...

The Registration Framework defines the technical ways for licensed participants to register themselves by leveraging a Trust Framework. It describes how they can confirm the identity of another institution and what access scope they have in the open finance ecosystem. The Registration Framework is based on the OIDC Federation Standard. A Federation establishes trust between entities by creating a shared network of trust. OIDC Federation is an improvement over the commonly used DCR Standard, adopted internationally. It greatly simplifies technical complexity for Data Receivers while laying the foundations for international interoperability.

2.2 API Security - FAPI 2.0

The Open Finance UAE Financial-grade API, a secure OAuth profile, is designed to offer detailed implementation guidelines for enhancing security and interoperability in the UAE's Open Finance APIs. This Profile, a profile of the FAPI 2.0 Security Profile, aims to streamline optionality within the framework. Additionally, it incorporates specific features to address the Consent and Authorization Requirements pertinent to Open Finance UAE use cases.

The CBUAE security profile is based on the FAPI 2.0 Security Profile, an API security profile built on the OAuth 2.0 Authorization Framework [RFC6749] that aims to reach the security goals laid out in the Attacker Model [Attacker Model]. The FAPI 2.0 Security Profile has been assessed by the University of Stuttgart using formal analysis methods, and that assessment is available for public review. By baselining the CBUAE Security Profile on FAPI 2.0, the ecosystem is leveraging the very latest in API Security Design.

Further detail on the security standards can be found here.

3. AML/KYC/KYB

3.1 UAE Sanction List

According to the Financing of Proliferation and UN sanctions regimes with Targeted Financial Sanctions, the below countries are currently considered high risk and therefore excluded from the Open Finance programme:

...

As licensed entities, TPPs are expected to apply KYC/KYB checks to their users when onboarding them in line with the CBUAE Rule Book.

3.3 AML

Financial institutions are required to adhere to strict AML regulations to prevent money laundering and terrorist financing activities, in line with the CBUAE Rule Book. Institutions are required to implement robust AML policies and procedures (e.g., customer due diligence, enhanced due diligence) for high-risk customers.

...

  • User (Payer) Indicators: Information related to the User including User Name, Geo Location, Device ID, Date/time of last password change, Date/time onboarded by the TPP

  • Destination Delivery Address: Information for all related e-commerce payments, including recipient name and type, full delivery address, with region, and country

  • Transaction Indicators: Information in relation to the transaction itself including Customer Present flag, Confirmation of Payee flag, Contract Present flag and initiating Channel

  • Beneficiary Indicators: Information in relation to the Beneficiary of the initiated payment including Beneficiary Account Type (Retail or Corporate), Beneficiary Prepopulated by TPP flag, Merchant Details (with Name and SIC code), Merchant Trading Name, Beneficiary Verified by TPP flag and additional Beneficiary Account holder Identifiers (such as a national ID or Passport Number for Retail accounts or business registration number for Business and Corporate accounts).

  • Merchant Details: Include the Merchant Identification. For the UAE IPP Scheme, the format consists of the following:

    • A three character Emirates Code

    • A five character Issuer type code

    • A Trade License number

    • A four digit Economic activity code.

...