
Version: 1.0

Publication Date:

Classification: Public

This Certification Framework is provisional and subject to change.

1. Introduction

1.1 Objectives

This Certification Framework is designed to ensure that Licensed Financial Institutions (LFIs) and Third Party Providers (TPPs) provide Open Finance solutions which are in strict conformance to the Standards.

  • For LFIs, this is to ensure that the APIs they expose are consistent, thereby removing the complexity and friction for TPPs in connecting to and consuming these APIs.

  • For TPPs, this is to ensure that they connect correctly to the APIs exposed by LFIs, thereby reducing (and where possible removing) the possibility of TPPs raising complaints or disputes against LFIs regarding the consistency of their API implementations.

The requirements below set out what each LFI and TPP must do to test for, and apply for, the certifications that prove their conformance to the Standards.

Please note, this Certification Framework does not cover any operational or general cyber security requirements for LFIs or TPPs which may be required as part of their licensing process.

1.2 Scope

LFIs and TPPs must:

  • obtain the relevant certifications (as set out below) prior to ‘go live’ for each version of the Standards they implement; and

  • obtain a separate complete set of certifications for each brand/application, e.g.

    • for LFIs, in cases where the LFI has a number of brands and/or customer segments, each with separate web or mobile apps; or

    • for TPPs, in cases where the TPP has more than one end customer facing web or mobile application.

LFIs and TPPs may carry out certifications in a production or pre-production environment, at the participant's choice. However, if opting for a pre-production environment, it should mirror the production environment, having the same architecture, network elements, software versions and customer experience elements as in production.

Wherever possible, the Open Finance Platform (OFP) will enforce conformance and thereby reduce the certification requirements for LFIs and TPPs.

1.3 Renewal

LFIs and TPPs must renew their certification:

  • every time they introduce a new version of the Standards;

  • every time they make any material changes to their infrastructure and/or Open Finance application API, web or mobile interfaces; and

  • if requested from time to time at the discretion of the Nebras Open Finance Company (Nebras).

1.4 Ongoing Monitoring

LFIs and TPPs will be subject to ongoing monitoring and enforcement action in cases where they introduce any change that would render a previously obtained certification invalid and fail to renew their certification.

This includes cases where an LFI or TPP obtains a certification in a pre-production environment which behaves differently from their production environment.

1.5 Roles, Responsibilities, Process and Fees

The following table summarises each certification component and sets out the responsibility, certifying body, certification process and fees for each.

| Component | Responsibility | Certifying Body | Certification Process | Fees |
|---|---|---|---|---|
| LFI FAPI Certification | OFP | OIDF | The OFP will obtain a single certification from the OIDF and will renew it during the implementation of each major new version of the Standards. | N/A |
| LFI Functional Certification | OFP | N/A | N/A | N/A |
| LFI CX Certification | LFI | Nebras | LFIs must ensure that all authentication, authorisation and consent management screens in their web and mobile apps are in full conformance with the Customer Experience (CX) requirements in the Standards. LFIs must submit screen grabs of each of these screens, for each use case, to Nebras prior to go live for each version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
| TPP FAPI Certification | TPP | OIDF | TPPs must run the Relying Party (RP) tests for the UAE FAPI 2.0 profile in the OIDF Conformance Suite to ensure that their application(s) pass all tests. TPPs must obtain a certification from the OIDF prior to go live, for each application and for each version of the Standards. | See section 3.1.2 |
| TPP Functional Certification | TPP | Nebras | TPPs must run a set of test API calls in the API Hub Sandbox to ensure that their application(s) can correctly call all API endpoints for each use case. TPPs must then submit their test results to Nebras prior to go live for each version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
| TPP CX Certification | TPP | Nebras | TPPs must ensure that all consent screens in their web and mobile apps are in full conformance with the Customer Experience (CX) requirements in the Standards. TPPs must submit screen grabs of each of these screens, for each use case, to Nebras prior to go live for each version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |

2. LFI Certification

2.1 LFI FAPI Certification

The OpenID Foundation (OIDF) has developed a Conformance Suite for testing and certifying the security profile conformance of Authorization Servers (OpenID Providers, OPs) and data-receiving applications (Relying Parties, RPs). The OIDF is currently enhancing this tool with a set of Financial-grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.

As and when this is made available, the OFP itself will obtain certification as an OpenID Provider (OP) in accordance with the UAE FAPI 2.0 security profile. The OFP will renew this certification during the implementation of each major new version of the Standards.

Because the OFP strictly enforces the UAE FAPI 2.0 security profile on behalf of LFIs, there is no need for LFIs to apply for and obtain FAPI certifications directly themselves.

2.2 LFI Functional Certification

The OFP will include a test suite which will enable LFIs to test their integration with the OFP during development and prior to any go-live.

Because the OFP will also strictly enforce the API specifications for each LFI, there is no need for LFIs to apply for or obtain a functional certification directly themselves.

However, LFIs will be subject to ongoing monitoring and supervision to address and remediate any data quality issues.

2.3 LFI Customer Experience Certification

Each LFI must ensure conformance to the Customer Experience (CX) requirements in the Standards for each use case, for each screen in their Open Finance consent flow and their Open Finance consent dashboard. Each of these screens must meet all the mandatory requirements set out in the Standard.

2.3.1 Process

LFIs must submit screen grabs of each of the following screens to Nebras as evidence of conformance to the requirements for that screen set out in the Standards. If the LFI has both a web and a mobile application for the relevant brand/customer segment, it must submit screens for each; otherwise it need only submit screens for the supported application. All screens must be in English.

| # | Screen | Web | Mobile |
|---|---|---|---|
| 1 | TPP to LFI Redirection Screen | ✓ | ✓ |
| 2 | LFI to TPP Redirection Screen | ✓ | ✓ |
| 3 | LFI Authentication Screen (1st Factor/Biometrics) | ✓ | ✓ |
| 4 | LFI Authentication Screen (2nd Factor) | ✓ | ✓ |
| 5 | LFI Authorization Screen (Single Immediate Payment) | ✓ | ✓ |
| 6 | LFI Authorization Screen (Single Immediate Payment, showing example Shari’ah compliance message) | ✓ | ✓ |
| 7 | LFI Authorization Screen (Future Dated Payment) | ✓ | ✓ |
| 8 | LFI Authorization Screen (Multi-Payment) | ✓ | ✓ |
| 9 | LFI Authorization Screen (International Payment) | ✓ | ✓ |
| 10 | LFI Authorization Screen (Refund) | ✓ | ✓ |
| 11 | LFI Authorization Screen (Delegated Authentication) | ✓ | ✓ |
| 12 | LFI Authorization Screen (Bulk/Batch Payment) | ✓ | ✓ |
| 13 | LFI Authorization Screen (Bank Data Sharing - One Time) | ✓ | ✓ |
| 14 | LFI Authorization Screen (Bank Data Sharing - Ongoing) | ✓ | ✓ |
| 15 | LFI Authorization Screen (Motor Insurance Data Sharing - One Time) | ✓ | ✓ |
| 16 | LFI Authorization Screen (Motor Insurance Data Sharing - Ongoing) | ✓ | ✓ |
| 17 | LFI Consent Dashboard (List) | ✓ | ✓ |
| 18 | LFI Consent Dashboard (Details) | ✓ | ✓ |
| 19 | LFI Consent Dashboard (Revocation Confirmation) | ✓ | ✓ |

Nebras will validate that these screens meet the stated requirements in the Standards and will require the LFI to update any screens that do not and to resubmit screen grabs.

As soon as all screens meet the requirements, Nebras will issue a certification to the LFI.

2.3.2 Fees

N/A; covered by OFP fees.

2.3.3 Support

In due course this Certification Framework will be updated with detailed instructions for submission, validation and certification issuance.

3. TPP Certification

3.1 TPP FAPI Certification

As stated above, the OIDF’s Conformance Suite is currently being enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.

As and when this is made available, each TPP must obtain a Relying Party (RP) certification for each of its application(s) in accordance with the UAE FAPI 2.0 security profile. TPPs must renew this certification during their implementation of each major new version of the Standards.

3.1.1 Process

For running the conformance tests, refer to the documentation issued by the OIDF.

After the tests have been run, all data used in them, including the public and private keys of the certificates and the client data, is made available in the ecosystem, visible to other participants and subject to audit. Every private key used in testing must therefore be treated as disclosed: TPPs should use keys and certificates generated solely for testing, and a TPP that opts to perform the certification in a production environment is responsible for revoking the certificates used during the tests and for obtaining any required customer consent.

To request certification from the OIDF, TPPs should consult the instructions at the following address: https://openid.net/certification/op_submission/.

TPPs must inform Nebras immediately on receipt of a certification from OIDF.

3.1.2 Fees

The price table for FAPI certification is available at: https://openid.net/certification/fees/.

The fees for each certification are fixed and paid directly to the OIDF. Please note, these fees are significantly reduced for OIDF members. Therefore, it may be of interest for some institutions to join the OIDF. Below, we present some important information that can assist in the membership process.

3.1.3 Support

If you have questions about the execution of conformance tests or the certification process, please contact the OIDF by email at certificate@oidf.org.

To report possible bugs or necessary changes, please open tickets at https://gitlab.com/openid/conformance-suite/-/issues/new.

3.2 TPP Functional Certification

Each TPP must ensure they can correctly call the APIs defined in the Standards for each use case relevant to their Open Finance license application.

3.2.1 Process

TPPs will be required to access the API Hub Sandbox and execute API calls for each API endpoint relevant to their use case as set out in the table below.

| API Endpoint | Bank Service Initiation | Bank Data Sharing | Insurance Data Sharing |
|---|---|---|---|
| GET /payment-consents | ✓ | | |
| GET /payment-consents/{ConsentId} | ✓ | | |

Nebras will validate that the TPP has made successful API calls for each relevant use case and will require the TPP to retry any calls that failed.

As soon as all APIs have been called successfully, Nebras will issue a certification to the TPP.

3.2.2 Fees

N/A; covered by OFP fees.

3.2.3 Support

In due course this Certification Framework will be updated with detailed instructions for submission, validation and certification issuance.

3.3 TPP Customer Experience Certification

Each TPP must ensure conformance to the Customer Experience (CX) requirements in the Standards for each use case relevant to their Open Finance license application, for each screen in their Open Finance consent flow and their Open Finance consent dashboard. Each of these screens must meet all the mandatory requirements set out in the Standard.

3.3.1 Process

TPPs must submit screen grabs of each of the following screens to Nebras as evidence of conformance to the requirements for that screen set out in the Standards. If the TPP has both a web and a mobile application, it must submit screens for each; otherwise it need only submit screens for the supported application. All screens must be in English.

| # | Screen | Web | Mobile |
|---|---|---|---|
| 1 | TPP to LFI Redirection Screen (one example from any use case) | ✓ | ✓ |
| 2 | LFI to TPP Redirection Screen (one example from any use case) | ✓ | ✓ |
| 3 | TPP Consent Setup Success Screen (one example from any use case) | ✓ | ✓ |
| 4 | TPP Payment Method Selection Screen | ✓ | ✓ |
| 5 | TPP Consent Screen (Single Immediate Payment) | ✓ | ✓ |
| 6 | TPP Consent Screen (Future Dated Payment) | ✓ | ✓ |
| 7 | TPP Consent Screen (Multi-Payment) | ✓ | ✓ |
| 8 | TPP Consent Screen (International Payment) | ✓ | ✓ |
| 9 | TPP Consent Screen (Refund) | ✓ | ✓ |
| 10 | TPP Consent Screen (Delegated Authentication) | ✓ | ✓ |
| 11 | TPP Consent Screen (Bulk/Batch Payment) | ✓ | ✓ |
| 12 | TPP Consent Screen (Bank Data Sharing - One Time) | ✓ | ✓ |
| 13 | TPP Consent Screen (Bank Data Sharing - Ongoing) | ✓ | ✓ |
| 14 | TPP Consent Screen (Motor Insurance Data Sharing - One Time) | ✓ | ✓ |
| 15 | TPP Consent Screen (Motor Insurance Data Sharing - Ongoing) | ✓ | ✓ |
| 16 | TPP Consent Dashboard (List) | ✓ | ✓ |
| 17 | TPP Consent Dashboard (Details) | ✓ | ✓ |
| 18 | TPP Consent Dashboard (Revocation Confirmation) | ✓ | ✓ |

Nebras will validate that these screens meet the stated requirements in the Standards and will require the TPP to update any screens that do not and to resubmit screen grabs.

As soon as all screens meet the requirements, Nebras will issue a certification to the TPP.

3.3.2 Fees

N/A; covered by OFP fees.

3.3.3 Support

In due course this Certification Framework will be updated with detailed instructions for submission, validation and certification issuance.
