Standing Orders
A standing order token is used for recurring payments (installments) scheduled at regular intervals. The frequencies supported for standing orders comprise daily (DAIL), weekly (WEEK), twice-weekly (TOWK), monthly (MNTH), twice-monthly (TOMN), quarterly (QUTR), semiannually (SEMI), and yearly (YEAR).
You must also specify the startDate of the order, as well as the endDate, unless you want payments to continue indefinitely (not recommended).
Hence, if a customer wishes to authorize a standing order beginning on a startDate of 2020-08-01 and lasting until an endDate of 2022-07-31, with a frequency of MNTH, this represents 24 equal monthly payments to be executed on the first of each month or the next business day after, beginning in August of 2020 and ending July 2022.
CMA9 Standing Orders: The SDK also supports the more granular frequency settings for standing orders required by the specification, in addition to supporting variable payment amounts (first, recurring, last). Optional CMA9-specific parameters are labeled as such in the list of transfer token request fields below.
To test OBIE-CMA9 standing orders, please use Ozone Bank.
Once the token request is created, you store it, awaiting a corresponding request-id, which is returned by Token.io in a response payload. In addition to the request-id, the response payload reflects all the information you included in your original request.
Now equipped with the request-id, you can set your transfer destination(s), if you omitted a destination in the originating request, and redeem the token, thereby transferring the specified payment amount from the payer's bank account to the payee's bank account on the dates scheduled by startDate and frequency; or — for CMA9-specific orders — first_payment_date_time, next_payment_date_time, and final_payment_date_time for their respective (variable) amounts.
Tip: Remember, in the examples that follow, classes, methods and parameters are initially presented in their default Java syntax. Select the corresponding tab — Java, JavaScript or C# in the navigation bar — to display the correct syntax and field names for the SDK language chosen.
For standing orders, replace transferTokenRequestBuilder() used for the previous payment types (single immediate and future-dated) with standingOrderRequestBuilder(). Here's a sample structure for a standing order request call:
private static String initializeStandingOrderTokenRequestUrl(
Map<String, String> params,
String callbackUrl, Response response) {
double amount = Double.parseDouble(params.get("amount"));
String currency = params.get("currency");
String description = params.get("description");
TransferDestination destination = TransferDestination.newBuilder()
.setSepa(TransferDestination.Sepa.newBuilder()
.setBic("bic")
.setIban("DE16700222000072880129")
.build())
.setCustomerData(TransferInstructionsProtos.CustomerData.newBuilder()
.addLegalNames("merchant-sample-java")
.build())
.build();
LocalDate startDate = LocalDate.now();
LocalDate endDate = startDate.plusYears(1);
String refId = generateNonce();
// generate CSRF token
String csrfToken = generateNonce();
// set CSRF token in browser cookie
response.cookie(CSRF_TOKEN_KEY, csrfToken);
// create the token request
TokenRequest request = TokenRequest
.standingOrderRequestBuilder(amount, currency, "MNTH", startDate.toString(),
endDate.toString(), Collections.singletonList(destination))
.setDescription(description).setRefId(refId)
.setToAlias(merchantMember.firstAliasBlocking())
.setToMemberId(merchantMember.memberId()).setRedirectUrl(callbackUrl)
.setCsrfToken(csrfToken) // validates the session ID
// use keys in bank authorization metadata from getBanks() response
.putAllAuthorizationMetadata(new HashMap<>())
.build();
// now store the token request
String requestId = merchantMember.storeTokenRequestBlocking(request);
}
Shown above, the key fields comprising a token request for a standing order are defined in the following table.
| Field | Description | Required/ Optional |
|---|---|---|
| actingAs | Party or entity for which the to member is acting as a proxy. See Creating a Token on Behalf of another Party for details on setting the properties for this field. | Optional |
| amount |
Payment value calculated in currency. For recurring payments (standing orders), this is the payment value per scheduled transfer. For standing orders involving standard (non-variable) payments from a CMA9 bank, amount maps to first_payment, consistent with the standard. Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set its own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token.io Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions. |
Required |
| authorizationMetadata | Needed to capture additional information from the user for initial authorization by the bank, thereby allowing the user to proceed with providing consent for the initiation request. Maps the key-value pairs from the getBanks() response, where key is the name of the field and value is the value of the field. | Required |
| bankId | When specified, indicates you wish to bypass the Token.io bank selection UI and use your own bank selection UI for the request. See Using the getbanks Method. | Optional |
| callBackState | TPP-specified string that persists state between request and callback. | Optional, but recommended |
| creditor_account | CMA9-specific standing orders only. Payee's to which funds will be transferred. | Required |
| currency | ISO 4217 alpha-3 currency code. | Required |
| description |
Description of the payment with the following qualifiers:
This description field maps to description in the bank's consentRequest presented to the user. Warning: If description in a subsequent token request for lookups/changes/updates (retrieve, redeem, or cancel) doesn't match the description in the originating token request, an exception will be thrown. |
Optional |
| endDate | Specifies the end date for completing the order in ISO 8601 format (YYYY-MM-DD or YYYYMMDD). For non CMA9-specific standing orders involving a CMA9 bank, endDate maps to final_payment_date_time, consistent with the OBIE standard. |
Required |
| frequency | ISO 20022 code for the scheduled frequency of standing order payments: • DAIL – daily; once a day • WEEK – weekly; once a week • TOWK – twice weekly; two times a week • MNTH – monthly; once a month • TOMN – twice monthly; two times a month • QUTR – quarterly; once every 3 months • SEMI – semi-annually; two times each year • YEAR – annually; once a year Note: The day of the week for each installment will be based on the day of week for startDate (standard) or first_payment_date_time (CMA9-specific). For instance, if the date falls on a Wednesday, every subsequent payment will also occur on a Wednesday. However, if frequency is MNTH, the day of the month for startDate is used for standard orders (next_payment_date_time for CMA9-specific orders). Hence, if the date is the 5th of the month, all monthly installments will occur on the 5th day of each succeeding month), unless the date is the last day of the month. If so, all subsequent monthly installments will occur on the last day of each month. |
Required |
| from | member_id or alias of the user; if included, indicates you wish to bypass the Token.io user email entry UI. | Optional |
| member | The customer/user; payer of the token. | Required |
| ProviderTransferMetadata | Adds for the specified provider. | Optional |
| receiptRequested | Boolean; requests a receipt be sent to the from member's default email address. | Optional |
| final_payment | CMA9-specific standing orders only. Last and final payment in accordance with the OBIE standard. Value can be a different amount with respect to first_payment and next_payment.
Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set its own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token.io Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions. |
Required |
| final_payment_date_time | CMA9-specific standing orders only. Scheduled date and time for final_payment in accordance with the OBIE standard. Required if number_of_payments is not specified. | Required* |
| first_payment | CMA9-specific standing orders only. First or "down" payment in accordance with the OBIE standard. Value can be a different amount with respect to next_payment and final_payment.
Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set its own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token.io Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions. |
Required |
| first_payment_date_time | CMA9-specific standing orders only. Scheduled date and time for first_payment in accordance with the OBIE standard. | Required |
| next_payment | CMA9-specific standing orders only. Recurring installment payment amount scheduled by next_payment_date_time and frequency in accordance with the OBIE standard.
Precision: Recommended precision is rounding to 4 decimal places (), although the TPP can set its own desired precision. However, be aware that certain banks may handle rounding differently — some with greater precision (i.e., more decimal places), others with reduced rounding precision (fewer decimal places). The Token.io Platform strictly serves as the pipeline between the TPP and the bank, imposing no precision restrictions. |
Required |
| next_payment_date_time | CMA9-specific standing orders only. CMA9 recurring payment date and time for installments scheduled between first_payment_date_time and final_payment_date_time in accordance with the OBIE standard. | Required |
| number_of_payments | CMA9-specific standing orders only. int32 field specifying the total number of payments in accordance with the OBIE standard. Required if final_payment_date_time is not specified. | Required* |
| redirectUrl | Specifies the callback URL where your server will initiate token redemption. | Required |
| reference |
Augmenting refId and description, this is TPP-defined additional information pertinent to TPP's payments policies; for instance, could contain a full or partial credit card number when payment is being initiated for a credit card payment. Securely hashed to safeguard its transmission throughout the communication flow, this field should be considered by TPPs wishing to augment their transaction reference data for tracking and audit control. |
Optional |
| refId |
Reference identifier for the token; not to be confused with requestId. RefId is typically used by the TPP to reconcile transactions against payments received. RefId maps to tppRefId in the bank's consentRequest. It is needed to match/verify the originating token request with the bank's consent request.
Warning: A description mismatch between the originating token request and subsequent token lookups/changes/updates (retrieve, redeem, or cancel) will throw an exception. |
Required |
| remittance_information | CMA9-specfic standing orders only. Creditor reference or payment remit identification for end-to-end transaction identification in accordance with the OBIE standard. | Optional |
| risk | CMA9-specfic standing orders only. Used to specify additional details for risk scoring in accordance with the OBIE standard. | Optional |
| sourceAccountId | Account number from which the amount is being debited; set using the AccountIdentifier object, which allows four types of account identifiers:
Although setting source with the BankAccount object has been deprecated, it is still supported |
Optional |
| startDate | Date on which the standing order will begin in ISO 8601 format (YYYY-MM-DD or YYYYMMD; order will last until endDate, when specified. For non CMA9-specific standing orders involving a CMA9 bank, startDate maps to first_payment_date_time, consistent with the OBIE standard. |
Required |
| to | member_id and alias of the transfer recipient | Required |
| token_expiration | Sets the expiration date and time for the token request (default is 20 minutes); override of default value is not supported by all banks. | Optional |
| traceID | TPP-provided unique value captured by Token.io and sent across to the bank to be stored with the request throughout its lifecycle as an audit-trail aid. | Optional |
| transferDestinations |
Payment beneficiary bank account(s); where payment will be sent. Typically an for , or and Account Number(s) for . See Beneficiary Account Details for supported instruments.
Required by some banks, optional for others, the type of destination account (business or personal) is specified under transferDestinations in customerData.type as UNKNOWN, BUSINESS or PERSONAL. When not specified, the default destination account type is BUSINESS. A creditor name (customerData.legalNames) for the destination account is a required subfield parameter: transferInstructions.transferDestinations.customerData.legalNames |
Required |
| userRefId | Identifier that can be used to track a user member claimed by the TPP. | Optional |
| * CMA9-specific standing order only. Either number_of_payments or final_payment_date_time must be specified (not both) if the domestic standing order is not open ended. | ||
Caution: A is disallowed in the token request payload within the refId and description fields. In accordance with the security standard, is used for pattern matching of numeric strings that intentionally or inadvertently reveal or resemble a PAN in the refId or description of a token request. Potential PAN patterns found will now throw an exception.
Remember, whatever you specify as the transferDestination in the request will be reflected in the response. This means accuracy is extremely important here.
Payee Information
customerData within providerTransactionDetails for single transactions.
-
STET requires creditor account information.
-
CMA9, NextGenPSD2, and PolishAPI have the creditor name and account identifiers, as well as the creditor agent BIC. However, these are optional fields, so the presence of creditor account information is bank-dependent.
-
CMA9 needs the creditor agent address, whilst PolishAPI requires the creditor's address.
If you are initiating a payment to Barclays Bank UK or HSBC, the creditor name (creditorAcount.name) can be no more than 18 characters. If this limit is exceeded, the bank will reject the payment.
Otherwise, when providing creditor name and address for CMA9 international payments, bear in mind that certain banks, such as HSBC, require creditor information to process international payments, despite its designation as "optional" in the OBIE specification. To be safe with respect to CMA9 international payments, provide this information in the customerData fields of the transferDestination object. The OBIE information maps to its Token.io counterpart as follows:
| Token.io | OBIE |
|---|---|
flats
|
SubDepartment
|
house_name
|
Department
|
house_number
|
BuildingNumber
|
street
|
StreetName
|
post_code
|
PostCode
|
city
|
TownName
|
district
|
CountrySubDivision
|
country
|
Country
|
Click for additional Notes on providing creditor name and address for CMA9 international payments
Certain banks, such as HSBC, require creditor information to process international payments, despite its designation as "optional" in the OBIE specification. To be safe with respect to CMA9 international payments, provide this information in the customerData fields of the transferDestinations object, wherein the information maps to its Token.io counterpart as follows:
| Token.io | OBIE |
|---|---|
| flats | SubDepartment |
| house_name | Department |
| house_number | BuildingNumber |
| street | StreetName |
| post_code | PostCode |
| city | TownName |
| district | CountrySubDivision |
| country | Country |
These creditor post address fields can be found in Token.io's protobuffer technical reference.
As with single payments (immediate and future-dated), you can store the created request without a transfer destination and, instead, specify a transferDestinationsCallback URL for Token.io to call upon customer authentication and authorization. Or you can specify the destination when you redeem the token. Additional details can be found in Setting Transfer Destinations.