SCA for funds transfers

Each time a user in the European Economic Area (EEA) wants to transfer funds, you must authenticate them using SCA. To do so:

1. Initiate authentication.
2. Initiate the transfer using the sdkOutput that you got when you checked the device eligibility.
3. Authenticate your user with the Authentication SDK.
4. Finalize the transfer using the sdkOutput from the authentication step.

Before you begin

• Ensure that you have installed the Authentication SDK.
  Ensure that you have registered a device for your user.
• Ensure that your API credential has the following role:
  • TransferService Webservice Initiate role

Initiate authentication

Before initiating a transfer, you must initiate the process to authenticate your users.

The following tabs explain how to initiate authentication using Kotlin or Swift.

You will use the sdkOutput when initiating the transfer.

Initiate transfer

Let's assume that your user chooses to make a funds transfer. To start the transfer:

1. Make a POST /transfers request, specifying the following parameters in the header:

   Parameter	Type	Description
   WWW-Authenticate	Header	SCA realm: Transfer. auth-param1: Base64-encoded value of sdkOutput you get when you initiate authentication.
   amount	Body	The amount of the transfer.
   category	Body	Set to internal.
   description	Body	A human-readable description for the transfer.
   balanceAccountId	Body	The unique identifier of the source balance account.
   reference	Body	A reference of the transfer, only used internally within your balance platform.
   referenceForBeneficiary	Body	A reference that is sent to the recipient.
   counterparty.balanceAccountId	Body	The unique identifier of the target balance account.

2. Verify that the response header contains the following fields:

   • status: 401
   • auth-param1: Base64-encoded blob of data. You will need auth-param1 when you authenticate your user.

3. Verify that the response body contains the following fields:

   • amount: An object containing the amount and currency of the funds that will be transferred.
   • counterparty: An object containing information about the counterparty that will receive the funds.

   You must show this data to your user when you authenticate your user.

4. Pass auth-param1 to the SDK.

Authenticate user

When authenticating your user, PSD2 requires you to show to your user the amount and the counterparty (payee) of the transfer that the user is authenticating for. To comply with these regulations, we recommend that you implement a push notification and use the amount and counterparty fields from the response in the previous step.

To authenticate your user with the Authentication SDK:

1. Trigger the SDK to start user authentication and pass the auth-param1 value from the previous step as sdkInput.

2. Pass sdkOutput to your server.

Finalize transfer

To finalize the transfer:

1. Make a POST /transfers request, specifying the following parameters:

   The parameter values must match the ones submitted to the /transfers endpoint previously when initiating the transfer.

   Parameter	Type	Description
   WWW-Authenticate	Header	SCA realm: Transfer. auth-param1: Base64-encoded value of sdkOutput you get when you initiate authentication.
   amount	Body	The amount of the transfer.
   category	Body	Set to internal.
   description	Body	A human-readable description for the transfer.
   balanceAccountId	Body	The unique identifier of the source balance account.
   reference	Body	A reference of the transfer, only used internally within your balance platform.
   referenceForBeneficiary	Body	A reference that is sent to the recipient.
   counterparty.balanceAccountId	Body	The unique identifier of the target balance account.

2. Verify that the response header contains status authorised. This means that the authentication and the transfer request were successful.
   The following example shows a response for a successful funds transfer.