Version: 1.0

Publication Date:

Classification: Public

1. Introduction

This Certification Framework is designed to ensure that LFIs and TPPs provide Open Finance solutions which are in strict conformance with the Open Finance Standards.

  • For LFIs, this is to ensure that the APIs they expose are consistent and thereby to remove the complexity and friction for TPPs in connecting to LFIs and consuming these APIs.

  • For TPPs, this is to ensure that they connect correctly to the APIs exposed by LFIs and thereby to reduce (and where possible remove) the possibility of TPPs raising complaints or disputes against LFIs regarding the consistency of their API implementations.

The requirements below set out what each LFI and TPP must do to test and apply for certifications in order to prove their conformance.

Wherever possible, the Open Finance Platform (OFP) will enforce conformance and reduce the ‘burden’ of certification activity, especially for LFIs.

Please note, this Certification Framework does not cover any operational or general cyber security requirements for LFIs or TPPs as part of their licensing process.

2. LFI Certification

Subject to the requirements below, LFIs will be:

  • required to obtain the relevant certifications (as set out below) prior to ‘go live’ for each version of the standards;

  • required to obtain a separate certification for each separate set of infrastructure (e.g. in cases where the LFI has a number of brands and/or customer segments, each with separate core systems, web or mobile apps);

  • required to renew their certification every time they introduce any new version of the standards and/or every time they make any material changes to their infrastructure;

  • required to renew their certification from time to time at the discretion of the CBUAE; and

  • subject to ongoing monitoring and enforcement action by the CBUAE in cases where they introduce any changes which would render a previously obtained certification invalid and where they fail to renew their certification.

2.1 LFI FAPI Certification

The OpenID Foundation (OIDF) have developed a tool (Security Compliance Engine) for testing and certifying the security scope of Authorization Servers (OpenID Providers - OPs) and Data Receiving Applications (Relying Parties - RPs). This tool is currently being enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the security profile set out in the CBUAE Open Finance Standards.

As and when this is made available, the OFP itself will be certified by the OIDF as an OpenID Provider (OP) in accordance with the UAE FAPI 2.0 profile. The OFP will renew this certification during the implementation of each major new version of the standards.

Because the OFP strictly enforces the security profile on behalf of LFIs, there is no need for LFIs to apply for and obtain FAPI certifications directly themselves.

2.2 LFI Functional Certification

The OFP will include a test suite which will enable LFIs to test their integration with the OFP during development and prior to any Go Live.

Because the OFP will also strictly enforce the API specifications for each LFI, there is no need for LFIs to apply for and obtain a functional certification directly themselves.

However, LFIs will be subject to ongoing monitoring and supervision by CBUAE to address and remediate any data quality issues.

2.3 LFI Customer Experience Certification

Each LFI will be required to submit screen grabs to the CBUAE for:

  • each screen in their Open Finance authentication and authorization flow; and

  • each screen of their Open Finance consent dashboard.

3. TPP Certification

3.1 TPP FAPI Certification

TBC

3.2 TPP Functional Certification

TBC

3.3 TPP Customer Experience Certification

TBC

4. Summary

The following table summarises each certification component for LFIs and TPPs, and sets out the responsibilities, certifying body and process in each case.

| Component | Responsibility | Certifying Body | Process |
|---|---|---|---|
| LFI FAPI Certification | OFP | OIDF | The OFP will obtain a single certification from the OIDF and will renew this during the implementation of any major new version of the standards. |
| LFI Functional Certification | OFP | n/a | n/a |
| LFI CX Certification | LFI | CBUAE | Each LFI will be required to submit screen grabs to the CBUAE prior to go live for any version of the standards. |
| TPP FAPI Certification | TPP | OIDF | |
| TPP Functional Certification | TPP | CBUAE | |
| TPP CX Certification | TPP | CBUAE | |
