Skip to main content
Release: CX-Io (preview)

CX-0080 BPDM Fraud Prevention Service v1.1.0

ABSTRACT

Digital fraud risks are constantly increasing, e.g., in the form of fake invoices sent in the name of real suppliers, but with third-party (fraudster) account data. The Fraud Prevention Service provides information on most recent fraud cases which have been shared within the Catena-X (CX) network by contributing companies. It therefore benefits from the overall idea of data sharing within the Catena-X community as such information is nowhere available in any data source accessible along the automotive supply chain.

There is a strong need to create such a reliable data source by anonymously sharing fraud details within the CX member network.

This data shall be made accessible and consumable via dashboard & reporting functionalities.

By using this information, the CX community has the chance to prevent fraud cases in their own companies as they can use shared data about e.g., fraudulent bank accounts to stop payments and so avoid financial losses and reputation damage.

The purpose of this standard is to describe guidelines and requirements specific for the challenges of fraud risks in order to minimize such threats and implications for the own company. It focuses on fraudulent bank data as the most common fraud type although other relevant fraud types are also considered.

FOR WHOM IS THE STANDARD DESIGNED

This standard is designed for Business Application Provider.

COMPARISON WITH THE PREVIOUS VERSION OF THE STANDARD

VersionPublishing DateDescription of Change
1.1.02024-03-13Updated to template v2.0.0. Added chapter 2.6 Data Types and 2.8 Data Attributes, Added chapter 2.7 for data sovereignty as additional requirement.

1 INTRODUCTION

1.1 AUDIENCE & SCOPE

This section is non-normative

This standard is relevant for the following audience:

  • Catena-X certified Operational Companies acting as:
    • Business Application Provider
    • Data Provider and Consumer

This document focuses on the requirements regarding provision of fraud data and getting access to such data via reporting- / dashboard functionalities.

It is relevant for business application providers who want to provide services for collecting, aggregating and reporting fraud data by empowering the CX companies to provide such data in an easy but formalized, secure and anonymous way.

It is also relevant for data providers and consumers as it is initially the CX community who acts as data provider and consumer itself and can be extended with other communities or data providers.

Data Sovereignty: The FPS API allows to download DQD quality results of business partner data in a data sovereign way, because each Catena-X member has its own area of business partner data in BPDM, where private data (like customer / supplier relationships) is only visible to the Catena-X member.

1.2 CONTEXT AND ARCHITECTURE FIT

This section is non-normative

Fraud prevention service (FPS) is a value-added service (VAS) in the area of Business Partner Data Management which addresses the challenges for a company in terms of legal, compliance- and finance-related requirements.

FPS has to visualize the outcome of the fraud prevention screening results via a dashboard.

FPS uses the Gate API CX-0074_v3.0.0 and the Pool API CX-0012_v4.0.0 based on the CX-0018 Data Space Connectivity 3.0.0 for pulling BP data records. FPS is a client/ server cloud application which contains a Web Client and a Cloud Server Application.

1.3 CONFORMANCE AND PROOF OF CONFORMITY

This section is non-normative

All sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD and SHOULD NOT in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

All participants and their solutions will need to prove, that they are conform with the Catena-X standards. To validate that the standards are applied correctly, Catena-X employs Conformity Assessment Bodies (CABs).

To prove conformity with this standard providing a self-audited, stated and signed document that the syntax of the number is established is needed.

1.4 EXAMPLES

N/A

1.5 TERMINOLOGY

This section is non-normative

TermDescription
Fraud Case TypeDescribes the type of fraud case, e.g., active warning, fake bank data change or falsified Invoice.
Confirmation StateSpecifies whether a fraud case is confirmed or not.
Date of AttackSpecifies the date of the attack.
DescriptionSome explanation and background to a fraud case.
International Bank Account Identifier (IBAN)IBAN as to be defined by the European Payments Council for SEPA, European Committee for Banking Standards (ECBS) for IBAN based on ISO 13616
Business Identifier Code (BIC)This field contains the BIC code according to ISO 9362 and is also known as SWIFT-BIC, SWIFT ID, or SWIFT code, after the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which is designated by ISO as the BIC registration authority (SWIFT).
Country CodeCountry the bank account is present respectively where the fraud case has occurred. Country Code as defined in ISO 3166-1
Region or State CodeCode represents the region or dependent state as defined in ISO 3166-2
National Bank Account Number (NBAN)National Bank Account Number
Bank NameName of the bank
Fraudster EmailEmail the fraudster used to communicate with the affected company
Fraudster PhonePhone the fraudster used to communicate with the affected company

The Fraud Prevention Service has to provide at a minimum the following results:

TermDescription
Reporting Data and TimeSpecifies the date and time the fraud case was reported.
Reporting OrganizationSpecifies the organization that reported the fraud case. So, the organization that submitted the fraud case in the CX system.
Internal IDSequential and unique number to identify the fraud case.
FrequencyNumeric field how often the fraud case was confirmed e.g., by using the same IBAN-no.
Fraud Case CounterTotal no. of reported fraud cases within this service

2 MAIN CONTENT

This section is normative

The Fraud Prevention Service (FPS) is a reporting and monitoring solution and MUST provide the following capabilities as minimum requirement:

1. Fraud case reporting:

  • User interface for unified reporting of fraud cases, integrated in the Fraud Prevention Dashboard (FPD)
  • Template for entering fraud data by the CX member
  • Individual selection of different fraud case types and status
  • Anonymized distribution of fraud cases to an aggregated CX fraud case database as basis for dashboard display (although the information about the fraud case originator MUST be retrievable by the service provider for e.g., audit reasons)

2. Dashboard functions:

  • Administration functionality
    • Switch between languages (MUST: German and English, others optional)
    • User information (name, corresponding CX-registered organization) based on CX-role and authorization management
    • Export / Download function for dashboard content (including graphical reports)
  • Selection functionality
    • Individual selection of fraud case types (including multi-selection)
    • Individual selection of time periods of interest
  • Display functionality
    • Graphical reports:
      • Graphical reports MUST reflect the chosen time period as well as the selected fraud case types
      • The reports MUST illustrate the following:
        • CX-Fraud case distribution per country (with figures)
        • Number of CX-reported fraud cases over time per fraud case type
    • List report:
      • The list report MUST contain all CX-reported fraud cases
      • There MUST be filter and sort functions for the list content in order to focus on e.g., relevant time periods, fraud case types or countries
      • There MUST be a search function for a content look-up like IBAN-Number. (if provided in the reported fraud cases)
      • There MUST be an export function for the list report in a common standard format

The Fraud Prevention Service has to contain the following functionalities:

  • Getting informed about most recent fraud cases reported by CX members
  • Selecting different fraud types and time ranges
  • Discovering trends and conspicuities by using graphical front ends
  • Searching the CX fraud database for different values/strings, e.g., IBAN
  • Retrieving fraud case details with sort- & filter functions
  • Reporting new fraud cases directly out of the dashboard
  • Exporting in different formats and on different levels

2.1 FRAUD PREVENTION SERVICE DATA ATTRIBUTES

The Fraud Prevention Service API MUST contain at least the following data attributes:

Fraud Case TypeDescribes the type of Fraud Case, e.g., active warning, fake bank data change or falsified Invoice.
Confirmation StateSpecifies whether a fraud case is confirmed or not.
Date of AttackSpecifies the date of the attack.
DescriptionSome explanation and background to a fraud case.
International Bank Account Identifier (IBAN)IBAN number as to be defined by the European Payments Council for SEPA, European Committee for Banking Standards (ECBS) for IBAN based on ISO 13616
Business Identifier Code (BIC)This field contains the BIC code according to ISO 9362 and is also known as SWIFT-BIC, SWIFT ID, or SWIFT code, after the Society for Worldwide Interbank Financial Telecommunication (SWIFT), which is designated by ISO as the BIC registration authority (SWIFT).
Country CodeCountry the bank account is present respectively where the fraud case has occurred. Country Code as defined in ISO 3166-1
Region or State CodeCode represents the region or dependent state as defined in ISO 3166-2
National Bank Account Number (NBAN)National Bank Account Number
Bank NameName of the bank

2.2 API ENDPOINTS AND RESOURCES

The resources MUST use the well-known HTTP request methods for CRU(D) operations:

  • POST MUST be used for create requests  
  • PUT MUST be used for update requests  
  • GET MUST be used for read requests  

POST MAY also be used for read requests, if input is not given by parameters but rather by an HTTP body to bypass maximum URL length. PUT MAY also be used for upsert requests (create or update) if this is required. A state (active / inactive) at each entity MUST be used for a soft delete, so that the request method DELETE SHALL NOT be used. Other HTTP request methods SHALL NOT be used, including PATCH.

Uploading and downloading data to/from the FPD API MUST follow a staging concept with two stages, so that consumers of the FPD API can compare what they have uploaded into the input stage against what kind of BDV rule results and status code was provided for each bank data in the output stage. The following controllers MUST distinguish between an input and an output stage.

The resources MUST use the HTTP request methods for READ operations:

  • GET MUST be used for read requests

2.3 FRAUD PREVENTION API DATA ATTRIBUTES

The Fraud Prevention Dashboard API MUST support requests for the following data attributes or combinations of these for read operations:

Fraud Prevention Service API Data FieldsFormat
IBANAlphanumeric String
BIC/SWIFTAlphanumeric String
NBANAlphanumeric String
Bank NameAlphanumeric String
Country Code2-digit alphanumeric string
Region or State Code6-digit alphanumeric string
Confirmation StateEnum
Date of AttackDate format
Fraud Case CounterNumeric
Fraud Case TypeEnum

2.4 Fraud Prevention DATA CONTROLLER

The fraud prevention data controller MUST allow to create, update, or read (search / return) i.e. bank data records related to an External Identifier or BPN ID. It MUST have the following resources:

Fraud Prevention Data Controller Resources Description 
PUT/api/fpd/input/bank data Creates bank data record or updates existing bank data record. 
GET/api/fpd/output/bank data recordReturns bank data record by different search parameters. 
GET/api/fpd/input/bank data recordsReturns bank data record by different search parameters. 

2.5 Fraud Prevention DATA SHARING STATE CONTROLLER

The sharing state controller MUST allow to create, update, or read sharing state entries of bank data records.  The sharing state controller MUST have the following resources:

Sharing State Resources Description 
GET/api/fpd/sharing-state Returns sharing states of bank data filtered by IBAN, BIC, NBAN, External Identifier, BPN ID and type, country, fraud status code 
PUT/api/fpd/sharing-state Creates or updates a sharing state of a bank data record 

2.6 AVAILABLE DATA TYPES

The API MUST use JSON as the payload format transported via HTTP. Other formats can be added. These are then, however, OPTIONAL.

2.7 DATA ASSET STRUCTURE

The following data assets MUST be registered at the Core Service Provider so that the Sharing Member can negotiate an API usage contract with the Core Service Provider and access its dedicated BPDM Gate (hosted by the Core Service Provider) through these data assets[^6]:

NameTypeVersionDescription
UploadAccessForSharingMemberFPD1.0Grants the Sharing Member full access to the FPD Admin function, FPD database and FPD changelog. This contains create / update FPD admin settings by Sharing Member role by FPD function, activate and deactivate the usage of external data sources via defined APIs and license keys.
UploadBankingDataAccessForSharingMemberFPD1.0Grants the Sharing Member full access to create / update Banking data records from Sharing Member
ReadAccessFPDOutputForSharingMemberFPD1.0Grants the Sharing Member read access of the FPD changelog.
The OAuth2 client permissions MUST be configured to solely allow access to the API resources defined in the corresponding asset, checking HTTP method (read vs. full access), path, query parameters and body of the HTTP request.

2.8 ADDITIONAL REQUIREMENTS

2.8.1 CONVENTIONS FOR USE CASE POLICY IN CONTEXT OF DATA EXCHANGE

In alignment with our commitment to data sovereignty, a specific framework governing the utilization of data within the Catena-X use cases has been outlined. A set of specific policies on data offering and data usage level detail the conditions under which data may be accessed, shared, and used, ensuring compliance with legal standards.

For a comprehensive understanding of the rights, restrictions, and obligations associated with data usage in the Catena-X ecosystem, we refer users to

  • the detailed ODRL policy repository. This document provides in-depth explanations of the terms and conditions applied to data access and utilization, ensuring that all engagement with our data is conducted responsibly and in accordance with established guidelines.
  • the ODRL schema template. This defines how policies used for data sharing/usage should get defined. Those schemas MUST be followed when providing services or apps for data sharing/consuming.

2.8.2 ADDITIONAL DETAILS REGARDING ACCESS POLICIES

A Data Provider may tie certain access authorizations ("Access Policies") to its data offers for members of Catena-X and one or several Data Consumers. By limiting access to certain Participants, Data Provider maintains control over its anti-trust obligations when sharing certain data. In particular, Data Provider may apply Access Policies to restrict access to a particular data offer for only one Participant identified by a specific business partner number:

  • Membership
  • BPNL

2.8.3 ADDITIONAL DETAILS REGARDING USAGE POLICIES

In the context of data usage policies (“Usage Policies”), Participants and related services MUST use the following policy rules:

  • Use Case Framework (“FrameworkAgreement”)
  • at least one use case purpose (“UsagePurpose”) from the above mentioned ODRL policy repository.

Additionally, respective usage policies MAY include the following policy rule:

  • Reference Contract (“ContractReference”).

Details on namespaces and ODRL policy rule values to be used for the above-mentioned types are provided via the ODRL policy repository.

2.9 ERROR HANDLING

The following http response codes MUST be defined for all resources:

  • 200 – OK
  • 400 – Bad Request
  • 401 – Unauthorized
  • 403 – Forbidden
  • 404 – Not Found
  • 500 – Internal Server Error

HTTP Status Code Registry MUST be adhered to in the implementation for the decision on when to use which error code: https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml

3 REFERENCES

3.1 NORMATIVE REFERENCES

This section is normative

  • The country codes and the country names used in FPD MUST comply with ISO 3166-1.
  • The Region or State Codes used in FPD MUST comply with ISO 3166-2.

3.2 NON-NORMATIVE REFERENCES

This section is non-normative

  • BPDM Catena-X Website

  • The Fraud Prevention Dashboard design relies on the Catena-X style guide.

  • The Business Identifier Code (BIC) provided in the fraud reporting template shall be according to ISO 9362.

  • The International Bank Account Number provided in the fraud reporting template shall be according to ISO 13616.

3.3 REFERENCE IMPLEMENTATIONS

This section is non-normative

Not applicable.

ANNEXES

FIGURES

This section is non-normative

Not applicable.

TABLES

This section is non-normative

Not applicable.

Copyright © 2024 Catena-X Automotive Network e.V. All rights reserved. For more information, please visit here.