Block mobile number change for 24 hours after account password change or email address change
As a measure to improve the security of information belonging to end-customers, we are introducing a new rule that will help securing user’s account.
If a user changes their password (via the reset password flow)
/passwords/lost_password/start
/passwords/lost_password/resume
they will not be able to change the mobile number in the next 24 hours.
This guards against account-hijack risks by keeping the mobile number unchanged to receive security notifications, and preventing takeover of second-factor authentication.
Longer Requires_SCA validity for wire transfers and Sends
Until now, SCA authorisation for OWT and Send payments has allowed a pending/pending_challenge status for up to 30 minutes.
As more businesses use embedded payments within multi-party approval workflows, this may not be enough time for an approving person to complete the SCA step on a pending payment, especially where users are dealing with forward-dated or bulk payments (both features we are releasing soon). Accordingly we have increased the timeout to 7 days to accommodate these use cases.
Block list of commonly encountered spam or throwaway email domains
Working with accurate data and verifiable user-identities is essential to a well run embedded finance programme.
One problem that can face embedders, is end-users registering accounts with throwaway email domains. This could mean those users lose access to the email address, and is a common sign of invalid users, including potentially malicious sign ups.
Therefore we have implemented throughout our systems, a block list of commonly encountered temporary or spam email domains. We will validate all sign ups against this list and block any attempt to register with an email addresses from these domains.
Error 409 - "Email_Domain_Not_Allowed" - will be returned if an email domain on the list is used.
We review and maintain this block list regularly. However, please contact us if you feel sign ups are being blocked incorrectly.
Bulk Transactions
There are often times that end customers want to work through a list or batch of payments, and doing this one by one can be rather slow and inefficient.We’re introducing a new Bulk Transactions feature which enables Embedders to present a new workflow to end customers where they can execute multiple payments under a single SCA approval. The individual payments will be automated and status of each, plus the overall Bulk Transaction, communicated via webhooks.Both OWTs and Sends can be used as the payment method in Bulk Transactions.
Bulk Transactions can also handle mixtures of GBP and EUR in the Payables, provided a Corporate has funding accounts in the right currencies.If all Payables in a Bulk Transaction list are to Payees previously registered in a Corporate Trusted Payees list then an SCA exemption can be applied, further reducing friction in business payments use cases.
Sender ID of SMS OTPs to Singaporean phone numbers (+65)
We have updated the Sender ID of the SMS OTP for card transactions of cardholders with a Singapore mobile number (+65). This will now show as being originated by “Thredd”, and will ensure the SMS message is not blocked due to an unregistered Sender ID. This is as a result of a regulatory change in Singapore coming into effect on 31st July that requires all SMS Sender IDs to be registered.