Embedded Payment Run Changelog

Effective:

  • 5 June 2024 on Sandbox
  • 26 June 2024 on Live

We are removing the baseCurrency field from the Buyer object.

After the change, you will not be required to send the baseCurrency field when creating or updating a buyer. When retrieving the buyer details, the baseCurrency field will not be returned anymore.

Action required

Review and update your application logic to remove dependencies on the baseCurrency field. This will help prevent any disruptions to your integration.

If no action is taken

If no action is taken, your application may fail when retrieving the details of a buyer if it is expecting to receive the baseCurrency field as part of the response.

Affected API endpoints:


Effective:

  • 29 April 2024 on Sandbox
  • 30 April 2024 on Live

We are continuing to improve the payment run creation process by ensuring that a payment run cannot be created if the Zero Balance Account was not created.

A Zero Balance Account is automatically created for each supported currency as soon as your customer completes onboarding. Therefore, if your customer has not completed onboarding and tries to create a payment run, the API endpoint will return an HTTP 409 error ZERO_BALANCE_ACCOUNT_INVALID_STATE.

You can find more information about the Zero Balance Account and Payment Run creation in our docs.

Affected API endpoints:


Effective:

  • 23 April 2024 on Sandbox
  • 1 May 2024 on Live

We understand the importance of accessibility and efficiency when it comes to monitoring your webhook events and for this reason, we have introduced an Event Log page within the Embedder Portal to provide you with a better user experience.

We restructured the list of webhook events to be presented in descending order, with the latest created event displayed first.

To view the webhook logs, please log in to your sandbox embedder portal and go to Webhook Logs.

More details on webhook logs are available in our documentation.


Effective:

  • 10 April 2024 on Sandbox
  • 17 April 2024 on Live

We have updated the Controller role permissions so that a user that is assigned this role can retrieve payment runs.

Previously, if the view all payment runs and/or view a payment run endpoints were called by a user that has the Controller role, the endpoints would have returned an HTTP 403 error.

Following this change, the two endpoints will start returning the corresponding payment runs.

More details about the controller's permission are available here.

Affected Endpoints:


Effective:

  • 27 March 2024 on Sandbox
  • 2 April 2024 on Live

The Account Information Service (AIS) consents are granted for up to 90 days, after which your users are required to extend their consent to continue using the associated Linked Account. We have therefore updated the AIS component to support the extension of the consent.

The Get Linked Accounts & Get a Linked Account endpoints have been updated to contain the consent information with the below fields:

  • expiresAt
  • expiresIn
  • status

Note: If the consent has expired:

  • expiresAt will contain a value of '0'.
  • expiresIn will contain the past date on which the AIS consent expired.

You will also receive the AIS consent expiry and status (expiresAt, expiresIn & status) in the link account update event.

To extend the consent you need to provide the linkedAccountId parameter of the linked account in the AIS UI Component.

The consent renewal can be initiated before the 90 days elapse. In this case, your user will be shown a consent renewal request screen for Weavr to continue accessing their bank account information. If the user clicks on 'I Consent', the AIS consent will be extended for another 90 days.

If the renewal is initiated after 90 days, the consent can still be extended; however, your user will be shown an expired consent screen. To renew the consent, your user will be redirected to their bank's portal to approve the consent request. In the bank's portal, the bank will ask them to authenticate and re-confirm the bank account to be shared.

Affected API endpoints:

More details on how to extend the AIS consent are available in our documentation.


Effective:

  • 27 March 2024 on Sandbox
  • 2 April 2024 on Live

We have improved the security of payments in a payment run by validating and ensuring that the supplier bank account details provided by your buyers are not the linked account or the zero balance account bank account details.

A buyer can only perform supplier payments to third-party bank accounts and cannot use the Payment Run to send payments between their own accounts. A buyer can add a linked account at multiple stages of the payment run lifecycle, so we have added the validations to the endpoints below:

Create a payment run

When a user is creating a payment run and the supplier bank details include a:

  • Linked account, the endpoint will fail with an HTTP 409 error BANK_ACCOUNT_CANNOT_BE_LINKED_ACCOUNT
  • Zero balance account, the endpoint will fail with an HTTP 409 error BANK_ACCOUNT_CANNOT_BE_ZERO_BALANCE_ACCOUNT

The payment run together with all the payments within the payment run will transition to a CANCELLED status.

Confirm a payment run & Payment Initiation Service (PIS) UI Component

When a user confirms the payment run or when a PIS is initiated and the supplier bank details include a:

  • Linked account, the endpoint will fail with an HTTP 409 error BANK_ACCOUNT_CANNOT_BE_LINKED_ACCOUNT

The payment run together with all the payments within the payment run will transition to a CANCELLED status and you will receive a payment run update webhook and payment update webhook, informing you that the payment and payment run have transitioned to a CANCELLED status.
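Because one offending supplier account cancels the whole payment run, an integration can screen supplier bank details against the buyer's own accounts before submitting. The following is an added example, not code from the original changelog or from Weavr; the field names (`supplierBankDetails`, `reference`, `iban`, `accountNumber`, `sortCode`) and all sample data are assumptions made for illustration, and the API's own validation remains authoritative.

```python
import re

LINKED = "BANK_ACCOUNT_CANNOT_BE_LINKED_ACCOUNT"
ZERO_BALANCE = "BANK_ACCOUNT_CANNOT_BE_ZERO_BALANCE_ACCOUNT"


def account_keys(details):
    """Normalised identifiers for one bank account (field names are assumptions)."""
    keys = set()
    # Strip spaces/punctuation and upper-case so formatting differences do not hide a match.
    iban = re.sub(r"[^A-Za-z0-9]", "", details.get("iban") or "").upper()
    if iban:
        keys.add(("iban", iban))
    number = re.sub(r"\D", "", details.get("accountNumber") or "")
    sort_code = re.sub(r"\D", "", details.get("sortCode") or "")
    if number and sort_code:
        keys.add(("sortcode+number", sort_code + number))
    return keys


def preflight(payments, linked_accounts, zero_balance_accounts):
    """Return (reference, expected error code) for payments the API would reject."""
    linked = set().union(*(account_keys(a) for a in linked_accounts))
    zero = set().union(*(account_keys(a) for a in zero_balance_accounts))
    findings = []
    for payment in payments:
        keys = account_keys(payment["supplierBankDetails"])
        if keys & linked:
            findings.append((payment["reference"], LINKED))
        elif keys & zero:
            findings.append((payment["reference"], ZERO_BALANCE))
    return findings


# Constructed sample data; none of these account identifiers are real.
LINKED_ACCOUNTS = [{"iban": "GB00TEST00000012345678"}]
ZERO_BALANCE_ACCOUNTS = [{"accountNumber": "00112233", "sortCode": "00-00-01"}]
PAYMENTS = [
    {"reference": "INV-1", "supplierBankDetails": {"iban": "gb00 test 0000 0012 3456 78"}},
    {"reference": "INV-2", "supplierBankDetails": {"accountNumber": "0011 2233", "sortCode": "000001"}},
    {"reference": "INV-3", "supplierBankDetails": {"iban": "DE00TEST00000099999999"}},
]

if __name__ == "__main__":
    for reference, code in preflight(PAYMENTS, LINKED_ACCOUNTS, ZERO_BALANCE_ACCOUNTS):
        print(f"{reference}: would fail with HTTP 409 {code}")
```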

Affected API endpoints:

Affected UI components:


Effective:

  • 27 March 2024 on Sandbox
  • 2 April 2024 on Live

We have exposed simulator endpoints that will help you trigger processes in Sandbox that in Production are triggered from an external action rather than from your application. This way you can test scenarios that otherwise you would only encounter in the Live environment.

Simulator API Endpoints

  • Link account:
    • This endpoint will allow you to simulate linking an account via Open Banking to fund payments within a payment run.
  • Fund payment run:
    • This endpoint will allow you to simulate a funding of a payment run using a linked account.
  • Verify KYB:
    • This endpoint will allow you to simulate due diligence (KYB) for your Buyers.

Note: These endpoints are only available on Sandbox and won’t work in the Live environment.

More details on simulators are available in our documentation.


Effective:

  • 27 February 2024 on Sandbox
  • 19 March 2024 on Live

The Step up - Issue one time password endpoint now allows the end-user to request a new OTP up to one time if the first attempt to issue a step-up challenge was unsuccessful.

To be able to issue another step-up challenge, you need to wait 15 seconds (or more) from the first attempt.

  • If the step-up challenge API is triggered 15 seconds or more after the first attempt, the first attempt will be invalidated and the user will need to respond to the new challenge.
  • Triggering the step-up challenge API before 15 seconds have elapsed will return an HTTP 409 RETRY_IN_15SEC.
  • The step-up challenge can be retried 2 times, after which an HTTP 400 INVALID_REQUEST will be returned. The user will have to log out and log in again to issue a new step-up challenge.

Note: If the end-user receives both the first SMS and the second one at the same time (e.g. a delay in telecom delivering the messages), only the more recent OTP will work.
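One way a client can respect these resend rules is sketched below as an added example; it is not code from the original changelog or from Weavr. `issue_challenge` is a hypothetical callable that wraps the HTTP request and returns `(http_status, error_code)`, the 204 success status in the replay is constructed, and the retry limit is left to the server's HTTP 400 answer rather than counted locally.

```python
import time

RESEND_WAIT_SECONDS = 15  # minimum gap between challenges, per the changelog

class StepUpLocked(Exception):
    """HTTP 400 INVALID_REQUEST: the user must log out and log in again."""

class StepUpChallenger:
    """Client-side guard; issue_challenge is a hypothetical callable -> (status, code)."""

    def __init__(self, issue_challenge, clock=time.monotonic, sleep=time.sleep):
        self._issue, self._clock, self._sleep = issue_challenge, clock, sleep
        self._last_issued = None
        self.generation = 0  # only the OTP from the latest generation is valid

    def issue(self):
        if self._last_issued is not None:
            remaining = RESEND_WAIT_SECONDS - (self._clock() - self._last_issued)
            if remaining > 0:
                self._sleep(remaining)  # avoid a guaranteed HTTP 409
        for _ in range(2):  # tolerate one server-side "too early" answer
            status, code = self._issue()
            if 200 <= status < 300:
                self._last_issued = self._clock()
                self.generation += 1  # any earlier challenge is now invalidated
                return self.generation
            if (status, code) == (400, "INVALID_REQUEST"):
                raise StepUpLocked("retry limit reached; a new login is required")
            if (status, code) != (409, "RETRY_IN_15SEC"):
                raise RuntimeError(f"unexpected response: {status} {code}")
            self._sleep(RESEND_WAIT_SECONDS)
        raise RuntimeError("server kept answering RETRY_IN_15SEC")

def demo():
    """Replay a constructed server script against a fake clock (no real waiting)."""
    now, slept = [0.0], []
    def sleep(seconds):
        slept.append(seconds)
        now[0] += seconds
    script = iter([(204, None), (409, "RETRY_IN_15SEC"), (204, None), (400, "INVALID_REQUEST")])
    challenger = StepUpChallenger(lambda: next(script), clock=lambda: now[0], sleep=sleep)
    first = challenger.issue()
    now[0] += 5  # the user asks for a resend after only 5 seconds
    second = challenger.issue()
    try:
        challenger.issue()
    except StepUpLocked:
        return first, second, slept, True
    return first, second, slept, False
```

The UI should accept an OTP only for the latest `generation`, matching the note that only the more recent OTP works.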

Affected API endpoints:

More details on how to step-up a token are available in our documentation.


Effective:

  • 27 February 2024 on Sandbox
  • 20 March 2024 on Live

The creation of an Authorised User for a Buyer is a key moment in the integrity of the security for that Buyer. To mitigate against security risks, we are now requiring the user who is creating a new authorised user to step-up their token. Creating Authorised Users continues to be an operation that can be performed by a user that has the Admin role.

Affected API endpoints:

More details on how to step-up a token are available in our documentation.


Effective:

  • 27 February 2024 on Sandbox
  • 20 March 2024 on Live

To reduce the risk of fraud, we are now limiting the number of times a one-time-password can be submitted incorrectly.

Secure UI Components

When the user inputs a wrong OTP, they will be shown an error message and will be allowed to enter a new OTP. If they reach the last try, a message will be shown specifying that it is the last try. Once a wrong OTP is entered on the last try, the Secure UI Component will return an error event with code CHALLENGE_LIMIT_EXCEEDED.

Affected Secure UI Components:

API endpoints

We have introduced 2 new error codes for the HTTP 409 response:

  • ONE_CHALLENGE_LIMIT_REMAINING - returned when the user has one try left
  • CHALLENGE_LIMIT_EXCEEDED - returned when the user has exceeded their OTP retries

Affected API endpoints: