SCA events and exemptions
The table below identifies which customer actions require SCA. Contis as the regulated entity has full control over the use of exemptions and implements these where applicable.
|CUSTOMER ACTION||CROSS REFERENCE TO TABLE BELOW||IS SCA REQUIRED?||SCA EXEMPTIONS AVAILABLE?||NOTES|
|Yes||Yes||If can only see balance or <90 days transactions, then SCA not required but 2FA SCA on login must have been performed in the last 90 days to use this exemption|
|Change address online||ID12||Yes||No|
|Change mobile online||ID13||Yes||No|
|Card Spend – Contactless||n/a||Yes||Yes||Limited by amount of all consecutive Contactless transactions|
|Card Spend – Online (includes stored card details)||ID8||Yes||Yes||Transactional Risk Analysis|
Payment out of account
P2P/Internal Transfers – Send via mobile no, email or username
|Yes||Yes||Trusted Beneficiary, Low Value Limit|
|Creation/changing a standing order|
|Trusted beneficiary added/changed/removed for payments/transfers||ID11||Yes||No||One payment to be made, before functionality available to customer|
It won’t be possible to predict for all transactions whether SCA will apply (or not), or if an exemption is available. For example, the low-value limit is set to EUR30, but not all amounts less than this will be exempted.
The use of exemptions is discretionary and also certain exemptions are only permissible where fraud levels remain under prescribed limits. Therefore, the use of exemptions is always subject to change by Contis.
The SDK has been made available to ensure that the friction introduced by PSD2 can be mitigated into quick-and-easy steps for the customer.
SCA events and SDK screen content
The below table details for each SCA event what will be shown in the SDK screen by way of Title and Description. Please refer the API reference section for a cross reference to each API linked to the SCA event.
|ID||SCA EVENT||TITLE DISPLAYED IN SDK||DESCRIPTION DISPLAYED IN SDK – SAMPLE|
|ID1||Account login*||Login||Authorise login|
|ID2||Historical transactions (> 90 days)||Login||Authorise login|
|ID3||Send money||Payment||Authorise £5.00 payment to John Smith|
|ID4||Bank transfer||Payment||Authorise £5.00 payment to John Smith|
|ID5||Internal or Third-Party transfer||Payment||Authorise £5.00 payment to John Smith|
|ID6||Pay request money||Payment||Authorise £5.00 payment to John Smith|
|ID7||Withdraw money||Payment||Authorise £5.00 payment to John Smith|
|ID8||Card spend online||Card Payment||Authorise payment £5.00 to Emirates Airlines|
card ending 4567
|ID9||Add standing order||Standing Order||Authorise standing order of £5.00 to British Gas|
|1D10||Edit standing order||Standing Order||Amend standing order to British Gas|
|ID11||Edit beneficiary status||Trusted||Change to trusted status|
|ID12||Change address online||Change Details||Change your address|
|ID13||Change mobile number online||Change Details||Change your mobile number to *******789|
|ID14||Transfer||Transfer||Authorise your transfer of £5.00|
|ID15||Pay your fees||Pay your Fees||Authorise £5.00 to pay fee|
|ID16||Device registration||Register Your Device||Authorise device registration|
*SDK is only available for 2nd FA (not 1st FA) for login to a client app.
SDK screen library
The following screen examples use a payment journey, e.g. ID3-ID7 in the table above:
‘Tap on the App’
Customer Push Notification: Please note that the biometric images are supplied by Contis and cannot at this time be themed, i.e. face recognition and fingerprint ID images.
Basics of the inactivity timer
- Contis needs to end the API session after 5 minutes (300 seconds) of inactivity from account holder in the app/portal – this will log the customer out of the Contis elements of the app/portal.
- The SDK_PostLoginDetails API method allows clients to tell Contis that the account holder is still active within the app/portal in order to refresh the 5-minute inactivity timer to allow the customer continued access.
- If the customer has been inactive for 5 minutes (300 secs), they are timed out and clients have to make a call again using the same method.
- Trigger the refresh timer – 4 mins 30 seconds (270 seconds) maximum of 4-times only
- Maximum inactivity per session – 25 mins (1500 seconds)