...
Register an intent to stage a payment-order consent
Optionally confirm available funds for a payment-order for Domestic payments and international immediate payments only
Subsequently submit the payment-order for processing
Retrieve the status of a payment-order consent or order consent or payment-order resourceorder resource
1.1 Document Overview
This document consists of the following parts:
...
Security & Access Control: Specifies the means for PISPs and Userusers/Customers customers to authenticate themselves and provide consent
...
Step 1: Agree Payment-Order Initiation
This flow begins with a Useruser/Customer customer consenting to a payment being made. The consent is between the Useruser/Customer customer and the PISP
The debtor account details can optionally be specified at this stage
...
The PISP connects to the ASPSP that services the Useruser’s/Customercustomer's payment account and creates a new paymentnew payment-order consent resourceconsent resource. This informs the ASPSP that one of its Userusers/Customers customers intends to make a paymenta payment-order. The ASPSP responds with an identifier for the payment-order consent resource (the ConsentId, which is the intent identifier)
This step is carried out by making a POST request to the payment-order consent resource
Step 3: Authorise Consent
The PISP requests the Useruser/Customer customer to authorise the consent. The ASPSP may carry this out by using a redirection flow or a decoupled flow
In a redirection flow, the PISP redirects the Useruser/Customer customer to the ASPSP
The redirect includes the ConsentId generated in the previous step
This allows the ASPSP to correlate the payment order consent that was setup
The ASPSP authenticates the Useruser/Customercustomer
The Useruser/Customer customer selects the debtor account at this stage (if it has not been previously specified in Step 1)
The ASPSP updates the state of the payment order consent resource internally to indicate that the consent has been authorised
Once the consent has been authorised, the Useruser/Customer customer is redirected back to the PISP
In a decoupled flow, the ASPSP requests the Useruser/Customer customer to authorise consent on an authentication device that is separate from the consumption device on which the Useruser/Customer customer is interacting with the PISP
The decoupled flow is initiated by the PISP calling a back-channel authorisation request
The request contains a 'hint' that identifies the Useruser/Customer customer paired with the consent to be authorised
The ASPSP authenticates the Useruser/Customercustomer
The Useruser/Customer customer selects the debtor account at this stage (if it has not been previously specified in Step 1)
The ASPSP updates the state of the payment order consent resource internally to indicate that the consent has been authorised
Once the consent has been authorised, the ASPSP can make a callback to the PISP to provide an access token
Step 4: Confirm Funds (Domestic and international immediate Payments Only)
Once the Useruser/Customer customer is authenticated and has authorised the payment-order-consent, the PISP can check whether funds are available to make the payment
This is carried out by making a GET request, calling the funds-confirmation operator on the payment-order-consent resource
...
The maximum InstructedAmount allowable
The maximum future date on a future dated payment
Each ASPSP must determine ASPSP must determine appropriate restrictions that they support based on their individual practices, standards and limitations. These restrictions should be documented on ASPSP developer portals.
An ASPSP must reject ASPSP must reject the payment-order consent if order consent if the ASPSP is unable to handle the request.
2.2.1 CutOffDateTime Behaviour
An ASPSP may return ASPSP may return the specific CutOffDateTime when responding to a payment-order consent request.
An ASPSP must document ASPSP must document the behaviour for a payment receipt before and after the CutOffDateTime for a payment-order has elapsed.
...
In this scenario, the behaviour of payment-order execution is explicit to the PISP and Useruser/Customercustomer.
An ASPSP must reject ASPSP must reject the payment-order consent if order consent if the CutOffDateTime for a specific payment-order type has elapsed
An ASPSP must reject ASPSP must reject an authorisation request when the underlying intent object is associated with a CutoffDateTime that has elapsed. The ASPSP must not issue ASPSP must not issue an access token in such a situation. The ASPSP must set ASPSP must set the status of the payment-order consent resource to “Rejected”
An ASPSP must reject ASPSP must reject the payment-order resource if order resource if the CutOffDateTime for a specific payment-order type, has been established and has elapsed
A PISP must ensure PISP must ensure that the Useruser/Customer customer consent authorisation is completed and the payment-order resource is created before the CutOffDateTime elapses
For a payment-order consent or order consent or a payment-order resource that order resource that has been rejected due to the elapsed CutoffDateTime, the PISP may decide PISP may decide to create a corresponding future dated payment endpoint to create a new payment-order consent. The PISP may use the /domestic-future-dated-payment-consents endpoint to create a consent for the same payment for the next working day.
...
In this scenario, the behaviour of the payment-order execution is not explicit to the PISP and Useruser/Customercustomer, and the payment-order will be executed on the next available working day.
An ASPSP must accept ASPSP must accept the payment-order consent if order consent if the CutOffDateTime for a specific payment-order type has elapsed
An ASPSP must accept ASPSP must accept an authorisation request when the underlying intent object is associated with a CutoffDateTime that has elapsed
An ASPSP must accept ASPSP must accept the payment-order resource if order resource if the CutOffDateTime for a specific payment-order type, has been established and has elapsed
An ASPSP may update ASPSP may update the payment-order consent or payment-order resource with order resource with the CutOffDateTime, ExpectedExecutionDateTime and ExpectedSettlementDateTime, to communicate expected execution behaviour if the CutOffDateTime has elapsed
...
2.3.1 Payment-Order Consents
2.3.1.1 POST
A PISP must not create PISP must not create a payment-order consent ConsentId on a newer version and use it to create a payment-order resource in a previous version
E.g., A ConsentId created in v3, must not be used to create a v1 PaymentSubmissionId
A PISP must not create PISP must not create a payment-order consent ConsentId on a previous version and use it to create a payment-order resource in a newer version
E.g., A PaymentId created in v1, must not be used to create a v3 DomesticPaymentId
2.3.1.2 GET
A PISP must not access PISP must not access a payment-order ConsentId created in a newer version, via a previous version endpoint
E.g., A ConsentId created in v3 accessed via a v1 PaymentId
An ASPSP may choose ASPSP may choose to make ConsentIds accessible across versions
E.g., for a PaymentId created in v1, an ASPSP may or may not make it available via v3, as this is a short-lived consent
2.3.2 Payment-Order Consents (Confirm Funds)
2.3.2.1 GET
A PISP must not confirm PISP must not confirm funds using a payment-order-consent ConsentId created in a different version
E.g. a ConsentId created in v3, must not be used to confirm funds on a v1 endpoint
2.3.3 Payment-Order Resource
2.3.3.1 POST
A PISP must use PISP must use a payment-order consent ConsentId within the same version to create the payment-order resource (in that version)
E.g., a v3 payment-order consent can order consent can only be used to create a payment-order resource in order resource in v3
An ASPSP must not allow ASPSP must not allow a PISP to use a ConsentId from a previous version to create a Payment Order in a newer version, and vice versa
2.3.3.2 GET
A PISP must refer PISP must refer to the ASPSP's online Developer Portal for guidelines on accessibility of a payment-order resource in a newer version
A PISP must not PISP must not access the payment-order resource types introduced in a newer version, on an older version endpoint:
E.g., an domestic-payment created in v3, which is accessed via the v1 payment-submissions endpoint
A PISP must not PISP must not access the payment-order resource created in a newer version on an older version endpoint:
E.g., for a domestic-payment resource created in v3, access via the v1 payment-submissions endpoint is not permitted
An ASPSP must document ASPSP must document the behaviour on the accessibility of a payment-order resource in a newer version on the ASPSP's online Developer Portal
An ASPSP must allow ASPSP must allow access to the payment-order resource created in a previous version on a newer version endpoint (depending on an ASPSP's legal requirement for data retention):
E.g., a payment-submission created in v1, must be accessible as a v3 domestic-payment, with sensible defaults for additional fields introduced in v3 (e.g., if an ASPSP must make payment resources available for 7 years)
In the case where a payment-order type is the same, but the structure has changed in a newer version, sensible defaults may be used, with the ASPSP's Developer Portal clearly specifying the behaviour
E.g., a new field StatusUpdateDateTime was introduced in v3, an ASPSPs must populate this with the last status update time (as the StatusUpdateDateTime is a mandatory field)
...
Payments: Generic payment scope
3.2 Grants Types
PISPs must use PISPs must use a client credentials grant to obtain a token to make POST requests to the payment-order consent endpointsorder consent endpoints. In the specification, this grant type is referred to as "Client Credentials".
PISPs must use PISPs must use an authorisation code grant using a redirect or decoupled flow to obtain a token to make POST requests to the payment-order resource endpointsorder resource endpoints. This token may also be used to confirm funds on a payment-order consent resourceorder consent resource. In the specification, this grant type is referred to as "Authorisation Code".
PISPs must use PISPs must use a client credentials grant to obtain a token to make GET requests (excluding confirming funds).
...
A consent authorisation is used to define the fine-grained scope that is granted by the Useruser/Customer customer to the PISP.
The PISP must begin PISP must begin a payment-order request by creating a paymenta payment-order consent resource through a POST operationconsent resource through a POST operation. These resources indicate the consent that the PISP claims it has been given by the Useruser/Customercustomer. At this stage, the consent is not yet authorised as the ASPSP has not yet verified this claim with the Useruser/Customercustomer.
The ASPSP responds with a ConsentId. This is the intent-id that is used when initiating the authorisation code grant.
...
The ASPSP authenticates the Useruser/Customercustomer
If the consent did not indicate a debtor account the ASPSP presents the Useruser/Customer customer with a list of accounts from which the Useruser/Customer customer may select one
The ASPSP plays back the consent (registered by the PISP) back to the Useruser/Customer customer to get consent authorisation. The Useruser/Customer customer may accept or reject the consent in its entirety (but not selectively)
Once these steps are complete, the consent is considered to have been authorised by the Useruser/Customercustomer.
3.3.1 Error Condition
If the Useruser/Customer customer does not complete a successful consent authorisation (e.g., if the Useruser/Customer customer has not authenticated successfully), the authorisation code grant ends with a redirection to the PISP with an error response. The Useruser/Customer customer is redirected to the PISP with an error parameter indicating the error that occurred.
3.3.2 Consents Revocation
A Useruser/Customer customer cannot revoke a payment-order consent once it has been authorised.
...
Payment consents are short-lived and cannot be re-authenticated by the Useruser/Customer.
3.4 Risk Scoring Information
Note: This section currently considers indicative data fields required for banks to do Transactional risk analysis where needed.
Information for risk scoring and assessment will come via:
...
Name | Occurrence | Xpath | Enhanced Definition | Class | Codes | Pattern |
OBRisk |
| OBRisk | The Risk section is sent by the initiating party to the ASPSP. It is used to specify additional details for risk scoring for Payments | OBRisk |
|
|
PaymentContextCode | 0..1 | OBRisk/PaymentContextCode | Specifies the payment context | String | Enum: · BillPayment · EcommerceGoods · EcommerceServices · Other · PartyToParty |
|
MerchantCategoryCode | 0..1 | OBRisk/MerchantCategoryCode | Category code conform to ISO 18245, related to the type of services or goods the merchant provides for the transaction | String |
|
|
MerchantCustomerIdentification | 0..1 | OBRisk/MerchantCustomerIdentification | The unique customer identifier of the Useruser/Customer customer with the merchant | String |
|
|
DeliveryAddress | 0..1 | OBRisk/DeliveryAddress | Information that locates and identifies a specific address, as defined by postal services or in free format text | OBRisk/DeliveryAddress |
|
|
AddressLine | 0..7 | OBRisk/DeliveryAddress/AddressLine | Information that locates and identifies a specific address, as defined by postal services, presented in free format text | String |
|
|
StreetName | 0..1 | OBRisk/DeliveryAddress/StreetName | Name of a street or thoroughfare | String |
|
|
BuildingNumber | 0..1 | OBRisk/DeliveryAddress/BuildingNumber |
| String |
|
|
PostCode | 0..1 | OBRisk/DeliveryAddress/PostCode | Identifier consisting of a group of letters and/or numbers that is added to a postal address to assist the sorting of mail | String |
|
|
TownName | 0..1 | OBRisk/DeliveryAddress/TownName | Name of a built-up area, with defined boundaries, and a local government | String |
|
|
CountrySubDivision | 0..1 | OBRisk/DeliveryAddress/CountrySubDivision |
| String |
|
|
Country | 0..1 |
|
| String |
|
|
...
Name | Occurrence | Xpath | Enhanced Definition | Class | Codes | Pattern |
OBSCASupportData |
| SCASupportData | Supporting Data provided by PISP, when requesting SCA Exemption | OBSCASupportData |
|
|
RequestedSCAExemptionType | 0..1 | SCASupportData/RequestedSCAExemptionType | This field allows a PISP to request specific SCA Exemption for a Payment Initiation | String |
Enum:
This field is under discussion with the CBB, will be finalised in the next version |
|
AppliedAuthenticationApproach | 0..1 | SCASupportData/AppliedAuthenticationApproach | Specifies a character string with a maximum length of 40 characters Usage: This field indicates whether the Useruser/Customer customer was subject to SCA performed by the PISP | String | Enum: · CA · SCA |
|
ReferencePaymentOrderId | 0..1 | SCASupportData/ReferencePaymentOrderId | Specifies a character string with a maximum length of 140 characters Usage: If the payment is recurring, then the transaction identifier of the previous payment occurrence so that the ASPSP can verify that the PISP, amount and the payee are the same as the previous occurrence | String |
|
|
...
Code Class | Name | Definition |
OBExternalPaymentContextCode | BillPayment | The context of the payment initiation is a bill payment |
OBExternalPaymentContextCode | EcommerceGoods | The context of the payment initiation is for goods via an ecommerce channel |
OBExternalPaymentContextCode | EcommerceServices | The context of the payment initiation is for services via an ecommerce channel |
OBExternalPaymentContextCode | PartyToParty | The context of the payment initiation is a party to party payment |
OBExternalPaymentContextCode | Other | The context of the payment initiation is of another type |
OBTransactionIndividualStatusCode | AcceptedSettlementCompleted | Settlement on the debtor's account has been completed Usage: this can be used by the first agent to report to the debtor that the transaction has been completed
Warning: this status is provided for transaction status reasons, not for financial information. It can only be used after bilateral agreement PISPs must not use PISPs must not use this status as confirmation that settlement is complete on the creditor's account |
OBTransactionIndividualStatusCode | AcceptedSettlementInProcess | All preceding checks such as technical validation and customer profile were successful and therefore the payment initiation has been accepted for execution |
OBTransactionIndividualStatusCode | Pending | Payment initiation or individual transaction included in the payment initiation is pending. Further checks and status update will be performed |
OBTransactionIndividualStatusCode | Rejected | Payment initiation or individual transaction included in the payment initiation has been rejected |
OBTransactionIndividualStatusCode | AcceptedWithoutPosting | Payment instruction included in the credit transfer is accepted without being posted to the creditor customer's account |
OBTransactionIndividualStatusCode | AcceptedCreditSettlementCompleted | Settlement on the creditor's account has been completed |
OBExternalConsentStatusCode | AwaitingAuthorisation | The consent resource is awaiting Useruser/Customer customer authorisation |
OBExternalConsentStatusCode | Rejected | The consent resource has been rejected |
OBExternalConsentStatusCode | Authorised | The consent resource has been successfully authorised |
OBExternalConsentStatusCode | Consumed | The consented action has been successfully completed. This does not reflect the status of the consented action |
OBChargeBearerTypeCode | BorneByCreditor | All transaction charges are to be borne by the creditor |
OBChargeBearerTypeCode | BorneByDebtor | All transaction charges are to be borne by the debtor |
OBChargeBearerTypeCode | FollowingServiceLevel | Charges are to be applied following the rules agreed in the service level and/or scheme |
OBChargeBearerTypeCode | Shared | In a credit transfer context, means that transaction charges on the sender side are to be borne by the debtor, transaction charges on the receiver side are to be borne by the creditor. In a direct debit context, means that transaction charges on the sender side are to be borne by the creditor, transaction charges on the receiver side are to be borne by the debtor |
OBExternalAuthorisationCode | Single | Single authorisation type is requested |
OBExternalStatusCode | InitiationCompleted | The payment-order initiation has been completed |
OBExternalStatusCode | InitiationFailed | The payment-order initiation has failed |
OBExternalStatusCode | InitiationPending | The payment-order initiation is pending |
OBExternalStatusCode | InitiationCompleted | The payment-order initiation has been completed |
OBExternalStatusCode | InitiationFailed | The payment-order initiation has failed |
OBExternalStatusCode | InitiationPending | The payment-order initiation is pending |
OBExternalStatusCode | Cancelled | Payment initiation has been successfully cancelled after having received a request for cancellation |
OBExchangeRateTypeCode | Actual | Exchange rate is the actual rate |
OBExchangeRateTypeCode | Agreed | Exchange rate is the agreed rate between the parties |
OBExchangeRateTypeCode | Indicative | Exchange rate is the indicative rate |
OBPriorityCode | Normal | Priority is normal |
OBPriorityCode | Urgent | Priority is urgent |
OBAddressTypeCode | Business | Address is the business address |
OBAddressTypeCode | Correspondence | Address is the address where correspondence is sent |
OBAddressTypeCode | Residential | Address is the home address |
OBTransactionIndividualExtendedISOStatusCode | Accepted | Request is accepted |
OBTransactionIndividualExtendedISOStatusCode | AcceptedCancellationRequest | Cancellation is accepted |
OBTransactionIndividualExtendedISOStatusCode | AcceptedCreditSettlementCompleted | Settlement on the creditor's account has been completed |
OBTransactionIndividualExtendedISOStatusCode | AcceptedCustomerProfile | Preceding check of technical validation was successful. Customer profile check was also successful |
OBTransactionIndividualExtendedISOStatusCode | AcceptedFundsChecked | Preceding check of technical validation and customer profile was successful and an automatic funds check was positive |
OBTransactionIndividualExtendedISOStatusCode | AcceptedSettlementCompleted | Settlement on the debtor's account has been completed
Usage: this can be used by the first agent to report to the debtor that the transaction has been completed
Warning: this status is provided for transaction status reasons, not for financial information. It can only be used after bilateral agreement |
OBTransactionIndividualExtendedISOStatusCode | AcceptedSettlementInProcess | All preceding checks such as technical validation and customer profile were successful and therefore the payment initiation has been accepted for execution |
OBTransactionIndividualExtendedISOStatusCode | AcceptedTechnicalValidation | Authentication and syntactical and semantical validation are successful |
OBTransactionIndividualExtendedISOStatusCode | AcceptedWithChange | Instruction is accepted but a change will be made, such as date or remittance not sent |
OBTransactionIndividualExtendedISOStatusCode | AcceptedWithoutPosting | Payment instruction included in the credit transfer is accepted without being posted to the creditor customer’s account |
OBTransactionIndividualExtendedISOStatusCode | Cancelled | Request is cancelled |
OBTransactionIndividualExtendedISOStatusCode | NoCancellationProcess | No cancellation process |
OBTransactionIndividualExtendedISOStatusCode | PartiallyAcceptedCancellationRequest | Cancellation is partially accepted |
OBTransactionIndividualExtendedISOStatusCode | PartiallyAcceptedTechnicalCorrect | Authentication and syntactical and semantical validation are successful |
OBTransactionIndividualExtendedISOStatusCode | PaymentCancelled | Transaction has been cancelled |
OBTransactionIndividualExtendedISOStatusCode | Pending | Payment initiation or individual transaction included in the payment initiation is pending. Further checks and status update will be performed |
OBTransactionIndividualExtendedISOStatusCode | PendingCancellationRequest | Cancellation request is pending |
OBTransactionIndividualExtendedISOStatusCode | Received | Payment initiation has been received by the receiving agent |
OBTransactionIndividualExtendedISOStatusCode | Rejected | Payment initiation or individual transaction included in the payment initiation has been rejected |
OBTransactionIndividualExtendedISOStatusCode | RejectedCancellationRequest | Cancellation request is rejected |
OBTransactionIndividualStatusReasonCode | Cancelled | Reason why the payment status is cancelled |
OBTransactionIndividualStatusReasonCode | PendingFailingSettlement | Reason why the payment status is pending (failing settlement) |
OBTransactionIndividualStatusReasonCode | PendingSettlement | Reason why the payment status is pending (settlement) |
OBTransactionIndividualStatusReasonCode | Proprietary | Defines a free text proprietary reason |
OBTransactionIndividualStatusReasonCode | ProprietaryRejection | Defines the reason that has been used by the Local Instrument system to reject the transaction |
OBTransactionIndividualStatusReasonCode | Suspended | Reason why the payment status is suspended |
OBTransactionIndividualStatusReasonCode | Unmatched | Reason why the payment status is unmatched |
OBExternalAppliedAuthenticationApproachCode | CA | Single Factor Strong Customer Authentication |
OBExternalAppliedAuthenticationApproachCode | SCA | Multi Factor Strong Customer Authentication |
OBReadRefundAccountCode | Yes | Yes |
OBReadRefundAccountCode | No | No |
...