This FAQ is provided as a complement to the rest of this SCA documentation and our email communications.

If your query is not addressed below or in the docs, please get in touch with our teams via the Dashboard.

Functional

Is the phone number mandatory for us? How should we handle existing phone number data?

A phone number is mandatory for SCA but in the API it is optional. Your users can conveniently provide their phone number when they are redirected to the Mangopay-hosted webpage to enroll in SCA. If you wish, you can provide it via the API to pre-populate the field in on the page (read more).

If a user’s phone number is associated with another account, will they be blocked or prevented from enrolling in SCA?

No. Our system is designed to efficiently manage phone number associations.

If a user refreshes the hosted webpage or doesn’t receive the SMS, can it be resent?

Yes. If the user refreshes the page, or closes and re-opens the same link, they will remain on the OTP verification screen. The feature is designed to give users control over when they receive an OTP, ensuring that the process is transparent and efficient for them.

If a KYC/KYB document is refused due to data mismatch, can we modify the data on behalf of our users or do we need to contact them?

Only modifications to phone number and email require validation through SCA by the end user. SCA has no impact on the existing KYC processes surrounding documents or the downgrade mechanism.

Can we delay enrollment if we create the user when they are not present on our website or app?

No. For some other actions, we plan to introduce a UserPresent API parameter to indicate whether the user is taking the action or not. For enrollment, however, this is not available. If your workflow involves automatic user creation, you may be able to request a specific exemption. In such cases, it is essential that your interface offers an option for your users to complete their SCA enrollment at the appropriate time.

Please begin integrating the user-related endpoints for legal users. Soletraders, as individuals, are already able to use the SCA feature. For businesses and other types of legal user, we will turn on SCA at a later stage and notify you in advance. The new functionality will allow designated authorized individuals within a legal entity to perform SCA, rather than limiting this capability solely to the declared legal representative.

We already have SCA or MFA on our website or app. Can we use our existing feature and send validation to Mangopay through the API?

No. Applicable regulations require Mangopay to perform SCA directly with users that have a Mangopay account.

What are the specific actions that require SCA?

This is a list of the actions that will require SCA. For more details, including possible exemptions, see Actions requiring SCA.

For Mangopay account holders (that is, where UserCategory is OWNER):

  • Creating a new OWNER account (user registration)
  • Transitioning a user from PAYER category (categorization)
  • Changing contact details: phone number or email (re-enrollment)

For registration of external beneficiary accounts:

  • Registering a new bank or payment account as a Recipient (API object)

For transfers:

  • Transferring funds between account holders (between OWNER users)

For wallets:

  • Viewing account balance
  • Listing transactions

What should we expect regarding SCA for transfers between Mangopay wallets?

Only transfers initiated directly by your end users will require SCA. Automated or programmed transfers for technical purposes in workflows will not be impacted by SCA requirements, in accordance with regulatory allowances. It will also be possible to exempt low-risk and low-amount transactions, again as per the possible regulatory exemptions.

For SCA-applicable actions not taken by the user, but rather as part of automated workflows, will SCA be required?

No, not for some specific actions that are not initiated by the user. Our transfer endpoint will include a the new parameter UserPresent which, if set to false, will not trigger SCA. This mechanism can similarly be applied to automated wallet balance checks and transaction history views. Please note that it is essential that we understand the context and legal justification for such actions made without user presence, as bypassing direct user consent may incur security risks. Therefore the use of the UserPresent parameter will be subject to workflow validation and implemented on a case-by-case basis.

What happens if we perform actions on behalf of users, without their direct involvement?

When actions are executed on behalf of Mangopay account holders without direct user authentication, each case will be evaluated individually to determine the appropriate SCA process. It is essential that we understand the context and legal justification for such actions, as bypassing direct user consent could expose us to security risks. We remain committed to maintaining the highest standards of security and compliance.

When will SCA be triggered for our existing users, and how will it work?

SCA will be triggered every time an existing user performs a SCA-triggering action, such as registering a Recipient (external bank or payment account), initiating a transfer (if UserPresent is true), or viewing their wallet balance and transaction history. The dedicated enrollment endpoint allows your platform to conveniently introduce SCA enrollment for existing users in your existing user journey.

Can we do SCA with the user later if it’s triggered by an action initiated on their behalf?

No, the SCA session starts immediately when the action is triggered. The user has 10 minutes to complete the authentication on the hosted webpage before the session expires. In the future, we may explore other possibilities once our product is further developed.

Will users be restricted if a user is not enrolled in SCA?

No, no actions will be restricted. However, in future, if an end user has not completed enrollment, we may be required by regulatory authorities to take action such as removing certain permissions, blocking the account, reverting the category to Payer, or closing the account. Mangopay will notify you in advance of any such measures.

If a user completes SCA enrollment and then registers a new Recipient (external account), will they need to authenticate again?

Yes, except it may be possible to use the same session if the external account registered in the same session is in the name of the user.

Commercial and contractual

Is SCA implementation compulsory for us?

Yes, it is a regulatory obligation imposed by the PSD2 directive with the purpose of protecting you and your users against fraud and abuse. As a payment service provider (PSP), it’s our role to protect your users from credential attacks and account takeovers by verifying their identities and ensuring the legitimacy of their actions.

What happens if we don’t integrate the new endpoints? What are the consequences for us?

Implementation of SCA is mandatory. Failure to integrate the new endpoints exposes your users to fraud and abuse and would prevent us from providing payments services to them, as outlined in our terms and conditions.

Do we need to sign a contract amendment?

No, you will not be required to sign any contract amendment – our existing contract remains in effect.

We have a Merchant Agreement. How will SCA impact us?

For platforms operating under a Merchant Agreement, SCA will be integrated as part of our ongoing commitment to regulatory compliance. While implementing SCA is mandatory, we are dedicated to supporting you through the transition and ensuring a smooth experience. Detailed guidance on the specific impacts will be provided shortly.

What should we say to our end users or customers who are asking us why we’re requiring them to perform SCA?

You can convey to your end users that their security is being strengthened through the implementation of strong customer authentication (SCA) on your platform as per regulatory requirements. This enhanced security measure provides additional protection against account takeovers resulting from phishing attempts, credential attacks, and personal data breaches. By adopting SCA, you are not only prioritizing their safety but also ensuring compliance with the latest regulatory standards. You can assure your end users that you and Mangopay remain committed to delivering a secure and seamless experience.

Was this page helpful?