copyWIP-Establishing a card programme

Cards Overview

The 'Cards' section integrated the option for Directors and Account Owners to issue physical and virtual debit cards from the web and apps, as well as manage them in SME and CONSUMER. Also, from the Admin portal users will be able to manage and see card details by clients and users.

---

High-Level requirements

• Admin cards configuration by BaaS and customer
• Cards management
  • SCA Questions for all cardholders (Modulr only)
  • Issue new virtual card
  • Issue new physical card
  • Activate physical card
  • Block virtual or physical card
  • Unblock virtual or physical card
  • Cancel virtual or physical card
  • View PIN from physical card
  • View card details
  • View secure card details
  • Set card limits when issuing a card
  • Modify card limits
  • Change card alias
  • View card list
• View all card transactions

Product requirements:

- Admin portal configuration:

-Banking provider cards setup

To enable cards in the banking proposition it's necessary to have previously signed an agreement with the Banking provider in order to get all the data required to do the setup in the Admin portal. Once the BaaS has provided all the data, Toqio's internal team will be able to create the customer and fill up all required fields in the Admin during customer creation.

However, it is important to mention that banking providers that offer cards will have different configurations.

• Railsbank setup:

To make available cards in the Admin portal for a Modulr customer, the first step is selecting the types of cards for BUSINESS and/or CONSUMER. Then the selection of the partner product by currency. In the case of Railsbank cards EUR, GBP, and EU_1 (Euros in Lithuania) will be the available currencies.

• Cards programmes

Each customer will receive from Railsbank the corresponding card programmes for the cards contracted related to the partner product that was also contracted. Therefore, in the case of contract Business and Consumer cards, Toqio's internal team (informed by the customers) will need to choose each option in the Admin portal, by selecting the corresponding cards by platform (Business and/or Consumer).

Therefore, depending on the partner products also contracted by the customer, the card programmes need for setup will be according to this agreement. So a Business or Consumer card programme will be required by each partner product.

So, when a partner product is selected for each platform (Business and/or Consumer) the following fields will be required to configure the card programmes:

• Physical cards:
  • Physical card programme (currency)
  • Physical card design (currency)
• Virtual cards:
  • Virtual card programme (currency)
  • Virtual card design (currency)

Important! All fields must be filled as the card's functionality does not differentiate by physical or virtual cards. Therefore, the ON/OFF option in the Admin portal applies to all card types. In case of missing a product code for any of the card types, we will get an error from Railsbank.

• EML setup:

Currently, it is not possible to set up cards for EML customers (previously PFS) in the Admin portal. This configuration has to be made directly in the database.

• Modulr cards setup:

In the case of Modulr customers, the first step is selecting if the customer wants cards for BUSINESS and/or CONSUMER. The selection of currency will appear after. In the case of Modulr cards, EUR and GBP will be the available currencies.

Once this is done, the correspondent card types for each platform will be visible to insert card product codes provided by Modulr by currency and card types.

• Cards product codes:

Each customer will receive from Modulr the corresponding codes for the cards contracted. So, in the case of contract Business and Consumer cards, the Delivery Team (informed by the customer) will need to choose each option in the Admin portal by selecting the corresponding cards by platform (Business and/or Consumer).

Therefore, depending on the partner products also contracted by the customer, the card programmes need for setup will be according to this agreement. So a business physical product code in EUR and GBP will be required, there's a difference between them.

Once Business and/or Consumer cards are selected, then the product code fields by platform and currency will be shown to be included.

• Business
  • Physical cards: product code and card reference and packaging reference are mandatory and to be provided by Modulr.
    • Product code: ex. O120001F
    • Card reference: ex. CpayCard
    • Packaging reference: ex. CpayCard
  • Virtual cards: product code is mandatory and to be provided by Modulr.
    • Product code: ex. O120001M
• Consumer
  • Physical cards (same as the example above)
    • Product code
    • Card reference
    • Packaging reference
  • Virtual cards (same as the example above)
    • Product code

Important! All fields must be filled as the card's functionality does not differentiate by physical or virtual cards. Therefore, the ON/OFF option in the Admin portal applies to all card types. In case of missing a product code for any of the card types, we will get an error from Modulr.

• Company configuration

Aside from the current standard configuration for all Banking providers, Modulr includes an extra mandatory field for customer creation.

• Expected monthly spend: to provide the estimated expected monthly spend. This field must accomplish the following requirements. If not, an error message will be prompted.
• Type: integer (positive or negative number or zero)
• Min length: 0
• Max length: 2147483647

As explained by Modulr, this field is mandatory for back-end Modulr operations, and used for velocity controls but not for transaction monitoring.

- Card brand and design

• Railsbank:

Railbanks as a Banking Provider offers their customers Mastercard and Visa as card schemes.

• EML:

EML as a Banking Provider offers their customer XXX card scheme.

Modulr card brand

Modulr as a Banking provider offers their customers Visa as a card scheme.

As per Modulr requirements, we have to introduce in all customers' card designs the legend: Powered by Modulr - Limited use - Virtual account.

- Cards management

Cards integration for the different banking providers has been implemented in SME and CONSUMER webs and apps.

Following the high-level requirements specified before, in this section, you can find the full explanation of card functionality that can be done by a Director (SME) or an Account Owner (CONSUMER) and the main functionality available for cardholders. As well as the specification by BaaS as main differences will be marked and detailed.

---

- What can a Director or an Account Owner do for another user or for oneself?

• SCA Questions required before issuing a new card:
  • As a Modulr Strong Customer Authentication requirement, all team users will need to answer from 1 to 5 security questions during setup credentials on the onboarding process.
  • When a Director or Account Owner adds a new team member, the new user must answer the SCA Questions during the onboarding process of setting up their credentials.
  • If security questions are not answered during the onboarding process, cards will not be able to be issued for that team member and a warning message will appear to each team member in the Team section when selecting the cardholder from the Cards section.
• Issue a new virtual card:
  • A Director is the only role that can issue a new virtual card for a team member.
  • User flow to issue a virtual card is the same for SME and CONSUMER, and also for all banking providers, except for card limits which differ between Railsbank, EML, and Modulr. The flow is as below:
    • Director goes to the 'Cards' section
    • Select 'New card' at the top right button

• Select virtual debit card as card type

• Select the cardholder's account and add a name to be placed on the card

• Modulr Directors or Account Owners will see a warning message if the user has not answered the security questions yet

• Set card limits when issuing a virtual card:
  • Railsbank and EML virtual card limits are:
    • Business and consumer cards
      • Limit per transaction: maximum and minimum amount per transaction
        • Min: 1 GBP / 1 €
        • Max: 100.000 GBP / 115.000 €
      • Daily limit: maximum and minimum amount to be spent in a day
        • Min: 1 GBP / 1 €
        • Max: 100.000 GBP / 115.000 €
      • Monthly limit: maximum and minimum amount to be spent in a month
        • Min: 1 GBP / 1 €
        • Max: 250.000 GBP / 290.000 €

• Modulr virtual card limits are:
  • Business and consumer cards.
  • Lifetime spend limit: the total amount that can be spent on a card's lifetime. Once the card reaches the limit, it will be cancelled and no longer available.
    • Min: 1 GBP / 1 €
    • Max: 250.000 GBP / 295.000 €
  • Transaction limit: maximum and minimum amount per transaction. It will be specified that once the card is issued, this limit cannot be modified later.
    • Min: 1 GBP / 1 €
    • Max: 250.000 GBP / 295.000 €

• Confirm details

• Insert security code
  • If the security code is correct, the card will be issued and active after it, and the user can already start using it.
  • If not, an error message will be shown and the card will not be created.

• Issue a new physical card:
  • A Director is the only role that can issue a new physical card for a team member.
  • User flow to issue a physical card is the same for SME and CONSUMER, and also for all banking providers, except for card limits which differ between Railsbank, EML and Modulr. The flow is as below:
    • Director goes into the 'Cards' section
    • Select'New card' on the top right button
    • Select physical debit card as card type
    • Select cardholder and account and add a name to be printed on the card:
      • The name on the card must have between 1 and 21 characters (Modulr allows up to 20 characters to be shown on plastic cards. However, we allow up to 21 characters on other BaaS even when on the card only 20 characters will appear)
      • Insert the cardholder's address where the card has to be sent

• Set card limits when issuing a card:
  • Physical card limits are different for Business and Consumer.
  • Railsbank and EML physical card limits are:
    • Business and Consumer cards
    • Limit per transaction: maximum and minimum amount per transaction
      • Min: 1 GBP / 1 €
      • Max: 100.000 GBP / 115.000 €
    • Daily limit: maximum and minimum amount to be spent in a day
      • Min: 1 GBP / 1 €
      • Max: 100.000 GBP / 115.000 €
    • Monthly limit: maximum and minimum amount to be spent in a month
      • Min: 1 GBP / 1 €
      • Max: 250.000 GBP / 290.000 €
  • Modulr physical card limits are:
    • Business cards
      • Lifetime spend limit: the total amount that can be spent on a card's lifetime. Once the card reaches the limit, it will be cancelled and unavailable.
        • Min: 1 GBP / 1 €
        • Max: 500.000 GBP / 570.000 €
      • Transaction limit: maximum and minimum amount per transaction. It will be specified that once the card is issued, this limit cannot be modified later.
        • Min: 1 GBP / 1 €
        • Max: 250.000 GBP / 295.000 €
    • Consumer cards:
      • Lifetime spend limit: the total amount that can be spent on a card lifetime. Once the card reaches the limit, it will no be longer available.
        • Min: 1 GBP / 1 €
        • Max: 250.000 GBP / 295.000 €
      • Transaction limit: maximum and minimum amount per transaction. It will be specified that once the card is issued, this limit cannot be modified later.
        • Min: 1 GBP / 1 €
        • Max: 250.000 GBP / 295.000 €
• Important! Modulr can incur a delay of 10 hours on the physical card creation. During this time, the card can be created correctly, or give an error on creation (FAILED status in BE). If an error happens:
  • The Director or Account Owner will receive a notification regarding the fact that the card could not be created. Also, in the 'Cards' page details, you will see a warning message, as follows: Your physical card could not be created and it's been cancelled for security reasons. Please try again with a CTA to issue a new card.
  • Card Holders will see on the Card page details a warning message, as follows: Your physical card could not be created and it's been cancelled for security reasons.
  • In both cases, the card will also be shown in the card list as a CANCELLED card, and when filtering b that status, ex.: My card 5F.

• Modify card limits:
  • It can only be done by a Director or an Account Owner
  • As before, the card limit edition differs between Railsbank, EML, and Modulr as BaaS
  • Modifying card limit for Railsbank and EML will be as follows:
    • Entering an existing card (ACTIVE), a Director or Account Owner will have the option to select 'Modify limits' from the 3 dots menu.
      • If a card's status is BLOCKED or CANCEL, this option will not be available.
    • Once the option is selected, a new page will open to be able to modify the limits configured when the card was issued.
      • Business and Consumer cards will have the option to be modified on limits:
        • Limit per transaction: maximum and minimum amount per transaction
          • Min: 1 GBP / 1 €
          • Max: 100.000 GBP / 115.000 €
        • Daily limit: maximum and minimum amount to be spent in a day
          • Min: 1 GBP / 1 €
          • Max: 100.000 GBP / 115.000 €
        • Monthly limit: maximum and minimum amount to be spent in a month
          • Min: 1 GBP / 1 €
          • Max: 250.000 GBP / 290.000 €
    • After card limits are edited, a security code will be needed to confirm the changes.
    • If the security code is correct, a successful message will be shown.
      • If not, an error message will be shown in the security code modal and no changes will be applied.

• In the case of Modulr, Director or Account Owner will have the following card edition options:
  • Entering an existing card (ACTIVE), a Director or Account Owner will have the option to select 'Modify limits' from the 3 dots menu.
    • If a card's status is BLOCK or CANCEL, this option will not be available.
  • Once the option is selected, a new page will be open to modify the limits configured when the card was issued.
    • Lifetime spend limits: could be edited after issuing a card. However, once it reaches said limit it will automatically 'expire' and the card will appear as cancelled.
      • Business cards:
        • Lifetime spend limit: Total amount that can be spent on a card lifetime. Once the card reaches the limit, it will be cancelled and unavailable.
          • Min: 1 GBP / 1 €
          • Max: 500.000 GBP / 500.000 €
      • Consumer cards:
        • Lifetime spend limit: Total amount that can be spent on a card lifetime. Once the card reaches the limit, it will be cancelled and unavailable.
          • Min: 1 GBP / 1 €
          • Max: 250.000 GBP / 295.000 €
  • Transaction limit: it can only be modified when issuing a card. After that, it cannot be modified anymore. It will be shown as a disabled field while editing card limits.
• After card limits are edited, a security code will be needed to confirm the changes.
  • If the security code is correct, a successful message will be shown.
  • If not, an error message will be shown in the security code modal and no changes will be applied.

• View card page details:
  • A Director or Account Owner also has the option to consult every card in the platform. All details shown will be the following:
    • Account that the card belongs to: cardholder name
    • Card status: active, issue, blocked or cancelled
    • Card type: virtual or physical
    • Card product: debit
    • Card scheme: VISA
    • Card limits: lifetime spend limit (highlighted) and transaction limit
    • Card design:
      • Cardholder name
      • Security card details masked
    • Modals for other actions:
      • Block/Unblock
      • Card details:
        • Cardholder name
        • Name on card
        • Account to whom it belongs (cardholder name)
        • Card type
        • Card limits
      • Modify limits
      • Cancel
    • Cards transaction list

• Block virtual or physical card:
  • A card can be blocked for a Director or Account Owner for oneself, or for another cardholder.
  • A security code will be needed.
  • The option will only be shown if the card's status is NOT ISSUED, BLOCKED or CANCEL.

• Unblock a virtual or physical card:
  • A card can be unblocked for a Director or an Account Owner for oneself, or another cardholder.
  • If the card was blocked to another cardholder, a Director or an Account Owner as cardholders will not have the option to unblock it for themselves.
  • A security code will be needed.
  • The option will only be shown if the card's status is ISSUED, UNBLOCKED or CANCEL.

• Cancel virtual or physical card:
  • A card can be cancelled for a Director or an Account Owner for oneself, or another cardholder.
  • A security code will be needed.
  • No security card details can be consulted if the card is cancelled.

• View all card transactions:
  • For oneself and other cardholders.

---

- What can a cardholder do?

• Setup SCA Questions during the onboarding process
  • ONLY FOR MODULR CUSTOMERS!
    • As a new Modulr Strong Customer Authentication requirement, all team users will need to answer from 1 to 5 security questions during the setup of credentials during the onboarding process.
    • The security questions to be answered are:
      • FIRST_PET_NAME
      • MATERNAL_GRANDMOTHER_MAIDEN_NAME
      • FAVORITE_CHILDHOOD_FRIEND
      • FIRST_CAR
      • CITY_PARENTS_MET
    • All users will have to answer at least one to continue the process. Said answers must contain between 1 to 45 strictly Latin characters.
    • If the users do not answer the questions during the onboarding process, a placeholder will appear on the Cards page once the users log into the platform to set up security questions in the User Settings section.
    • The users will be required to provide the answers for specific transactions by OTP confirmation, as per Modulr's fraud algorithm.
    • Security questions answered can be consulted later on the User Settings by providing the security code.
• Activate a physical card:
  • It can only be done by the cardholder when the card is received at the address specified during issuing.
    • Users will need to click on the 'Activate now' button once the card has arrived at the specified address.
    • Then, a security code will be needed.
    • Railsbank and EML card activation will need the token printed on the card in order to be activated.

• Modulr card activation can be done once the card has been received with no more actions taken.
  • If the card has not been created on Modulr's side, front end will not show the activation CTA.
    • BE could have 2 different card statuses:
      • AWAITING: means the card has not yet been created by Modulr
      • INACTIVE: means the card has already been created by Modulr and can be activated

• View physical card's PIN:
  • It can only be done by the cardholder.
  • A security code will be needed.
  • After validating the security code, a PIN will be shown in the modal for 10 seconds.

• View Card page details:
  • Account that the card belongs to: cardholder's name
  • Card status: active, issue, blocked or cancelled
  • Card type: virtual or physical
  • Card product: debit
  • Card scheme: VISA
  • Card limits: lifetime spend limit (highlighted) and transaction limit
  • Card design:
    • Cardholder's name
    • Security card details masked
  • Modals for other actions:
    • Block/Unblock
    • Card details:
      • Cardholder's name
      • Name on card
      • Account to whom it belongs (cardholder's name)
      • Card type
      • Card limits
    • Change alias
    • Cancel
  • Card transactions
• View secure card details
  • It can only be done by cardholders.
  • Security card details are masked to be shown are:
    • PAN
    • CVV
    • Expiration date
  • A security code will be needed after you click on the card.
    • If the security code is correct, the secure card details will be unmasked and visible to the cardholder.
• See card limits
  • Cardholders can consult card limits on general Card page details.
  • 'Modify limits' option will not be available for this role.

• Change card alias
  • It can only be done by cardholders.
  • Numbers, symbols and Latin characters are allowed.
  • Min/max: between 1 and 20 characters.
  • This alias will only be shown on their own card list.

• Block virtual or physical card
  • It can only be done by cardholders or Directors/Account Owners.
• Unblock virtual or physical card
  • It can only be done by cardholders or Directors/Account Owners.
  • If a Director or Account Owner has blocked the card, the cardholder won't be able to unblock the card.
• Cancel virtual or physical card
  • It can only be done by cardholders or Directors/Account Owners.
• View all card transactions
  • It can only be done by cardholders or Directors/Account Owners.

---

- Webhooks

🚧

Railsbank Cards Webhooks work in progress

🚧

EML Cards Webhooks work in progress

🚧

Modulr Cards Webhooks work in progress

Modulr cards integration also includes webhook notifications that allow receiving more information about a card's events, such as transactions, status updates, etc.

This way we can synchronise information with Modulr as BaaS without having to ask each time we do an operation on their side.

During the integration of the Modulr card, we configured the following notifications to be received by email by the Admin user, and also for Directors and Account Owners.

• Customer creation:

We implemented the CARD_AUTH webhooks notifications which inform when a new client was created under a Modulr customer on our side so that it shows as a new customer on Modulr's side.

• CARDS WEBHOOKS:
  • We have also implemented 3 types of webhooks notifications related to cards:
    • CARDAUTH:
      • It will be saved in logs, but it will not be configured as a webhook transaction
        • Approved card Authorisation.
        • Declined card Authorisation (Reason field will specify the decline reason).
        • Subsequent Decline of previously Approved Authorisation (this happens in case of a network outage. Reason field will include Timeout information and PreviousActivityStatus will specify "APPROVED").
        • Authorisation Reversal (when the transaction is partially or fully reversed, OrderID can be used to link any reversed amount with a previously approved Authorisation).
        • Use of PAYIN and PAYOUT to identify any card payment from a CardID or refund linked to a specific AccountID.
        • To check transactions coming from different cards associated with a specific Account, search for the PaymentID field containing the card activity BID, which you can use to query additional details from the card activities API. We will also use the OrderID to match the settlement to the authorisation record as part of their internal reconciliation.
        • The relation between order and status will be:
          • 8, 11 and 20: FAILED. The scenario of the order in Modulr will be our failure Reason
          • 12 and 13: PENDING
          • 19, 21 and 22: ACCEPTED
          • See related documentation here
• CARDCREATION:
  • This sends a webhook notification that informs the outcome of a successfully submitted 'Create physical card' request. Possible results are:
    • Error: the Admin user or Director will receive an email if the card was not created.
    • Created: the Admin user or Director will receive an email when a new card was created successfully.
  • This is only supported for Physical Cards.
  • Webhooks will be retried in case of failure.
• CARDSTATUSUPDATE:
  • Admin users or Directors will receive an email notification in the following cases:
    • CREATED (just for Physical cards)
    • ACTIVE (Just for Physical cards)
    • BLOCK
    • UNBLOCK
    • CANCEL
    • EXPIRED
    • SUSPENDED
  • This sends a webhook notification in the event of a card changing status, regardless of what triggered/performed the status update. This can help customers be informed of card status changes that were not initiated by their API user e.g. card status change performed via the Customer Portal, or a card status initiated by an internal Modulr process e.g. card expiry.
• Modulr documentation related:
  • Card Notifications
  • Card Lifecycle

Modulr Cards specifications and differences from Railsbank and EML

Here are the main differences between Modulr and the rest of the card banking providers, such as Railsbank or EML, which are explained.

These differences have an impact on the debit card user flow, in cases such as security questions during onboarding or card limit editing during issuing of a new card. As well as others subjects related to customer creation, as is the Expected Monthly Spend located in the Admin portal.

At last, we will find a 'New address' field in User Settings for users' personal detail modifications if needed.

---

- Security Questions

As part of Modulr's commitment to security, an additional Strong Customer Authentication layer has been added. Users would need to set up answers to specific questions at the time of onboarding. These answers would be needed for specific transactions post-OP confirmation, as per Modulr's fraud algorithm.

These security questions have been included during the onboarding process of any new user. Therefore, when a Director or Account Owner adds a new user to the Team section, a warning about the need to complete the SCA Questions will be shown before issuing a new card. Once the user completes the set-up of credentials and security questions, the warning will disappear and the Director or Account Owner will be able to issue a new card for them.

Also, for Modulr customers that are already in LIVE, and with users already added to the Team section, a placeholder will appear in the platform to set up the SCA Questions in the User Setting section and no cards will be issued until that step is to be completed.

When security questions are already set up, the user will be able to view their answers from the User Settings section.

Editing of these questions will be added in further steps of the development.

---

- Modulr Card Limits edition

Currently, banking providers such as Railsbank's or EML's card limits edition are based on 3 different limits: daily, monthly and transactional.

However, for Modulr users, the limits are card lifetime limits and transaction limits.

Both limits will be edited during the process of issuing a new card.

Lifetime limits can be edited later. However, once it crosses it will automatically "expire" the card and it will be shown as cancelled.

Transaction limits cannot be edited later.

---

- Add address in Personal Details page

As a new requirement after Modulr integration, there was a need to implement a new field to capture user addresses for Business clients in the Personal details page, under the User Settings section.

This new feature consisted of adding all address fields needed for SME web and apps in order to let the users change their bank account data (IBAN and BIC/SWIFT).

---

- Expected monthly spend

As explained above, Modulr requires extra for customers to be registered in the Admin portal.

The new mandatory field Expected monthly spend needs to be provided by each customer based on an estimation of the company expenses to be done monthly.

As an estimation, Modulr does not require specific amounts and can be anywhere from 0 to 2147483647 GBP.

Also, as explained by Modulr, this field is mandatory for back-end Modulr operations, and used for velocity controls but not for transaction monitoring.

---

Prerequisites

What are the conditions a user needs to satisfy in order to use these features?

---

FAQs

Q: Can a Director issue a new card if the cardholder does not have security questions answered?

A: No, after adding a new team member, the new user must have previously set up credentials and SCA Questions to issue a new card for them.

Q: When must a cardholder set up the security questions?

A: All new users will need to set up credentials and answer the required SCA Questions during the onboarding form that is sent by a Director.

Q: Can a Director issue a new card for themselves?

A: Yes, they can issue a new card for themselves and for other team members.

Q: Can a cardholder modify card limits for themselves?

A: No, only a Director can modify card limits for employees or cardholders.

Q: Who can cancel a card?

A: Directors and cardholders have the ability to cancel a card.

Q: Can a customer in TEST env test the SCA Questions for card payments?

A: No, as security questions are asked during card payments, Modulr will send them randomly and based on the fraud algorithm. SCA Questions are to be answered after inserting the OTP to confirm the payment. As this is handled by Modulr, we do not have the capability to test this functionality in sandbox with mocked cards.

---

Glossary

---