Open Finance Regulation
C 7/2023 Effective from 15/4/2024
Introduction and Scope
This Open Finance Regulation (this Regulation) establishes a framework for the licensing, supervision and operation of an Open Finance Framework in the United Arab Emirates. The Open Finance Framework consists of a Trust Framework, an API Hub and Common Infrastructural Services, which provide Open Finance access for the cross-sectoral sharing of data and the initiation of Transactions, on behalf of Users.
Mandated Entities
Participation in the Open Finance Framework is mandatory for all Licensees with respect to the Products and Services within its scope. Licensees (as Data Holders and Service Owners) are required under this Regulation to provide participants in the Open Finance Framework (as data recipients and service initiators) with access to customer data and the ability to Initiate Transactions on customer Accounts and Products.
Data Sharing and Service Initiation of Transactions are in all cases subject to the express consent of Users, the application of appropriate authentication processes and the use of secure communication. This Regulation, and the rights of access to data and Accounts established hereunder, do not apply with respect to activities that are not regulated by the Central Bank.
Licensees mandated by this Regulation to provide Open Finance access include the following entities:
a. Banks incorporated in the UAE.
b. branches of foreign Banks/representative offices of foreign Banks.
c. specialized Banks.
d. restricted license Banks.
e. Islamic Banks and Islamic windows.
f. Finance Companies.
g. payment service providers (category 1/2/3/4).
h. retail payment systems providers.
i. stored value facility providers.
j. exchange houses.
k. loan-based crowdfunding companies.
l. Insurance Brokers.
m. Insurance Companies (national companies and foreign branches).
n. any other entity deemed to be a relevant Licensee by the Central Bank.
The Licensees which are mandated to provide Open Finance access, pursuant to this Regulation, will be onboarded in phases. The first phase will include all Banks, including branches of foreign banks, and Insurance Companies (national companies and foreign branches) only. Later phases of the onboarding will be announced by the Central Bank through official channels.
Open Finance Providers and their Licensing
In order to facilitate the adoption of Open Finance and the participation of businesses as licensed Data Sharing Providers and/or Service Initiation Providers, this Regulation establishes a new category of regulatory license for providers of Open Finance Services. Open Finance Providers will be the holders of such a license, which enables them to undertake Data Sharing and/or Service Initiation.
Providers of Open Finance Services can opt for either one or both of the options to undertake Data Sharing or Service Initiation under an Open Finance License.
Without prejudice to other regulatory licenses that they hold, an Open Finance License will not permit license holders to perform any other category of licensed activity and, in particular, will not entitle license holders to provide any form of Advice or to arrange or mediate Transactions in licensed activities, or hold customer funds in any form. Open Finance Providers must separately obtain or hold the additional regulatory licenses required to undertake any other licensed activity or activities.
Persons Deemed Licensed
Certain categories of Licensees, as specified in Article 3 of this Regulation, are treated as Persons Deemed Licensed. A Person Deemed Licensed must notify the Central Bank in writing of the intention to provide any Open Finance Service, setting out full details of its intended activities, and obtain the approval of the Central Bank prior to commencing such activities.
Articles Applicable to Licensees
All Licensees, whether or not they are engaged in the provision of Open Finance Services, must comply with the requirements of this Regulation with regard to Data Sharing and Service Initiation by Users through Open Finance Providers and specifically the requirements in Articles 18 to 22 of this Regulation.
Objectives
In exercising its powers and functions under this Regulation, the Central Bank has regard to the following objectives:
a. Ensuring the safety and soundness of Open Finance Services;
b. Adoption of effective and risk-based licensing requirements for Data Sharing and Service Initiation;
c. Promoting the reliability and efficiency of Open Finance Services as well as public confidence;
d. Encouraging innovation to promote competition and to benefit consumers through enhanced transparency across all financial products and services; and
e. Reinforcing the UAE's status as a leading financial technology hub in the region.
Where this Regulation, or its accompanying Regulations, includes a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements that are additional to those provided in the relevant article.
Article (1) Definitions
The following terms shall have the meaning assigned to them below for the purposes of this Regulation:
- Account: an account held by a User with a Licensee relating to one or more of the Products specified in Article 5 of this Regulation.
- Advice: advice on Products or Accounts and includes any method of communication that provides an opinion, evaluation, recommendation, and/or biased information / comparisons to a User or when acting as a User’s agent, provided that it could reasonably be regarded as having the intent to influence a User’s choice or decision to select, buy, sell, hold or subscribe to a particular Product or Account, related options or an interest in a particular Product or Account.
- AML Laws: Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations and Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended, and any instructions, guidelines and notices issued relating to their implementation.
- API Hub: the centralized Application Programming Interface Hub established by the Central Bank, through which parties will be able to access the Open Finance Framework.
- Applicant: any juridical person duly incorporated in the State which submits an Application.
- Application: a written request for obtaining an Open Finance License.
- Bank: any juridical person licensed in accordance with the provisions of the Central Bank Law to primarily carry on the activity of taking deposits and any other Licensed Financial Activities.
- Board: the board of directors of an Applicant or Open Finance Provider in accordance with applicable State law.
- Central Bank: the Central Bank of the United Arab Emirates.
- Central Bank Law: the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Services, as amended.
- Chief Executive Officer: the most senior executive appointed by the Board.
- Common Infrastructural Services: the services specified in Schedule 1 of this Regulation.
- Confidential Data: data relating to a User, who is or can be identified, either from the confidential data, or from the confidential data in conjunction with other information that is in, or is likely to come into, the possession of a Person or entity that is granted access to the confidential data.
- Controller: a Person that alone or together with the Person’s associates has an interest in at least 20% of the shares in an Open Finance Provider or is in a position to control at least 20% of the votes in an Open Finance Provider.
- Data Holder: a Licensee holding User Data.
- Data Sharing: an on-line service to provide a User with consolidated User Data relating to one or more Accounts and/or Products held with a Data Holder.
- Data Sharing Provider: a juridical person who is licensed by the Central Bank to carry on Data Sharing activities.
- Finance Company: the juridical person who is licensed as a Finance Company under the Finance Companies Regulation.
- Finance Companies Regulation: Central Bank Circular No. 3/2023, as amended.
- Initiate: (1) an electronic instruction to a Service Owner to effect a transfer, credit, debit, placement, withdrawal, redemption, sale, order or cancellation; or (2) communicating a User’s agreement to open, effect, enter into or take any other action in relation to an Account or Product. Initiate does not include the execution of any Transaction.
- Insurance Broker: a juridical person licensed to practice insurance brokerage activity in the State, under the Insurance Law.
- Insurance Company: any juridical person licensed to engage in insurance business in the State, under the Insurance Law.
- Insurance Intermediation: the activity of soliciting, negotiating or selling insurance contracts through any medium where:
(a) “solicit” means attempting to sell insurance or asking a Person to apply for a particular kind of insurance from a particular insurer for compensation;
(b) “negotiate” means the act of conferring directly with, or offering Advice directly to, a purchaser or prospective purchaser of a particular contract of insurance concerning any of the substantive benefits, terms or conditions of the contract, provided that the person engaged in that act either sells insurance or obtains insurance from insurers for purchasers;
(c) “sell” means to exchange a contract of insurance by any means for money or its equivalent on behalf of an Insurance Company.
- Insurance Law: the Federal Decree-Law No. (48) of 2023 Regulating Insurance Activities and its Executive Regulations, and any amendments thereof.
- Insurance Underwriting: evaluating the risk and establishing the price of insurance.
- Licensed Financial Activities: the financial activities subject to Central Bank licensing and supervision, which are specified in Article (65) of the Central Bank Law.
- Licensed Financial Institution: Banks and Other Financial Institutions licensed in accordance with the provisions of the Central Bank Law to carry on a Licensed Financial Activity, including those which carry on the whole or a part of their business in compliance with the provisions of Islamic Shari`ah, and are either incorporated inside the State or have branch offices inside the State.
- Licensees: Banks, Insurance Companies, Insurance Brokers and Other Financial Institutions.
- Master System of Record: the collection of all data, including Confidential Data, required to conduct all core activities of a Licensee, including the provision of services to clients, managing all risks, and complying with all legal and regulatory requirements.
- Open Finance Framework: the framework for Open Finance Services established and operated under this Regulation.
- Open Finance License: the license granted under this Regulation to provide Data Sharing and/or Service Initiation.
- Open Finance Provider: a juridical person who is licensed by the Central Bank to carry on Open Finance Services.
- Open Finance Service: Data Sharing and/or Service Initiation.
- Other Financial Institutions: any juridical person, other than Banks, licensed in accordance with the provisions of the Central Bank Law to carry on one or more of the Licensed Financial Activities.
- Outsourcing: an agreement with another party either within or outside the UAE, including a party related to the Open Finance Provider, to perform on a continuing basis an activity which currently is, or could be, undertaken by the Open Finance Provider itself.
- Payee: a Person who is the intended recipient of funds, which have been the subject of a Transaction.
- Payer: a Person who holds a Payment Account and gives a payment order from that Payment Account, or, where there is no Payment Account, a Person who gives a payment order.
- Payment Account: an account with a Payment Service Provider held in the name of at least one user of a Retail Payment Service which is used for the execution of payment Transactions.
- Payment Service Provider: a juridical person that has been licensed in accordance with the Retail Payment Services and Card Schemes Regulation to provide one or more Retail Payment Services and has been included in the register of Licensed Financial Institutions as per Article (73) of the Central Bank Law.
- Person: a natural or juridical person, as the case may be.
- Personal Data: any information, which is related to an identified or identifiable natural person.
- Person Deemed Licensed: a Person specified in Article 3 of this Regulation as deemed licensed under this Regulation.
- Processing: in relation to Personal Data and for the purposes of Article 22 of this Regulation, any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Product: a product specified in Article 5 of this Regulation.
- Regulations: any resolution, regulation, circular, rule, standard or notice issued by the Central Bank.
- Retail Payment Service: any business activity set out in Annex I of the Retail Payment Services and Card Schemes Regulation, as amended.
- Retail Payment Services and Card Schemes Regulation: Central Bank Circular No. 15/2021, as amended.
- Senior Management: the executive management of the Open Finance Provider responsible and accountable to the Board for the sound and prudent day-to-day management of the Open Finance Provider, generally including, but not limited to, the Chief Executive Officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
- Sensitive Data: any Personal Data related to the health of a person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to healthcare services provided thereto that reveals his/her health status.
- Service Initiation: the service of initiating by electronic means a Transaction relating to an Account or Product.
- Service Initiation Provider: a juridical person who is licensed by the Central Bank to carry on Service Initiation activities.
- Service Owner: a Licensee that holds an Account or Product for a User.
- State: the United Arab Emirates (UAE).
- Stored Value Facilities Regulation: Central Bank Circular No. 6/2020, as amended.
- Technical Service Provider: a Person who provides technical support to third parties for the provision of Open Finance Services, including information technology services, communication network provision, the processing and storage of data, the obtaining and processing of Account and Product information and trust and privacy protection services.
- Transaction: an act Initiated by a User through the Service Initiation Provider to effect a transfer, credit, debit, placement, withdrawal, redemption, sale, order or cancellation in relation to an Account or a Product.
- Trust Framework: the trust framework established and operated pursuant to Article 2 and Schedule 1 of this Regulation.
- Unauthorized Transaction: a transaction the execution or initiation of which the User has not consented to.
- User: a Person who uses Data Sharing or Service Initiation.
- User Data: information relating to a User that is: (1) in relation to Accounts and Products as specified in Article 5 of this Regulation; and (2) data more particularly described in the relevant Regulations issued by the Central Bank for that purpose.
The Open Finance Framework
Requirements to be Licensed
Article (2) Licensing and Licensing Procedures
- No juridical person may engage in providing an Open Finance Service within the State unless it obtains an Open Finance License from the Central Bank or is specified as a Person Deemed Licensed.
- An Applicant for an Open Finance License must submit an Application (together with the required supporting documents and information) to the Central Bank in accordance with the procedure specified by the Central Bank’s Licensing Division and according to its licensing guidelines.
- An Applicant must submit an Application which includes the options for which it would like to apply in respect of Data Sharing or Service Initiation. If the Licensee later seeks to change the options selected under their license, they must re-apply and obtain approval from the Central Bank.
- An Applicant must at the time of submitting its Application satisfy all requirements as to legal form, minimum capital and fit and proper requirements and any other requirements set by the Central Bank.
- The Central Bank will issue its decision of approval or dismissal of the Application within a period not exceeding sixty (60) working days from the date of the Applicant meeting all conditions and requirements for licensing. The lapse of this period without decision on the Application shall be considered an implicit rejection thereof.
- The granting by the Central Bank of an Open Finance License permits the holder of that license to provide an Open Finance Service (Data Sharing and/or Service Initiation) but no other Licensed Financial Activities or services.
- A Technical Service Provider does not require an Open Finance License provided that its services are limited to the provision of support services to Open Finance Providers and/or Persons Deemed Licensed and it does not directly engage in any activities regulated under this Regulation.
- In the event of use of a Technical Service Provider by an Open Finance Provider or a Person Deemed Licensed, the responsibility, regulatory requirements, legal basis and liability as a result of operation within the Open Finance Framework cannot be transferred to the Technical Service Provider or any other third party.
Article (3) Persons Deemed Licensed
The following are Persons Deemed Licensed:
1.1. Banks licensed in accordance with the Central Bank Law;
1.2. Finance Companies licensed in accordance with the Finance Companies Regulation;
1.3. Persons licensed by the Central Bank to provide Retail Payment Services under the Retail Payment Services and Card Schemes Regulation;
1.4. Insurance Brokers licensed in accordance with the Insurance Law;
1.5. Insurance Companies licensed in accordance with the Insurance Law; and
1.6. Stored value facility providers licensed in accordance with the Stored Value Facilities Regulation.
- A Person Deemed Licensed must provide prior written notice to the Central Bank of its intention to provide an Open Finance Service. The notice must be in the form prescribed by the Central Bank from time to time and must provide a description of the Open Finance Service that the Person intends to provide, the resources that will be utilised in the provision of the Open Finance Service and the governance arrangements relating to them. The Central Bank’s approval must be obtained prior to the commencement of the provision of the Open Finance Service. The Central Bank will issue its decision of approval or rejection within a period not exceeding sixty (60) working days from the date of the notice. The lapse of this period without decision on the request shall be considered an implicit rejection thereof.
- All articles of this Regulation apply to Persons Deemed Licensed, when their approval to provide the Open Finance Service is granted by the Central Bank.
Article (4) Limitations
An Open Finance Provider must not:
1.1. receive, hold or transfer any funds for or on behalf of a User;
1.2. provide Advice to a User in relation to a particular Account or Product;
1.3. provide any personal and specific recommendation to a User in relation to a particular Account or Product;
1.4. receive any fee, commission, payment or other benefit from the provider of an Account or Product;
1.5. process any User Data that is Sensitive Data for the provision of any Open Finance Service, even with the explicit consent of the User;
1.6. negotiate, mediate, effect or enter into any agreement or Transaction on behalf of a User in relation to an Account or Product; or
1.7. engage in any form of Insurance Intermediation or Insurance Underwriting.
- The limitations specified in Article 4(1) of this Regulation do not prevent an Open Finance Provider from providing Users with information, including information based on analyses, relating to commercially available but nonspecific Accounts and/or Products. This can be communicated by displaying the information on-line or otherwise, but must not involve the provision of Advice.
- The limitations specified in Article 4(1) of this Regulation do not apply to an Open Finance Provider who holds any required additional license to perform the relevant activities from the Central Bank.
Accounts and Products in Scope of Open Finance
Article (5) Accounts and Products
An Account or a Product is within the scope of this Regulation where it relates to any of the following offered or issued by a Licensee:
1.1 deposits;
1.2 payment accounts and services;
1.3 savings accounts and term deposits;
1.4 credit, debit and charge card accounts and products (including acquiring and processing card transactions);
1.5 standing orders;
1.6 direct debits;
1.7 stored value facilities and prepaid payment accounts;
1.8 post-paid payment accounts;
1.9 foreign exchange accounts and products;
1.10 credit, loans and any other personal finance accounts and products;
1.11 mortgages and other loans secured on property or other assets;
1.12 virtual accounts or products providing for the items specified in 1.1 – 1.11 above; and
1.13 insurance products, including life and general insurance.
- The Central Bank may, from time to time, amend or supplement the list in Article 5(1) of this Regulation.
- The list in Article 5(1) of this Regulation shall not include accounts or products regulated by the Securities and Commodities Authority, unless approved by the Securities and Commodities Authority.
Initial and Ongoing Requirements
Article (6) Minimum Capital
- For the purpose of being granted a license by the Central Bank to perform an Open Finance Service, an Open Finance Provider will be required to hold a minimum capital amount of one million Dirham (AED 1,000,000).
- Additional capital requirements may be imposed by the Central Bank, at its sole discretion and notified to the Open Finance Provider, with the Central Bank taking into account factors such as the risk, size and/or complexity associated with the activities conducted by the Open Finance Provider.
Article (7) Aggregate Capital Funds
- An Open Finance Provider must hold, at all times, aggregate capital funds that do not fall below the minimum capital requirements set in Article 6 of this Regulation.
- The minimum capital held as aggregate capital funds must be the higher of the figure stated in Article 6 of this Regulation and the Central Bank’s estimate of the wind down costs for the Open Finance Provider.
- The Central Bank may at its sole discretion impose aggregate capital funds requirements higher than the requirements referred to in Article 7(1) of this Regulation, if, taking into consideration the risk, scale and complexity of the Open Finance Provider’s business, it considers such higher requirements are necessary for ensuring that the Open Finance Provider has the ability to fulfil its obligations under this Regulation.
Article (8) Capital Instruments
An Open Finance Provider’s aggregate capital funds consist of:
1.1. paid-up capital;
1.2. reserves, excluding revaluation reserves; and
1.3. retained earnings.
- An Open Finance Provider’s aggregate capital funds cannot be met by any capital held within their entity which is otherwise allocated as any other regulatory capital for Licensed Financial Activities.
The following items must be deducted from the aggregate capital funds:
3.1 accumulated losses;
3.2 goodwill; and
3.3 any other items as determined by the Central Bank.
Article (9) Professional Indemnity Insurance
An Open Finance Provider must hold professional indemnity insurance of an amount and scope suitable and proportionate to the risks arising from the Open Finance Service it provides, as determined by the Central Bank on a case-by-case basis. Subject to this, the minimum limits of indemnity per year are:
1.1. for a single claim, five million Dirham (AED 5,000,000); and
1.2. in aggregate the higher of five million Dirham (AED 5,000,000) or an amount equivalent to 50% of annual income from the Open Finance Provider’s Open Finance Services.
The Central Bank may determine that an Open Finance Provider must hold minimum limits of indemnity in excess of these amounts.
- The professional indemnity insurance must at a minimum cover liabilities of the Open Finance Provider and its employees in respect of, inter alia, Unauthorized Transactions, data loss and breaches, cyber security risks and delayed or incorrectly Initiated Transactions.
Article (10) Control of Controllers
- A Person must not become a Controller of an Open Finance Provider without obtaining prior authorisation from the Central Bank.
The Central Bank may grant authorisation under Article 10(1) of this Regulation if it considers that:
2.1 having regard to the likely influence of the Controller, the Open Finance Provider will remain compliant with the requirements of this Regulation and any other relevant Regulations, including Regulations issued in accordance with this Regulation and any relevant law; and
2.2 the Controller meets the fit and proper and suitability requirements specified by the Central Bank.
The approval under Article 10(2) of this Regulation may be granted subject to any conditions that the Central Bank may impose on the Person, including, but not limited to:
3.1 conditions restricting the Person’s disposal or further acquisition of shares and/or voting powers in the Open Finance Provider; and
3.2 conditions restricting the Person’s exercise of voting power in the Open Finance Provider.
Article (11) Corporate Governance
- Open Finance Providers must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
The corporate governance arrangements referred to in Article 11(1) of this Regulation must be comprehensive and proportionate to the nature, scale and complexity of the Open Finance Provider’s business, and must contain, at a minimum:
2.1 a Board approved organisation structure which records in writing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities;
2.2 controls on conflicts of interest;
2.3 controls on integrity and transparency of the Open Finance Provider’s operations;
2.4 controls to ensure compliance with applicable laws and Regulations;
2.5 methods for maintaining confidentiality of information and complying with data privacy requirements; and
2.6 procedures for regular monitoring and auditing of all corporate governance arrangements.
- The Senior Management of an Open Finance Provider must fulfil fit and proper and suitability requirements specified by the Central Bank from time to time, including that each member of Senior Management:
3.1 is competent and possesses the necessary knowledge, skills, qualifications and experience;
3.2 has a record of acting honestly, ethically, with integrity and is of good repute;
3.3 has a good record of financial conduct;
3.4 is able to make his/her own decisions in a reasoned, objective and independent manner, and does not have any conflict of interest that could affect their conduct;
3.5 has sufficient time to devote to fully performing his/her duties/responsibilities under this Regulation;
3.6 contributes to the collective suitability of the Senior Management; and
3.7 meets any additional requirements specified in applicable Regulations.
Article (12) Risk Management, Compliance and Internal Audit
- Open Finance Providers must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational, security and other risks to which they are or might become, exposed.
The framework established under Article 12(1) of this Regulation must be proportionate to the nature, scale and complexity of the Open Finance Provider’s business, and must contain, at a minimum:
2.1 incident management procedures, including for the detection and classification of major operational and security incidents;
2.2 business continuity and disaster recovery plans, which include:
(i) an adequate business continuity management programme to ensure continuation, timely recovery, or in extreme situations, orderly scale-down of critical operations in the event of major disruptions. The programme must comprise business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and information technology recovery; and
(ii) appropriate software development life cycle practices to ensure operational resilience and minimise application failures that may pose risks to users; and
2.3 sound administrative and accounting procedures.
- Open Finance Providers must establish a risk management function, an internal audit function and a compliance function and ensure that they are adequately resourced.
- Open Finance Providers must establish and maintain on an ongoing basis a wind down plan that is acceptable to the Central Bank.
- The risk management function must be independent, permanent, have a reporting line directly to the Board and effectively monitor, report on and mitigate the operational, market, credit, legal and other risks to which the Open Finance Provider is exposed.
- The compliance function must be independent, permanent, have a reporting line directly to the Board and must monitor and report on observance of all applicable laws, regulations and standards and on adherence by staff and Senior Management to legal requirements, proper code of conduct and the requirements of this Regulation and other Regulations, where applicable.
- The internal audit function must be independent, permanent, report directly to the Board, employ best practice in internal audit, and be effective. It must provide independent assurance to Senior Management on the quality of the Open Finance Provider’s internal controls, risk management, compliance, systems, and controls.
- Open Finance Providers must not Outsource any material activity, including to any related party without the prior receipt of notification of non-objection from the Central Bank. Open Finance Providers will retain full responsibility for the services provided by any Outsourced service provider. Although all requests for non-objection will be considered on their individual merits, the Central Bank will, in general, not permit the Outsourcing of core activities, and key management and control functions.
- Regulatory requirements for specific functions including risk management, internal audit and compliance, may be established in separate Regulations.
Article (13) Record Keeping
Open Finance Providers must maintain records relating to the provision of their Open Finance Services, which must at a minimum include records of the following matters:
1.1. User consent to access User Data and/or Initiate Transactions as required under Article 22 of this Regulation;
1.2. Evidence of all User Data provided to the Open Finance Provider by Licensees who are Data Holders on behalf of Users;
1.3. All Transactions Initiated by the Open Finance Provider on the instruction of Users; and
1.4. Evidence of all User Data related to a Transaction which was destroyed or otherwise disposed of.
- All records maintained pursuant to Article 13 of this Regulation must be kept securely, in a durable medium and must be capable of being made available to the Central Bank promptly upon request.
- Open Finance Providers must retain the records referred to in Article 13 of this Regulation for a period of at least five (5) years from the date of creation of such records, unless otherwise required by applicable laws or the Central Bank.
Article (14) Notification and Reporting Requirements
- An Open Finance Provider must be open and cooperative with the Central Bank and notify the Central Bank of all matters that the Central Bank might reasonably require notice of, including to support the performance of the Central Bank’s supervisory functions.
- An Open Finance Provider must comply with all regulatory reporting requirements, including ongoing requirements specified by the Central Bank from time to time.
- Where any material change affects the accuracy and completeness of information provided in an Application, the Applicant or Open Finance Provider, as the case may be, must immediately notify the Central Bank of such change and provide all necessary information and documents.
- An Open Finance Provider must immediately notify the Central Bank of any violation or potential violation of a material requirement under this Regulation or other applicable legal or regulatory requirement.
An Open Finance Provider must immediately notify the Central Bank if it becomes aware that any of the following events have occurred or are likely to occur:
5.1 if a Data Holder or Service Owner unjustifiably refuses access to an Account or Product and/or information relating to them;
5.2 any event that prevents access to or disrupts the operational or security status of the Open Finance Provider;
5.3 any legal action taken against the Open Finance Provider or any member of its Senior Management or director of the Board either in the State or outside the State;
5.4 the commencement against the Open Finance Provider or any member of its Senior Management or director of the Board of any insolvency, winding up, liquidation or equivalent proceedings, or the appointment of any receiver, administrator or provisional liquidator in any jurisdiction;
5.5 any disciplinary measure or sanction taken against the Open Finance Provider or any member of its Senior Management or director of the Board or any measure or sanction imposed on any of them by a body other than the Central Bank, whether in the State or outside the State;
5.6 any material change in regulatory requirements to which the Open Finance Provider is subject beyond those of the Central Bank, whether in the State or outside the State; or
5.7 any other event specified by the Central Bank.
Requirements Relating to the Sharing of Data and Initiation of Transactions
Article (15) Obligations of licensees
Licensees who are Data Holders and Service Owners must:
1.1. establish and maintain a dedicated interface to provide secure on-line access to Accounts and Products by Open Finance Providers through the API Hub and other relevant components of the Open Finance Framework;
1.2. within fourteen (14) days of receipt of approval from the Central Bank to perform Open Finance Services, register and maintain their registration as a participant under the Trust Framework; and
1.3. co-operate openly and in a timely manner, as specified in this Regulation and any accompanying Regulations, with an Open Finance Provider with regard to the sharing of User Data of the Users who are customers of the Licensee and/or the initiation of Transactions, subject to the User’s consent.
- A Licensee must not share any User Data in its possession where that User is not a customer of the Licensee, or where the Licensee receives the User Data from a Service Owner.
- No Person shall engage in data scraping, or any other similar data extraction activity, whether or not in conjunction with automated data entry, in order to undertake any activities subject to this Regulation except as permitted under applicable laws. No Person shall engage in the interception of digital connections, including but not limited to the application programming interface, between the public interfaces and other systems of a Licensee’s online or mobile applications by way of reverse engineering or any other similar activity, except as permitted under applicable State laws.
Article (16) Obligations relating to Data Sharing
- The Data Sharing obligations under Article 16 of this Regulation apply only in relation to User Data.
- Subject to provision of the User’s consent in accordance with Article 22 of this Regulation, where a User uses Data Sharing provided by a Data Service Provider to consolidate information relating to the User Data of that User, the Data Holder must:
2.1 communicate the information relating to the User Data in accordance with the request received;
2.2 treat a request for information relating to the User Data in the same way as a request solely received directly from the User; and
2.3 communicate securely with the Data Sharing Provider in accordance with this Regulation and other applicable Regulations and requirements of the Open Finance Framework.
- A Data Sharing Provider must:
3.1 only provide Data Sharing in accordance with the User's explicit consent and instructions;
3.2 not Process any User Data that is Sensitive Data for the provision of Data Sharing, even with the explicit consent of the User;
3.3 ensure that the User's personalised security credentials, such as Personal Identification Numbers (PIN) and/or passwords, are:
3.3.1 not accessible to other parties, with the exception of the issuer of the credentials; and
3.3.2 transmitted through secure and efficient channels.
- The Data Sharing Provider must identify itself to and communicate securely with the Data Holder and the User.
- The Data Sharing Provider must not use, access or store any information for any purpose except for the provision of the Data Sharing services explicitly requested by the User, except where necessary to comply with any applicable law of the State.
Article (17) Obligations relating to Service Initiation
1. The obligations under Article 17 of this Regulation relating to Service Initiation apply only in relation to relevant Accounts and Products.
2. Where a User gives explicit consent for a Transaction to be Initiated through a Service Initiation Provider, the Service Owner must:
2.1 communicate securely with the Service Initiation Provider in accordance with the Regulations and requirements of the Open Finance Framework;
2.2 immediately after receipt of the instruction to Initiate a Transaction for the User, provide or make available to the Service Initiation Provider all information required for the initiation of the Transaction, and subsequently display the status of the Transaction to the User, until its completion; and
2.3 treat the instruction to Initiate the Transaction in the same way as an instruction solely received directly from the User.
3. A Service Initiation Provider must:
3.1 only provide Service Initiation in accordance with the User's explicit consent and instructions;
3.2 ensure that the User's personalised security credentials, such as PIN and/or passwords, are:
3.2.1 not accessible to other parties, with the exception of the issuer of the credentials; and
3.2.2 transmitted through secure and efficient channels.
4. Each time it Initiates a Transaction, the Service Initiation Provider must identify itself to the Service Owner and communicate securely with the Service Owner.
5. In providing its services the Service Initiation Provider must not use, access or store any information for any purpose except for the provision of the services explicitly requested by the User, except where necessary to comply with any applicable law of the State.
Authentication and Secure Communication
Article (18) Authentication
Licensees who are Data Holders and Service Owners must apply authentication procedures in accordance with Article 18(2) of this Regulation, where a User:
1.1. accesses Account or Product information through a Data Sharing Provider conducting Data Sharing activities; or
1.2. initiates a Transaction through a Service Initiation Provider conducting Service Initiation activities.
- Licensees who are Data Holders and/or Service Owners must select and implement a reliable and effective authentication procedure to verify the identity and validate the authority of the User. At a minimum, the procedure must require two-factor authentication, including elements of knowledge, possession or inherence. Additional procedures must be applied in higher risk circumstances. Licensees who are Data Holders and/or Service Owners must also comply with any additional requirements specified from time to time by the Central Bank.
- Providers of Data Sharing and/or Service Initiation may rely on authentication procedures performed by the Data Holder or Service Owner, as appropriate.
Article (19) Secure Communication
- All participants in Open Finance must use common and secure open standards of communication for the purpose of identification, authentication, notification and information, as well as for the implementation of security measures, between Licensees who are Data Holders and/or Service Owners in addition to Data Sharing Providers, Service Initiation Providers, Users, Payers, Payees and other relevant parties.
- All communications must be conducted in accordance with the Regulations, as prescribed from time to time by the Central Bank, pursuant to the Open Finance Framework.
Licensees offering Accounts or Products that are accessible online must have in place at least one interface which meets each of the following requirements:
3.1 Data Sharing Providers and Service Initiation Providers can identify themselves to the Licensees;
3.2 Data Sharing Providers can communicate securely to request and receive information on one or more Products and/or Accounts; and
3.3 Service Initiation Providers can communicate securely to provide Service Initiation and receive information on Service Initiation and the associated Transaction.
- Licensees must establish the interface referred to in Article 19(3) of this Regulation by means of a dedicated interface or by allowing use by the Open Finance Providers, of the interface used for authentication and communication with the Licensee’s User.
- Licensees must also ensure that any dedicated interface referred to in Article 19(3) of this Regulation uses ISO 20022 elements, components or approved message definitions, for financial messaging, as amended/updated from time to time.
- Information held by the Data Holder or Service Owner must only be accessed for the purposes of providing Open Finance Services and any relevant ancillary activities in compliance with the requirements of this Regulation.
Article (20) Obligation Toward Users
- Open Finance Providers must operate prudently and ethically and with competence, in a manner that will not adversely affect the interests of a User or potential User.
- Open Finance Providers must provide a User with written terms and conditions governing their contractual relationship with the User in advance of entering into a relationship with a User for the provision of Open Finance Services.
- The terms and conditions referred to in Article 20(2) of this Regulation must be written in clear, plain and understandable language, in a manner that is not misleading, and must, at a minimum, be available in Arabic and in English. To the extent that the Open Finance Provider is contractually entitled to make changes to its terms and conditions, the Open Finance Provider must provide at least sixty (60) calendar days’ notice to the User of such changes.
- A User is entitled to terminate its relationship with an Open Finance Provider, at no charge (direct or indirect), if the User does not accept the change(s) to the Open Finance Provider’s terms and conditions notified to the User under Article 20(3) of this Regulation.
An Open Finance Provider’s terms and conditions with Users must at a minimum set out the following:
5.1 schedule of fees and charges;
5.2 contact details of the Open Finance Provider, including legal name and registered address, and the address of the agent, where applicable;
5.3 the communication channel(s) between the Open Finance Provider and the User;
5.4 the manner and timeline for notification by the User to the Open Finance Provider in case of unauthorised, delayed or incorrect Service Initiation;
5.5 information on the Open Finance Provider’s and the User’s respective liability for Unauthorized Transactions;
5.6 information on the Open Finance Provider’s complaints procedure;
5.7 information on the manner in which disputes between the Open Finance Provider and the User are to be resolved; and
5.8 the Open Finance Provider’s procedure for reporting of Unauthorized Transactions.
Liability
Article (21) Liability for Unauthorised Transactions, Defective Transactions and Data Breaches
- An Open Finance Provider is liable to a User for loss or damage suffered by the User where there has been unauthorized access to or loss of the User Data of that User held by the Open Finance Provider.
- In relation to Initiation Services, a Service Initiation Provider is liable to a User for loss or damage suffered by the User in relation to the non-execution or late or defective execution of a Transaction (arising from the late initiation and/or late processing of the initiation of Transactions), including where there has been a failure by the Service Initiation Provider to ensure that the Transaction was appropriately authorised, authenticated, accurately recorded or failure to use appropriate secure methods of communication.
- In the case of a dispute between the Service Initiation Provider and the User as to the Service Initiation Provider’s liability under Article 21(2) of this Regulation, it is for the Service Initiation Provider to prove that the Transaction was correctly processed, with supporting evidence.
- In relation to Initiation services, a Service Owner is liable to a User for loss or damage suffered by the User in relation to the non-execution or late or defective execution of a Transaction, unless such loss or damage occurred as a result of any act or omission of the Service Initiation Provider as provided for in Article 21(2) of this Regulation.
- Any breach of security or other action that leads to the illegal, unauthorised, or accidental access, alteration, destruction, disclosure or loss of User Data that is a User’s Personal Data during storage, transmission or otherwise that is caused directly or indirectly, in whole or in part, by an Open Finance Provider may subject the Open Finance Provider to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank, without prejudice to any other sanctions or penalties set out under applicable laws.
Data Privacy and Users’ Consent
Article (22) Data Privacy and Consent for the Use of Personal Data
- An Open Finance Provider must not Process any Personal Data for the provision of its services unless it has the explicit consent of the User to do so. Article 22 of this Regulation is subject to the prohibitions on Processing Sensitive Data set out in Article 4(1)(5) and in Article 16(3)(2) of this Regulation.
A User’s consent must:
2.1 be specific to the purpose for which it is provided, informed, unambiguous, and freely given;
2.2 be given using a clear, objective and affirmative statement or action to signify agreement to the Processing of Personal Data of that User;
2.3 if the Processing is intended to cover multiple purposes, be obtained for each purpose in a manner that is clearly distinguishable;
2.4 in case of a recurring Transaction, specify the period for which the consent is valid, up to a maximum period of twelve (12) months; and
2.5 be able to be withdrawn by the User at any time and for any reason, upon notice to the Open Finance Provider.
- An Open Finance Provider must inform the User of this right to withdraw consent and how to exercise that right at the time the consent is obtained. Withdrawing consent should not require undue effort on the part of the User and should be at least as simple, quick and easy as the process of giving consent. Withdrawal of consent does not affect the lawfulness of Processing carried out before the date of withdrawal and shall not prevent the Open Finance Provider from retaining Personal Data required for compliance with Article 13 of this Regulation or applicable laws.
In the case of Service Initiation, a User’s consent must be obtained in relation to each Transaction to be Initiated by the Service Initiation Provider or, in the case of a recurring Transaction, a User’s consent must be obtained at the time that the User first establishes the recurring Transaction, and its parameters. A User’s consent in the case of Service Initiation must include details, as relevant, of:
4.1 The relevant Account(s) or Product(s) to which the Transaction(s) relates;
4.2 The nature of the relevant Transaction(s) to be Initiated (including whether it is a recurring Transaction);
4.3 The value(s) of the relevant Transaction(s);
4.4 The beneficiary(ies) of the relevant Transaction(s); and
4.5 The value date(s) of the relevant Transaction(s).
- A User’s consent will not be considered valid in circumstances where the Open Finance Provider has obtained that User’s consent to Process Personal Data which includes Personal Data that is not relevant or not limited to what is necessary for the relevant purpose for which it is provided.
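The consent conditions in Article 22 are, in practice, the specification for the consent record an Open Finance Provider stores and checks before each access. The following Python is an added illustration and is not part of this Regulation or of any Central Bank specification: it encodes the purpose-specific and withdrawable consent of Article 22(2), the rule in Article 22(3) that withdrawal does not affect earlier Processing, the data-minimisation rule of Article 22(5) and the Sensitive Data prohibition of Article 16(3)(2) as a check applied to an incoming data request. The field names, the set of elements treated as Sensitive Data, the decision to apply the twelve-month ceiling of Article 22(2)(4) to every consent record rather than only to recurring Transactions, and the sample consent and requests are all assumptions constructed for the example.

```python
"""Consent-scope check for an Open Finance data request.

Illustrative code, not the Regulation's own text. Field names, the
Sensitive Data set and the sample records below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Article 22(2)(4) caps consent for a recurring Transaction at twelve months;
# this example applies the same ceiling to every consent record (assumption).
MAX_CONSENT_PERIOD = timedelta(days=365)

# Assumption: data elements this provider classifies as Sensitive Data, which
# Article 16(3)(2) forbids Processing even with explicit consent.
SENSITIVE_ELEMENTS = frozenset({"health_status", "religion", "biometric_template"})


@dataclass(frozen=True)
class Consent:
    user_id: str
    purpose: str                     # one purpose per record (Article 22(2)(1), (3))
    data_elements: FrozenSet[str]    # what the User agreed may be accessed
    granted_at: datetime
    valid_until: datetime
    withdrawn_at: Optional[datetime] = None  # set when the User withdraws (22(2)(5))


@dataclass(frozen=True)
class DataRequest:
    user_id: str
    purpose: str
    data_elements: FrozenSet[str]
    requested_at: datetime


def validate_consent(c: Consent) -> List[str]:
    """Problems with the consent record itself; an empty list means it is usable."""
    problems: List[str] = []
    if not c.purpose:
        problems.append("consent is not specific to a purpose")
    if c.valid_until <= c.granted_at:
        problems.append("validity period is empty")
    elif c.valid_until - c.granted_at > MAX_CONSENT_PERIOD:
        problems.append("validity period exceeds twelve months")
    if c.data_elements & SENSITIVE_ELEMENTS:
        problems.append("consent covers Sensitive Data, which may not be Processed")
    return problems


def authorise(req: DataRequest, c: Consent) -> Tuple[bool, str]:
    """Decide whether a request may be served under a consent; returns (allowed, reason)."""
    problems = validate_consent(c)
    if problems:
        return False, "; ".join(problems)
    if req.user_id != c.user_id:
        return False, "consent belongs to a different User"
    if req.purpose != c.purpose:
        return False, "purpose not covered by this consent"
    # Withdrawal bars Processing from the withdrawal time onwards only (22(3)).
    if c.withdrawn_at is not None and req.requested_at >= c.withdrawn_at:
        return False, "consent withdrawn"
    if not (c.granted_at <= req.requested_at < c.valid_until):
        return False, "request outside the consent validity period"
    excess = req.data_elements - c.data_elements
    if excess:
        # 22(5): data beyond what the stated purpose needs is not covered.
        return False, "request exceeds consented data: " + ", ".join(sorted(excess))
    return True, "ok"


# Constructed sample: a six-month aggregation consent, withdrawn after 90 days.
T0 = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_CONSENT = Consent(
    user_id="user-001",
    purpose="account_aggregation",
    data_elements=frozenset({"balance", "transactions"}),
    granted_at=T0,
    valid_until=T0 + timedelta(days=180),
    withdrawn_at=T0 + timedelta(days=90),
)


def example_decisions() -> Dict[str, Tuple[bool, str]]:
    """Run a few constructed requests against SAMPLE_CONSENT."""
    def req(days: int, purpose: str, elements: FrozenSet[str]) -> DataRequest:
        return DataRequest("user-001", purpose, elements, T0 + timedelta(days=days))

    return {
        "in_scope": authorise(req(10, "account_aggregation", frozenset({"balance"})), SAMPLE_CONSENT),
        "after_withdrawal": authorise(req(100, "account_aggregation", frozenset({"balance"})), SAMPLE_CONSENT),
        "other_purpose": authorise(req(10, "credit_scoring", frozenset({"balance"})), SAMPLE_CONSENT),
        "over_collection": authorise(req(10, "account_aggregation", frozenset({"balance", "salary"})), SAMPLE_CONSENT),
    }


def overlong_consent_problems() -> List[str]:
    """A consent asking for 400 days of access fails validation on its face."""
    c = Consent("user-002", "account_aggregation", frozenset({"balance"}),
                T0, T0 + timedelta(days=400))
    return validate_consent(c)


if __name__ == "__main__":
    for name, (allowed, reason) in example_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
    print("overlong consent:", overlong_consent_problems())
```

The check is ordered so that a defective consent record is rejected before any request-level reasoning, and withdrawal is tested by timestamp rather than by a boolean so that records of Processing performed before the withdrawal remain justified, which is what Article 22(3) and the Article 13 record-keeping duty require.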
- If User Data contains Personal Data of natural persons other than the User, Open Finance Providers must anonymise such Personal Data of these other natural persons, or ensure that the consent of such natural persons to whom the Personal Data relates, is obtained prior to Processing such Personal Data in accordance with this Regulation (unless the Processing of that Personal Data is otherwise permissible under applicable laws concerning the protection of Personal Data).
- Nothing in this Regulation derogates from the obligations of a Licensee under all other applicable laws and regulations relating to protection of Personal Data including other Regulations.
- Open Finance Providers must comply with all other applicable laws and regulations relating to the protection of Personal Data.
Without prejudice to Articles 22(7) and (8) of this Regulation, Personal Data Processed by a Licensee or an Open Finance Provider relating to Open Finance Services must be:
9.1 Processed lawfully, fairly and in a transparent manner;
9.2 collected for specified, explicit and legitimate purposes and not Processed at any time, in a manner that is incompatible with those purposes;
9.3 adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed;
9.4 accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified without delay; and
9.5 Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Open Finance Providers must destroy User Data that is Personal Data which allows for the identification of the User, after the purpose of its provision to the Open Finance Provider has been completed, subject to the record retention requirements in Article 13 of this Regulation and any mandatory data retention requirements under applicable laws, including AML Laws.
Open Finance Providers must store all data relating to Open Finance Services within the State and are not permitted to maintain copies of the data they obtain through Open Finance Services outside of the State, unless the Open Finance Provider has obtained:
11.1 approval from the Central Bank and additional approvals from any other relevant competent authority, as necessary;
11.2 prior written consent from the User. For the purpose of obtaining such consent from a User, the User must be informed of the following, prior to or at the time of being asked to give consent:
11.2.1 where the User Data will be stored;
11.2.2 why it will be stored outside the State; and
11.2.3 that consent is sought only for the purpose which has been approved by the Central Bank; and
11.3 written acknowledgement from the User that his/her User Data may be accessed under legal proceedings outside the State in such circumstances.
- Subject to Central Bank approval, and in accordance with relevant laws and Regulations, licensed branches of foreign banks may store data relating to Open Finance Services outside of the State, provided a copy of the Master System of Record, updated on at least a daily basis, is stored in the State.
Anti-Money Laundering, Terrorist Financing and Security
Article (23) Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations
- Open Finance Providers must have comprehensive and effective internal Anti-Money Laundering and Combating the Financing of Terrorism policies, procedures and controls in place to ensure compliance with the AML Laws and Regulations, as amended from time to time.
- Open Finance Providers must have robust fraud control policies and systems in place, which should address identification and access controls requirements, to comply with the requirements of this Regulation.
Article (24) Technology Risk and Information Security
- Open Finance Providers must establish an appropriate information technology (IT) governance framework. IT governance must cover various aspects, including a clear structure of IT functions and the establishment of IT control and risk management policies, and at a minimum, must include an effective IT function, a robust technology risk management function, and an independent technology audit function.
- The Board, or a committee designated by the Board, shall be responsible for ensuring that a sound and robust risk management framework is established and maintained to manage technology risks in a manner that is proportionate to all risks that the Open Finance Provider is exposed to.
- Open Finance Providers must adhere to the security and other standards set by the operator to ensure that the software used by the Open Finance Provider is not compromised at any stage in its development process.
- Open Finance Providers must adopt and implement industry standards and best practices in relation to security risk management as directed by the Central Bank from time to time.
- Open Finance Providers must identify, manage and adequately address all cybersecurity risks through the implementation of a technology risk management framework. Open Finance Providers must commit adequate skilled resources to ensure its capability to identify the risk and protect its critical infrastructure and services against any attack and contain the impact of cybersecurity incidents and restore its services.
- Open Finance Providers must establish a cybersecurity incident response and management plan to swiftly isolate and neutralise a cybersecurity threat and to resume affected services as soon as possible. The plan must, inter alia, describe the procedures to respond to plausible cyber threat scenarios.
Supervisory Examinations
Article (25) Supervision
- The Central Bank may conduct periodic examinations of the operation of Open Finance Providers to ensure their financial soundness and compliance with the requirements of this Regulation and all applicable laws and Regulations.
- Open Finance Providers must provide the Central Bank with full and unrestricted access to their premises, Senior Management and employees, accounts, records and documents, and must promptly supply such information and facilities as may be required by the Central Bank to conduct the monitoring and examination referred to in Article 25(1) of this Regulation.
Supporting Regulatory Technical Standards
Article (26) Supervision
- The Central Bank may, from time to time, and, in cooperation with relevant government bodies and consultation with relevant stakeholders, develop and issue regulatory technical standards addressed to Open Finance Providers with the aim of establishing additional requirements and/or providing additional details, controls and guidance on areas relating to the provision of Open Finance Services within the scope of Open Finance activities, including, but not limited to:
1.1. digital access specification;
1.2. cyber security;
1.3. overall customer journey design;
1.4. management and journeys of centralised consent, including app-to-app consent;
1.5. right to implement capped charging or to inhibit charging to third party providers; and
1.6. any other area as may be required.
Enforcement and Sanctions
Article (27) Enforcement and Sanctions
- Violation of any provision of this Regulation or committing any of the violations provided for under the Central Bank Law or other applicable laws may subject the Open Finance Provider and/or Licensee to administrative and financial sanctions and penalties as deemed appropriate by the Central Bank.
Article (28) Consumer Protection
- Open Finance Providers will be subject to applicable consumer protection laws and their implementing regulations as well as any Regulations issued.
Article (29) Interpretation
- The Regulatory Development Department of the Central Bank shall be the reference for interpretation of the provisions of this Regulation.
Article (30) Publication and Application
- This Regulation shall be published in the Official Gazette in both Arabic and English and shall come into effect in phases as notified by the Central Bank.
Khaled Mohamed Balama
Governor of the Central Bank of the United Arab Emirates
Schedule 1 – Details of the Open Finance Framework
The Introduction to this Regulation specifies that the Open Finance Framework consists of the Trust Framework, the API Hub, the Common Infrastructural Services and such other matters as might be determined from time to time by the Central Bank.
The Trust Framework, the API Hub and the Common Infrastructural Services shall at a minimum include the following:
Trust Framework
The Trust Framework shall include:
- The Participant Directory:
1.1. to facilitate the validation of participants in the Open Finance Framework and the secure exchange of information.
1.2. to provide identity and access management services to enrolled market participants providing secure access to use Open Finance Services, contact and enrolment management, digital certificate validation and Application registration and validation services.
- Digital Certificates: to facilitate secure communication between participants with respect to the provision of Open Finance Services. The operator of the Trust Framework will mint, revoke and validate digital certificates used to access Open Finance Services.
- API Portal: to hold all documentation on standards, technical specification, requirements and business rules for all participants.
- Sandbox: to facilitate participants’ ongoing testing and official conformance certifications.
API Hub
The API Hub shall include:
- An API Manager: the API Manager will provide an API Aggregator to aggregate participant APIs and provide a single point of implementation. The API Aggregator will provide a harmonised and standardised API for participants in the Open Finance Framework for all of the underlying APIs included in this Regulation with which it integrates.
- A Participant Integration Layer: used to receive and manage information related to Accounts, Transaction Initiation Services and all other data exposed to the Open Finance Framework.
Common Infrastructural Services
The Common Infrastructural Services shall include:
- A Consent and Authorization Manager: a standalone App for Users or a set of APIs for participants that supports the creation, management, enforcement and revocation of consumer, organisational and jurisdictional privacy directives.
- Service Assurance: a platform for managing all service level enquiries relating to onboarding and registration requests as well as technical enquiries relating to all key components covering data and Transaction flow enablement.
- Reporting and Analytics: a platform used to analyse and report operational data and KPIs across participants including service performance, service availability and service adoption.
- Administration Tools: a platform used to facilitate the management, tracking, adjudication and resolution of cases and disputes among participants (whether between participants or in relation to end Users).
- Value added enablers as appropriate.