Confirmation of Payee — Requirements v2.1
The User Journeys for this service also apply and must be adhered to.
The tables below list the validation rules that apply to Confirmation of Payee. The "Validated by" column indicates where each rule is enforced.
All requests require an active Trust Framework application with the BSIP role, a valid transport certificate presented on every request via mTLS, and an active signing key for JWT signing.
Mandatory CoP Requirement
For all Open Finance account-to-account transfers where the creditor is unknown to the TPP — for example, entered by the customer at the time of payment — a Confirmation of Payee request must be made prior to consent creation, provided the receiving bank supports the CoP service.
A creditor is considered unknown when the TPP does not already hold a verified record of the payee (for example, a pre-enrolled beneficiary confirmed by a prior successful CoP check). Where CoP has been performed, the full raw JWS response from the /confirmation endpoint must be included in the ConfirmationOfPayeeResponse field of the creditor entry in the payment consent PII.
POST /discovery — Payee Discovery
| # | Field | Rule | Validated by |
|---|---|---|---|
| 1 | Authorization | Must contain a valid Bearer access token obtained via a client_credentials grant with the confirmation-of-payee scope. | API Hub |
| 2 | Request body | Must be a compact signed JWT (Content-Type: application/jwt). | API Hub |
| 3 | message.Data.Identification | Required. Must be a valid UAE IBAN. | API Hub |
| 4 | OpenAPI schema | The request must conform exactly to the POST /discovery OpenAPI schema. No additional or undocumented parameters are permitted. | API Hub |
| 5 | x-fapi-interaction-id | Should be included. Should be a valid UUID (RFC 4122). An invalid value will not cause a failure but tracing will not be possible. | N/A |
POST /confirmation — Name Match
| # | Field | Rule | Validated by |
|---|---|---|---|
| 1 | Authorization | Must contain a valid Bearer access token obtained via a client_credentials grant with the confirmation-of-payee scope. | API Hub |
| 2 | Request body | Must be a compact signed JWT (Content-Type: application/jwt). | API Hub |
| 3 | message.Data.Identification | Required. Must be a valid UAE IBAN. | API Hub |
| 4 | ConfirmationOfPayeeResponse in PII | Where CoP has been performed, the full raw JWS response string from /confirmation must be included in the ConfirmationOfPayeeResponse field of the creditor entry in the payment consent PII. | TPP |
| 5 | OpenAPI schema | The request must conform exactly to the POST /confirmation OpenAPI schema. No additional or undocumented parameters are permitted. | API Hub |
| 6 | IBAN not recognised | If the IBAN is not recognised, the response will be 204 with no body. | LFI |
| 7 | Account state | The account identified by the IBAN must not be blocked from receiving payments. If the account is blocked for a temporary reason (e.g. account status is Suspended), the response will be 403 with errorCode: Consent.AccountTemporarilyBlocked and errorMessage: The account is blocked from receiving payments. If the account is blocked permanently (e.g. account status is Closed, Deceased, or Unclaimed), the response will be 403 with errorCode: Consent.PermanentAccountAccessFailure and errorMessage: The account is blocked from receiving payments. | LFI |
| 8 | x-fapi-interaction-id | Should be included. Should be a valid UUID (RFC 4122). An invalid value will not cause a failure but tracing will not be possible. | N/A |
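
A TPP-side sketch of the checks in the tables above, added here as an example and not part of the specification: it validates the UAE IBAN and x-fapi-interaction-id before sending, then maps a /confirmation response to the value stored in ConfirmationOfPayeeResponse. The function names are hypothetical, the caller is assumed to have already extracted errorCode from a 403 response, and a successful check is assumed to be HTTP 200 with the compact JWS as the body.

```python
import re
import uuid

UAE_IBAN = re.compile(r"AE[0-9]{21}")  # AE + 2 check digits + 19-digit BBAN = 23 chars
BLOCKED = {  # 403 errorCode values from the /confirmation table
    "Consent.AccountTemporarilyBlocked": "blocked_temporary",
    "Consent.PermanentAccountAccessFailure": "blocked_permanent",
}

def is_valid_uae_iban(iban):
    """Country and length check, then the ISO 13616 mod-97 checksum."""
    s = iban.replace(" ", "").upper()
    if not UAE_IBAN.fullmatch(s):
        return False
    moved = s[4:] + s[:4]  # country code and check digits go last
    digits = "".join(str(int(c, 36)) for c in moved)  # A=10 ... Z=35
    return int(digits) % 97 == 1

def is_valid_interaction_id(value):
    """Canonical hyphenated UUID with the RFC 4122 variant bits."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, TypeError, AttributeError):
        return False
    return str(parsed) == value.lower() and parsed.variant == uuid.RFC_4122

def confirmation_outcome(status, raw_body="", error_code=None):
    """Return (outcome, value for ConfirmationOfPayeeResponse or None)."""
    if status == 204:  # IBAN not recognised, no body
        return ("iban_not_recognised", None)
    if status == 403 and error_code in BLOCKED:
        return (BLOCKED[error_code], None)
    # Assumption: a successful check is HTTP 200 with the compact JWS as body.
    if status == 200 and re.fullmatch(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+){2}", raw_body):
        return ("checked", raw_body)  # stored verbatim, never decoded and re-encoded
    return ("unexpected", None)

if __name__ == "__main__":
    # Constructed sample values, not a real account or a real response.
    print(is_valid_uae_iban("AE07 0331 2345 6789 0123 456"))
    print(is_valid_interaction_id("123e4567-e89b-42d3-a456-426614174000"))
    print(confirmation_outcome(204))
```

Keeping the response as the exact string received matters because a JWS signature covers the encoded segments, so a decoded and re-serialised copy would no longer verify.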
