Version | 1.0 |
---|---|
Publication Date | |
Classification | Public |
1. Introduction
1.1 Objectives
This Certification Framework is designed to ensure that LFIs and TPPs provide Open Finance solutions which are in strict conformance to the Standards.
For LFIs, this is to ensure that the APIs they expose are consistent, thereby removing the complexity and friction for TPPs in connecting to and consuming these APIs.
For TPPs, this is to ensure that they connect correctly to the APIs exposed by LFIs, thereby reducing (and where possible removing) the possibility of TPPs raising complaints or disputes against LFIs regarding the consistency of their API implementations.
The requirements below set out what each LFI and TPP must do in order to test and apply for certifications in order to prove their conformance to the Standards.
Please note, this Certification Framework does not cover any operational or general cyber security requirements for LFIs or TPPs which may be required as part of their licensing process.
1.2 Scope
LFIs and TPPs will be required to:
obtain the relevant certifications (as set out below) prior to ‘go live’ for each version of the Standards they implement; and
obtain a separate complete set of certifications for each brand/application, e.g.
for LFIs, in cases where the LFI has a number of brands and/or customer segments, each with separate web or mobile apps; or
for TPPs, in cases where the TPP has more than one end customer facing web or mobile application.
LFIs and TPPs may carry out certifications in a production or pre-production environment, at the participant's choice. However, if opting for a pre-production environment, it should mirror the production environment, having the same architecture, network elements, software versions and customer experience elements as in production.
Wherever possible, the Open Finance Platform (OFP) will enforce conformance and thereby reduce the ‘burden’ of certification activity for LFIs and TPPs.
1.3 Renewal
LFIs and TPPs will be required to renew their certification:
every time they introduce a new version of the Standards;
every time they make any material changes to their infrastructure and/or Open Finance application API, web or mobile interfaces; and
if requested from time to time at the discretion of the CBUAE.
1.4 Ongoing Monitoring
LFIs and TPPs will be subject to ongoing monitoring and enforcement action in cases where they introduce any changes which would render a previously obtained certification invalid and where they fail to renew their certification.
This includes cases where an LFI or TPP obtains a certification in a pre-production environment which behaves differently from their production environment.
1.5 Roles, Responsibilities, Process and Fees
The following table summarises each certification component and sets out the responsibilities, certifying body, certification process and fees for each.
Component | Responsibility | Certifying Body | Certification Process | Fees |
---|---|---|---|---|
LFI FAPI Certification | OFP | OIDF | The OFP will obtain a single certification from the OIDF and will renew this during the implementation of each major new version of the Standards. | N/A |
LFI Functional Certification | OFP | N/A | N/A | N/A |
LFI CX Certification | LFI | Nebras | LFIs will be required to ensure that all authentication, authorisation and consent management screens in their web and mobile apps are in full conformance with the Customer Experience (CX) requirements in the Standards. LFIs will be required to submit screen grabs for each of these, for each use case to Nebras prior to go live for each version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
TPP FAPI Certification | TPP | OIDF | TPPs will be required to run the Relying Party (RP) tests for the UAE FAPI 2 profile in the OIDF Conformance Suite to ensure their application(s) passes all tests. TPPs will then be required to obtain a certification from the OIDF prior to go live for each application for each version of the Standards. | |
TPP Functional Certification | TPP | Nebras | TPPs will be required to run a set of test API calls in the API Hub Sandbox to ensure that their application(s) can correctly call all API endpoints for each use case. TPPs will then be required to submit their test results to Nebras prior to go live for each version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
TPP CX Certification | TPP | Nebras | TPPs will be required to ensure that all consent screens in their web and mobile apps are in full conformance with the Customer Experience (CX) requirements in the Standards. TPPs will be required to submit screen grabs for each of these, for each use case, to Nebras prior to go live for each version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
2. LFI Certification
2.1 LFI FAPI Certification
The OpenID Foundation (OIDF) has developed a Conformance Suite for testing and certifying the security scope of Authorization Servers (OpenID Providers, OPs) and Data Receiving Applications (Relying Parties, RPs). This tool is currently being enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.
As and when this is made available, the OFP itself will obtain certification as an OpenID Provider (OP) in accordance with the UAE FAPI 2.0 security profile. The OFP will renew this certification during the implementation of each major new version of the Standards.
Because the OFP strictly enforces the UAE FAPI 2.0 security profile on behalf of LFIs, there is no need for LFIs to apply for and obtain FAPI certifications directly themselves.
2.2 LFI Functional Certification
The OFP will include a test suite which will enable LFIs to test their integration with the OFP during development and prior to any go-live.
Because the OFP will also strictly enforce the API specifications for each LFI, there is no need for LFIs to apply for or obtain a functional certification directly themselves.
However, LFIs will be subject to ongoing monitoring and supervision to address and remediate any data quality issues.
2.3 LFI Customer Experience Certification
Each LFI will be required to ensure conformance to the Customer Experience (CX) requirements in the Standards for each use case, for each screen in their Open Finance consent flow and their Open Finance consent dashboard. Each of these screens must meet all the mandatory requirements set out in the Standard.
2.3.1 Process
LFIs will be required to submit screen grabs for each of these screens to Nebras as evidence of their conformance.
Nebras will validate that these screens meet the stated requirements in the Standards and require the LFI to update these screens and resubmit screen grabs if required.
As soon as all screens meet the requirements, Nebras will issue a certification to the LFI.
2.3.2 Fees
N/A (covered by OFP Fees).
2.3.3 Support
In due course this Certification Framework will be updated with detailed instructions for submission, validation and certification issuance.
3. TPP Certification
3.1 TPP FAPI Certification
As stated above, the OIDF’s Conformance Suite is currently being enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.
As and when this is made available, each TPP will be required to obtain a Relying Party (RP) certification for their application(s) in accordance with the UAE FAPI 2.0 security profile. TPPs will renew this certification during the implementation of each major new version of the Standards.
3.1.1 Process
For running the conformance tests, please check the documentation issued by the OIDF:
After running tests, all data used, including the public and private keys of certificates and client data from the test, will be made available in the ecosystem, visible to other participants and subject to audit. Therefore, if an institution opts to perform the certification in a production environment, it must be aware of, and is responsible for, revoking the certificates used during the tests and obtaining any required customer consent.
To request certification from the OIDF, TPPs should consult the instructions at the following address: https://openid.net/certification/op_submission/.
TPPs must inform Nebras immediately on receipt of a certification from OIDF.
3.1.2 Fees
The price table for FAPI certification is available at: https://openid.net/certification/fees/.
The fees for each certification are fixed and paid directly to the OIDF. Please note, these fees are significantly reduced for OIDF members. Therefore, it may be of interest for some institutions to join the OIDF. Below, we present some important information that can assist in the membership process.
The membership costs follow the OIDF table which can be found at: https://openid.net/foundation/members/registration.
To join, the institution must proceed directly through the OIDF website at: https://openid.net/foundation/members/registration.
The benefits of becoming a member, as well as further information, can be accessed at: https://openid.net/foundation/benefits-members/.
3.1.3 Support
If you have questions about the execution of conformance tests or the certification process, please contact the OIDF by email at certificate@oidf.org.
To report possible bugs or necessary changes, please open tickets at https://gitlab.com/openid/conformance-suite/-/issues/new.
3.2 TPP Functional Certification
Each TPP will be required to ensure they can correctly call the APIs defined in the Standards for each use case relevant to their Open Finance license application.
3.2.1 Process
TPPs will be required to access the API Hub Sandbox (reference implementation).
Nebras will validate that the TPP has made successful API calls for each relevant use case and require the TPP to retry if required.
As soon as all APIs have been called successfully, Nebras will issue a certification to the TPP.
3.2.2 Fees
N/A (covered by OFP Fees).
3.2.3 Support
In due course this Certification Framework will be updated with detailed instructions for submission, validation and certification issuance.
3.3 TPP Customer Experience Certification
Each TPP will be required to ensure conformance to the Customer Experience (CX) requirements in the Standards for each use case relevant to their Open Finance license application, for each screen in their Open Finance consent flow and their Open Finance consent dashboard. Each of these screens must meet all the mandatory requirements set out in the Standard.
3.3.1 Process
TPPs will be required to submit screen grabs for each of these screens to Nebras as evidence of their conformance.
Nebras will validate that these screens meet the stated requirements in the Standards and require the TPP to update these screens and resubmit screen grabs if required.
As soon as all screens meet the requirements, Nebras will issue a certification to the TPP.
3.3.2 Fees
N/A (covered by OFP Fees).
3.3.3 Support
In due course this Certification Framework will be updated with detailed instructions for submission, validation and certification issuance.