IMPORTANT NOTE:

• LFIs & TPPs MUST comply with the rules and guidelines listed in this section.

• LFIs MUST connect all mandatory APIs to the Open Finance Platform and may provide direct access to TPPs.

  • Note: The Standard does not support the direct access of LFIs to TPPs.

Basic terminology

In the context of the Open Finance Standard, the following terms have been used:

• Debtor: Term used to describe the originating payer of an Open Finance bank service initiation. In most of the cases, the Debtor is the User of the Open Finance services offered by TPPs.

• Creditor: Term used to describe the beneficiary payee of an Open Finance bank service initiation.

• CRG-1.6 NOT impose any additional constraints to the Open Finance initiated payments on top of the LFI limits (minimum and maximum) stated in the Open Finance Standard. More specifically, subject to meeting the minimum values stated in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800530/Limits+and+Constants#C.-LFI-Channel-Limits LFIs MUST set the maximum transaction limits to the same value or higher as the transaction limits imposed on the following existing digital channels and use cases: 

  • Applicable Channels & Use Cases

    • Debit and Credit Card Transactions: Transactions made via point-of-sale (POS) and online purchases, encompassing payments to merchants onboarded by Third-Party Providers (Pay by account).

    • Proprietary online banking & Mobile banking applications: Transactions executed via the LFIs’ web portal or mobile app, including transfers, bill payments, and peer-to-peer (P2P) payments, enabling the following use cases

      • P2P/B2P Payments: Peer-to-peer payments between individuals and business-to-person payments.

      • Payments-to-self: Transfers made by customers to their accounts, whether within the same LFI or to accounts at other financial institutions.

      • Payments to Businesses non-onboarded by TPPs: Payments made to businesses not onboarded by TPPs.

• CRG-1.7 NOT impose any timing constraints on the Open Finance initiated payments. For example, cooling-off periods for new beneficiaries with reduced transactional limits or other constraints related to the number or value of payment transactions MUST NOT be applied to Open Finance initiated payments.

  CRG-1.8 Follow the principle that transaction limits and other constraints applied to the Open Finance services are not more restrictive than those applied across other commonly used banking digital channels. This establishes parity, ensuring that customer experience is consistent regardless of the digital channel used.

Provide Users at least one of the following options for selecting their payment account to be used for the Consent:

• Manually enter their Payment Account Identification details (e.g. IBAN, account number & LFI, and any other formats supported by the LFI holding the Users' payment account)

• Select their Payment Account Identification details. This assumes that these have been saved previously and the User has a long-term profile with the TPP, having completed a User onboarding step.

• Select their LFI only (so that they can select their Payment Account later on in the journey after authenticating with the LFI). The LFI MUST be identified using the trading name which is familiar to Users.

  • CRG-2.1.1 TPPs MUST use logos and the brand names of the LFIs as they are defined in the Trust Framework Directory.

Note: It is in the competitive space of TPPs to enable additional services for Users that may provide better customer experience. For example, a TPP with a long-term relationship with a User may have dual Data Sharing and Service Initiation roles and have access to the User list of accounts with a specific LFI, making it easier for the User to select the payment account they want to use for the payment initiation.

TPPs MUST:

CRG-43.1 Either allow Users to manually enter /select their Creditor Identification details or prethe payment amount or pre-populate them it for the Users.

Note: It is in the competitive space of TPPs to enable additional services for Users that may provide a better customer experience. For example, a TPP with a long-term relationship with a User may have dual Data Sharing and Service Initiation roles and have access to Users' list of Authorized Beneficiaries with a specific LFI, making it easier for Users to select the Creditor Identification details.

CRG-4.2 Allow the Creditor Identification using the following information:

• IBAN of the Creditor payment account

• Name of the Creditor

Note: Depending on the use case, the Creditor details may not be displayed to Users in full. However, these still need to be part of the payment Consent request sent by the TPP.

CRG-4.3 Display to Users the full IBAN details of the Credit payment account, if these details have been manually entered/provided by the User.

CRG-4.4 Display to Users the masked IBAN (only last 4 digits) of the Credit payment account, if these details have been populated/provided by the TPP (e.g. in case of merchant onboarded by TPPs).

CRG-4.5 Ensure that the format and other validation rules of the Creditor Identification details are correct in case Users manually enter the Creditor Identification details. If incorrect, TPPs MUST request Users to review and re-enter the information.

CRG-4.6 TPPs MUST send the Merchant Category Code where the Creditor is a Merchant onboarded by them.

This is dependent on the use case.

CRG-3.2 For domestic payments, ensure that Users clearly understand that the payment amount is in local currency (i.e. United Arab Emirates Dirham - AED) as used by the local payment systems infrastructure for domestic payments.

CRG-3.3 Ensure and validate that the lowest allowable amount is 0.01 AED. The amount of the payment MUST be specified with max 2 decimal digits.

CRG-3.4 Ensure that the maximum allowable amount is equal to https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800530/Limits+and+Constants#Max-Inter-bank-Payment-Amount for any payments to Creditor accounts managed by a different account holding entity than the User’s LFI.

• CRG-3.4.1 NOT apply any maximum amount limit for payments to Creditor accounts managed by the same LFI as the User’s LFI (i.e. Intra-bank payments).

CRG-3.5 Display a message to Users informing them that the payment amount cannot exceed the https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800530/Limits+and+Constants#Max-Inter-bank-Payment-Amount value for all Inter-bank payments.

TPPs MUST:

CRG-54.1 Allow Either allow Users to manually enter a Debtor Reference. This note is for the Users' reference and may be available to Users as additional information in relation to a payment by their LFIs. This information is optional for Users and may not be provided at all.

CRG-5.2 Validate that the format of the Debtor Reference is according to the UAE Open Finance Standard specifications.

CRG-5.3 Append to the Debtor Reference the TPP ID, Merchant ID, BIC for the Creditor Account for payments to Merchants.
CRG-5.4 Append to the Debtor Reference the TPP ID, BIC for the Creditor Account for all other Payments.

CRG-5.5 Include the Debtor Reference in each Payment Initiation Request as the default value. This information will not be transferred via the payment rails. For details on the format of Debtor Reference please refer to Bank Service Initiation OpenAPI

/select their Creditor Identification details or pre-populate them for the Users.

Note: It is in the competitive space of TPPs to enable additional services for Users that may provide a better customer experience. For example, a TPP with a long-term relationship with a User may have dual Data Sharing and Service Initiation roles and have access to Users' list of Authorized Beneficiaries with a specific LFI, making it easier for Users to select the Creditor Identification details.

CRG-4.2 Allow the Creditor Identification using the following information:

• IBAN of the Creditor payment account

• Name of the Creditor

Note: Depending on the use case, the Creditor details may not be displayed to Users in full. However, these still need to be part of the payment Consent request sent by the TPP.

CRG-4.3 Display to Users the full IBAN details of the Credit payment account, if these details have been manually entered/provided by the User.

CRG-4.4 Display to Users the masked IBAN (only last 4 digits) of the Credit payment account, if these details have been populated/provided by the TPP (e.g. in case of merchant onboarded by TPPs).

CRG-4.5 Ensure that the format and other validation rules of the Creditor Identification details are correct in case Users manually enter the Creditor Identification details. If incorrect, TPPs MUST request Users to review and re-enter the information.

CRG-4.6 TPPs MUST send the Merchant Category Code where the Creditor is a Merchant onboarded by them.

TPPs MUST:

CRG-65.1 Allow Users to manually enter a Payment Reference or pre-populate it for the Users, depending on the use case. Payment Reference is optional for Users. Payment Reference may be populated by the User (i.e. Debtor) using information requested by the beneficiary (i.e. Creditor) or any other information the User wants to provide to the beneficiary to assist in identifying and reconciling the payment. This information will be transferred via the payment rails to the beneficiary’s LFI, if different than the User’s LFI.

Note: TPPs may make the Payment Reference mandatory based on their specific use cases or business requirements (for example credit card payment, invoice payments, etc)

CRG-6.2 Validate that the format of the Payment Reference is according to the UAE Open Finance Standard specifications.

CRG-6.3 Include the Payment Reference in the Debtor Reference. This note is for the Users' reference and may be available to Users as additional information in relation to a payment by their LFIs. This information is optional for Users and may not be provided at all.

CRG-5.2 Validate that the format of the Debtor Reference is according to the UAE Open Finance Standard specifications.

CRG-5.3 Append to the Debtor Reference the TPP ID, Merchant ID, BIC for the Creditor Account for payments to Merchants.
CRG-5.4 Append to the Debtor Reference the TPP ID, BIC for the Creditor Account for all other Payments.

CRG-5.5 Include the Debtor Reference in each Payment Initiation Request as the default value. The Payment Reference This information will not be used by the LFI to populate the Remittance Information of the payment.transferred via the payment rails. For details on the format of Creditor Debtor Reference please refer to Bank Service Initiation OpenAPI

TPPs MUST:

CRG-76.1 Set Is Single Authorization flag in the Consent to specify that the Consent MUST be subject to single User authorization only. This is used when there is a clear requirement that the Consent on the account to be used cannot be subject to multiple User authorizations.

Allow Users to manually enter a Payment Reference or pre-populate it for the Users, depending on the use case. Payment Reference is optional for Users. Payment Reference may be populated by the User (i.e. Debtor) using information requested by the beneficiary (i.e. Creditor) or any other information the User wants to provide to the beneficiary to assist in identifying and reconciling the payment. This information will be transferred via the payment rails to the beneficiary’s LFI, if different than the User’s LFI.

Note: TPPs may make the Payment Reference mandatory based on their specific use cases or business requirements (for example credit card payment, invoice payments, etc)

CRG-6.2 Validate that the format of the Payment Reference is according to the UAE Open Finance Standard specifications.

CRG-6.3 Include the Payment Reference in the Payment Initiation Request as the default value. The Payment Reference will be used by the LFI to populate the Remittance Information of the payment.

For details on the format of Creditor Reference please refer to Bank Service Initiation OpenAPI

TPPs MUST:

CRG-9.17.1 Set ALL the available data Is Single Authorization flag in the Risk Information Block in order to provide additional information in relation to the Payment Consent and allow LFI to assess their risk. This includes the following information as shown in the table below, based on the type of payment/use case. The information MUST be provided as per the following requirements:

• M- Mandatory

• N - Not Required

• C- Conditional

• O - Optional (if available/applicable)]

Consent to specify that the Consent MUST be subject to single User authorization only. This is used when there is a clear requirement that the Consent on the account to be used cannot be subject to multiple User authorizations.

LFIs MUST:

CRG-9.2.1 Use all the available information of the Risk Information Block provided by the TPP for their risk profile analysis of the Payment Consent or a Payment Initiation in a non-discriminatory way of Open Finance initiated payments compared to payments initiated by other LFI channels such as online or mobile banking.

TPPs MUST:

CRG-9.3.1.1 Ensure that all Merchants onboarded follow KYC/KYB compliant processes. In addition to all other information the following Merchant details MUST be verified:

• Merchant’s Trading Name

• Merchant’s Bank Account details

• All other Merchant details are included in the Risk Information Block as defined in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#9.1-TPP-Obligations for the Payments to Merchants onboarded by TPPs (Pay by Account) type of payments.

Note: TPPs will be populating some of this information in the Risk Information Block when submitting Payment Initiation requests.

TPPs MUST:

CRG-9.3.2.1 Capture a user's Emirates ID for all payments where a long-lived consent is required.

CRG-9.3.2.2 Capture a user's Emirates ID for all data sharing use cases where transaction data is shared, regardless of the consent type.

CRG-9.3.2.3 Capture the user’s Emirates ID prior to initiating the prescribed user journey for the relevant use case.

• When a user is known to the TPP, the Emirates ID can be captured during onboarding.

• When a user is unknown to the TPP, the Emirates ID can be captured prior to the consent customer journey.

Note: TPPs are not required to verify the Emirates ID.

TPPs MUST:

CRG-10.1 Provide all the payment Consent parameters to OFP before redirecting Users to LFIs for authentication and proceed with payment Consent confirmation/authorization.

CRG-10.2 Setup the asynchronous event notifications (i.e. webhooks) with the OFP during this stage, in case TPPs want to use this method for any Consent or payment status updates.

OFP MUST:

CRG-10.3 Check the payment Consent parameters and validate their format and compliance to business rules.

CRG-10.4 Connect to the LFI and request the LFI to perform additional Consent parameter validations.

CRG-10.5 Reject the payment Consent and provide the appropriate error message to TPPs, if any of these validations performed fail.

CRG-10.6 Allow TPPs to retrieve information about the status of the Consent at any point in time.

LFIs MUST:

CRG-10.7 Check the payment Consent parameters requested by the OFP and validate them. If these are not validated, then LFIs MUST provide the appropriate error code to the OFP.

TPPs MUST:

CRG-11.1 Provide messaging to inform Users that they will be redirected to their LFIs to complete the payment Consent authorization.

Note: For guidelines on generic TPP to LFI redirection screens and messages, please refer to section https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210797382/Authentication+and+Authorization#5.-Effective-Use-of-Redirection-Screens.

CRG-11.2 Trigger the Authentication & Authorization process with the LFI by using the LFI's authorization endpoint.

LFIs MUST:

CRG-11.3 NOT present any additional inbound redirection screens.

CRG-11.4 Request the details included in the staged Consent from the OFP

OFP MUST:

CRG-11.5 Provide the Consent details to the LFIs based on the unique Consent identifier.

LFIs MUST:

CRG-11.6 Initiate the User Authentication process.

LFIs MUST:

CRG-12.1 Enable Users, after authentication, to select the payment account for the payment Consent from a list of their available payment accounts, if the payment Consent parameters do not contain this information. The payment accounts displayed to the User MUST be eligible for account information or initiating payments via online and mobile banking channels and have no AML or other related restrictions.

CRG-12.2 Display to Users the interim available balance including all credit lines and arranged overdrafts of each payment account in the list, if the purpose is Service Initiation.

CRG-12.3 Provide Users with the ability to cancel the payment journey, if Users decide to terminate the request. The LFI MUST hand-off the Users back to the TPP, providing the necessary error message to the TPP.

LFIs MUST:

CRG-13.1 Check if Is Single Authorization flag of the payment Consent is set against the authorization matrix of the account selected for the payment initiation. If the flag is set while the authorization matrix of the selected account requires multiple authorizers then LFIs MUST only display accounts that require single Authorization. If none exists, LFIs MUST decline the payment consent and cancel the payment journey and redirect the User back to the TPP with an appropriate response.

LFIs MUST:

CRG-14.1 Confirm to the OFP that the interaction session is now completed.

OFP MUST:

CRG-14.2 Initiate the User Redirection process by providing all necessary information to the LFI (including the required Authorization code)

LFIs MUST:

CRG-14.3 Provide messaging to inform Users that they will be taken back to their TPP.

CRG-14.4 Redirect Users to the TPP immediately after receiving the required information from the OFP.

TPPs MUST:

CRG-15.1 Check with the OFP for the status of a payment at various points in time throughout the payment lifecycle. The frequency of these queries to the OFP MUST be subject to fair usage policies. This is applicable in cases where TPPs are using the method of querying the payment status from the OFP.

CRG-15.2 Have the option to be notified by the OFP of the payment request status change when it occurs without requiring to query the OFP. This is only applicable in cases where TPPs selected to use the method of requesting the OFP to notify them asynchronously in the event of changes in the status of a payment.

• CRG-15.2.1 Setup the asynchronous event notifications (i.e. webhooks) with the OFP during the payment Consent Staging step as defined inhttps://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#10.-Consent-Staging in case they want to use this method for status updates.

OFP MUST:

CRG-15.3 Request the LFIs to notify it asynchronously on the event of changes in the status of a payment. The setup the asynchronous event notifications with the LFI will take place during the payment Consent staging.

CRG-15.4 Update the status of each payment initiated by the TPP throughout the payment lifecycle with the appropriate status value based on its progress through payment initiation processing and execution as provided by the LFI.

• 15.4.1 Check if the status of the payment has been set to ‘Rejected. In this case:

  • For all payments related to a VRP Consent, the OFP MUST decrement:

    • the cumulative Total Number of payments by 1 and,

    • the cumulative Total Value of payments by the value of the payment

  • For all payments related to a VRP Consent where a Control Period is set, the OFP MUST decrement:

    • the cumulative Total Number of payments per Control Period and,

    • the cumulative Total Value of payments per Control Period.

CRG-15.5 Respond to payment status query requests from a TPP with the appropriate status codes as listed below in section https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850813/Common+Rules+and+Guidelines#GRC-15.10-Payment-Status-Model based on the status information provided by the LFI.

CRG-15.6 Return to the TPP, in addition to the payment status, other payment system-specific status codes and payment rejection reasons codes as specified in the UAE Open Finance Standard specifications.

LFIs MUST:

CRG-15.7 Update the status of each payment initiated by the OFP throughout the payment lifecycle with the appropriate status value based on its progress through payment initiation processing and execution.

CRG-15.8 Be able to notify the OFP asynchronously about any changes in the status of the payment request. More specifically, LFIs MUST provide asynchronous notification to the OFP by sending the appropriate status codes as listed below in section https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850813/Common+Rules+and+Guidelines#GRC-15.10-Payment-Status-Model,

CRG-15.9 Return to the OFP in addition to the payment status, other payment system-specific status codes and payment rejection reasons codes as specified in the UAE Open Finance Standard specifications.

TPPs MUST:

CRG-16.1 Confirm to Users the outcome of their Consent Authorization with the LFI, in case of Long-lived Consents.

CRG-16.2 Inform Users if further authorizations are required for the Consent and provide additional information about the Authorizers supplied by the OFP as described in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#18.-Multi-User-Authorization-Flow.

CRG-16.3 Confirm to Users the outcome of the Service Initiation based on the payment status received by the OFP.

CRG-16.4 Confirm the payment outcome to Users using confirmation screens in line with the customer journey, for every Service Initiation that Users are present.

TPPs MUST:

CRG-17.1 Send a notification on the outcome of each Service Initiation to the beneficiary, if the beneficiary is onboarded by the TPP.

• 17.1.1 Notify the debtor about any upcoming scheduled payments, including fixed future payments, future variable payments, and recurring payments one day before the payment date. The notification must include details of the payment amount, date, and beneficiary and should be delivered through the same channels used for payment-related notifications (e.g., SMS, email, app notifications).

LFIs MUST:

CRG-17.2 Send a notification to Users on the success or failure of a Service Initiation in the following scenarios:

• A Single Use Consent payment is initiated by Users and is either successfully received by the Creditor or there is an error in processing the payment. This may include Single Instant Payments or Future Dated Payments.

• A Long-lived Consent is set up by Users, including information of the TPP or beneficiary party on behalf of the TPP which acquired the User Consent

• A Service Initiation request as part of a Long-lived Consent submitted by the TPP is either successfully received by the Creditor or there is an error in processing the payment

CRG-17.3 Use SMS as a minimum channel to notify Users and optionally any other allowable channels (e.g. email, app notifications) currently used for account access or payment-related notifications to their customers depending on UAE rules and regulations, for all Open Finance related notifications to Users.

CRG-17.4 Identify in the notifications the TPP initiating the payment, the beneficiary of the payment and additionally include the information provided in the on-behalf field.

LFIs MUST:

CRG-17.5.1 Inform all Users about the submission of a payment Consent for authorization.

CRG-17.5.2 Notify the other authorizers about any Single Use or Long-lived Consent that is pending their authorization, using all of the existing channels (e.g. SMS, email, app notifications) currently used for payment-related authorizations.

TPPs MUST:

CRG-17.5.3 Notify the Users of the updated status of the multi-user authorization received from the OFP, displaying the authorizers who have accepted, rejected or still have to authorize the payment.

The rules in this section are additional rules intended to cover authorization cases for multi-user payment initiation from payment accounts.

LFIs MUST:

CRG-18.1 Respond to the payment Consent request staged by the TPP with the OFP by providing an appropriate message to inform the User that the payment Consent to initiate one or more payments via the TPP is received by the LFI but is subject to further authorization. It is in the domain of the LFIs to determine how to do this in alignment with their own businesses' journeys.

CRG-18.2 Allow Users to use the payment initiation services if it is permitted within their user authority for the account, as defined by the LFI. In cases of shared personal accounts, a User will be able to initiate a payment Consent using a TPP, subject to having credentials with the LFI and the authority to initiate payments via the LFI’s channels under their profile permissions.

CRG-18.3 Allow a User acting with delegated user authority on behalf of a business, to only use the Service Initiation, if this is permitted within the parameters of the delegated user authority and appropriate profile permissions. Payment Consent requests MUST be resolved by the LFI in line with the entitlements (i.e. access privileges) held by each specific business\corporate user. These entitlements may be set via approvals from authorized signatories of the business\corporate entities, and LFIs are assumed to have these processes already.

CRG-18.4 Inform the OFP about the requirement for multiple authorizations of the staged payment consent. LFIs MUST make available to the OFP via the payment Consent further information in relation to multi-authorization process. This information includes:

• The total number of Authorizers required for the payment Consent to be fully authorized

• For each Authorizer:

  • the Type of Authorizer (for example, Financial, Manager, Director, Accountant etc.)

  • the date and time of when the Authorizer actioned the payment Consent

  • the status reflecting the Authorizer's final decision regarding the payment Consent (i.e. Pending, Approved or Rejected)

CRG-18.5 Be able to notify the OFP about the event of each authorizer in the chain authorizing or rejecting the payment Consent pending further authorization.

CRG-18.6 Change the state of the payment Consent with the OFP from Awaiting Authorization to Authorized when all Authorizers (one or more) have authorized the payment Consent.

OFP MUST:

CRG-18.7 Inform the TPP about the requirement for multiple authorizations of the staged payment consent. The OFP MUST make available to the TPPs via the payment Consent further information in relation to multi-authorization process. This information includes:

• All the information received from the LFI

• For each Authorizer:

  • the Type of Authorizer (for example, Financial, Manager, Director, Accountant etc.)

  • the date and time of when the Authorizer actioned the payment Consent

  • the status reflecting the Authorizer's final decision regarding the payment Consent (i.e. Pending, Approved or Rejected)

CRG-18.8 Notify the TPPs about the event of each authorizer in the chain authorizing or rejecting the payment Consent pending further authorization.

OFP MUST:

CRG-19.1 Reject a Consent Awaiting Authorization and move it to the terminal state in the following cases:

• CRG-19.1.1 The https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800530/Limits+and+Constants#Max-Submitter-Authorization-Time-Window has elapsed AND the Consent had not been authorized by any of the required authorizers AND the TPP has not set the Authorization Time Window as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#8.-Authorization-Expiration-DateTime.

• CRG-19.1.2 The Authorization Time Window as per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#8.-Authorization-Expiration-DateTime, if set by the TPP, has expired and the Consent has not been fully authorized.

TPPs MUST:

CRG-20.1 Support all category purpose codes including their descriptions as defined in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800530/Limits+and+Constants#Payment-Purpose-Codes of the UAE Open Finance Standard.

CRG-20.2 Either allow Users to select the available purpose of payment from a list or pre-populate it for Users.

CRG-20.3 Ensure and validate that the format of the payment purpose is according to the UAE Open Finance Standard.

TPPs MUST:

CRG-21.1 Provide information about their Shari’ah compliance when they are onboarded on the Open Finance Trust Framework OFTF.

OFP MUST:

CRG-21.2 Retrieve the information on the Shari’ah compliance of the TPP on receiving a Data Sharing or Service Initiation consent request from the TPP and pass this information to the LFI along with the consent request.

LFIs MUST:

CRG 21.3 Check for any information available on the Shari’ah compliance of the TPP in the consent request. If this information is present in the consent request then the LFI must present this information on the consent authorization screen.

CRG 21.4 Display the Shari’ah compliance information about the TPP, if available, on the consent dashboard against each consent

LFIs MUST:

22.1 Determine the situations where Supplementary Information is required to be shown to Users, keeping consideration of the principle that parity MUST be maintained between the Open Finance journeys and the LFIs' direct online channel https://openfinanceuae.atlassian.net/wiki/x/-YCQD that LFIs MUST maintain on the Open Finance journeys. Supplementary Information may be required in the following cases:

• Where fees, charges or Forex apply (e.g. international payments)

• Where interest rates apply

• To display a warning to Users that the relevant payment account will become overdrawn / exceed an overdraft limit as a result of the intended payment

• To show value-add information based on functionality implemented by LFIs in competitive space which provides positive customer outcome (e.g. cashflow prediction engine) 

• Where the payments may be duplicated by the User in a short period (e.g. LFI may display a warning that payment appears to be duplicated)

• To display fraud alerts to Users in relation to a specific Creditor or other general fraud alert occurrences which will also appear in the LFI’s direct online channels.

Note: The above list in only indicative and not exhaustive as there many other scenarios where LFIs may be presenting Supplementary Information to Users.

TPPs MUST:

CRG-23.1 ensure that proper KYC is carried out when Users are onboarded for any customer facing product that leverages Open Finance and has a regulatory requirement for KYC ( wallet, remittance app etc.)

CRG-23.2 ensure that some basic verification is carried out when Users are onboarded for any product that leverages Open Finance ( email, mobile number verification)

CRG-23.3 have the capability, within customer-facing product that supports multiple users within the same account, to create profiles with different sets of permissions. Certain profiles should be able to use specific OF features like authorizing a new Service/Data Request consent or using a Long-Lived consent setup by some other user with that account.