The obligations of PSPs when using the proxy directory are defined in the Nexus Rulebook. In particular:
Appropriate use of the service: The Source PSP is obliged to only send proxy resolution requests for the purpose of initiating a payment. However, the Source PSP is not obliged to complete a payment after initiating a proxy resolution (for example if the Sender decides not to proceed with the payment).
Restricted use of the data: When data is returned in response to a proxy resolution request, the PSP must use that data only for the purpose of processing this transaction, and not for any other purpose.
Confirmation of payee: Where the Recipient’s name is provided to the Source PSP (by the Proxy Directory or Destination PSP), the Source PSP must display this name to the Sender before they confirm the payment. This provides the Sender with greater confidence that they are sending funds to the correct account and reduces the chance of the proxy being used for fraud.
Prevention of abuse:
The Source PSP should monitor the number of proxy resolution requests a specific Sender makes to ensure that they are not ‘phishing’ for account details. At a basic level, this may involve imposing a timeout for the user if they look up, for example, five different proxies in a short period without initiating a payment (i.e. a rate limit on proxy resolution requests).
When sending acmt.023 proxy or account resolution requests, the Source PSP should include a unique Identification for the Sender which will allow the Proxy Directory Operator to identify whether multiple requests are initiated by the same individual in short succession. See Messaging & Translation for the correct placement of this Identification.
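One way a Source PSP could implement the basic rate limit described above, as an added example that is not part of the Nexus documentation or Rulebook. The class and method names are hypothetical, `sender_id` stands for the PSP's own identifier for the Sender, and the 10-minute window and 15-minute timeout are assumed values; only the threshold of five comes from the text.

```python
import time
from collections import defaultdict


class ProxyLookupLimiter:
    """Times a Sender out after too many distinct proxy lookups with no payment."""

    def __init__(self, max_distinct=5, window_s=600, timeout_s=900):
        self.max_distinct = max_distinct  # "five different proxies" (the page's example)
        self.window_s = window_s          # assumed meaning of "a short period"
        self.timeout_s = timeout_s        # assumed timeout length
        self._unpaid = defaultdict(dict)  # sender_id -> {proxy: last lookup time}
        self._blocked_until = {}          # sender_id -> time the timeout ends

    def is_blocked(self, sender_id, now=None):
        now = time.time() if now is None else now
        return now < self._blocked_until.get(sender_id, 0.0)

    def allow_lookup(self, sender_id, proxy, now=None):
        """Return True if the proxy resolution request may be sent."""
        now = time.time() if now is None else now
        if self.is_blocked(sender_id, now):
            return False
        unpaid = self._unpaid[sender_id]
        # Forget lookups that have aged out of the window.
        for old in [p for p, t in unpaid.items() if now - t > self.window_s]:
            del unpaid[old]
        unpaid[proxy] = now  # repeating the same proxy does not add a distinct entry
        if len(unpaid) >= self.max_distinct:
            # This request is still answered; later ones are refused until the timeout ends.
            self._blocked_until[sender_id] = now + self.timeout_s
            unpaid.clear()
        return True

    def payment_initiated(self, sender_id, proxy):
        """A lookup that led to a payment no longer counts against the Sender."""
        self._unpaid[sender_id].pop(proxy, None)


if __name__ == "__main__":
    limiter = ProxyLookupLimiter()
    # Constructed sample: one Sender resolving six different proxies, one per second.
    for i in range(6):
        print(i, limiter.allow_lookup("sender-A", f"constructed-proxy-{i}", now=float(i)))
```

Counting only lookups that did not lead to a payment keeps a Sender who pays several different recipients in a row from being timed out.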