Authentication and Secure Communication
Article (18) Authentication
1. Licensees who are Data Holders and Service Owners must apply authentication procedures in accordance with Article 18(2) of this Regulation, where a User:
   1.1 accesses Account or Product information through a Data Sharing Provider conducting Data Sharing activities; or
   1.2 initiates a Transaction through a Service Initiation Provider conducting Service Initiation activities.
2. Licensees who are Data Holders and/or Service Owners must select and implement a reliable and effective authentication procedure to verify the identity and validate the authority of the User. At a minimum, the procedure must require two-factor authentication, including elements of knowledge, possession or inherence. Additional procedures must be applied in higher-risk circumstances. Licensees who are Data Holders and/or Service Owners must also comply with any additional requirements specified from time to time by the Central Bank.
3. Providers of Data Sharing and/or Service Initiation may rely on authentication procedures performed by the Data Holder or Service Owner, as appropriate.
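The following is an added illustration of how a Data Holder might encode the Article 18(2) minimum as a policy check; it is not part of the Regulation or of any Central Bank guidance. It assumes the conventional reading that the two factors must come from two distinct categories (knowledge, possession, inherence), so that a password plus a PIN does not count, and it assumes its own step-up rule and risk signals (the amount threshold, new-payee and untrusted-device flags, and the requirement of a third category for higher-risk Service Initiation), none of which the Regulation specifies. Factor kinds such as `device_key` and `hardware_otp` are hypothetical labels.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Factor categories named in Article 18(2)."""
    KNOWLEDGE = "knowledge"      # something only the User knows (password, PIN)
    POSSESSION = "possession"    # something only the User has (device key, OTP token)
    INHERENCE = "inherence"      # something the User is (fingerprint, face)


# Hypothetical factor kinds and their categories; a real deployment would
# take these from the verifier that actually checked each factor.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "device_key": Category.POSSESSION,
    "hardware_otp": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}

# Assumed step-up threshold; the Regulation names no figure or currency.
HIGH_VALUE_THRESHOLD = 10_000


@dataclass(frozen=True)
class Factor:
    kind: str        # key into FACTOR_CATEGORY
    verified: bool   # outcome reported by the factor's own verifier


@dataclass(frozen=True)
class Request:
    action: str                 # "data_access" (Art. 18(1.1)) or "service_initiation" (Art. 18(1.2))
    amount: float = 0.0         # Transaction amount for Service Initiation
    new_payee: bool = False     # assumed risk signal
    device_trusted: bool = True # assumed risk signal


@dataclass(frozen=True)
class Decision:
    allowed: bool
    categories: frozenset
    higher_risk: bool
    reason: str


def is_higher_risk(req: Request) -> bool:
    """Assumed risk signals that trigger the 'additional procedures' clause."""
    return req.action == "service_initiation" and (
        req.amount >= HIGH_VALUE_THRESHOLD or req.new_payee or not req.device_trusted
    )


def evaluate(req: Request, factors: list) -> Decision:
    """Decide whether the presented factors satisfy the authentication procedure.

    Only verified factors count, and they are counted by category rather than
    by number: two knowledge factors (password + PIN) are one category and do
    not satisfy two-factor authentication under this policy.
    """
    higher = is_higher_risk(req)
    for f in factors:
        if f.kind not in FACTOR_CATEGORY:
            # Fail closed: an unclassified factor cannot be credited to any category.
            return Decision(False, frozenset(), higher, f"unknown factor kind {f.kind!r}")
    cats = frozenset(FACTOR_CATEGORY[f.kind] for f in factors if f.verified)
    if len(cats) < 2:
        return Decision(False, cats, higher, "fewer than two distinct factor categories verified")
    if higher and len(cats) < 3:
        # Assumed step-up rule: higher-risk Service Initiation needs all three categories.
        return Decision(False, cats, higher, "higher-risk request requires a third factor category")
    return Decision(True, cats, higher, "authentication procedure satisfied")


if __name__ == "__main__":
    # Constructed sample: a high-value payment to a new payee with only two categories.
    req = Request("service_initiation", amount=25_000, new_payee=True)
    print(evaluate(req, [Factor("password", True), Factor("device_key", True)]))
```

The check deliberately counts categories, not factors, and rejects unknown factor kinds rather than ignoring them; both choices keep a misconfigured verifier from quietly lowering the bar below the Article 18(2) minimum.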
Article (19) Secure Communication
1. All participants in Open Finance must use common and secure open standards of communication for the purpose of identification, authentication, notification and information, as well as for the implementation of security measures, between Licensees who are Data Holders and/or Service Owners and Data Sharing Providers, Service Initiation Providers, Users, Payers, Payees and other relevant parties.
2. All communications must be conducted in accordance with the Regulations, as prescribed from time to time by the Central Bank, pursuant to the Open Finance Framework.
3. Licensees offering Accounts or Products that are accessible online must have in place at least one interface which meets each of the following requirements:
   3.1 Data Sharing Providers and Service Initiation Providers can identify themselves to the Licensees;
   3.2 Data Sharing Providers can communicate securely to request and receive information on one or more Products and/or Accounts; and
   3.3 Service Initiation Providers can communicate securely to provide Service Initiation and receive information on Service Initiation and the associated Transaction.
4. Licensees must establish the interface referred to in Article 19(3) of this Regulation by means of a dedicated interface or by allowing use by the Open Finance Providers of the interface used for authentication and communication with the Licensee's User.
5. Licensees must also ensure that any dedicated interface referred to in Article 19(3) of this Regulation uses ISO 20022 elements, components or approved message definitions, for financial messaging, as amended/updated from time to time.
6. Information held by the Data Holder or Service Owner must only be accessed for the purposes of providing Open Finance Services and any relevant ancillary activities in compliance with the requirements of this Regulation.
Article (20) Obligation Toward Users
1. Open Finance Providers must operate prudently and ethically and with competence, in a manner that will not adversely affect the interests of a User or potential User.
2. Open Finance Providers must provide a User with written terms and conditions governing their contractual relationship with the User in advance of entering into a relationship with a User for the provision of Open Finance Services.
3. The terms and conditions referred to in Article 20(2) of this Regulation must be written in clear, plain and understandable language, in a manner that is not misleading, and must, at a minimum, be available in Arabic and in English. To the extent that the Open Finance Provider is contractually entitled to make changes to its terms and conditions, the Open Finance Provider must provide at least sixty (60) calendar days' notice to the User of such changes.
4. A User is entitled to terminate its relationship with an Open Finance Provider, at no charge (direct or indirect), if the User does not accept the change(s) to the Open Finance Provider's terms and conditions notified to the User under Article 20(3) of this Regulation.
5. An Open Finance Provider's terms and conditions with Users must at a minimum set out the following:
   5.1 schedule of fees and charges;
   5.2 contact details of the Open Finance Provider, including legal name and registered address, and the address of the agent, where applicable;
   5.3 the communication channel(s) between the Open Finance Provider and the User;
   5.4 the manner and timeline for notification by the User to the Open Finance Provider in case of unauthorised, delayed or incorrect Service Initiation;
   5.5 information on the Open Finance Provider's and the User's respective liability for Unauthorized Transactions;
   5.6 information on the Open Finance Provider's complaints procedure;
   5.7 information on the manner in which disputes between the Open Finance Provider and the User are to be resolved; and
   5.8 the Open Finance Provider's procedure for reporting of Unauthorized Transactions.