
Breaking change (October 2024) APP Fraud Prevention - Linking an Account


In the UK, APP (Authorized Push Payment) Fraud is a growing type of scam, where fraudsters trick individuals into authorizing payments to accounts controlled by criminals. Unlike traditional fraud, where unauthorized transactions are made without the victim’s consent, APP fraud involves convincing the victim to willingly transfer money under false pretenses.

Weavr is committed to mitigating this type of fraud. To that end, we have enhanced our security measures for when your users add a linked account and we have refined the onboarding process.

Effective:

  • 28 October 2024 on Sandbox
  • 29 October 2024 on Live

Changes in Buyer Onboarding

To minimize risk, at this stage we will be limiting access to the product to only Enterprise Businesses. To differentiate between Enterprise and Micro Enterprise businesses, we are adding two additional steps to the current onboarding process:

1. New Terms & Conditions agreement onboarding screen

Onboarding flows for Buyers will change to require an updated method of recording agreement to financial institution terms and conditions (FI T&Cs).

All Buyer Admin users will now be shown the following screen when onboarding:

[Screenshot: Terms & Conditions agreement screen]

This enables us to record the agreement of the End Customer to the FI T&Cs directly, as well as automatically update the version of T&Cs if they are revised in future. T&Cs updates will be communicated in advance in each case.

This FI T&Cs agreement screen will be added automatically to the KYB UI Component, prior to the Customer Due Diligence steps (e.g. identity verification and proof of address) in the rest of the process.

Documentation links:

2. Updated/moved Micro-enterprise declaration in KYB onboarding

As well as the above new T&Cs step for all onboarding flows, we will now require a clearer Micro-enterprise declaration, which we are adding into the KYB onboarding:

[Screenshot: Micro-enterprise declaration]

As shown, the Buyer's Admin User needs to answer the two additional questions and then agree to the declaration about whether the Buyer is or is not considered a Micro-enterprise.

Error code micro-enterprise

If the business is a Micro-enterprise, the KYB UI Component will send you an error event with code MICRO_ENTERPRISE_NOT_SUPPORTED.

Changes to the Linked Account Process

We are strengthening the verification process for linking accounts: activating a Linked Account now requires the successful completion of two verification steps, a declaration of ownership via an SCA challenge and internal checks by Weavr:

1. Declaration of Ownership via SCA Challenge

When adding a Linked Account via the Account Information Service (AIS) UI Component, it is critical to confirm that the registered linked account belongs to the Identity attempting to link it. As a result, the state of the linked account will initially transition to PENDING_CHALLENGE rather than LINKED. A user with the Controller role of the Identity must then complete a Strong Customer Authentication (SCA) challenge to confirm ownership of the Linked Account.

Linked Account declaration

The ownership declaration is facilitated through an SCA challenge via a UI Component, which will be provided by Weavr.

SCA challenge state

If the SCA challenge fails, the Linked Account will remain in the PENDING_CHALLENGE state until a successful SCA challenge is completed.

More information about linking an account can be found in our documentation.

2. Internal Checks by Weavr

A name verification check will be automatically triggered by the Weavr platform and, when necessary, flagged for review by the Weavr Compliance team. This ensures that the name of the Linked Account holder matches the Identity registered with Weavr. The internal checks add another layer to the verification process, verifying that the Linked Account belongs to the same person as the Identity.

During this process, we have introduced a new state, PENDING_VERIFICATION, which will remain until the Compliance checks are completed. These checks will result in either a REJECTED or LINKED status.

Compliance Checks

The Compliance team will reach out to the Identity before rejecting the Linked Account.

Updates to the Linked Account webhooks and Get endpoints

We have updated the Linked Account update webhook event and both the Get linked accounts and Get a linked account endpoints with the new states: PENDING_CHALLENGE, PENDING_VERIFICATION and REJECTED.

Action required

Migrate your application to start handling the new updated states related to the Linked Account verification process:

  • PENDING_CHALLENGE: The Linked Account is pending challenge.
  • PENDING_VERIFICATION: The Linked Account is pending the completion of the required verification steps.
  • REJECTED: The Linked Account did not pass one or more verification steps and is not eligible for use.

If no action is taken

If no action is taken, your application will be unable to handle the updated responses when linking a new account, preventing your users from performing an SCA challenge. As a result, the linked account will remain in the PENDING_CHALLENGE state.
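One way an integration could handle the new states, shown as an added example that is not Weavr's own code. The event shape (`id`, `state`), the `CONTROLLER` role string, the action names and the transition table are assumptions made for illustration; only the state names come from this page.

```javascript
// Added example. Event fields, role string and action names are assumptions,
// not Weavr's documented schema. State names are taken from this page.
const USABLE_STATE = "LINKED";

// Flow as described on this page; the exact transitions are an assumption.
const EXPECTED_NEXT = {
  NEW: ["PENDING_CHALLENGE"],
  PENDING_CHALLENGE: ["PENDING_VERIFICATION"],
  PENDING_VERIFICATION: ["LINKED", "REJECTED"],
  LINKED: [],
  REJECTED: [],
};

// Decide what the application should show for an account in a given state.
function nextStep(state, userRoles) {
  switch (state) {
    case "PENDING_CHALLENGE":
      // Only a user with the Controller role can complete the SCA declaration.
      return userRoles.includes("CONTROLLER")
        ? "SHOW_SCA_CHALLENGE"
        : "ASK_CONTROLLER_TO_CONFIRM";
    case "PENDING_VERIFICATION":
      return "SHOW_VERIFICATION_IN_PROGRESS";
    case "REJECTED":
      return "SHOW_REJECTED";
    case "LINKED":
      return "ENABLE_ACCOUNT";
    default:
      // Unknown or future state: fail closed instead of assuming LINKED.
      return "BLOCK_AND_LOG";
  }
}

// Only LINKED accounts may be used; every other state is refused.
function isUsable(state) {
  return state === USABLE_STATE;
}

// Apply a webhook update to a local Map of linked account id -> state.
function applyUpdate(store, event) {
  const previous = store.get(event.id) ?? "NEW";
  if (previous === event.state) return { changed: false, unexpected: false };
  const expected = EXPECTED_NEXT[previous] || [];
  store.set(event.id, event.state); // the platform stays the source of truth
  // Flag transitions outside the described flow so they can be audited.
  return { changed: true, unexpected: !expected.includes(event.state) };
}
```

The usability check is an allow-list on LINKED, so a state the application has never seen is refused by default rather than treated as active.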

New Linked Account SCA Declaration Challenge UI Components

  • Linked Account SCA Declaration Challenge

Affected Webhook Events

Affected API endpoints: