9 posts tagged with "linked-accounts"

As mentioned in our previous update, we are implementing measures to combat Authorized Push Payment (APP) Fraud.

Effective:

• 28 October 2024 on Sandbox
• 29 October 2024 on Live

Changes in Buyer Onboarding​

To minimize risk, at this stage we will be limiting access to the product to only Enterprise Businesses. To differentiate between Enterprise and Micro Enterprise businesses, we are adding two additional steps to the current onboarding process:

1. New Terms & Conditions agreement onboarding screen​

Onboarding flows for Buyers will change to require an updated method of recording agreement to financial institution terms and conditions (FI T&Cs).

All Buyer Admin users will now be shown the following screen when onboarding:

This enables us to record the agreement of the End Customer to the FI T&Cs directly, as well as automatically update the version of T&Cs if they are revised in future. T&Cs updates will be communicated in advance in each case.

This FI T&Cs agreement screen will be added automatically to the KYB UI Component, prior to the Customer Due Diligence steps (e.g. identity verification and proof of address) in the rest of the process.

Documentation links:

• KYB Onboarding
• Buyer Due Dilligence

2. Updated/moved Micro-enterprise declaration in KYB onboarding​

As well as the above new T&Cs step for all onboarding flows, we will now require a clearer Micro-enterprise declaration, which we are adding into the KYB onboarding:

As shown, the Buyer's Admin User needs to answer the two additional questions and then agree to the declaration about whether the Buyer is or is not considered a Micro-enterprise.

Changes to the Linked Account Process​

We are strengthening the verification process for linking accounts by ensuring that the activation of a Linked Account requires the successful completion of two verification steps; a declaration of ownership via an SCA challenge and internal checks by Weavr:

1. Declaration of Ownership via SCA Challenge​

When adding a Linked Account via the Account Information Service (AIS) UI Component it is critical to confirm that the registered linked account belongs to the Identity attempting to link it. As a result, the state of the linked account will initially transition to PENDING_CHALLENGE rather than LINKED, A user with the Controller role of the Identity must then complete an Strong Customer Authentication (SCA) challenge to confirm ownership of the Linked Account.

More information about linked an account can be found in our documentation.

2. Internal Checks by Weavr​

A name verification check will be automatically triggered by the Weavr platform and, when necessary, flagged for review by the Weavr Compliance team. This ensures that the name of the Linked Account holder matches the Identity registered with Weavr. The internal checks are required as another layer in the verification process to verify that the Linked Account belongs to the same person of the Identity.

During this process, we have introduced a new state, PENDING_VERIFICATION, which will remain until the Compliance checks are completed. These checks will result in either a REJECTED or LINKED status.

Updates to the Linked Account webhooks and Get endpoints​

We have updated the Linked Account update webhook event and both the Get linked accounts and a linked account with the new states: PENDING_CHALLENGE, PENDING_VERIFICATION and REJECTED.

Updates to the Linked Account states on the Embedder Portal​

The linked accounts in the embedder portal have been updated to display the new states: PENDING_CHALLENGE, PENDING_VERIFICATION and REJECTED.

Action required​

Migrate your application to start handling the new updated states related to the Linked Account verification process:

• PENDING_CHALLENGE: The Linked Account is pending challenge.
• PENDING_VERIFICATION: The Linked Account is pending the completion of the required verification steps.
• REJECTED: The Linked Account did not pass one or more verification steps and is not eligible for use.

If no action is taken​

If no action is taken, your application will be unable to handle the updated responses when linking a new account, preventing your users from performing an SCA challenge. As a result, the linked account will remain in the PENDING_CHALLENGE state.

New Linked Account SCA Declaration Challenge UI Components

• Linked Account SCA Declaration Challenge.

Affected Webhook Events

• Linked Account Update

Affected API endpoints:

• GET/linked_accounts
• GET/linked_accounts/{linked_account_id}

In the UK, APP (Authorized Push Payment) Fraud is a growing type of scam, where fraudsters trick individuals into authorizing payments to accounts controlled by criminals. Unlike traditional fraud, where unauthorized transactions are made without the victim’s consent, APP fraud involves convincing the victim to willingly transfer money under false pretenses.

Weavr is committed to mitigating this type of fraud. To that end, we have enhanced our security measures for when your users add a linked account and we have refined the onboarding process.

Effective:

• 28 October 2024 on Sandbox
• 29 October 2024 on Live

Changes in Buyer Onboarding​

To minimize risk, at this stage we will be limiting access to the product to only Enterprise Businesses. To differentiate between Enterprise and Micro Enterprise businesses, we are adding two additional steps to the current onboarding process:

1. New Terms & Conditions agreement onboarding screen​

Onboarding flows for Buyers will change to require an updated method of recording agreement to financial institution terms and conditions (FI T&Cs).

All Buyer Admin users will now be shown the following screen when onboarding:

This enables us to record the agreement of the End Customer to the FI T&Cs directly, as well as automatically update the version of T&Cs if they are revised in future. T&Cs updates will be communicated in advance in each case.

This FI T&Cs agreement screen will be added automatically to the KYB UI Component, prior to the Customer Due Diligence steps (e.g. identity verification and proof of address) in the rest of the process.

Documentation links:

• KYB Onboarding
• Buyer Due Dilligence

2. Updated/moved Micro-enterprise declaration in KYB onboarding​

As well as the above new T&Cs step for all onboarding flows, we will now require a clearer Micro-enterprise declaration, which we are adding into the KYB onboarding:

As shown, the Buyer's Admin User needs to answer the two additional questions and then agree to the declaration about whether the Buyer is or is not considered a Micro-enterprise.

Changes to the Linked Account Process​

We are strengthening the verification process for linking accounts by ensuring that the activation of a Linked Account requires the successful completion of two verification steps; a declaration of ownership via an SCA challenge and internal checks by Weavr:

1. Declaration of Ownership via SCA Challenge​

When adding a Linked Account via the Account Information Service (AIS) UI Component it is critical to confirm that the registered linked account belongs to the Identity attempting to link it. As a result, the state of the linked account will initially transition to PENDING_CHALLENGE rather than LINKED, A user with the Controller role of the Identity must then complete an Strong Customer Authentication (SCA) challenge to confirm ownership of the Linked Account.

More information about linked an account can be found in our documentation.

2. Internal Checks by Weavr​

A name verification check will be automatically triggered by the Weavr platform and, when necessary, flagged for review by the Weavr Compliance team. This ensures that the name of the Linked Account holder matches the Identity registered with Weavr. The internal checks are required as another layer in the verification process to verify that the Linked Account belongs to the same person of the Identity.

During this process, we have introduced a new state, PENDING_VERIFICATION, which will remain until the Compliance checks are completed. These checks will result in either a REJECTED or LINKED status.

Updates to the Linked Account webhooks and Get endpoints​

We have updated the Linked Account update webhook event and both the Get linked accounts and a linked account with the new states: PENDING_CHALLENGE, PENDING_VERIFICATION and REJECTED.

Action required​

Migrate your application to start handling the new updated states related to the Linked Account verification process:

• PENDING_CHALLENGE: The Linked Account is pending challenge.
• PENDING_VERIFICATION: The Linked Account is pending the completion of the required verification steps.
• REJECTED: The Linked Account did not pass one or more verification steps and is not eligible for use.

If no action is taken​

If no action is taken, your application will be unable to handle the updated responses when linking a new account, preventing your users from performing an SCA challenge. As a result, the linked account will remain in the PENDING_CHALLENGE state.

New Linked Account SCA Declaration Challenge UI Components

• Linked Account SCA Declaration Challenge

Affected Webhook Events

• Linked Account Update

Affected API endpoints:

• GET/linked_accounts
• GET/linked_accounts/{linked_account_id}

We’ve introduced a new webhook that allows you to receive notifications when a linked account consent of a Buyer is set to expire within the next 10 days.

Effective:

• 01 October 2024 on Sandbox
• 01 October 2024 on Live

The webhook sends real-time notifications, helping you stay informed about upcoming buyer linked account consent expirations, this will reduce the risk of account disruptions due to expired consent.

You can subscribe to the webhook here.

Affected webhook event:

• Linked Account Expiring Soon

As previously communicated, we are removing the deprecated delete a linked account endpoint.

Effective:

• 12 August 2024 on Sandbox
• 20 August 2024 on Live

Action required​

Migrate your application to start using the new unlink an account endpoint and remove dependencies on the delete a linked account endpoint.

If no action is taken​

If no action is taken, you will receive an HTTP 404 error when calling the delete a linked account endpoint.

Affected API endpoints:

• DELETE/linked_accounts/{linked_account_id}

We have updated the linked accounts screen in the embedder portal to provide you with more information about your buyers linked accounts.

Effective:

• 01 July 2024 on Sandbox
• 09 July 2024 on Live

When logging in to you embedder portal, and you select a Buyer > Linked Bank Accounts you'll see two new columns displaying the 'Status' and the 'Consent expiries in'.

• The 'Status' will display the status of the linked bank account, Linked or Unlinked.
• The 'Consent expires in' will display the days left until the buyer is required to re-consent the linked account before it expires.

The consent information can be also retrieved from the get linked accounts or get linked account endpoints.

You can find more information about linked accounts and consents in our docs.

We are delighted to announce that Weavr is enabling EEA customers to make use of the Embedded Payment Run Solution. Apart from the UK, Embedded Payment Run is now available for end-customers in the European Economic Area. End-customers residing in the EEA can now onboard, fund and make domestic payments in Euros on the SEPA bank transfer rails.

Effective:

• 01 July 2024 on Sandbox
• 09 July 2024 on Live

EEA countries supported​

Weavr is now supporting buyers residing in the following countries:

Austria	Belgium	Cyprus	Denmark
Finland	France	Ireland	Italy
Estonia	Luxembourg	Latvia	Netherlands
Norway	Poland	Portugal	Slovakia
Slovenia	Spain	Sweden

Retrieve Open Banking Institutions​

To ensure that you can support your buyers to link an account and to fund a payment run we have created an endpoint that retrieves all the available institutions that use open banking.

We suggest that you enable your end-customers to verify that their current financial institutions are supported by Weavr before they onboard.

New API endpoints:

• Get Institutions

Account Information Service (AIS) Consent in the EEA​

In the EEA, the Account Information Service (AIS) consents can be granted up to 180 days. This means that your users are required to extend their consent to continue using the associated Linked Account every 180 days.

Retrieve the linked account consent expiry and status​

The Get Linked Accounts & Get a Linked Account endpoints have been updated to contain the consent information with the below fields:

• expiresAt
• expiresIn
• status

Note: If the consent, expired the:

• expiresAt will contain a value of '0'.
• expiresIn will contain the date in the past of the AIS consent expired.

You will also receive the AIS consent expiry and status (expiresAt, expiresIn & status) in the link account update event.

Extend the AIS consent​

To extend the consent in EEA you need to provide the linkedAccountId parameter of the linked account in the AIS UI Component.

• Extending an AIS consent before the 180 days pass​

  The consent can be initiated before 180 days elapse, this means that your user will be shown a consent renewal request screen for Weavr to continue accessing their bank account information. If the user clicks on 'I Consent' your user will be redirected to their Bank's portal to approve the consent request. In the Banking portal, the bank will ask them to authenticate and re-confirm the bank account to be shared.

• Extending an AIS consent after the 180 days pass​

  Initiating the AIS consent after 180 days, can still be extended, however your user will be shown an expired consent screen. To renew the consent, your user will be redirected to their Bank's portal to approve the consent request. In the Banking portal, the bank will ask them to authenticate and re-confirm the bank account to be shared.

Buyer endpoints updated to accept 'EUR'​

We have updated the buyer endpoints to accept the 'EUR' currency in the supportedCurrencies object:

• POST/buyers
• GET/buyers
• PATCH/buyers

Payment run endpoints updated to accept 'EUR'​

We have updated the payment run API and events endpoints to accept the 'EUR' currency in the currencies object:

• POST/payment_runs
• GET/payment_runs
• GET/payment_runs/{payment_run_id}
• GET/payment_runs/{payment_run_id}/fund

Events endpoints update:

• Payment Run Update
• Payment Update

Linked account endpoints updated to accept 'EUR'​

We have updated the linked account API and event endpoints to accept the 'EUR' currency in the currencies object:

• GET/linked_accounts
• GET/linked_accounts/{linked_account_id}
• POST/linked_accounts/{linked_account_id}/unlink

Updated Events endpoints

• Linked account update webhook

Embedder Portal settings​

When you open a sandbox account, upon the registration form you are required to choose the jurisdiction you are residing in. If you select "EEA" (European Economic Area) then by default, the EUR currency will be selected.

Effective:

• 05 June 2024 on Sandbox
• 26 June 2024 on Live

We have made improvements to our error messages within the Account Information Service (AIS) flow to ensure that users can only link one account at a time.

With this update, a specific error message, CANNOT_LINK_MULTIPLE_ACCOUNTS, will be generated if users try to link more than one account. This error message will only be received during the AIS UI Component phase.

Users with the controller role must now ensure they link only one account during the AIS flow. Attempting to add multiple accounts will trigger the linked account update webhook with the new CANNOT_LINK_MULTIPLE_ACCOUNTS error. This change aims to streamline the account linking process and reduce errors.

Affected Events

• Linked Account Update

Affected UI Components:

• AIS UI Component

Effective:

• 14 May 2024 on Sandbox
• 3 July 2024 on Live

The delete a linked account endpoint, currently deletes the linked account, and once a linked account is deleted it cannot be retrieved. This makes it difficult for your buyers to trace and reconcile which linked account was used to fund previous payment runs.

Therefore, we are marking the delete a linked account endpoint as deprecated following the release of the new unlink an account endpoint.

Action required​

Migrate your application to start using the new unlink an account endpoint and remove dependencies on the delete a linked account endpoint.

If no action is taken​

If no action is taken, you will receive an HTTP 404 error when calling the delete a linked account endpoint.

Affected API endpoints:

• DELETE/linked_accounts/{linked_account_id}

Effective:

• 14 May 2024 on Sandbox
• 17 May 2024 on Live

We have created a new endpoint to enable users with controller role to unlink bank accounts. Bank accounts should be unlinked if the buyer does not want to use them to fund payment runs anymore, thus removing the risk of using the wrong bank account in the future.

New POST unlink endpoint​

The new endpoint POST/linked_accounts/\{linked_account_id}/unlink will have the following parameters:

• Request: the linked_account_id to unlink
• Response: the updated linkedAccount object and the status will change from CONNECTED and DISCONNECTED to LINKED and UNLINKED.

If your buyers try to confirm and/or fund a payment run using an unlinked account, you will receive an HTTP 409 error code LINKED_ACCOUNT_INVALID_STATE.

Linked Account GET endpoint​

When calling the GET linked accounts or GET linked account endpoints, you will receive the unlinked account information with the status as UNLINKED and the consent of the account as EXPIRED.

Linked Account webhook event​

You will be notified when a buyer unlinks an account if you are subscribed to the linked account webhook event. The linked account webhook event will also be updated to receive the status as UNLINKED and the consent of the account as EXPIRED.

Affected Events

• Linked Account Update

Affected API endpoints:

• DELETE/linked_accounts/{linked_account_id}
• GET/linked_accounts
• GET/linked_accounts/{linked_account_id}
• GET/payment_runs/{payment_run_id}/fund
• POST/linked_accounts/{linked_account_id}/unlink