Onboard a Consumer
Register your consumer customers using the Weavr Multi API. Your customers need to complete due diligence before they can start using any financial services.
You can onboard consumers in 6 steps:
- Register a consumer identity
- Set the consumer’s password
- Verify the customer's email address
- Enrol the customer's mobile device
- Enrol root user on alternative authentication factors (optional)
- Submit due diligence information/documents to verify the consumer
1. Register a Consumer Identity
A consumer represents a person that can be provided with financial services such as cards or IBANs. To start the onboarding process, create a consumer by providing your consumer’s personal information.
You can find your API key in the Multi Portal. Learn more about authentication and how to obtain your API key here.
Weavr returns the consumer object that contains the information you provided together with the id, which is used to identify this particular consumer in subsequent API calls.
2. Set the User’s Password
To set a password, you need to use a different API – not the one that you used to create the consumer.
If you are not PCI compliant, you cannot handle your customers’ plain-text passwords. Instead, you must tokenise passwords. Find more information on how to transmit data securely here.
3. Verify the Consumer’s Email Address
The consumer must verify their email address before they can start using their account.
You can start the verification process using the API, the consumer will receive an email sent to the email address that you provided when you created the consumer.
To send the verification email, the consumer does not need to be authenticated.
Email Verification
After you start email verification, the consumer will receive an email message that contains a URL. You must create a page in your application to which this URL will point to. On this page, you must allow the consumer to input the verification code they received in the email.
For the email verification to work, you need to configure your application’s base URL. Find more information on where and how to configure it here.
Verify the email address of the consumer by submitting the verification code that the consumer received in the email and then submitted to your application.
The email verification link is valid for 60 minutes and this begins from the moment that the verification is triggered. During the time that the link is valid, the user can continue to authenticate via the Weavr login (in case the page you have created is behind a login). A user can trigger a new email verification link (within the 60 minutes) and the new link will be valid for 60 minutes.
If the user does not verify their email via the link, they will not be allowed to initiate the KYC process.
Also, a user without a verified email (because the link has expired for example) is considered ABANDONED. Users with this state are still visible in the portal and are displayed as INACTIVE, with the further description of ABANDONED displayed in the side panel.
If an ABANDONED user registers again with the same email address (and completes the verification), the user becomes ACTIVE and will automatically be updated from the ABANDONED state.
4. Enrol the Consumer's mobile device
The consumer must enrol their mobile device before they can start using their account.
You can start the enrolment process using the API. The consumer will receive a text message (SMS) on the mobile number that you provided when you created the consumer.
To send the verification text message, the consumer must be authenticated.
Verify Mobile Device
You must build a page in your application where the user will be able to enter the verification code that they received in the text message. Then, you need to submit the verification code using the API.
To verify the verification code, the consumer must be authenticated. The challenge expires after 5 minutes and the number of incorrect OTP attempts is limited to reduce the risk of fraud; the challenge remains in a Pending state until the last incorrect attempt has been consumed within the 5 minutes. A successful verification will also step-up the users current session, allowing access to the endpoints that require a stepped up token.
5. Enrol Root User on Alternative Authentication Factors (optional)
Weavr offers additional authentication methods other than SMS. The enrolled authentication method will be used instead of SMS once the enrolment is complete. Consumers can be enrolled in new authentication methods using the below endpoint.
The customer should then accept the push notification received on the device.
We currently offer SMS, AUTHY and BIOMETRICS as available authentication factors. More channels are coming soon.
Twilio Authy must be activated in the Multi portal to enrol users to use this authentication method.
6. Submit Due Diligence Information/Documents to Verify the Consumer
With Weavr, you can embed a UI component in your application, which will capture all of the information and documentation required for KYC. Your user will not need to leave your application.
Email Verification is a prerequisite for starting KYC, so must have been completed before KYC can be initiated.
Trigger the KYC process by calling the API:
When initiating the KYC for a consumer identity, you can specify the level of due diligence that the consumer will initially be required to provide. In order to initiate the consumer on the most basic level, set the (optional) request parameter kycLevel to KYC_LEVEL_1. If this parameter is not provided, then the default KYC_LEVEL_2 will be assumed.
You can find more information on different KYC levels as well as how the consumer can move from one level to the other here.
Weavr returns the reference parameter in the response body. Use this value to initialise the KYC UI component. You can find more information on the KYC UI component here.
You can get updates on the consumer’s KYC status by listening to the consumer KYC webhook. You can find more information on how to integrate with Weavr’s webhooks here.
Apart from the owner of the consumer identity, additional users can be authorised to access the consumer identity. Find out more information on how to authorise additional users here.