor and creditor as a cumulative total for the duration of the enduring payment consent, before deduction of charges, expressed in the currency as ordered by the initiating party. | OBActiveOrHistoricCurrencyAndAmount | |
Amount | 1..1 | NZEnduringConsent1/TotalAmount/Amount | A number of monetary units specified in an active currency where the unit of currency is explicit and compliant with ISO 4217. | ActiveCurrencyAndAmount_SimpleType | ^\d{1,13}\.\d{1,5}$ |
Currency | 1..1 | NZEnduringConsent1/TotalAmount/Currency | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". | ActiveOrHistoricCurrencyCode | ^[A-Z]{3,3}$ |
MaximumAmount | 1..1 | NZEnduringConsent1/MaximumAmount | Maximum amount of money to be moved between the debtor and creditor for an individual payment, before deduction of charges, expressed in the currency as ordered by the initiating party. | OBActiveOrHistoricCurrencyAndAmount | |
Amount | 1..1 | NZEnduringConsent1/MaximumAmount/Amount | A number of monetary units specified in an active currency where the unit of currency is explicit and compliant with ISO 4217. | ActiveCurrencyAndAmount_SimpleType | ^\d{1,13}\.\d{1,5}$ |
Currency | 1..1 | NZEnduringConsent1/MaximumAmount/Currency | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". | ActiveOrHistoricCurrencyCode | ^[A-Z]{3,3}$ |
Frequency | 1..1 | NZEnduringConsent1/Frequency | The payment limits for a specified period. | NZEnduringFrequency1 | |
Period | 1..1 | NZEnduringConsent1/Frequency/Period | Period for which the number of instructions are to be created and processed. | Frequency6Code | Annual |
TotalCount | 0..1 | NZEnduringConsent1/Frequency/TotalCount | Maximum number of instructions to be created and processed during the specified period. | DecimalNumber | |
TotalAmount | 1..1 | NZEnduringConsent1/Frequency/TotalAmount | Maximum amount of money to be moved between the debtor and creditor during the period specified, before deduction of charges, expressed in the currency as ordered by the initiating party. | OBActiveOrHistoricCurrencyAndAmount | |
Amount | 1..1 | NZEnduringConsent1/Frequency/TotalAmount/Amount | A number of monetary units specified in an active currency where the unit of currency is explicit and compliant with ISO 4217. | ActiveCurrencyAndAmount_SimpleType | ^\d{1,13}\.\d{1,5}$ |
Currency | 1..1 | NZEnduringConsent1/Frequency/TotalAmount/Currency | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". | ActiveOrHistoricCurrencyCode | ^[A-Z]{3,3}$ |
DebtorAccount | 0..1 | NZEnduringConsent1/DebtorAccount | Unambiguous identification of the account of the debtor to which a debit entry will be made as a result of the transaction. | OBCashAccountDebtor1 | |
SchemeName | 1..1 | NZEnduringConsent1/DebtorAccount/SchemeName | Name of the identification scheme, in a coded form as published in an external list. | OBExternalAccountIdentification2Code | BECSElectronicCredit |
Identification | 1..1 | NZEnduringConsent1/DebtorAccount/Identification | Identification assigned by an institution to identify an account. This identification is known by the account owner. For the NZ market, this will use the hyphen-delimited format: 2-4-7-2 where this is made up of bank-branch-account-suffix and each of the four components is a number, prepended with leading zeros to match the component length requirement. | Max34Text | |
Name | 0..1 | NZEnduringConsent1/DebtorAccount/Name | Name of the account, as assigned by the account servicing institution, in agreement with the account owner in order to provide an additional means of identification of the account. | Max70Text | |
SecondaryIdentification | 0..1 | NZEnduringConsent1/DebtorAccount/SecondaryIdentification | This is secondary identification of the account, as assigned by the account servicing institution. | Max34Text | |
CreditorAccount | 1..n | NZEnduringConsent1/CreditorAccount | Unambiguous identification of the account of the creditor to which a credit entry will be posted as a result of the payment transaction. | OBCashAccountCreditor1 | |
SchemeName | 1..1 | NZEnduringConsent1/CreditorAccount/SchemeName | Name of the identification scheme, in a coded form as published in an external list. | OBExternalAccountIdentification2Code | BECSElectronicCredit |
Identification | 1..1 | NZEnduringConsent1/CreditorAccount/Identification | Identification assigned by an institution to identify an account. This identification is known by the account owner. For the NZ market, this will use the hyphen-delimited format: 2-4-7-2 where this is made up of bank-branch-account-suffix and each of the four components is a number, prepended with leading zeros to match the component length requirement. | Max34Text | |
Name | 1..1 | NZEnduringConsent1/CreditorAccount/Name | Name of the account, as assigned by the account servicing institution, in agreement with the account owner in order to provide an additional means of identification of the account. | Max70Text | |
SecondaryIdentification | 0..1 | NZEnduringConsent1/CreditorAccount/SecondaryIdentification | This is secondary identification of the account, as assigned by the account servicing institution. | Max34Text |
Enduring Payment Consent - Request
The NZWriteEnduringConsent1 object will be used for the call to:
POST /enduring-payment-consents
UML Diagram
Notes
The enduring-payment-consent request contains these objects:
Consent
Risk
Data Dictionary
Name | Occurrence | XPath | Notes | Class | Codes |
---|---|---|---|---|---|
NZWriteEnduringConsent1 | NZWriteEnduringConsent1 | NZWriteEnduringConsent1 | |||
Data | 1..1 | NZWriteEnduringConsent1/Data | NZWriteDataEnduringConsent1 | ||
Consent | 1..1 | NZWriteEnduringConsent1/Data/Consent | The enduring payment consent payload is sent by the Third Party to the API Provider. | NZEnduringConsent1 | |
Risk | 1..1 | NZWriteEnduringConsent1/Risk | The Risk section is sent by the initiating party to the API Provider. It is used to specify additional details for risk scoring. | NZRisk1 |
Enduring Payment Consent - Response
The NZWriteEnduringConsentResponse1 object will be used for a call to:
POST /enduring-payment-consents
GET /enduring-payment-consents/{ConsentId}
UML Diagram
Notes
The enduring-payment-consent response contains the full original payload from the enduring-payment-consent request, with the additional elements below:
ConsentId
Status
CreatedDateTime
StatusUpdateDateTime
Data Dictionary
Name | Occurrence | XPath | Notes | Class | Codes |
---|---|---|---|---|---|
NZWriteEnduringConsentResponse1 | NZWriteEnduringConsentResponse1 | NZWriteEnduringConsentResponse1 | |||
Data | 1..1 | NZWriteEnduringConsentResponse1/Data | NZWriteDataEnduringConsentResponse1 | ||
ConsentId | 1..1 | NZWriteEnduringConsentResponse1/Data/ConsentId | Unique identification as assigned by the API Provider to uniquely identify the enduring payment consent. | Max128Text | |
CreationDateTime | 1..1 | NZWriteEnduringConsentResponse1/Data/CreationDateTime | Date and time at which the consent was created. | ISODateTime | |
Status | 1..1 | NZWriteEnduringConsentResponse1/Data/Status | Specifies the status of consent in code form. | OBExternalConsentStatus1Code | Authorised |
StatusUpdateDateTime | 1..1 | NZWriteEnduringConsentResponse1/Data/StatusUpdateDateTime | Date and time at which the consent status was updated. | ISODateTime | |
Consent | 1..1 | NZWriteEnduringConsentResponse1/Data/Consent | The Consent payload is sent by the Third Party to the API Provider. It is used to request a long lived payment consent to move funds from a debtor account to a creditor. | NZEnduringConsent1 | |
Risk | 1..1 | NZWriteEnduringConsentResponse1/Risk | The Risk section is sent by the initiating party to the API Provider. It is used to specify additional details for risk scoring. | NZRisk1 |
Usage Examples
Generic Flow
This example set of flows and payload examples are for a Third Party staging an enduring-payment-consent with an API Provider on behalf of a Customer.
Sequence Diagram
Illustrative Interactions
Create Enduring Payment Consent
Request
POST /enduring-payment-consents HTTP/1.1
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
x-idempotency-key: FRESCO.21302.GFX.20
x-fapi-auth-date: Sun, 10 Sep 2017 19:43:31 UTC
x-fapi-customer-ip-address: 104.25.212.99
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d
Content-Type: application/json
Accept: application/json
{
"Data": {
"Consent": {
"FromDateTime": "2019-05-05T00:00:00+00:00",
"MaximumAmount": {
"Amount": "100.00",
"Currency": "NZD"
},
"TotalAmount": {
"Amount": "10000.00",
"Currency": "NZD"
},
"Frequency": {
"Period": "Monthly",
"TotalAmount": {
"Amount": "1000.00",
"Currency": "NZD"
}
},
"CreditorAccount": [{
"SchemeName": "BECSElectronicCredit",
"Identification": "12-1234-1234567-12",
"Name": "ACME Inc"
}]
}
},
"Risk": {
"PaymentContextCode": "BillPayment"
}
}
Response
HTTP/1.1 201 Created
x-fapi-interaction-id: 93bac548-d2de-4546-b106-880a5018460d
Content-Type: application/json
{
"Data": {
"ConsentId": "89887",
"Status": "AwaitingAuthorisation",
"CreationDateTime": "2019-05-05T15:15:13+00:00",
"StatusUpdateDateTime": "2019-05-05T15:15:13+00:00",
"Consent": {
"FromDateTime": "2019-05-05T00:00:00+00:00",
"MaximumAmount": {
"Amount": "100.00",
"Currency": "NZD"
},
"TotalAmount": {
"Amount": "10000.00",
"Currency": "NZD"
},
"Frequency": {
"Period": "Monthly",
"TotalAmount": {
"Amount": "1000.00",
"Currency": "NZD"
}
},
"CreditorAccount": [{
"SchemeName": "BECSElectronicCredit",
"Identification": "12-1234-1234567-12",
"Name": "ACME Inc"
}]
}
},
"Risk": {
"PaymentContextCode": "BillPayment"
},
"Links": {
"Self": "https://api.alphabank.com/open-banking-nz/v2.1/enduring-payment-consents/89887"
},
"Meta": {
"TotalPages": 1
}
}
Retrieve Enduring Payment Consent
Request
Response
Delete Enduring Payment Consent
Request
Response
Subscription
The generic flow for setting up an enduring-payment-consent remains the same. However, the consent payload differs depending on the scenario.
In this scenario:
The payment-order using the enduring-payment-consent is for the same fixed amount for a regular monthly subscription.
The MaximumAmount is set to the maximum of NZD 100.
The Frequency is set to 1 successful payment per month.
The CreditorAccount is set to the account of the merchant.
Illustrative Interactions
Create Enduring Payment Consent
Request
Response
Direct Model
The generic flow for setting up an enduring-payment-consent remains the same. However, the consent payload differs depending on the scenario.
In this scenario:
The enduring-payment-consent is to an account authorised by the Customer
Illustrative Interactions
Create Enduring Payment Consent
Request
Response