Requirements Relating to the Sharing of Data and Initiation of Transactions
Article (15) Obligations of licensees
Licensees who are Data Holders and Service Owners must:
1.1. establish and maintain a dedicated interface to provide secure on-line access to Accounts and Products by Open Finance Providers through the API Hub and other relevant components of the Open Finance Framework; 1.2. within fourteen (14) days of receipt of approval from the Central Bank to perform Open Finance Services, register and maintain their registration as a participant under the Trust Framework; and 1.3. co-operate openly and in a timely manner, as specified in this Regulation and any accompanying Regulations, with an Open Finance Provider with regard to the sharing of User Data of the Users who are customers of the Licensee and/or the initiation of Transactions, subject to the User’s consent. A Licensee must not share any User Data in its possession where that User is not a customer of the Licensee, or where the Licensee receives the User Data from a Service Owner. - No Person shall engage in data scraping, or any other similar data extraction activity, whether or not in conjunction with automated data entry, in order to undertake any activities subject to this Regulation except as permitted under applicable laws. No Person shall engage in the interception of digital connections, including but not limited to the application programming interface, between the public interfaces and other systems of a Licensee’s online or mobile applications by way of reverse engineering or any other similar activity, except as permitted under applicable State laws.
Article (16) Obligations relating to Data Sharing
- The Data Sharing obligations under Article 16 of this Regulation apply only in relation to User Data.
- Subject to provision of the User’s consent in accordance with Article 22 of this Regulation, where a User uses Data Sharing provided by a Data Service Provider to consolidate information relating to the User Data of that User, the Data Holder must:
2.1 communicate the information relating to the User Data in accordance with the request received; 2.2 treat a request for information relating to the User Data in the same way as a request solely received directly from the User; and 2.3 communicate securely with the Data Sharing Provider in accordance with this Regulation and other applicable Regulations and requirements of the Open Finance Framework. - A Data Sharing Provider must:
3.1 only provide Data Sharing in accordance with the User's explicit consent and instructions; 3.2 not Process any User Data that is Sensitive Data for the provision of Data Sharing, even with the explicit consent of the User; 3.3 ensure that the User's personalised security credentials, such as Personal Identification Numbers (PIN) and/or passwords, are: 3.3.1 not accessible to other parties, with the exception of the issuer of the credentials; and 3.3.2 transmitted through secure and efficient channels. - The Data Sharing Provider must identify itself to and communicate securely with the Data Holder and the User.
- The Data Sharing Provider must not use, access or store any information for any purpose except for the provision of the Data Sharing services explicitly requested by the User, except where necessary to comply with any applicable law of the State.
Article (17) Obligations relating to Service Initiation
1. The obligations under Article 17 of this Regulation relating to Service Initiation apply only in relation to relevant Accounts and Products. 2. Where a User gives explicit consent for a Transaction to be Initiated through a Service Initiation Provider, the Service Owner must: 2.1 communicate securely with the Service Initiation Provider in accordance with the Regulations and requirements of the Open Finance Framework; 2.2 immediately after receipt of the instruction to Initiate a Transaction for the User, provide or make available to the Service Initiation Provider all information required for the initiation of the Transaction, and subsequently display the status of the Transaction to the User, until its completion; and 2.3 treat the instruction to Initiate the Transaction in the same way as an instruction solely received directly from the User. 3. A Service Initiation Provider must: 3.1 only provide Service Initiation in accordance with the User's explicit consent and instructions; 3.2 ensure that the User's personalised security credentials, such as PIN and/or passwords, are: 3.2.1 not accessible to other parties, with the exception of the issuer of the credentials; and 3.2.2 transmitted through secure and efficient channels. 4. Each time it Initiates a Transaction, the Service Initiation Provider must identify itself to the Service Owner and communicate securely with the Service Owner. 5. In providing its services the Service Initiation Provider must not use, access or store any information for any purpose except for the provision of the services explicitly requested by the User, except where necessary to comply with any applicable law of the State.