Table of Contents | ||
---|---|---|
|
Version Control
Version | Date | Author | Comments |
---|---|---|---|
3.0-draft1 | OB R/W API Team | First draft of v3 Changes to align with the structure of Accounts & Transactions API
| |
3.0-draft2 | OB R/W API Team |
| |
3.0-draft3 | OB R/W API Team | Draft 3 changes:
| |
3.0-draft4 | OB R/W API Team | Errata:
Draft 4 Changes:
| |
3.0-draft5 | OB R/W API Team | Draft 5 Changes:
| |
3.0-draft6/rc1 | OB R/W API Team | Draft6 Changes:
| |
3.0-draft7 | OB R/W API Team | Draft7 Changes:
Errata
| |
3.0-RC2 | OB R/W API Team | RC2 Changes:
| |
3.0-RC3 | OB R/W API Team | RC3 Changes:
| |
3.0 | OB R/W API Team | This is the baseline version. No change from RC3. |
Overview
This Payment Initiation API Specification describes the flows and payloads for initiating a general payment-order.
...
This specification should be read in conjunction with Read/Write Data API Specification which provides a description of the elements that are common across all the Read/Write Data APIs.
Document Overview
This document consists of the following parts:
...
Usage Examples: Examples for normal flows, and alternate flows.
Design Principles
Scheme Agnostic
The API will be designed so that it is agnostic to the underlying payment scheme that is responsible for carrying out the payment.
...
We will provide further mapping guidance to ensure that differences are understood between the Open Banking Payment API standard, and other message formats in the Domestic Payment Message Formats sub-page.
Status Codes
The API uses two status codes that serve two different purposes:
- The HTTP Status Code reflects the outcome of the API call (the HTTP operation on the resource).
The Status field for the payment-order consent reflects the status of the PSU consent authorisation.
The Status field for the payment-order resource reflects the status of the payment-order initiation or execution.
Basics
Overview
The figure below provides a general outline of a payment flow for all payment-order types using the Payment APIs. The payment-order types covered in this specification include:
...
The payment-order consent and payment-order resource in the following flow generalises for the different payment-order types. e.g. for a domestic payment, the payment-order consent resource is domestic-payment-consents; and the payment-order resource is domestic-payments.
Steps
Step 1: Agree Payment-Order Initiation
...
- If the ASPSP provides a status API, the PISP can check the status of the payment-order consent (with the ConsentId) or payment-order resource (with the payment-order resource identifier).
- This is carried out by making a GET request to the payment-order consent or payment-order resource.
Sequence Diagram
Code Block | ||||
---|---|---|---|---|
| ||||
participant PSU participant PISP participant ASPSP Authorisation Server participant ASPSP Resource Server note over PSU, ASPSP Resource Server Step 1: Agree Payment-Order Initiation end note PSU -> PISP: Agree payment-order initiation request note over PSU, ASPSP Resource Server Setup Payment-Order Consent end note PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Initiate Client Credentials Grant ASPSP Authorisation Server -> PISP: access-token PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /payment-order-consents state over ASPSP Resource Server: Consent Status: AwaitingAuthorisation ASPSP Resource Server -> PISP: HTTP 201 (Created), ConsentId note over PSU, ASPSP Resource Server Step 3: Authorize Consent end note alt Redirection (Using authorization code grant) PISP -> PSU: HTTP 302 (Found), Redirect (ConsentId) PSU -> ASPSP Authorisation Server: Follow redirect (ConsentId) PSU <-> ASPSP Authorisation Server: authenticate PSU <-> ASPSP Authorisation Server: SCA if required PSU <-> ASPSP Authorisation Server: Select debtor account if required state over ASPSP Resource Server: Consent Status: Authorised ASPSP Authorisation Server -> PSU: HTTP 302 (Found), Redirect (authorization-code) PSU -> PISP: Follow redirect (authorization-code) PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Exchange authorization-code for access token ASPSP Authorisation Server -> PISP: access-token else Decoupled (Using CIBA) PISP -> ASPSP Authorisation Server: POST /bc-authorize (login_hint_token) ASPSP Authorisation Server -> PISP: OK PSU -> ASPSP Authorisation Server: Authorise (Consent Id) PSU <-> ASPSP Authorisation Server: authenticate PSU <-> ASPSP Authorisation Server: SCA if required PSU <-> ASPSP Authorisation Server: select accounts state over ASPSP Resource Server: Consent Status: Authorised alt Using callback ASPSP Authorisation Server -> PISP: Callback (authorization-code) PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Exchange authorization-code for access token ASPSP Authorisation Server -> PISP: access-token else Using polling PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Poll at /token using auth-req-id ASPSP Authorisation Server -> PISP: access-token end alt end alt note over PSU, ASPSP Resource Server Step 4: Create Payment-Order end note PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /payment-orders state over ASPSP Resource Server: Consent Status: Consumed alt Immediate Payment state over ASPSP Resource Server: Payment Status: Pending state over ASPSP Resource Server: Payment Status: AcceptedSettlementInProcess state over ASPSP Resource Server: Payment Status: AcceptedSettlementComplete else Standing Order or Future Dated Payment state over ASPSP Resource Server: Payment Status: InitiationPending state over ASPSP Resource Server: Payment Status: InitiationCompleted end alt ASPSP Resource Server -> PISP: HTTP 201 (Created), Payment-Order Id note over PSU, ASPSP Resource Server Step 5: Get Payment-Order/Consent Status end note opt payment-order-consent PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: GET /payment-order-consents/{ConsentId} ASPSP Resource Server -> PISP: HTTP 200 (OK) payment-order-consent resource end opt opt payment-order PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: GET /payment-orders/{Payment-Order Id} ASPSP Resource Server -> PISP: HTTP 200 (OK) payment-order resource end opt option footer=bar |
Payment Restrictions
The standard does not provide a uniform set of restrictions for payment-order types that can be supported through this API.
...
An ASPSP must reject the payment-order consent if the ASPSP is unable to handle the request.
CutOffDateTime Behaviour
An ASPSP may return the specific CutOffDateTime when responding to a payment-order consent request.
...
- Reject the payment-order (and steps associated with the creation of payment-order) if received after the applicable CutOffDateTime
- Accept the payment-order (and steps associated with the creation of payment-order) if received after the applicable CutOffDateTime
Reject the Payment-Order
In this scenario, the behaviour of payment-order execution is explicit to the PISP and PSU.
...
For a payment-order consent or payment-order resource that has been rejected due to the elapsed CutoffDateTime, the PISP may decide to create corresponding schedule payment endpoint to create a new payment-order consent. E.g. if a PISP attempts to make a BACS payment after 16:00, it would be rejected. The PISP may use the /domestic-scheduled-payment-consents endpoint to create a consent for the same payment for the next working day.
Accept the Payment-Order
In this scenario, the behaviour of payment-order execution is not explicit to the PISP and PSU, and the payment-order will be executed on the next available working day.
- An ASPSP must accept the payment-order consent if the CutOffDateTime for specific payment-order type has elapsed.
- An ASPSP must accept an authorization request when the underlying intent object is associated with a CutoffDateTime that has elapsed.
- An ASPSP must accept the payment-order resource if the CutOffDateTime for specific payment-order type, has been established and has elapsed.
- An ASPSP may update the payment-order consent or payment-order resource with the CutOffDateTime, ExpectedExecutionDateTime and ExpectedSettlementDateTime - to communicate expected execution behaviour if the CutOffDateTime has elapsed.
Release Management
This section overviews the release management and versioning strategy for Payment Initiation API. It applies to all Payment Order Consent and Payment Order resources, specified in the Endpoints section.
Payment-Order Consent
POST
- A PISP must not create a payment-order consent ConsentId on a newer version and use it to create a payment-order resource in a previous version
- E.g., ConsentId created in v3, must not be used to create v1 PaymentSubmissionId
- A PISP must not create a payment-order consent ConsentId on a previous version and use it to create a payment-order resource in a newer version
- E.g., PaymentId created in v1, must not be used to create v3 DomesticPaymentId
GET
- A PISP must not access a payment-order ConsentId created in a newer version, via a previous version endpoint
- E.g., ConsentId created in v3 accessed via v1 PaymentId
- An ASPSP may choose to make ConsentIds accessible across versions
- E.g., for a PaymentId created in v1, an ASPSP may or may not make it available via v3 - as this is a short-lived consent
Payment-Order Resource
POST
- A PISP must use a payment-order consent ConsentId within the same version to create the payment-order resource (in that version)
- E.g., A v3 payment-order consent can only be used to create a payment-order resource in v3.
- An ASPSP must not allow a PISP to use a ConsentId from a previous version to create Payment Order in a newer version, and vice versa
GET
- A PISP must refer to the ASPSP's online Developer Portal for guidelines on accessibility of a payment-order resource in a newer version
- A PISP must not access the payment-order resource types introduced in a newer version, on an older version endpoint
- E.g., an international-payment created in v3, that is accessed via the v1 payment-submissions endpoint
- A PISP must not access the payment-order resource created in a newer version on an older version endpoint
- E.g., for a domestic-payment resource created in v3, access via the v1 payment-submissions endpoint is not permitted
- An ASPSP must document the behaviour on the accessibility of a payment-order resource in a newer version on ASPSP's online Developer Portal
- An ASPSP must allow access to the payment-order resource created in a previous version on a newer version endpoint (depending on an ASPSP's legal requirement for data retention):
- E.g., a payment-submission created in v1, must be accessible as a v3 domestic-payment, with sensible defaults for additional fields introduced in v3 (e.g., if an ASPSP must make payment resources available for 7 years).
- In the case where a payment-order type is same, but the structure is changed in a newer version - sensible defaults may be used, with ASPSP's Developer Portal clearly specifying the behaviour.
- E.g., a new field StatusUpdateDateTime was introduced in v3 - an ASPSPs must populate with this with the last status update time - as the StatusUpdateDateTime is a mandatory field
Endpoints
This section looks at the list of available API endpoints to complete a Payment flow and optionality (definitions of mandatory, conditional or optional are defined in the Design Principles section in Read/Write Data API Specification). For detail on the request and response objects - refer to the Data Model section of the specification.
...
Page Properties Report | ||||||||
---|---|---|---|---|---|---|---|---|
|
Security & Access Control
API Scopes
The access tokens required for accessing the Payment APIs must have at least the following scope:
Code Block | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
payments |
Grants Types
PISPs must use a client credentials grant to obtain a token to make POST requests to the payment-order consent endpoints. In the specification, this grant type is referred to as "Client Credentials".
PISPs must use grant using a redirect or decoupled flow to obtain a token to make POST requests to the payment-order resource endpoints. In the specification, this grant type is referred to as "Authorization Code".
PISPs must use a client credentials grant to obtain a token to make GET requests.
Consent Authorisation
OAuth 2.0 scopes are coarse-grained and the set of available scopes are defined at the point of client registration. There is no standard method for specifying and enforcing fine-grained scopes (e.g. a scope to enforce payments of a specified amount on a specified date).
...
The ASPSP responds with a ConsentId. This is the intent-id that is used when initiating the authorization code grant (as described in the Trust Framework).
...
Once these steps are complete, the consent is considered to have been authorised by the PSU.
Multiple Authorisation
In a multiple authorisation context, the same consent authorisation steps are followed for the first PSU to authorise or stage the payment-order consent.
...
Once the final authorisation is received by the ASPSP, the ASPSP may notify the PISP that the payment-order resource has been fully Authorised using an Event Notification (as described in the Event Notification API Specification).
Error Condition
If the PSU does not complete a successful consent authorisation (e.g. if the PSU is not authenticated successfully), the authorization code grant ends with a redirection to the TPP with an error response as described in RFC 6749 Section 4.1.2.1. The PSU is redirected to the TPP with an error parameter indicating the error that occurred.
Consent Revocation
A PSU cannot revoke a payment-order consent - once it has been authorized.
This is required to comply with Article 80 of PSD2.
Changes to Selected Account
For a payment-order consent, the selected debtor account cannot be changed once the consent has been authorized.
Consent Re-authentication
Payment consents are short-lived and cannot be re-authenticated by the PSU.
Risk Scoring Information
During the design workshops, ASPSPs articulated a need to perform risk scoring on the payments initiated via the Payment API.
...
These fields are documented further in the Data Payload section.
Swagger Specification
The Swagger Specification for Payment Initiation APIs can be downloaded from the following links:
Data Model
Reused Classes
OBRisk1
This section describes the Risk1 class - which is reused in the payment-order consent and payment-order resources.
UML Diagram
Data Dictionary
Name | Occurrence | XPath | EnhancedDefinition | Class | Codes | Pattern |
---|---|---|---|---|---|---|
OBRisk1 | OBRisk1 | The Risk section is sent by the initiating party to the ASPSP. It is used to specify additional details for risk scoring for Payments. | OBRisk1 | |||
PaymentContextCode | 0..1 | OBRisk1/PaymentContextCode | Specifies the payment context | OBExternalPaymentContext1Code | BillPayment EcommerceGoods EcommerceServices Other PartyToParty | |
MerchantCategoryCode | 0..1 | OBRisk1/MerchantCategoryCode | Category code conform to ISO 18245, related to the type of services or goods the merchant provides for the transaction. | Min3Max4Text | ||
MerchantCustomerIdentification | 0..1 | OBRisk1/MerchantCustomerIdentification | The unique customer identifier of the PSU with the merchant. | Max70Text | ||
DeliveryAddress | 0..1 | OBRisk1/DeliveryAddress | Information that locates and identifies a specific address, as defined by postal services or in free format text. | PostalAddress18 | ||
AddressLine | 0..2 | OBRisk1/DeliveryAddress/AddressLine | Information that locates and identifies a specific address, as defined by postal services, that is presented in free format text. | Max70Text | ||
StreetName | 0..1 | OBRisk1/DeliveryAddress/StreetName | Name of a street or thoroughfare. | Max70Text | ||
BuildingNumber | 0..1 | OBRisk1/DeliveryAddress/BuildingNumber | Number that identifies the position of a building on a street. | Max16Text | ||
PostCode | 0..1 | OBRisk1/DeliveryAddress/PostCode | Identifier consisting of a group of letters and/or numbers that is added to a postal address to assist the sorting of mail. | Max16Text | ||
TownName | 1..1 | OBRisk1/DeliveryAddress/TownName | Name of a built-up area, with defined boundaries, and a local government. | Max35Text | ||
CountrySubDivision | 0..2 | OBRisk1/DeliveryAddress/CountrySubDivision | Identifies a subdivision of a country, for instance state, region, county. | Max35Text | ||
Country | 1..1 | OBRisk1/DeliveryAddress/Country | Nation with its own government, occupying a particular territory. | CountryCode | ^[A-Z]{2,2}$ |
OBCharge1
This section describes the OBCharge1 class - which is reused in the response payloads in the payment-order consent and payment-order resources.
UML Diagram
Data Dictionary
Name | Occurrence | XPath | EnhancedDefinition | Class | Codes | Pattern |
---|---|---|---|---|---|---|
OBCharge1 | OBCharge1 | Set of elements used to provide details of a charge for the payment initiation. | OBCharge1 | |||
ChargeBearer | 1..1 | OBCharge1/ChargeBearer | Specifies which party/parties will bear the charges associated with the processing of the payment transaction. | OBChargeBearerType1Code | BorneByCreditor BorneByDebtor FollowingServiceLevel Shared | |
Type | 1..1 | OBCharge1/Type | Charge type, in a coded form. | Max40Text | ||
Amount | 1..1 | OBCharge1/Amount | Amount of money associated with the charge type. | OBActiveOrHistoricCurrencyAndAmount | ||
Amount | 1..1 | OBCharge1/Amount/Amount | A number of monetary units specified in an active currency where the unit of currency is explicit and compliant with ISO 4217. | ActiveCurrencyAndAmount_SimpleType | ||
Currency | 1..1 | OBCharge1/Amount/Currency | A code allocated to a currency by a Maintenance Agency under an international identification scheme, as described in the latest edition of the international standard ISO 4217 "Codes for the representation of currencies and funds". | ActiveOrHistoricCurrencyCode | ^[A-Z]{3,3}$ |
OBAuthorisation1
This section describes the OBAuthorisation1 class - which is used in the payment-order consent request and payment-order consent response payloads.
UML Diagram
Data Dictionary
Name | Occurrence | XPath | EnhancedDefinition | Class | Codes | Pattern |
---|---|---|---|---|---|---|
OBAuthorisation1 | OBAuthorisation1 | The authorisation type request from the TPP. | OBAuthorisation1 | |||
AuthorisationType | 1..1 | OBAuthorisation1/AuthorisationType | Type of authorisation flow requested. | OBExternalAuthorisation1Code | Any Single | |
CompletionDateTime | 0..1 | OBAuthorisation1/CompletionDateTime | Date and time at which the requested authorisation flow must be completed. | ISODateTime |
OBMultiAuthorisation1
This section describes the OBMultiAuthorisation1 class - which used in the response payloads of payment-order resources.
UML Diagram
Data Dictionary
Name | Occurrence | XPath | EnhancedDefinition | Class | Codes | Pattern |
---|---|---|---|---|---|---|
OBMultiAuthorisation1 | OBMultiAuthorisation1 | The multiple authorisation flow response from the ASPSP. | OBMultiAuthorisation1 | |||
Status | 1..1 | OBMultiAuthorisation1/Status | Specifies the status of the authorisation flow in code form. | OBExternalStatus2Code | Authorised AwaitingFurtherAuthorisation Rejected | |
NumberRequired | 0..1 | OBMultiAuthorisation1/NumberRequired | Number of authorisations required for payment order (total required at the start of the multi authorisation journey). | Number | ||
NumberReceived | 0..1 | OBMultiAuthorisation1/NumberReceived | Number of authorisations received. | Number | ||
LastUpdateDateTime | 0..1 | OBMultiAuthorisation1/LastUpdateDateTime | Last date and time at the authorisation flow was updated. | ISODateTime | ||
ExpirationDateTime | 0..1 | OBMultiAuthorisation1/ExpirationDateTime | Date and time at which the requested authorisation flow must be completed. | ISODateTime |
Identifier Fields
This section describes the identifiers used through the Payment API flows - the direction of flow through the system, and how they are used.
...
Generated | Identifier | Business Description |
---|---|---|
Merchant/PISP Sent in API Payload | EndToEndIdentification | The EndToEndIdentification reference is a reference that can be populated by the debtor (or merchant in the ecommerce space). This reference is important to the debtor (could be an internal reference Id against the transaction), it Is NOT the reference information that will be primarily populated on the statement of the creditor (beneficiary). |
Merchant/PISP Sent in API Payload | InstructionIdentification | PISP generates the InstructionIdentification which is a unique transaction Id and passes it to the ASPSP (this is mandatory), but this doesn’t have to go any further in the payment flow. The flow of this identifier needs to align with payment scheme rules. The expectation is that this is unique indefinitely across all time periods. The PISP can ensure this is indefinitely unique by including a date or date time element to the field, or by inserting a unique Id. |
Merchant/PISP Sent in API Payload | RemittanceInformation | The RemittanceInformation is the reference information that creditor (or beneficiary) will need to reconcile (e.g. Invoice 123). |
ASPSP / API System | ConsentId | Unique identification as assigned by the ASPSP to uniquely identify the payment-order consent resource. |
ASPSP / API System | Payment Order Id | Unique identification as assigned by the ASPSP to uniquely identify the payment-order resource. DomesticPaymentId DomesticScheduledPaymentId DomesticStandingOrderId InternationalPaymentId InternationalScheduledPaymentId |
ASPSP / Payment Scheme | Scheme Payment ID | This is generated by the ASPSP to uniquely identify a payment through a processing scheme. In the case of FPS - this is the FPID. |
...
<= upstream direction of flow
Merchant Flow
Identifier | PSU | Merchant | PISP | ASPSP Originating Bank | Payment Scheme | Beneficiary |
---|---|---|---|---|---|---|
EndToEndIdentification | O | => | => | => | => | |
RemittanceInformation | O | => | => | => | => | |
InstructionIdentification | O | => | ||||
ConsentId | <= | O | ||||
Payment Order Id | <= | O | ||||
Scheme Payment ID (e.g., FPID) | O | => | => |
Party to Party Flow
Identifier | PSU | Merchant | PISP | ASPSP Originating Bank | Payment Scheme | Beneficiary |
---|---|---|---|---|---|---|
EndToEndIdentification | O | => | => | => | ||
RemittanceInformation | O | => | => | => | => | |
InstructionIdentification | O | => | ||||
ConsentId | <= | O | ||||
Payment Order Id | <= | O | ||||
Scheme Payment ID (e.g., FPID) | O | => | => |
Payment Order Types
Each of the payment-order types are documented in sub-pages of this specification. Each payment-order type is documented with:
- Endpoints
- The API endpoints available for the resource
- Data Model
- Resource definition
- UML diagram
- Permissions as they relate to accessing the resource
- Data dictionary - which defines fields, re-usable classes, mandatory (1..1) or conditional (0..1) as defined in the Design Principles section, and enumerations
- Usage Examples
Enumerations
Static Enumerations
This section gives the definitions for enumerations used in the Payment APIs.
Code Class | Name | Definition |
---|---|---|
OBExternalPaymentContext1Code | BillPayment | The context of the payment initiation is a bill payment. |
OBExternalPaymentContext1Code | EcommerceGoods | The context of the payment initiation is a for goods via an ecommerce channel. |
OBExternalPaymentContext1Code | EcommerceServices | The context of the payment initiation is a for services via an ecommerce channel. |
OBExternalPaymentContext1Code | PartyToParty | The context of the payment initiation is a party to party payment. |
OBExternalPaymentContext1Code | Other | The context of the payment initiation is of an other type. |
OBTransactionIndividualStatus1Code | AcceptedSettlementCompleted | Settlement on the debtor's account has been completed. PISPs must not use this status as confirmation that settlement is complete on the creditor's account. |
OBTransactionIndividualStatus1Code | AcceptedSettlementInProcess | All preceding checks such as technical validation and customer profile were successful and therefore the payment initiation has been accepted for execution. |
OBTransactionIndividualStatus1Code | Pending | Payment initiation or individual transaction included in the payment initiation is pending. Further checks and status update will be performed. |
OBTransactionIndividualStatus1Code | Rejected | Payment initiation or individual transaction included in the payment initiation has been rejected. |
OBExternalConsentStatus1Code | AwaitingAuthorisation | The consent resource is awaiting PSU authorisation. |
OBExternalConsentStatus1Code | Rejected | The consent resource has been rejected. |
OBExternalConsentStatus1Code | Authorised | The consent resource has been successfully authorised. |
OBExternalConsentStatus1Code | Consumed | The consented action has been successfully completed. This does not reflect the status of the consented action. |
OBChargeBearerType1Code | BorneByCreditor | All transaction charges are to be borne by the creditor. |
OBChargeBearerType1Code | BorneByDebtor | All transaction charges are to be borne by the debtor. |
OBChargeBearerType1Code | FollowingServiceLevel | Charges are to be applied following the rules agreed in the service level and/or scheme. |
OBChargeBearerType1Code | Shared | In a credit transfer context, means that transaction charges on the sender side are to be borne by the debtor, transaction charges on the receiver side are to be borne by the creditor. In a direct debit context, means that transaction charges on the sender side are to be borne by the creditor, transaction charges on the receiver side are to be borne by the debtor. |
OBExternalAuthorisation1Code | Any | Any authorisation type is requested. |
OBExternalAuthorisation1Code | Multiple | Multiple authorisation type is requested. |
OBExternalAuthorisation1Code | Single | Single authorisation type is requested. |
OBExternalStatus1Code | InitiationCompleted | The payment-order initiation has been completed. |
OBExternalStatus1Code | InitiationFailed | The payment-order initiation has failed. |
OBExternalStatus1Code | InitiationPending | The payment-order initiation is pending. |
OBExternalStatus2Code | Authorised | The multiple authorisation flow has been fully authorised. |
OBExternalStatus2Code | AwaitingFurtherAuthorisation | The multiple authorisation flow is awaiting further authorisation. |
OBExternalStatus2Code | Rejected | The multiple authorisation flow has been rejected. |
OBExchangeRateType2Code | Actual | Exchange rate is the actual rate. |
OBExchangeRateType2Code | Agreed | Exchange rate is the agreed rate between the parties. |
OBExchangeRateType2Code | Indicative | Exchange rate is the indicative rate. |
OBPriority2Code | Normal | Priority is normal. |
OBPriority2Code | Urgent | Priority is urgent. |
OBAddressTypeCode | Business | Address is the business address. |
OBAddressTypeCode | Correspondence | Address is the address where correspondence is sent. |
OBAddressTypeCode | DeliveryTo | Address is the address to which delivery is to take place. |
OBAddressTypeCode | MailTo | Address is the address to which mail is sent. |
OBAddressTypeCode | POBox | Address is a postal office (PO) box. |
OBAddressTypeCode | Postal | Address is the complete postal address. |
OBAddressTypeCode | Residential | Address is the home address. |
OBAddressTypeCode | Statement | Address is the address where statements are sent. |
Namespaced Enumerations
LocalInstrument
This field is used to indicate the ASPSP's payment service to be used for making a payment.
...
UK.OBIE.SEPACreditTransfer
UK.OBIE.SEPAInstantCreditTransfer
UK.OBIE.SWIFT
UK.OBIE.Target2
UK.OBIE.Euro1
ChargeType
This field is used to indicate the type of fee/charge to be applied to the payment-order.
...
The enumerated values are available as part of the Open Data Standard are documented in Developer Zone. The values will be prefixed by UK.OBIE
. e.g.:
UK.OBIE.CHAPSOut
FileType
This field is used to indicate the file-type that is being submitted as part of a file-payment payload.
...
The UK.OBIE.PaymentInitiation.3.0 FileType is specified when an array of payments, which are compliant with the OBIE Initiation objects in the v3.0 standard, are staged in a .json file for the payment initiation.
Alternative and Error Flows
Idempotent Payment Order Consent
Note, this flow has been generalised for all payment-order types.
...
Code Block | ||||
---|---|---|---|---|
| ||||
participant PSU participant PISP participant ASPSP Authorisation Server participant ASPSP Resource Server note over PSU, ASPSP Resource Server Step 2: Setup Payment Order Consent (generalised for all payment orders) end note PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Initiate Client Credentials Grant ASPSP Authorisation Server -> PISP: token PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /payment-order-consents (x-idempotency-key={pisp-guid-1}) ASPSP Resource Server -> ASPSP Resource Server: Create new resource (ConsentId=1001) alt unexpected failure PISP -> ASPSP Resource Server: POST /payment-order-consents (x-idempotency-key={pisp-guid-1}) note right of ASPSP Resource Server The resource server recognizes that this is the same request as earlier. A new resource is not created. The ConsentId remains the same (e.g. 1001) as above. The status of the resource may be different if it has changed. This operation can be retried multiple times if required. end note end alt ASPSP Resource Server -> PISP: HTTP 201(Created), ConsentId=1001 PISP -> PSU: Redirect (ConsentId) option footer=bar |
Idempotent Payment Order
Note, this flow has been generalised for all payment-order types.
...
Code Block | ||||
---|---|---|---|---|
| ||||
participant PSU participant PISP participant ASPSP Authorisation Server participant ASPSP Resource Server note over PSU, ASPSP Resource Server Step 4: Create payment-order (generalised for all payment orders) end note PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /payment-orders ConsentId = 1001, x-idempotency-key={pisp-guid-2} alt PISP attempts to POST to /payment-orders with same ConsentId PISP -> ASPSP Resource Server: POST /payment-orders ConsentId = 1001, x-idempotency-key={pisp-guid-2} ASPSP Resource Server -> PISP: HTTP 201 (Created), PaymentOrderId note right of ASPSP Resource Server The resource server recognizes that this is the same request as earlier. A new resource is not created. The PaymentOrderId remains the same as above. The status of the resource may be different if it has changed. The operation can be retried multiple times if required. end note end alt option footer=bar |
Multi-Auth Payment Order Consent
Code Block | ||||
---|---|---|---|---|
| ||||
autonumber participant PSU Initial Authoriser participant PSU Final Authoriser participant PISP participant ASPSP Authorisation Server participant ASPSP Resource Server note over PSU Initial Authoriser, ASPSP Resource Server Step 1: Agree domestic payment Initiation end note PSU Initial Authoriser -> PISP: Agree domestic payment initiation request note over PSU Initial Authoriser, ASPSP Resource Server Step 2: Setup Payment-Order Consent end note PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Initiate Client Credential Grant ASPSP Authorisation Server -> PISP: access-token PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /domestic-payment-consents state over ASPSP Resource Server: Consent Status: AwaitingAuthorisation ASPSP Resource Server -> PISP: HTTP 201 (Created),ConsentId PISP -> PSU Initial Authoriser: HTTP 302 (Found),Redirect (ConsentId) note over PSU Initial Authoriser, ASPSP Resource Server Step 3: Authorize Consent - Initial Authoriser end note PSU Initial Authoriser -> ASPSP Authorisation Server: Follow redirect (ConsentId) PSU Initial Authoriser <-> ASPSP Authorisation Server: Authenticate (SCA if required) and Authorise consent state over ASPSP Resource Server: Consent Status: Authorised ASPSP Authorisation Server -> PSU Initial Authoriser: HTTP 302 (Found), Redirect (authorization-code) PSU Initial Authoriser -> PISP: Follow redirect (authorization-code) PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Exchange authorization-code for access token ASPSP Authorisation Server -> PISP: access-token note over PSU Initial Authoriser, ASPSP Resource Server Step 4: Create Payment-Order end note PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /domestic-payments ASPSP Resource Server -> PISP: HTTP 201 (Created) DomesticPaymentId state over ASPSP Resource Server: Consent Status: Consumed state over ASPSP Resource Server: Payment Status: Pending state over ASPSP Resource Server: MultiAuthorisation Status: AwaitingFurtherAuthorisation note over PSU Initial Authoriser, ASPSP Resource Server Step 5: Authorize Consent - Final Authoriser end note PSU Final Authoriser -> ASPSP Authorisation Server: Authenticate (SCA if required) and Authorise consent state over ASPSP Resource Server: MultiAuthorisation Status: Authorised state over ASPSP Resource Server: Payment Status: AcceptedSettlementInProcess state over ASPSP Resource Server: Payment Status: AcceptedSettlementComplete alt If PISP has registered a URL for event notification ASPSP Resource Server -> PISP: POST /event-notifications PISP -> ASPSP Resource Server: HTTP 200 (OK) PISP -> ASPSP Resource Server: GET /domestic-payments/{DomesticPaymentId} ASPSP Resource Server -> PISP: HTTP 200 (OK) domestic-payment resource else PISP may poll payment order status loop PISP -> ASPSP Resource Server: GET /domestic-payments/{DomesticPaymentId} ASPSP Resource Server -> PISP: HTTP 200 (OK) domestic-payment resource end end option footer=bar |
Reject the Payment Order Consent Creation After CutOffDateTime
This example illustrates the scenario when ASPSP choses to Reject the Payment-Order consent/resource request, after CutoffTime. We have a CHAPS payment-order consent created after the CutOffDateTime, and ASPSP rejects the Consent, and PISP chooses to place a Scheduled Payment-Order consent.
...
Code Block | ||||
---|---|---|---|---|
| ||||
autonumber participant PSU participant PISP participant ASPSP Authorisation Server participant ASPSP Resource Server note over PSU, ASPSP Resource Server Step 1: Agree Domestic Payment-Order initiation end note PSU <-> PISP: Initiate a funds transfer PSU -> PISP: Select debtor and creditor accounts note over PSU, ASPSP Resource Server Step 2: Setup Domestic Payment Consent end note PISP <-> ASPSP Authorisation Server: Establish TLS 1.2 MA PISP -> ASPSP Authorisation Server: Initiate Client Credentials Grant ASPSP Authorisation Server -> PISP: access-token PISP <-> ASPSP Resource Server: Establish TLS 1.2 MA PISP -> ASPSP Resource Server: POST /domestic-payment-consents note over PISP, ASPSP Resource Server CHAPS Payment cutoff time expired, so consent initiation is rejected end note ASPSP Resource Server -> PISP: HTTP 400 (BAD_REQUEST) PISP -> PSU: Try setting up a Scheduled Payment note over PSU, ASPSP Resource Server Step 3: Setup Domestic Scheduled Payment Consent end note note over PSU, ASPSP Resource Server Step 4: Authorize consent end note note over PSU, ASPSP Resource Server Step 5: Create Domestic Scheduled Payment-Order end note note over PSU, ASPSP Resource Server Step 6: Get Domestic Scheduled Payment-Order status end note option footer=bar |
Reject the Payment Order Creation After CutOffDateTime
This example illustrates the scenario when ASPSP choses to Reject the Payment-Order consent/resource request, after CutoffTime. We have a CHAPS payment-order Consent created and the Authorisation completed before the CutOffDateTime, but the Payment-Order submission happened after CutOffDateTime, so ASPSP rejected it.
...