*Note : Clickable elements will not work when viewing in zoom/pan mode. Return to the previous screen to be able to click.
*Note : Clickable elements will not work when viewing in zoom/pan mode. Return to the previous screen to be able to click.
*Note : Clickable elements will not work when viewing in zoom/pan mode. Return to the previous screen to be able to click.
Begin by reviewing the Overview Flow below for the holistic front end and back end wiring diagram. You can zoom in on the Overview Flow by clicking the “View Pan & Zoomable Version” button. Exit out of the zoomable mode and click on a screen or service to review its requirements and technical details.
Pre-Fill Funnel Requirements
Product
Application Funnel and Screen Requirements
Internal Policy
Application Funnel and Screen Requirements
Prove Pre-Fill is required to sit at the beginning of the application funnel. After the client product page where the consumer selects “apply now” or “open account”, the CX screen should move to the Mobile Auth Authentication Page Requirements or Challenge Page
There should be no additional screens ahead of Pre-Fill or in between Pre-Fill steps. The CX requirements are in order and provide the EXACT number of screens expectedIf the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Link to Objection Handling
Flow
Possession Check
Scope
Display Requirements
Language Requirements
Internal Policy
Mobile
(Same Domain)
When Client Product Page and Challenge Data Page are same domain and Mobile Auth implemented
US MNO-required language should be displayed and implicitly accepted (referenced in Terms and Conditions)
Implicit US MNO Carrier Language
Example: If “apply now” page is www.capitalone.com and application flow stays on this domain
If the customer attempts to deviate, IPM needs to follow rulebook outlined in (Implementation Guide)
Mobile
(Cross-Domain*)
*please talk to your Implementation lead to confirm if applicable
When Client Product Page and Challenge Data Page are cross-domain and Mobile Auth Implemented
Do not insert MNO language
Do not insert MNO language
MNO Consent will need to live on challenge data page. See details there.
Example: if “apply now” page is www.lowes.com and application flow moves to apply.syf.com
Mobile
For Phase 1 Implementation prior to Mobile Auth Implementation
Do not insert MNO language
Do not insert MNO language
No MNO Language Needed for Phase 1
Desktop
Instant Link
Do not insert MNO language
Do not insert MNO language
[CURRENT STATE] For Phase v0.5 if MNO is in scope for Instant Link, customer WILL need to insert MNO language on the challenge data page for Instant link.
[FUTURE STATE] In Phase 1, No MNO Language will be needed for Instant Link because the MNO check will not included in P1 and P2 by default unless client has add-on InstantLink+
Summary:
The 3 major US MNO carriers have set the below requirements for accessing their data for relevant Prove services. Please reference your MSA for full details.
ATT requires additional considerations. Talk to your sales representative for more info
Internal Note
ATT considerations include ATT/Customer MSA, technical implementation and additional costSee IPM Confluence space
Required MNO Consent Language:
You authorize your wireless carrier to use or disclose information about your account and your wireless device, if available, to {Enterprise Customer Name} or its service provider for the duration of your business relationship, solely to help them identify you or your wireless device and to prevent fraud. See our Privacy Policy for how we treat your data.
Where the Language needs to be Accepted and Housed:
The US Mobile Carriers require consumers to implicitly accept carrier consent language in the customer UX flow prior to calling the endpoint in scope. For Pre-Fill flows, we recommend inserting this language in the Terms & Conditions or Privacy Policy and implicitly referencing
Prove Customer Prereqs prior to Prove MNO Application Submission:
The Production URL(s) where this language will live once published in Production
Estimated timeline of when it will be live. Note that T-Mobile will not approve until language is live
A mockup of the page where the end user accepts these terms and conditions (consumer should not be able to proceed until checking the consent box)
Ensure SMS OTP and Instant Link are implemented initially for the possession check.
Implement MobileAuth after initial implementation or in Phase 2.
Other Screens Following the Same Layout
*See Data Entry Requirements to help determine when phone number is required on this screen
Page Summary
Language
Page Summary Description
Internal Playbook
Required Language
Let’s Begin By Finding Your Info
We can prefill some of this request like your name, address, and contact info for you
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Scope
Consumer Prompt Requirements
Internal Policy
If same domain and Mobile Auth Passed
Challenge data field only
Displaying the challenge data only is ONLY for same-domain Prove customers
Example: If “apply now” page is www.capitalone.com and application flow stays on this domain
If cross-domain
Challenge data first
Then
Phone number field
If landing page is different from domain of Prove customer, the Challenge Page MUST have challenge data and phone number because MNO consent has to be collected on this page
Example: if “apply now” page is www.lowes.com and application flow moves to apply.syf.com
If Mobile Auth fails
Challenge data first
Then
Phone number field
Note: This would apply to both Desktop and Mobile Flows
When to attempt MobileAuth:
Customer can use existing tools (such as libraries, UA tools etc) to know when consumer is coming from Desktop vs Mobile and send down appropriate pathNote: This would apply to both Desktop and Mobile Flows
Alternatively customer can attempt MobileAuth irregardless of device
Contracted Solution
Consumer Prompt Language Requirements
Required
Challenge Data
Internal Policy
Prove CIP+
“Full SSN/ITIN”
In data entry field
Full 9-digit SSN
Prove CIP+ is the P2 SKU
If P2 (compliance) SKU is in scope, full SSN entry is mandatory to satisfy banking compliance requirements
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Prove US Pre-Fill
Customer can choose one from the following prompts:
“Last 4 SSN/ITIN”
“SSN/ITIN”
“MM/DD/YYYY”
"MM/YYYY"
"MM/DD"
Last 4 SSN/ITIN
Full SSN
Full DOB
DOB - Month & Year
DOB - Month & Day
Note: Customer can choose what format to prompt from the consumer (whether its a scroll button on DOB or MM/DD/YYYY) as long as they pass in the correct formatting into the API request
Prompt Requirements
Format
If Mobile Auth Failed
or
Desktop Flow
or
MNO consent not collected
Mobile Phone Number
(in data entry field)
(___)___-____
Prove US Pre-Fill
Customer can choose one from the following prompts:
“Last 4 SSN/ITIN”
“SSN/ITIN”
“MM/DD/YYYY”
"MM/YYYY"
"MM/DD"
Last 4 SSN/ITIN
Full SSN
Full DOB
DOB - Month & Year
DOB - Month & Day
Prompt Requirements
Format
Internal Policy
When cross-domain Mobile Auth Implemented
US MNO-required language should be implicitly accepted on this page
Implicit US MNO Carrier Language
Example: if “apply now” page is www.lowes.com and application flow moves to apply.syf.com
If Trust Score+ add-on to Pre-Fill is in scope
US MNO-required language should be displayed and implicitly accepted
Implicit US MNO Carrier Language
This would only apply if MP9 is an add-on. Trust+ is NOT in scope of P1 or P2 by default
Button
Action Taken
Continue
Continue button will move to the next screen in the process
Button
Opt-Out Required Language
Action Taken
Internal Notes
If consumer already completed Mobile Auth
Do not present opt out option
Implicit US MNO Carrier Language
There should be no opt out button here, only the challenge data. If the customer attempts to deviate, IPM needs to follow the rulebook outlined in Implementation Guide
If Mobile Auth Ineligible
I don’t have a mobile number
Send customer to manual entry screen
There should be no retries (see possession check policy)
If the customer attempts to deviate, IPM needs to follow the rulebook outlined in Implementation Guide
Page Summary Language
Internal Policy
Required Language
Verify Your MobilePlease enter the code we just sent to
(XXX) XXX-7890
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Button
Verification Code
Timeout Requirements
Internal Policy
Required Language
4-6 digit code
OTP needs to be entered within 5 minutes of the SMS being sent before dropping user to manual entry flow
Would suggest auto-populating this code into the web form field.
Required Submit Button Language
Submit Action
Internal Policy
If Possession Check Policy Passed
AND
Trust Policy Passed
AND
Pre-Fill API call Succeeds
Verify Now
Moves consumer to consumer’s PII Pre-Filled Page
There should be no intermediate page after the SMS entered. Consumer should land directly on Pre-Filled PII page or if Pre-FIll failed for any reason, land on the manual PII entry page.
Link to Implementation Guidance
If Possession Check Policy Failed
OR
Trust Policy Failed
OR
Pre-Fill Call Failed
If Possession Check Policy Passed
AND
Trust Policy Passed
AND
Pre-Fill API call Succeeds
PII Manual Entry Page
Possession Check
Language Requirements
SMS OTP
XXXX is your temporary code to continue [your application]. Caution: for your security, don’t share this code with anyone.
Possession Check
Number of Characters Requirement
Max Characters
The entire text is required to be <=160 characters total including the OTP code. Going over 160 characters will cause issues with any MNO that does not concatenate messages that spill over
Page Summary Language
Page Summary Language
Required Language
Make sure everything is correct
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
In-Order Required Display Field
Display Requirements
Does the Field Need to be Editable by consumer?
Upon Edit, Action Taken
Internal Policy
First Name
Yes - no masking
Yes
Upon Edit, Call Verify
Last Name
Yes - no masking
Yes
Upon Edit, Call Verify
Address
Yes - no masking
Yes
Upon Edit, Call Verify
Extended Address
Yes - no masking
Yes
Upon Edit, Call Verify
City
Yes - no masking
Yes
Upon Edit, Call Verify
State
Yes - no masking
Yes
Upon Edit, Call Verify
Postal Code
Yes - no masking
Yes
Upon Edit, Call Verify
Phone Number
Yes - no masking
No
Upon Edit, repeat PRO
If customer wanted this to be editable, Consumer must repeat PRO
SSN
Mask first 5 (display last 4)
The last 4 is required to be displayed to consumer for their review.
Please speak to your Implementation Lead if you do not need the consumers SSN as part of your onboarding flow.
Yes
Upon Edit, clear the data, require consumer to enter full SSN and Call Verify. First 5 of SSN should always remain masked
Customers should not mask the whole SSN, this defeats Product benefit of reviewing data.
If the client is collecting DOB as Challenge data and does NOT want to display the SSN, we will enforce the following:
We will not allow the SSN value to return on the Pre-Fill response (we will disable this field in the API response via the payfex config)
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
DOB
Yes - MM/DD/YYYY
Yes
Upon Edit, clear the data, require consumer enter full DOB MM/DD/YY and Call Verify
In-Order Required Display Field
Display Requirements
Editable?
Upon Edit, Action Taken
Internal Policy
First Name
Yes - no masking
Yes
Yes
Last Name
Yes - no masking
Yes
Yes
Address
Yes - no masking
Yes
Yes
Extended Address
Yes - no masking
Yes
Yes
City
Yes - no masking
Yes
Yes
State
Yes - no masking
Yes
Yes
Postal Code
Yes - no masking
Yes
Yes
Phone Number
Yes - no masking
No
No
If edited, Consumer must repeat PRO
SSN
Mask first 5 (display last 4)
The last 4 is required to be displayed to consumer for their review.
Please speak to your Implementation Lead if you do not need the consumers SSN as part of your onboarding flow.
No
Do not allow edit.
Justification: Consumer entered full SSN - it should not be editable
DOB
Yes - MM/DD/YYYY
Yes
Upon Edit, clear the data, require consumer enter full DOB MM/DD/YY and Call Verify
Justification: Consumer did not enter this - it was returned from Prefill. CIP compliance would dictate Address, DOB and SSN need to come directly from the consumer or be editable
Checkbox
Yes - Check box with the text: "I have reviewed the infomation provided and confirm its accurate"
N/A
N/A
Requirements
Internal Notes:
Edit Button
Should be below the pre-filled data.
Should be one edit button TOTAL and below the pre-filled data
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Required Submit Button Language
Fields Required Entry
Internal Policy
Required Language
Let’s Complete your Application
We would recommend limiting additional fields to the very minimum required to open the account/apply for product. The key is the minimum required.
Example fields you may wish to include are:
• Email address
• Confirm email address
• Income
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Optional Section
Texting Consent
If you need to have text message consent, this would be a good place for this disclosure
Requirements
Internal Notes
Consumer Confirmation
You are required to include the following statement just above the “submit” button:
I have reviewed the information provided and confirm it is accurate
If desired, you can include a check box by this statement but it is not required
This is a new statement required for customers to include by Prove Legal as of Jan 2024.
Requirements
Required Logic
Internal Notes
Submit Button
This button should convey a clear and decisive action, the button should alert the user of a final state.For example button can say ‘Submit’ or ‘Apply now’ signifying that the user will not be given the option to go back after proceeding.
Application submission should occur on the submit button
Customer should NOT have more screens with data entry before opening the account/applying for the product. Those steps should come POST acquisition. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Other Screens Following the Same Layout
Page Summary Language
Internal Notes:
Required Language
Your Information
All fields are required unless stated otherwise.
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
In-Order Required Display Field
Display Requirements
Required Pre-Population Implementation
Internal Policy
First Name
Yes
Customer should implement iPhone pre-population capabilities where possible
Name and Phone number are the only required fields. Customer will layer on whichever additional fields they need based on their requirements
Last Name
Yes
Street Address
Optional
Apartment Number
Optional
City
Optional
State
Optional
Postal Code
Optional
Phone Number
Yes
SSN
Optional
DOB
Optional
Additional Optional Data Fields
Required Language
Customer discretion
We would recommend limiting additional fields to the very minimum required to open the account/apply for product. Save additional steps for afterwards to minimize friction to consumer or a combo of this and what you said just above. The key is the minimum required.
Example fields you may wish to include are:
• Email address
• Confirm email address
• Income
Requirements
Required Logic
Internal Notes
Submit Button
This button should convey a clear and decisive action, the button should alert the user of a final state.
For example button can say ‘Submit’ or ‘Apply now’ signifying that the user will not be given the option to go back after proceeding.
Application submission should occur on the submit button
Customer should NOT have more screens with data entry before opening the account/applying for the product. Those steps should come POST acquisition.
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
We do not recommend doing UI transitions based on the MobileAuth redirects as this can lead to poor user experience. In other words, we would not recommend implementing web flow via full window redirects (or iFrame or any other user-visible components) (link to MobileAuth Guide)
Implementation
Recommended Screen/CX
Mobile Auth Web
Customer Discretion. Common option is spinner with company logo
Recommended Implementation
US Carriers in Scope
Recommended Implementation
How To
Internal Notes
Verizon and/or T-Mobile
Prove WEB SDK or FETCH (AJAX) Implementation
Please talk to your Implementation lead for more details
Pixel is also an option but Fetch is easier to implement
ATT and Verizon and
T-Mobile
Prove Web SDK or PIXEL Implementation (image load)
Prove customer implements an HTML 10x1 pixel image load and assigns the redirect URL to that image source <img src=“the redirect url that you got from the /ABR call goes here”>
If the GET call is successful, the FinalTargetURL with VFP would load in the 10x1 pixel
Please talk to your Implementation lead for more details
Phase 1 Required Services
Phase 2 Required Services
MobileAuth Technical Requirements
SMS Requirements
Internal Notes
SMSDelivery
(MP-3)
MobileAuth (MP-1)
/ABR /ABRF
If Fails, Waterfall to:
SMS OTP
/SMSDelivery
-Customer must pass in IPV6 when available
-Customer should attempt MobileAuth across all requests
6 digit code is required
OTP: SMSDelivery is included by default in scope of Pre-Fill. IPM: Please validate with SD they didn’t make any changes to default scope-If customer requests to use their own vendor, please follow exception process
MobileAuth:
MobileAuth is required for VZN and TMO assuming the customer can be approved by carriers. -If customer requests to not implement MobileAuth, please follow exception process-We require trying across all devices to maximize pass rates. User Agent and other detections can be inaccurate
Handling if customer wants to use Instant Link on Mobile Flow:
Not allowed as part of standard - Exception required. Prove/Customer needs to proceed with caution (if implemented poorly it will impact consumer experience)
Handling if customer wants to use Voice Verification:
Not allowed as part of standard - exception required. Higher risk
Handling if customer wants to use Email Verification:
Not permitted - will result in Staging Cert failure
Service
Requirements
Internal Notes
Mobile Auth MP1
Prove will not permit MobileAuth as a stand-alone possession check.
MobileAuth either needs to be implemented in a 2nd implementation phase or after having an alternate possession check in place.
If MobileAuth is implemented as a standalone implementation, it will significantly impact success rate.
Implementation of MobileAuth as a standalone possession check with result in failure of Staging Certification
Possession Check Retry Policy
# of Retries
Internal Notes
SMS OTP
SMS re-sends are not permitted. Pre-Fill is designed to keep the consumer moving forward during each step
Ideal flow is designed to keep the user moving forward with every step.
It’s better to keep the consumer moving forward than to have a consumer get frustrated and abandon the application
If the consumer doesn’t receive the text the first time it’s unlikely they will with a retry
MobileAuth
If MobileAuth fails at any step, waterfall to SMS OTP
Is Possession Check Required?
Conditions of Possession Check Pass
Internal Notes
Yes
MobileAuth Finish call with phone number retrieval
OR
SMS Code redeemed with the following requirements:
-5 minute timeout window
-The code is transmitted to consumer once: no resends allowed
-The consumer can retry the code up to 3 times in case of fat thumbing
-The code is required to be 6 digits
Omitting a possession check will result in failure of Staging Certification
Required Service
Required Model
Requirement Notes
Internal Notes
Trust Score (MP-7)
/trust/v2
Onboarding
A reputation check is required
Omitting a reputation check will result in failure of Staging Certification
MNO check is out of scope unless MP8 (Trust+) is purchased as an add-on. This includes all elements marked as “only returns if consentStatus=OptedIn”
Conditions of Reputation Check Pass
Internal Notes
trustScore >=630
If customer wants to use the reason codes and not the score, this requires an exception.Exception required if customer attempts to use lower score
Conditions for Displaying the Pre-Filled PII
Internal Notes
Display Pre-Filled PII if consumer passed the Possession and Reputation checks
The customer should still display Pre-Fill screens if OS and OV flag - customer should not be declining at this point for these reason codes. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO checks (MFP, DFP)
Scenario
Required Ownership Service
Conditions of Ownership Pass
Internal Notes
P1 Pre-Fill:
If consumer pre-fills and does not edit
Pre-FIll
-identity/v2
Successfully Pre-filled AND Reason Codes NOT: OS, OV
Prove Verify Required as IDV check:
Customer is required to use Prove Verify as opposed to their own vendor. If customer chooses to use their own vendor, exception is required and Prove cannot complete a fraud/product investigation without using Verify
Additional Reason Codes Logic:
Customer should NOT be declining for additional reason codes. If customer wants to go-live with a block in place, this is an exception. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO (MFP, DFP)
P1 Pre-Fill: If consumer Pre-Fills and edits or manually enters their info
Prove Verify
-verify/v2
Verified=True ANDReason Codes NOT: OS, OV
Scenario
Required Ownership Service
Conditions of Ownership Pass
Internal Notes
P2 Compliance Use Case
/verify/v2
Verified=True AND Reason Codes NOT: OS, OV
Prove Verify Required as IDV check:
Customer is required to use Prove Verify as opposed to their own vendor. If customer chooses to use their own vendor, exception is required and Prove cannot complete a fraud/product investigation without using Verify
Additional Reason Codes Logic:
Customer should NOT be declining for additional reason codes. If customer wants to go-live with a block in place, this is an exception. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO (MFP, DFP)
Phone Possession
Phone Reputation
Phone Ownership
Decision/Outcome
Pass
Pass
Pass
Identity Verified
Pass
Fail
Pass
Failed Prove Policy, client-owned decision
(e.g., step up, ID validation)
Pass
Fail
Fail
Pass
Pass
Fail
Fail
Fail
Pass
Fail
Pass
Fail
Fail
Pass
Pass
Fail
Fail
Fail
Instructions
Conditions of CIP Pass
Conditions of CDD Pass
Please use the CIP and CDD pass conditions along with the matrix below to decision appropriately
multiCipConfidence: High > PASS
KYC Total Hits = 0. No hits on sanctions, watchlists, or PEP based on watchlists your organization sets specific to your organization’s compliance policies
Phone Possession
Phone Reputation
Phone Ownership
CIP
KYC/CDD
Outcome
Pass
Pass
Pass
Pass
Pass
Auto Approve
Pass
Pass
Pass
Either CIP or CDD Fails
Failed Prove Policy. Enter Exception process - Pend & Review Policy
Fail
Pass
Pass
Pass or Fail
Pass or Fail
Pass
Fail
Pass
Pass or Fail
Pass or Fail
Pass
Pass
Fail
Pass or Fail
Pass or Fail
Pass
Fail
Fail
Pass or Fail
Pass or Fail
Fail
Fail
Pass
Pass or Fail
Pass or Fail
Fail
Pass
Fail
Pass or Fail
Pass or Fail
Fail
Fail
Fail
Pass or Fail
Pass or Fail
Pre-Fill Funnel Requirements
Product
Application Funnel and Screen Requirements
Internal Policy
Application Funnel and Screen Requirements
Prove Pre-Fill is required to sit at the beginning of the application funnel. After the client product page where the consumer selects “apply now” or “open account”, the CX screen should move to the Mobile Auth Authentication Page Requirements or Challenge Page
There should be no additional screens ahead of Pre-Fill or in between Pre-Fill steps. The CX requirements are in order and provide the EXACT number of screens expectedIf the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide Link to Objection Handling
Flow
Possession Check
Scope
Display Requirements
Language Requirements
Internal Policy
Mobile
(Same Domain)
When Client Product Page and Challenge Data Page are same domain and Mobile Auth implemented
US MNO-required language should be displayed and implicitly accepted (referenced in Terms and Conditions)
Implicit US MNO Carrier Language
Example: If “apply now” page is www.capitalone.com and application flow stays on this domain
If the customer attempts to deviate, IPM needs to follow rulebook outlined in (Implementation Guide)
Mobile
(Cross-Domain*)
*please talk to your Implementation lead to confirm if applicable
When Client Product Page and Challenge Data Page are cross-domain and Mobile Auth Implemented
Do not insert MNO language
Do not insert MNO language
MNO Consent will need to live on challenge data page. See details there.
Example: if “apply now” page is www.lowes.com and application flow moves to apply.syf.com
Mobile
For Phase 1 Implementation prior to Mobile Auth Implementation
Do not insert MNO language
Do not insert MNO language
No MNO Language Needed for Phase 1
Desktop
Instant Link
Do not insert MNO language
Do not insert MNO language
[CURRENT STATE] For Phase v0.5 if MNO is in scope for Instant Link, customer WILL need to insert MNO language on the challenge data page for Instant link.
[FUTURE STATE] In Phase 1, No MNO Language will be needed for Instant Link because the MNO check will not included in P1 and P2 by default unless client has add-on InstantLink+
Summary:
The 3 major US MNO carriers have set the below requirements for accessing their data for relevant Prove services. Please reference your MSA for full details.
ATT requires additional considerations. Talk to your sales representative for more info
Internal Note
ATT considerations include ATT/Customer MSA, technical implementation and additional costSee IPM Confluence space
Required MNO Consent Language:
You authorize your wireless carrier to use or disclose information about your account and your wireless device, if available, to {Enterprise Customer Name} or its service provider for the duration of your business relationship, solely to help them identify you or your wireless device and to prevent fraud. See our Privacy Policy for how we treat your data.
Where the Language needs to be Accepted and Housed:
The US Mobile Carriers require consumers to implicitly accept carrier consent language in the customer UX flow prior to calling the endpoint in scope. For Pre-Fill flows, we recommend inserting this language in the Terms & Conditions or Privacy Policy and implicitly referencing
Prove Customer Prereqs prior to Prove MNO Application Submission:
The Production URL(s) where this language will live once published in Production
Estimated timeline of when it will be live. Note that T-Mobile will not approve until language is live
A mockup of the page where the end user accepts these terms and conditions (consumer should not be able to proceed until checking the consent box)
Page Summary
Language
Page Summary Description
Internal Playbook
Required Language
Let’s Begin By Finding Your Info
We can prefill some of this request like your name, address, and contact info for you
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Scope
Consumer Prompt Requirements
Internal Policy
If same domain and Mobile Auth Passed
Challenge data field only
Displaying the challenge data only is ONLY for same-domain Prove customers
Example: If “apply now” page is www.capitalone.com and application flow stays on this domain
If cross-domain
Challenge data first
Then
Phone number field
If landing page is different from domain of Prove customer, the Challenge Page MUST have challenge data and phone number because MNO consent has to be collected on this page
Example: if “apply now” page is www.lowes.com and application flow moves to apply.syf.com
If Mobile Auth fails
Challenge data first
Then
Phone number field
Note: This would apply to both Desktop and Mobile Flows
When to attempt MobileAuth:
Customer can use existing tools (such as libraries, UA tools etc) to know when consumer is coming from Desktop vs Mobile and send down appropriate pathNote: This would apply to both Desktop and Mobile Flows
Alternatively customer can attempt MobileAuth irregardless of device
Contracted Solution
Consumer Prompt Language Requirements
Required
Challenge Data
Internal Policy
Prove CIP+
“Full SSN/ITIN”
In data entry field
Full 9-digit SSN
Prove CIP+ is the P2 SKU
If P2 (compliance) SKU is in scope, full SSN entry is mandatory to satisfy banking compliance requirements
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Prove US Pre-Fill
Customer can choose one from the following prompts:
“SSN/ITIN”
“Last 4 SSN/ITIN”
“MM/DD/YYYY”
"MM/YYYY"
"MM/DD"
Full SSN
Last 4 SSN
Full DOB
DOB - Month & Year
DOB -Month & Date
Note: Customer can choose what format to prompt from the consumer (whether its a scroll button on DOB or MM/DD/YYYY) as long as they pass in the correct formatting into the API request
Prompt Requirements
Format
If Mobile Auth Failed
or
Desktop Flow
or
MNO consent not collected
Mobile Phone Number
(in data entry field)
(___)___-____
Prove US Pre-Fill
Customer can choose one from the following prompts:
“SSN/ITIN”
“Last 4 SSN/ITIN”
“MM/DD/YYYY”
"MM/YYYY"
"MM/DD"
Full SSN
Last 4 SSN
Full DOB
DOB - Month & Year
DOB -Month & Date
Prompt Requirements
Format
Internal Policy
When cross-domain Mobile Auth Implemented
US MNO-required language should be implicitly accepted on this page
Implicit US MNO Carrier Language
Example: if “apply now” page is www.lowes.com and application flow moves to apply.syf.com
If Trust Score+ add-on to Pre-Fill is in scope
US MNO-required language should be displayed and implicitly accepted
Implicit US MNO Carrier Language
This would only apply if MP9 is an add-on. Trust+ is NOT in scope of P1 or P2 by default
Button
Action Taken
Continue
Continue button will move to the next screen in the process
Button
Opt-Out Required Language
Action Taken
Internal Notes
If consumer already completed Mobile Auth
Do not present opt out option
Implicit US MNO Carrier Language
There should be no opt out button here, only the challenge data. If the customer attempts to deviate, IPM needs to follow the rulebook outlined in Implementation Guide
If Mobile Auth Ineligible
I don’t have a mobile number
Send customer to manual entry screen
There should be no retries (see possession check policy)
If the customer attempts to deviate, IPM needs to follow the rulebook outlined in Implementation Guide
Where Link Was Sent
Required Language
A text message with a link was just sent to the phone ending in XXXX (last 4 digits of mobile number)
I Didn’t Receive The Text
Action
Internal Policy
Required Language
I didn’t receive the text
Move customer to Manual Flow
There should be no retries/resending of link. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Reference Possession Check Retry Policy
Possession Check
Language Requirements
Sample Text
Timeout Requirements
Instant Link
Should indicate company and/or purpose.
Warn the consumer to only click if expecting it
Warning: You are [requesting credit]. If you did not make this request, do not click this link. <hyperlink>
Link needs to be clicked within 5 minutes of text being sent before a timeout occurs
Number of Characters Requirement
Additional Notes
Max Characters including Payfone Authentication URL
The entire text is required to be <=160 characters total including the Payfone verification URL
Note: the Production Payfone URL is 45 characters so the remaining string including spaces must be <=115 characters
DO NOT PUT A PERIOD after the hyperlink. Certain devices treat as part of the URL causing an authentication issue. Going over 160 characters will cause issues with any MNO that does not concatenate messages that spill over.
Verification Link
Internal Policy
Standard URL
PayfoneURL
Customer can redirect to their own URL if desired but not required
Required Language
Purpose
Internal Policy
Mobile Browser screen
Your Mobile Verification is finished.
Please resume your application.
This prompts the consumer to return to their application flow on Desktop
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Page Summary Language
Required Language
Make sure everything is correct
In-Order Required Display Field
Display Requirements
Does the Field Need to be Editable by consumer?
Upon Edit, Action Taken
Internal Policy
First Name
Yes - no masking
Yes
Upon Edit, Call Verify
Last Name
Yes - no masking
Yes
Upon Edit, Call Verify
Address
Yes - no masking
Yes
Upon Edit, Call Verify
Extended Address
Yes - no masking
Yes
Upon Edit, Call Verify
City
Yes - no masking
Yes
Upon Edit, Call Verify
State
Yes - no masking
Yes
Upon Edit, Call Verify
Postal Code
Yes - no masking
Yes
Upon Edit, Call Verify
Phone Number
Yes - no masking
No
Upon Edit, repeat PRO
If customer wanted this to be editable, Consumer must repeat PRO
SSN
Mask first 5 (display last 4)
The last 4 is required to be displayed to consumer for their review.
Please speak to your Implementation Lead if you do not need the consumers SSN as part of your onboarding flow.
Yes
Upon Edit, clear the data, require consumer to enter full SSN and Call Verify. First 5 of SSN should always remain masked
Customers should not mask the whole SSN, this defeats Product benefit of reviewing data.
If the client is collecting DOB as Challenge data and does NOT want to display the SSN, we will enforce the following:
We will not allow the SSN value to return on the Pre-Fill response (we will disable this field in the API response via the payfex config)
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
DOB
Yes - MM/DD/YYYY
Yes
Upon Edit, clear the data, require consumer enter full DOB MM/DD/YY and Call Verify
In-Order Required Display Field
Display Requirements
Editable?
Upon Edit, Action Taken
Internal Policy
First Name
Yes - no masking
Yes
Yes
Last Name
Yes - no masking
Yes
Yes
Address
Yes - no masking
Yes
Yes
Extended Address
Yes - no masking
Yes
Yes
City
Yes - no masking
Yes
Yes
State
Yes - no masking
Yes
Yes
Postal Code
Yes - no masking
Yes
Yes
Phone Number
Yes - no masking
No
No
If edited, Consumer must repeat PRO
SSN
Mask first 5 (display last 4)
The last 4 is required to be displayed to consumer for their review.
Please speak to your Implementation Lead if you do not need the consumers SSN as part of your onboarding flow.
No
Do not allow edit.
Justification: Consumer entered full SSN - it should not be editable
DOB
Yes - MM/DD/YYYY
Yes
Upon Edit, clear the data, require consumer enter full DOB MM/DD/YY and Call Verify
Justification: Consumer did not enter this - it was returned from Prefill. CIP compliance would dictate Address, DOB and SSN need to come directly from the consumer or be editable
Checkbox
Yes - Check box with the text: "I have reviewed the infomation provided and confirm its accurate"
N/A
N/A
Requirements
Internal Notes:
Edit Button
Should be below the pre-filled data.
Should be one edit button TOTAL and below the pre-filled data
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Required Submit Button Language
Fields Required Entry
Internal Policy
Required Language
Let’s Complete your Application
We would recommend limiting additional fields to the very minimum required to open the account/apply for product. The key is the minimum required.
Example fields you may wish to include are:
• Email address
• Confirm email address
• Income
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Optional Section
Texting Consent
If you need to have text message consent, this would be a good place for this disclosure
Requirements
Internal Notes
Consumer Confirmation
You are required to include the following statement just above the “submit” button:
I have reviewed the information provided and confirm it is accurate
If desired, you can include a check box by this statement but it is not required
This is a new statement required for customers to include by Prove Legal as of Jan 2024.
Requirements
Required Logic
Internal Notes
Submit Button
This button should convey a clear and decisive action, the button should alert the user of a final state.For example button can say ‘Submit’ or ‘Apply now’ signifying that the user will not be given the option to go back after proceeding.
Application submission should occur on the submit button
Customer should NOT have more screens with data entry before opening the account/applying for the product. Those steps should come POST acquisition. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Other Screens Following the Same Layout
Page Summary Language
Internal Notes:
Required Language
Your Information
All fields are required unless stated otherwise.
We do not recommend any variation from this language. If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
In-Order Required Display Field
Display Requirements
Required Pre-Population Implementation
Internal Policy
First Name
Yes
Customer should implement iPhone pre-population capabilities where possible
Name and Phone number are the only required fields. Customer will layer on whichever additional fields they need based on their requirements
Last Name
Yes
Street Address
Optional
Apartment Number
Optional
City
Optional
State
Optional
Postal Code
Optional
Phone Number
Yes
SSN
Optional
DOB
Optional
Additional Optional Data Fields
Required Language
Customer discretion
We would recommend limiting additional fields to the very minimum required to open the account/apply for product. Save additional steps for afterwards to minimize friction to consumer or a combo of this and what you said just above. The key is the minimum required.
Example fields you may wish to include are:
• Email address
• Confirm email address
• Income
Requirements
Required Logic
Internal Notes
Submit Button
This button should convey a clear and decisive action, the button should alert the user of a final state.
For example button can say ‘Submit’ or ‘Apply now’ signifying that the user will not be given the option to go back after proceeding.
Application submission should occur on the submit button
Customer should NOT have more screens with data entry before opening the account/applying for the product. Those steps should come POST acquisition.
If the customer attempts to deviate, IPM needs to follow rulebook outlined in Implementation Guide
Phase 1 Required Services
Phase 2 Required Services
Instant Link Technical Requirements
Mobile Auth Technical Requirements
Internal Notes
Instant Link (MP-2)
/GetAuthURL
/InstantLinkResult
MobileAuth(MP-1)
/ABR
/ABRF
If Fails, Waterfall to:
Instant Link
-Customer must pass in IPV6 when available
-PhoneMatch is out-of scope without MP-6 add-on
-Customer must pass in IPV6 when available
-Customer should attempt MobileAuth across all requests
Instant Link:
The MNO check (PhoneMatch) falls under MP6 (InstantLink+). It is OUT of scope unless purchased as an add-on -Instant Link is the required possession check for desktop flow-If the customer attempts to deviate, IPM needs to follow the exception process
MobileAuth:
MobileAuth is required for VZN and TMO assuming the customer can be approved by carriers.
If customer requests to not implement MobileAuth, please follow exception process. Ensure that the business side is requesting and approves the exception as opposed to the tech folks
We require trying across all devices to maximize pass rates. User Agent and other detections can be inaccurate
Handling if customer wants to use SMS OTP on Desktop Flow:
Not allowed as part of standard - Exception required.
Handling if customer wants to use Voice Verification:
Not allowed as part of standard - exception required. Higher risk
Handling if customer wants to use Email Verification:
Not permitted - will result in Staging Cert failure
Service
Requirements
Internal Notes
Mobile Auth MP1
Prove will not permit MobileAuth as a stand-alone possession check.
MobileAuth either needs to be implemented in a 2nd implementation phase or after having an alternate possession check in place.
If MobileAuth is implemented as a standalone implementation, it will significantly impact success rate.
Implementation of MobileAuth as a standalone possession check with result in failure of Staging Certification
Possession Check Retry Policy
# of Retries
Internal Notes
SMS OTP
SMS re-sends are not permitted. Pre-Fill is designed to keep the consumer moving forward during each step
Ideal flow is designed to keep the user moving forward with every step.
It’s better to keep the consumer moving forward than to have a consumer get frustrated and abandon the application
If the consumer doesn’t receive the text the first time it’s unlikely they will with a retry
MobileAuth
If MobileAuth fails at any step, waterfall to Instant Link
Is Possession Check Required?
Conditions of Possession Check Pass
Internal Notes
Yes
LinkClicked=True
Phone Match: MNO should not be enabled by default. MNO (phone match) should only be enabled if IL+ (MP6) purchased.
IPAddressMatch: Customer should NOT be declining for IPAddressMatch=False. If customer wants to go-live with a block in place, this is an exception and impacts pass rates. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO (MFP, DFP)
Omitting a possession check will result in failure of Staging Certification
Required Service
Required Model
Requirement Notes
Internal Notes
Trust Score (MP-7)
/trust/v2
Onboarding
A reputation check is required
Omitting a reputation check will result in failure of Staging Certification
MNO check is out of scope unless MP8 (Trust+) is purchased as an add-on. This includes all elements marked as “only returns if consentStatus=OptedIn”
Conditions of Reputation Check Pass
Internal Notes
trustScore >=630
If customer wants to use the reason codes and not the score, this requires an exception. Exception required if customer attempts to use lower score"
Conditions for Displaying the Pre-Filled PII
Internal Notes
Display Pre-Filled PII if consumer passed the Possession and Reputation checks
The customer should still display Pre-Fill screens if OS and OV flag - customer should not be declining at this point for these reason codes. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO checks (MFP, DFP)
Scenario
Required Ownership Service
Conditions of Ownership Pass
Internal Notes
P1 Pre-Fill:
If consumer pre-fills and does not edit
Pre-FIll
-identity/v2
Successfully Pre-filled AND Reason Codes NOT: OS, OV
Prove Verify Required as IDV check:
Customer is required to use Prove Verify as opposed to their own vendor. If customer chooses to use their own vendor, exception is required and Prove cannot complete a fraud/product investigation without using Verify
Additional Reason Codes Logic:
Customer should NOT be declining for additional reason codes. If customer wants to go-live with a block in place, this is an exception. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO (MFP, DFP)
P1 Pre-Fill: If consumer Pre-Fills and edits or manually enters their info
Prove Verify
-verify/v2
Verified=True ANDReason Codes NOT: OS, OV
Scenario
Required Ownership Service
Conditions of Ownership Pass
Internal Notes
P2 Compliance Use Case
/verify/v2
Verified=True ANDReason Codes NOT: OS, OV
Prove Verify Required as IDV check:
Customer is required to use Prove Verify as opposed to their own vendor. If customer chooses to use their own vendor, exception is required and Prove cannot complete a fraud/product investigation without using Verify
Additional Reason Codes Logic:
Customer should NOT be declining for additional reason codes. If customer wants to go-live with a block in place, this is an exception. As best practice, Customer should monitor this behavior in Production and factor into overall risk decision during their final policy decision after completion of PRO (MFP, DFP)
Phone Possession
Phone Reputation
Phone Ownership
Decision/Outcome
Pass
Pass
Pass
Identity Verified
Pass
Fail
Pass
Failed Prove Policy, client-owned decision
(e.g., step up, ID validation)
Pass
Fail
Fail
Pass
Pass
Fail
Fail
Fail
Pass
Fail
Pass
Fail
Fail
Pass
Pass
Fail
Fail
Fail
Instructions
Conditions of CIP Pass
Conditions of CDD Pass
Please use the CIP and CDD pass conditions along with the matrix below to decision appropriately
multiCipConfidence: High > PASS
KYC total hits =0. No hits on sanctions, watchlists, or PEP based on watchlists your organization sets specific to your organization’s compliance policies
Phone Possession
Phone Reputation
Phone Ownership
CIP
KYC/CDD
Outcome
Pass
Pass
Pass
Pass
Pass
Auto Approve
Pass
Pass
Pass
Either CIP or CDD Fails
Failed Prove Policy. Enter Exception process - Pend & Review Policy
Fail
Pass
Pass
Pass or Fail
Pass or Fail
Pass
Fail
Pass
Pass or Fail
Pass or Fail
Pass
Pass
Fail
Pass or Fail
Pass or Fail
Pass
Fail
Fail
Pass or Fail
Pass or Fail
Fail
Fail
Pass
Pass or Fail
Pass or Fail
Fail
Pass
Fail
Pass or Fail
Pass or Fail
Fail
Fail
Fail
Pass or Fail
Pass or Fail
