1

User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs authentication, data grouping and/or service initiation capabilities.

2

User-facing TPPs MUST make the User aware on the inbound redirection screen(User-facing TPP to CAAP) that the authorisation for the request needs to be done through the CAAP app and provide additional information related to CAAP app.

3

Since the User does not have the CAAP app the redirection MUST take the User to a web page hosted by the CAAP.

4

The CAAP webpage MUST provide the following

1. Summary of CAAP app and why it’s required

2. QRCode to download the CAAP app which deeplinks to the appstore, for Users that want to install the CAAP on a device separate to the device on which the TPP service is being consumed

3. Appstore deeplinks on mobile devices for Users that want to install the CAAP on the same device on which the TPP service is consumed

5

On redirection to the CAAP webpage in Step 4 the consent details will be persisted for the User which will be retrieved and presented after the User installs the app (using the mechanism of deferred deep linking).

6

After installing the CAAP app the User MUST be presented with a one time consent to be given to the CAAP app to

• carry out an Identity verification of the User

• link LFIs selected by the User

• handle authorisation of OF requests for these LFIs

• handle the OF consents authorised by the User

7

The CAAP app MUST perform a provide the option for manual ID verification of the User which will involve

• scanning one or more documents from a list of acceptable documents (passport , driving license etc)

• liveness test where the User MUST upload a short video to prove their physical presence

Each step MUST be presented with clear instructions

8.

The CAAP app MUST provide the option for ID verification of the User using their UAE Pass identification which will involve the following steps

• The user will be redirected to the UAE Pass app on the same device

• The user will be presented with the consent for ID Verification request by the CAAP and the data that will be shared with the CAAP as part of this verification. This will include the Verified Emirates ID number.

• On successful authentication of the user with UAE Pass, the user is redirected back to CAAP with a successful verification of users Identity.

9

On successful verification of the User’s identity, the CAAP app MUST link the LFI which was selected as part of the consent. For this

• The CAAP app retrieves the User contact details like email and mobile number which are registered with the LFI.

• The CAAP sends a One Time Passcode(OTP) to the contact details retrieved and the User is asked to enter the OTP

• The User enters this OTP to confirm these details with the LFI

910

On successfully linking the LFI, the User MUST be presented the OF consent given to the TPP.

If the Consent Authorisation Window as expected by the TPP has expired then the User MUST be informed that they need to initiate the request again from the TPP.

1011

As an additional step for authorization of the consent the CAAP COULD conditionally request another biometric authentication only for the following scenarios

• authentication requested again MUST be biometric authentication

• the request is for Service Initiation of Single Instant Payment for a value greater than [TBD]

• the request is for setting up a Variable Recurring Payment

1112

On successful authorization MUST have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP.

1213

CAAP MUST inform the User on the outbound redirection screen that their session with the CAAP was closed.

1314

User-facing TPPs MUST confirm the successful completion of the OF Request (DSR, SIR).