Breaking change (28 October 2024) APP Fraud Prevention - Linking an Account
As mentioned in our previous update, we are implementing measures to combat Authorized Push Payment (APP) Fraud.
Effective:
- 28 October 2024 on Sandbox
- 29 October 2024 on Live
Changes in Buyer Onboarding
To minimize risk, at this stage we will be limiting access to the product to only Enterprise Businesses. To differentiate between Enterprise and Micro Enterprise businesses, we are adding two additional steps to the current onboarding process:
1. New Terms & Conditions agreement onboarding screen
Onboarding flows for Buyers will change to require an updated method of recording agreement to financial institution terms and conditions (FI T&Cs).
All Buyer Admin users will now be shown the following screen when onboarding:

This enables us to record the agreement of the End Customer to the FI T&Cs directly, as well as automatically update the version of T&Cs if they are revised in future. T&Cs updates will be communicated in advance in each case.
This FI T&Cs agreement screen will be added automatically to the KYB UI Component, prior to the Customer Due Diligence steps (e.g. identity verification and proof of address) in the rest of the process.
Documentation links:
2. Updated/moved Micro-enterprise declaration in KYB onboarding
As well as the above new T&Cs step for all onboarding flows, we will now require a clearer Micro-enterprise declaration, which we are adding into the KYB onboarding:

As shown, the Buyer's Admin User needs to answer the two additional questions and then agree to the declaration about whether the Buyer is or is not considered a Micro-enterprise.
If the business is a Micro-enterprise, the KYB UI Component will send you an error event with code MICRO_ENTERPRISE_NOT_SUPPORTED.
Changes to the Linked Account Process
We are strengthening the verification process for linking accounts by ensuring that the activation of a Linked Account requires the successful completion of two verification steps: a declaration of ownership via an SCA challenge, and internal checks by Weavr.
1. Declaration of Ownership via SCA Challenge
When adding a Linked Account via the Account Information Service (AIS) UI Component, it is critical to confirm that the registered linked account belongs to the Identity attempting to link it. As a result, the state of the linked account will initially transition to PENDING_CHALLENGE rather than LINKED. A user with the Controller role of the Identity must then complete a Strong Customer Authentication (SCA) challenge to confirm ownership of the Linked Account.
More information about our Linked Account Declaration UI Component can be found here.
If the SCA challenge fails, the Linked Account will remain in the PENDING_CHALLENGE state until a successful SCA challenge is completed.
More information about linking an account can be found in our documentation.
2. Internal Checks by Weavr
A name verification check will be automatically triggered by the Weavr platform and, when necessary, flagged for review by the Weavr Compliance team. This ensures that the name of the Linked Account holder matches the Identity registered with Weavr. The internal checks are required as another layer in the verification process to verify that the Linked Account belongs to the same person as the Identity.
During this process, we have introduced a new state, PENDING_VERIFICATION, which will remain until the Compliance checks are completed. These checks will result in either a REJECTED or LINKED status.
The Compliance team will reach out to the Identity before rejecting the Linked Account.
Updates to the Linked Account webhooks and Get endpoints
We have updated the Linked Account update webhook event and both the Get linked accounts and Get a linked account endpoints with the new states: PENDING_CHALLENGE, PENDING_VERIFICATION and REJECTED.
Updates to the Linked Account states on the Embedder Portal
The linked accounts in the Embedder Portal have been updated to display the new states: PENDING_CHALLENGE, PENDING_VERIFICATION and REJECTED.
Action required
Migrate your application to handle the new states related to the Linked Account verification process:
- PENDING_CHALLENGE: The Linked Account is pending challenge.
- PENDING_VERIFICATION: The Linked Account is pending the completion of the required verification steps.
- REJECTED: The Linked Account did not pass one or more verification steps and is not eligible for use.
If no action is taken
If no action is taken, your application will be unable to handle the updated responses when linking a new account, preventing your users from performing an SCA challenge. As a result, the linked account will remain in the PENDING_CHALLENGE state.
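One way an integrating application could handle the new states fail-closed, shown as an added example that is not Weavr's code. The event shape (`id`, `state` keys), the action names, the `SOME_FUTURE_STATE` value and the strict transition order are assumptions made for illustration; only the four state names come from this page.

```python
# States named on this page.
PENDING_CHALLENGE = "PENDING_CHALLENGE"
PENDING_VERIFICATION = "PENDING_VERIFICATION"
LINKED = "LINKED"
REJECTED = "REJECTED"
# Application-side action per state (action names are illustrative).
ACTIONS = {
    PENDING_CHALLENGE: "prompt_controller_for_sca",
    PENDING_VERIFICATION: "show_under_review",
    LINKED: "enable_transfers",
    REJECTED: "show_rejected",
}
# Assumption: order implied by the text (SCA declaration, internal checks,
# outcome) with no backwards moves. None means "not seen before".
EXPECTED_NEXT = {
    None: {PENDING_CHALLENGE},
    PENDING_CHALLENGE: {PENDING_CHALLENGE, PENDING_VERIFICATION},
    PENDING_VERIFICATION: {PENDING_VERIFICATION, LINKED, REJECTED},
    LINKED: {LINKED},
    REJECTED: {REJECTED},
}

def can_transfer(state):
    """Only LINKED unlocks transfers; pending, rejected and unknown fail closed."""
    return state == LINKED

def apply_update(store, event):
    # `event` is a hypothetical dict with "id" and "state" keys, not the real
    # webhook schema. Updates {account_id: state}; returns (action, warnings).
    account_id, new_state = event["id"], event["state"]
    previous = store.get(account_id)
    store[account_id] = new_state
    if new_state not in ACTIONS:
        return "hold_and_alert", [f"unknown state {new_state!r}"]
    warnings = []
    if new_state not in EXPECTED_NEXT.get(previous, set()):
        warnings.append(f"unexpected transition {previous} -> {new_state}")
    return ACTIONS[new_state], warnings

SAMPLE_EVENTS = [  # constructed for illustration
    {"id": "la-1", "state": "PENDING_CHALLENGE"},
    {"id": "la-1", "state": "PENDING_VERIFICATION"},
    {"id": "la-1", "state": "LINKED"},
    {"id": "la-2", "state": "PENDING_CHALLENGE"},
    {"id": "la-2", "state": "LINKED"},             # skips verification: warn
    {"id": "la-3", "state": "SOME_FUTURE_STATE"},  # placeholder, not a real state
]

def replay(events):
    store, log = {}, []
    for event in events:
        log.append((event["id"], *apply_update(store, event)))
    return store, log
```

The transition warning is advisory only: the platform remains the source of truth for the state, and the warning exists so that an out-of-order update is reviewed rather than silently accepted.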
New Linked Account SCA Declaration Challenge UI Components
Affected Webhook Events
Affected API endpoints: