Nexus needs to be aware of the different address types (such as IBAN, account, mobile) and address inputs available in each country, so that it can provide this information to Source PSPs through the Nexus APIs. Therefore, when a new IPSO (or proxy service) is onboarded with Nexus, the IPSO must provide Nexus with reference data describing each address type and the input fields (address inputs) for that address type. This information can be provided via the Nexus Service Desk or APIs.
The IPS Operator is responsible for ensuring that the data is kept up to date.
The Nexus Scheme expects the IPS Operator to take on the responsibility for connecting its instance of the Nexus Gateway to the domestic proxy directory, particularly where:
The IPS Operator and the PDO are the same entity, AND/OR
In each country that the IPS Operator provides payment services to, there is only one PDO.
Cases where there are multiple IPSOs or multiple Proxy Directories in a particular country or jurisdiction may need to be handled differently. The approach to this scenario will be developed in a future phase of Nexus development.
In most IPS, a proxy (or "alias") cannot be used directly in a payment instruction (such as ISO 20022 pacs.008). Instead, the proxy must first be sent to the local proxy directory, via a proxy resolution request. The proxy directory service will then look up and return the corresponding account details.
Proxy Directory Operators (PDOs) provide and maintain the databases which contain a list of proxies and the accounts and FIs that each proxy is associated with.
PDOs typically provide:
A database of proxies and associated Financial Institution Identifications and Account Identifications
A method for account holders to register and deregister proxies, or change the account linked to a specific proxy, via their authorized PSPs
A method for PSPs to make a proxy resolution request to the proxy directory (i.e. sending a proxy and receiving back a Financial Institution Identification, Account Identification and name of the account holder)
In many countries (but not all), the PDO is the same entity as the Instant Payment System Operator (IPSO), and therefore the instant payment scheme and proxy resolution scheme are managed by the same entity.
The obligations of PSPs when using the proxy directory are defined in the Nexus Rulebook. In particular:
Appropriate use of the service: The Source PSP is obliged to only send proxy resolution requests for the purpose of initiating a payment. However, the Source PSP is not obliged to complete a payment after initiating a proxy resolution (for example if the Sender decides not to proceed with the payment).
Restricted use of the data: When data is returned in response to a proxy resolution request, the PSP must use that data only for the purpose of processing this transaction, and not for any other purpose.
Confirmation of payee: Where the Recipient’s name is provided to the Source PSP (by the Proxy Directory or Destination PSP), the Source PSP must display this name to the Sender before they confirm the payment. This provides the Sender with greater confidence that they are sending funds to the correct account and reduces the chance of the proxy being used for fraud.
Prevention of abuse:
The Source PSP should monitor the number of proxy resolution requests a specific Sender makes to ensure that they are not ‘phishing’ for account details. At a basic level, this may involve imposing a timeout for the user if they look up, for example, five different proxies in a short period without initiating a payment (i.e. a rate limit on proxy resolution requests).
When sending acmt.023 proxy or account resolution requests, the Source PSP should include a unique Identification for the Sender which will allow the Proxy Directory Operator to identify whether multiple requests are initiated by the same individual in short succession. See Messaging & Translation for the correct placement of this Identification.
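The rate limit on proxy resolution requests described above, sketched as an added example (not part of the Nexus documentation or any Nexus code). The class and function names, the 300-second window and the 900-second timeout are assumptions; only the threshold of five different proxies comes from the text, and the sender_id stands for the Source PSP's own unique Identification for the Sender.

```python
from collections import defaultdict, deque

class ProxyLookupLimiter:
    """Per-Sender cap on distinct proxies resolved without a payment."""

    def __init__(self, max_distinct=5, window_s=300, timeout_s=900):
        self.max_distinct = max_distinct  # "five different proxies" (from the text)
        self.window_s = window_s          # assumed meaning of "short period"
        self.timeout_s = timeout_s        # assumed lockout length
        self._lookups = defaultdict(deque)  # sender_id -> (timestamp, proxy)
        self._blocked_until = {}            # sender_id -> timestamp

    def allow_lookup(self, sender_id, proxy, now):
        if self._blocked_until.get(sender_id, float("-inf")) > now:
            return False                  # timeout still running
        q = self._lookups[sender_id]
        while q and q[0][0] <= now - self.window_s:
            q.popleft()                   # forget lookups outside the window
        unpaid = {p for _, p in q}
        if proxy not in unpaid and len(unpaid) >= self.max_distinct:
            self._blocked_until[sender_id] = now + self.timeout_s
            return False                  # refuse and start the timeout
        q.append((now, proxy))
        return True

    def payment_initiated(self, sender_id, proxy):
        # A payment to a resolved proxy is legitimate use; stop counting it.
        q = self._lookups[sender_id]
        self._lookups[sender_id] = deque(e for e in q if e[1] != proxy)

def replay(events, **limits):
    """Replay (time_s, sender_id, action, proxy) tuples; return lookup decisions."""
    limiter, decisions = ProxyLookupLimiter(**limits), []
    for t, sender, action, proxy in events:
        if action == "lookup":
            decisions.append(limiter.allow_lookup(sender, proxy, t))
        else:
            limiter.payment_initiated(sender, proxy)
    return decisions

# Constructed sample: sender "S-1" enumerates proxies, "S-2" looks up and pays.
SAMPLE = [(i, "S-1", "lookup", f"+6590000{i:03d}") for i in range(7)] + [
    (3, "S-2", "lookup", "alice@example.com"),
    (4, "S-2", "pay", "alice@example.com"),
    (20, "S-1", "lookup", "+6590000000"),    # still inside the timeout
    (1000, "S-1", "lookup", "+6590000000"),  # timeout and window have expired
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Repeat lookups of a proxy the Sender has already resolved are not counted as new, so a Sender re-checking the same payee is not penalised.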
When the PDO is enabled through Nexus, the PDO needs to fulfil the following obligations:
Availability
The PDO should have the ability to process proxy resolution requests, with the required availability (in principle 24/7/365), and with business continuity arrangements.
The PDO should maintain availability of at least 99.5%.
Accuracy
The PDO verifies, before a proxy can be shared through Nexus, that the proxy is under the control of the account holder (i.e. payee), or that the possessor of the proxy has otherwise authorized linking it to the Recipient’s account. The PDO guarantees that the proxy database will be kept current and changes made by proxy holders will be processed immediately.
The PDO is obligated to verify that the account holder name provided by the service is accurate (for example, by only allowing changes to the name associated to the proxy to be made by the PSP providing that account, rather than by the person controlling the proxy itself).
Data privacy and consent
The PDO needs to ensure that all required consents have been collected for any information disclosed to and via Nexus. The method to do this should be compliant with local standards where the information is collected.
The PDO will ensure that (contractual and implicit) privacy expectations of end users (both on the sending and receiving end of transactions) are met.
Compliance
The PDO will keep track of queries processed for the purpose of providing an audit trail to relevant parties involved.
The PDO establishes a secure channel with the Nexus Gateway for the protection of sensitive data.