Appendix

    SCA events and exemptions

    The table below identifies which customer actions require SCA. Contis, as the regulated entity, has full control over the use of exemptions and implements these where applicable.

    | Customer Action | Cross reference to table below | Is SCA required? | SCA Exemptions available? | Notes |
    | --- | --- | --- | --- | --- |
    | Account Login* | ID1, ID2 | Yes | Yes | If the customer can only see the balance or <90 days of transactions, then SCA is not required, but 2FA SCA on login must have been performed in the last 90 days to use this exemption |
    | Change address online | ID12 | Yes | No | |
    | Change mobile online | ID13 | Yes | No | |
    | Card Spend - Contactless | n/a | Yes | Yes | Limited by amount of all consecutive Contactless transactions |
    | Card Spend - Online (includes stored card details) | ID8 | Yes | Yes | Transactional Risk Analysis |
    | Bank Transfer/Payment Out of Account; P2P/Internal Transfers - Send via mobile no, email or username | ID3, ID4, ID5, ID6, ID7, ID14 | Yes | Yes | Trusted Beneficiary, Low Value Limit |
    | Creation/changing a standing order | ID9, ID10 | Yes | No | |
    | Trusted beneficiary added/changed/removed for payments/transfers | ID11 | Yes | No | One payment to be made, before functionality available to customer |

    It won’t be possible to predict for all transactions whether SCA will apply (or not), or if an exemption is available. For example, the low-value limit is set to EUR30, but not all amounts less than this will be exempted.

    The use of exemptions is discretionary, and certain exemptions are only permissible where fraud levels remain under prescribed limits. Therefore, the use of exemptions is always subject to change by Contis.

    The SDK has been made available so that the friction introduced by PSD2 can be reduced to quick and easy steps for the customer.

    SCA events and SDK screen content

    The table below details, for each SCA event, what will be shown in the SDK screen as Title and Description. Please refer to the API reference section for a cross reference to each API linked to the SCA event.

    | ID | SCA Event | Title Displayed in SDK | Description Displayed in SDK - Sample |
    | --- | --- | --- | --- |
    | ID1 | Account Login* | Login | Authorise login |
    | ID2 | Historical Transactions (> 90 days) | Login | Authorise login |
    | ID3 | Send Money | Payment | Authorise £5.00 payment to John Smith |
    | ID4 | Bank Transfer | Payment | Authorise £5.00 payment to John Smith |
    | ID5 | Internal or Third-Party Transfer | Payment | Authorise £5.00 payment to John Smith |
    | ID6 | Pay Request Money | Payment | Authorise £5.00 payment to John Smith |
    | ID7 | Withdraw Money | Payment | Authorise £5.00 payment to John Smith |
    | ID8 | Card Spend Online | Card Payment | Authorise payment £5.00 to Emirates Airlines card ending 4567 |
    | ID9 | Add Standing Order | Standing Order | Authorise standing order of £5.00 to British Gas |
    | ID10 | Edit Standing Order | Standing Order | Amend standing order to British Gas |
    | ID11 | Edit Beneficiary Status | Trusted | Change to trusted status |
    | ID12 | Change Address Online | Change Details | Change your address |
    | ID13 | Change Mobile Number Online | Change Details | Change your mobile number to *******789 |
    | ID14 | Transfer | Transfer | Authorise your transfer of £5.00 |
    | ID15 | Pay Your Fees | Pay your Fees | Authorise £5.00 to pay fee |
    | ID16 | Device registration | Register Your Device | Authorise device registration |

    *SDK is only available for 2nd FA (not 1st FA) for login to a client app.

    SDK Screen Library

    The following screen examples use a payment journey, e.g. ID3-ID7 in the table above:

    ‘Tap on the App’

    Facial Recognition

    Fingerprint

    OTP

    mPIN

    Password

    Customer Push Notification: Please note that the biometric images are supplied by Contis and cannot at this time be themed, i.e. face recognition and fingerprint ID images.

    Inactivity Timer

    Basics of the inactivity timer

    • Contis needs to end the API session after 5 minutes (300 seconds) of inactivity from the account holder in the app/portal. This will log the customer out of the Contis elements of the app/portal.
    • The SDK_PostLoginDetails API method allows clients to tell Contis that the account holder is still active within the app/portal, which refreshes the 5-minute inactivity timer and allows the customer continued access.
    • If the customer has been inactive for 5 minutes (300 seconds), they are timed out and clients have to make a call again using the same method.
    • Trigger the refresh timer – 4 minutes 30 seconds (270 seconds), a maximum of 4 times only
    • Maximum inactivity per session – 25 minutes (1500 seconds)
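
A sketch of the client-side schedule these bullets imply, as an added example that is not Contis or SDK code. It assumes the app sends the refresh only when the account holder has interacted since the last timer reset, and that the refresh count is tracked client-side; `InactivityTimer`, `note_user_activity`, `poll` and `simulate` are hypothetical names, and the UI-event times are constructed.

```python
from dataclasses import dataclass

# Values taken from the inactivity-timer bullets above.
SESSION_TIMEOUT_S = 300    # Contis ends the API session after this much inactivity
REFRESH_AT_S = 270         # point at which the client triggers the refresh
MAX_REFRESHES = 4          # the refresh may be used at most 4 times
MAX_INACTIVITY_S = 1500    # maximum inactivity per session


@dataclass
class InactivityTimer:
    started: float = 0.0         # last real Contis API call (start of the idle window)
    last_reset: float = 0.0      # last time the 5-minute timer was (re)started
    last_ui_event: float = -1.0  # last local user interaction (assumed app signal)
    refreshes: int = 0

    def note_user_activity(self, now: float) -> None:
        self.last_ui_event = now

    def poll(self, now: float) -> str:
        """Return 'expired', 'refresh' (call SDK_PostLoginDetails now) or 'wait'."""
        idle = now - self.last_reset
        if idle >= SESSION_TIMEOUT_S or now - self.started >= MAX_INACTIVITY_S:
            return "expired"
        # Assumption: only vouch for the user if they were seen since the last reset.
        user_seen = self.last_ui_event > self.last_reset
        if idle >= REFRESH_AT_S and user_seen and self.refreshes < MAX_REFRESHES:
            self.refreshes += 1
            self.last_reset = now
            return "refresh"
        return "wait"


def simulate(ui_events, step=10, horizon=2000):
    """Drive the timer over constructed UI-event times; return (refresh_times, expired_at)."""
    timer, pending, refreshed = InactivityTimer(), sorted(ui_events), []
    for now in range(0, horizon + 1, step):
        while pending and pending[0] <= now:
            timer.note_user_activity(pending.pop(0))
        action = timer.poll(now)
        if action == "refresh":
            refreshed.append(now)
        elif action == "expired":
            return refreshed, now
    return refreshed, None


if __name__ == "__main__":
    print(simulate(range(60, 2000, 60)))  # user active in the app throughout
    print(simulate([]))                   # user never touches the app
```

Under these assumptions, a user who stays active in the app but makes no other Contis call is refreshed at 270, 540, 810 and 1080 seconds and timed out at 1380 seconds, inside the 1500-second cap.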