
Onboard a Corporate

Register your corporate customers using the Weavr Multi API. Your customers need to complete due diligence before they can start using any financial services.

You can onboard corporates in 6 steps:

  1. Register a corporate identity
  2. Set the root user’s password
  3. Verify the root user’s email address
  4. Enrol the root user’s mobile device
  5. Enrol root user on alternative authentication factors (optional)
  6. Submit due diligence information/documents to verify the corporate

1. Register a Corporate Identity

A corporate represents a business entity that can be provided with financial services such as cards or IBANs. To start the onboarding process, create a corporate by providing the company and rootUser information.

The rootUser must be a legal representative of the corporate such as a director or a representative who has the power of attorney over the company. Once onboarded, the rootUser will always have full access to the identity and will be able to invite other users.

Your API Key

You can find your API key in the Multi Portal. Learn more about authentication and how to obtain your API key here.

Weavr returns the corporate object that contains the information you provided together with the id, which is used to identify this particular corporate in subsequent API calls.

2. Set the Root User’s Password

Setting a password uses a different API from the one that you used to create the user. In this step, you set the root user’s password.

Non-PCI Compliant Innovators

If you are not PCI compliant, you cannot handle your customers’ plain-text passwords. Instead, you must tokenise passwords. Find more information on how to transmit data securely here.

3. Verify the Root User’s Email Address

The root user must verify their email address before the corporate can start using their account.

You can start the verification process using the API. The root user will receive an email at the email address that you provided when you created the corporate.

info

To send the verification email, the root user does not need to be authenticated.

Email Verification

After you start email verification, the root user will receive an email message that contains a URL. You must create a page in your application to which this URL points. On this page, you must allow the root user to input the verification code they received in the email.

Configure Your Application’s Base URL

For the email verification to work, you need to configure your application’s base URL. Find more information on where and how to configure it here.

Verify the email address of the root user by submitting the verification code that the root user received in the email and then submitted to your application.

The email verification link is valid for 60 minutes from the moment that the verification is triggered. While the link is valid, the user can continue to authenticate via the Weavr login (in case the page you have created is behind a login). A user can trigger a new email verification link within the 60 minutes, and the new link will be valid for 60 minutes.

If the user does not verify their email via the link, they will not be allowed to initiate the KYC process.

Also, a user without a verified email (because the link has expired for example) is considered ABANDONED. Users with this state are still visible in the portal and are displayed as INACTIVE, with the further description of ABANDONED displayed in the side panel.

If an ABANDONED user registers again with the same email address (and completes the verification), the user becomes ACTIVE and will automatically be updated from the ABANDONED state.

4. Enrol the Root User’s Mobile Device

The root user must enrol their mobile device before the corporate can start using their account.

You can start the enrolment process using the API. The root user will receive a text message (SMS) on the mobile number that you provided when you created the corporate.

info

To send the enrolment text message, the root user must be authenticated.

Verify Mobile Device

You must build a page in your application where the user will be able to enter the verification code that they received in the text message. Then, you need to submit the verification code using the API.

info

To verify the verification code, the root user must be authenticated. The challenge expires after 5 minutes and the number of incorrect OTP attempts is limited to reduce the risk of fraud; the challenge remains in a Pending state until the last incorrect attempt has been consumed within the 5 minutes. A successful verification will also step up the user’s current session, allowing access to the endpoints that require a stepped-up token.
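The timing rules from steps 3 and 4 (the 60-minute email link and the 5-minute SMS challenge with limited attempts) can be mirrored in a small tracker that your verification pages consult before forwarding a code. This is an added example, not Weavr code: the attempt limit of 3, every state label other than Pending, and all class and function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EMAIL_LINK_TTL = timedelta(minutes=60)  # stated on the page
SMS_OTP_TTL = timedelta(minutes=5)      # stated on the page
ASSUMED_MAX_OTP_ATTEMPTS = 3            # assumption: the page gives no number


@dataclass
class Challenge:
    """Local mirror of one verification challenge (email link or SMS OTP)."""
    ttl: timedelta
    triggered_at: datetime
    max_attempts: Optional[int] = None  # None: no attempt limit stated
    failed_attempts: int = 0
    verified: bool = False

    def retrigger(self, now: datetime) -> None:
        # A newly triggered link or SMS starts a fresh validity window.
        # Assumption: a new challenge also starts with a fresh attempt count.
        self.triggered_at = now
        self.failed_attempts = 0

    def state(self, now: datetime) -> str:
        # Only PENDING is the page's term; the other labels are hypothetical.
        if self.verified:
            return "VERIFIED"
        if now - self.triggered_at >= self.ttl:
            return "EXPIRED"
        if self.max_attempts is not None and self.failed_attempts >= self.max_attempts:
            return "ATTEMPTS_EXHAUSTED"
        return "PENDING"

    def record_result(self, now: datetime, accepted: bool) -> str:
        """Record the outcome the API reported for a submitted code."""
        if self.state(now) == "PENDING":  # ignore results for a dead challenge
            if accepted:
                self.verified = True
            else:
                self.failed_attempts += 1
        return self.state(now)


def can_start_kyb(email: Challenge) -> bool:
    # Page rule: email verification is a prerequisite for due diligence.
    return email.verified
```

When `state()` returns anything other than `PENDING` or `VERIFIED`, the page should offer to trigger a new challenge instead of accepting another code.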

5. Enrol Root User on Alternative Authentication Factors (optional)

Weavr offers additional authentication methods other than SMS. The enrolled authentication method will be used instead of SMS once the enrolment is complete. Root users can be enrolled in alternative authentication methods using the below endpoint.

The root user should then accept the push notification received on the device.

Supported Authentication Factors

We currently offer SMS, AUTHY and BIOMETRICS as available authentication factors. More channels are coming soon.

info

Twilio Authy must be activated in the Multi portal to enrol users to use this authentication method.

6. Submit Due Diligence Information/Documents to Verify the Corporate

With Weavr, you can embed a UI component in your application, which will capture all of the information and documentation required for KYB. Your user will not need to leave your application.

IMPORTANT

Email Verification is a prerequisite for starting KYB, so it must have been completed before KYC can be initiated.

The following information will be captured as part of the due diligence process:

  • Copy of the Certificate of Incorporation
  • Copy of the Articles of Association (last amendment)
  • Proof of business address such as a copy of a bank statement or lease agreement in the name of the business
  • Recent commercial registry extract clearly showing company structure including UBOs (ultimate beneficial owners)
  • UBO declaration form (downloadable here)
  • List of UBOs owning at least 25% of the company
  • KYC verification of at least one director or authorised representative (with Power of Attorney)

Trigger the KYB process by calling the API:

Weavr returns the reference parameter in the response body. Use this value to initialise the KYB UI component. You can find more information on the KYB UI component here.

You can get updates on the corporate’s KYB status by listening to the corporate KYB webhook. You can find more information on how to integrate with Weavr’s webhooks here.

Adding Additional Authorised Users

Apart from the root user, corporate identities can authorise other users to access their account. Find out more information on how to authorise additional users here.