Skip to content
/
TB-1221 - Transaction Ris...
Last updated

Notice of change - Transaction Risk Indicator fields available in v1 token requests

Issued: 6th November 2023 | TB-1221

What's changing?

The following new Transaction Risk Indicator (TRI) fields will be supported in:
requestPayload.transferBody.instructions.metadata.providerTransferMetadata.cma9TransferMetadata.risk
in the POST /token-requests endpoint:

  • paymentPurposeCode - to the recommended UK purpose code in the ISO 20022 payment messaging list, e.g., CASH, CORT, DVPM, INTC, TREA.

  • beneficiaryAccountType - to be provided if the account type is known, e.g., Personal or Business.

  • contractPresentIndicator - indicates whether the Payment Service Provider (PSP) has a contract with the payee and has undertaken some form of validation or due diligence on the payee; values: true or false. This field can be pre-populated by Token.io, for PSPs using Token.io's license.

  • beneficiaryPrepopulatedIndicator - indicates whether the PSP, rather than the user, has generated the Transaction Risk Indicator fields and that the user can't change them during the transaction journey; values: true or false. This field can be pre-populated by the PSP.

The following existing risk fields will continue to be supported:

  • merchantCustomerIdentification - the unique customer identifier of the user generated by the merchant (maximum 70 characters).

  • deliveryAddress - as defined by the postal address.

  • paymentContextCode - describes the context of the payment, e.g., INVALID_PAYMENT_CONTEXT_CODE, BILL_PAYMENT, ECOMMERCE_GOODS, ECOMMERCE_SERVICES, PARTY_TO_PARTY, OTHER.

The following existing risk field will be deprecated:

  • merchantCategoryCode - the category code conforming to ISO 18245, relating to the type of services or goods provided by the merchant.

Here is an example of the risk object with the new Transaction Risk Indicator fields populated:

"risk" : {
      "paymentContextCode" : "EcommerceMerchantInitiatedPayment",
      "merchantCustomerIdentification" : "053598653254"
      "contractPresentIndicator" : "false",
      "beneficiaryPrepopulatedIndicator" : "false",
      "paymentPurposeCode" : "EPAY"
      "beneficiaryAccountType" : "BUSINESS",
      "deliveryAddress" : {
            "addressLine" : [
                  "Flat 7",
                  "Acacia Lodge"
            ],
            "streetName" : "Acacia Avenue",
            "buildingNumber" : "27",
            "postCode" : "GU31 2ZZ",
            "townName" : "Sparsholt",
            "countrySubDivision" : "Wessex",
            "country" : "UK",
            "addressType" : "Business"
      }
}

What problem will this solve?

Certain OBIE banks expect these transaction risk indicator fields to be populated and will reject the request if they are not.

Does this change affect you?

This change will affect all customers making requests to certain OBIE banks. You will need to confirm with your banks whether these Transaction Risk Indicator fields are required.

What action do I need to take?

Please ensure that these Transaction Risk Indicator fields are populated in your POST /token-requests calls, if required, to prevent your requests from being rejected.

When will this change apply to all impacted customers?

This change is currently effective in the OBIE specifications.

Where can I get further information?

For assistance with the above and other operational aspects of the Token.io Account-to-Account Infrastructure, please contact Token.io Support.

Previous page
Next page