Product decisions
These are choices your product team makes in the customer-facing experience. They directly affect customer satisfaction and support volume.
Show the fee before the customer confirms
The two-step flow (initiate → process) is designed for this: your system receives the fee amount before any funds move. Use that window to show a clear confirmation screen:
Handle operating hours gracefully
TED OUT is available Monday–Friday, 06:30–17:00 (Brasília time). When a customer tries to initiate outside those hours, don’t just surface an error — tell them when they can try again:bacen_holidays table, seeded for 2026–2099. The daily refresher runs by default and re-applies the built-in seed; it does not fetch live from ANBIMA, because ANBIMA only publishes a legacy non-machine-readable spreadsheet — the seed is the authoritative source until that changes.
If a transfer is rejected due to a holiday, surface that reason to the customer. Instead of replicating the calendar on the client, rely on the plugin as the source of truth to avoid inconsistencies over time.
Communicate transfer limits before customers hit them
Show the customer’s remaining daily limit in your transfer UI — before they attempt a transfer that will be rejected. For example:Show confirmation receipts after completion
After a TED OUT or P2P transfer completes, display — or offer to download — a receipt with:- Transfer date and time
- Sender and recipient details
- Amount, fee, and total
confirmationNumber(your internal reference)controlNumber(JD SPB reference, for TED OUT only)
Keep customers informed in real time
Use webhooks to push transfer status updates to your UI as they happen. Don’t make customers refresh or wonder if their transfer went through. See TED webhooks for setup.Compliance decisions
These are requirements that apply to your integration regardless of your product choices.
LGPD and personal data
Transfer records contain personal data — customer names, CPF/CNPJ, and bank details. Ensure your privacy policy explicitly covers financial transaction data. Avoid logging CPF/CNPJ in plain text; mask it in interfaces as***.***.***-00.
A dedicated anonymization endpoint for LGPD right-to-erasure requests is planned for a future release. Until then, coordinate anonymization requests with your database administration team.
Data retention
| Data type | Retention period |
|---|---|
| Transaction records | 5 years (BACEN requirement) |
| Application logs | 90 days |
| Audit data | 5 years (anonymized after 2 years) |
Audit trail and reconciliation
Every transfer generates two reference numbers you must store:| Field | What it is | When to use |
|---|---|---|
transferId | Internal Lerian identifier | API lookups, support cases |
confirmationNumber | User-readable reference | Receipts, customer communication |
controlNumber | JD SPB reference (TED OUT only) | BACEN audit trail, regulatory reporting |
transferId and confirmationNumber in your own records for reconciliation. For TED OUT, also store the controlNumber.
Operating hours
BACEN mandates that TED operates Monday–Friday, 06:30–17:00 (Brasília time, UTC-3). The plugin enforces this window by default; the open/close times are operator-adjustable at runtime (within BACEN limits) via systemplane, but treat 06:30–17:00 as the norm. Build your UX around it — see Handle operating hours gracefully above.P2P transfers are not subject to operating hour restrictions and work 24/7.
Integration checklist
Before going live, verify the following:
- Idempotency keys on all write operations — Send a UUID v4
X-Idempotencyheader on every call toinitiate,process, andcancel. This prevents duplicate transfers from retries or double-clicks. - Webhook endpoint live before launch — Your webhook endpoint must be deployed and reachable before you go live. Transfer events start firing immediately on the first real transaction.
- 24-hour expiry handled — An initiated transfer expires if not confirmed within 24 hours. If your flow allows a customer to start a transfer and return later, handle the expiry case explicitly.
- Exponential backoff on 5xx errors — Implement retry with backoff (e.g., 2s, 4s, 8s) when the response is
503or500. JD SPB unavailability surfaces as503with a raw JD vendor code (TRANSPORT,ACE95, …); Midaz ledger unavailability surfaces asBTF-2000. Do not retry immediately in a loop. - Operating hours validated client-side — Check hours in the UI before calling the API. Reduces unnecessary failed API calls and gives a better customer experience.
- Both
transferIdandconfirmationNumberstored — Required for reconciliation and audit. For TED OUT, also storecontrolNumber.
Error handling
Use these error scenarios to map API errors to customer-friendly messages and define the correct recovery path.
| Scenario | Customer-facing message | Recovery |
|---|---|---|
Outside operating hours (BTF-0010) | “TED transfers are available Monday–Friday, 06:30–17:00. Next available time: [date/time].” | Recoverable — wait for the next window |
Insufficient balance (BTF-2003, HTTP 422) | “Your account doesn’t have enough balance for this transfer.” | Recoverable — customer adds funds or reduces the amount |
Daily limit reached (BTF-0011) | “You’ve reached your daily transfer limit of R$ [X]. Limit resets at midnight.” | Recoverable — wait for reset |
Invalid recipient (BTF-0500) | “Destination account not found. Please check the account details and try again.” | Recoverable — customer corrects details |
Service unavailable (TRANSPORT, HTTP 503, raw JD code) | “Transfer service is temporarily unavailable. Please try again in a few minutes.” | Recoverable — retry with backoff |
Duplicate transfer (BTF-0012) | “An identical transfer was sent recently. If this was intentional, wait a moment and try again.” | Conditional — wait for the deduplication window to clear |