Version | 1.0
---|---
Publication Date |
Classification | Public
1. Introduction
1.1 Objectives
This Certification Framework is designed to ensure that LFIs and TPPs provide Open Finance solutions that are in strict conformance with the Standards.
For LFIs, this is to ensure that the APIs they expose are consistent, thereby removing the complexity and friction for TPPs in connecting to and consuming these APIs.
For TPPs, this is to ensure that they connect correctly to the APIs exposed by LFIs, thereby reducing (and where possible removing) the possibility of TPPs raising complaints or disputes against LFIs regarding the consistency of their API implementations.
Please note, this Certification Framework does not cover any operational or general cyber security requirements for LFIs or TPPs which may be required as part of their licensing process.
1.2 General Requirements
The requirements below set out what each LFI and TPP must do to test for, and apply for, the certifications that prove their conformance to the Standards.
In summary, LFIs and TPPs will be required to:
- obtain the relevant certifications (as set out below) prior to ‘go live’ for each version of the Standards they implement;
- obtain a separate complete set of certifications for each brand/application, e.g.
  - for LFIs, in cases where the LFI has a number of brands and/or customer segments, each with separate core systems, web or mobile apps, or
  - for TPPs, in cases where the TPP has more than one end-customer-facing web or mobile application;
- renew their certification every time they introduce a new version of the Standards and/or every time they make any material changes to their infrastructure; and
- renew their certification from time to time at the discretion of the CBUAE.
Furthermore, LFIs and TPPs will be subject to ongoing monitoring and enforcement action by the CBUAE in cases where they introduce any changes which would render a previously obtained certification invalid and where they fail to renew their certification.
Wherever possible, the Open Finance Platform (OFP) will enforce conformance and reduce the ‘burden’ of certification activity, especially for LFIs.
1.3 Roles, Responsibilities, Process and Fees
The following table summarises each certification component and sets out the responsibilities, certifying body, process and fees for each.
Component | Responsibility | Certifying Body | Process | Fees |
---|---|---|---|---|
LFI FAPI Certification | OFP | OIDF | The OFP will obtain a single certification from the OIDF and will renew this during the implementation of any major new version of the Standards. | N/A |
LFI Functional Certification | OFP | N/A | N/A | N/A |
LFI CX Certification | LFI | Nebras | Each LFI will be required to submit screen grabs to Nebras prior to go live for any version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
TPP FAPI Certification | TPP | OIDF | | |
TPP Functional Certification | TPP | Nebras | | Included in OFP Fees |
TPP CX Certification | TPP | Nebras | Each TPP will be required to submit screen grabs to Nebras prior to go live for any version of the Standards. Nebras will validate these and issue a certification. | Included in OFP Fees |
2. LFI Certification
2.1 LFI FAPI Certification
The OpenID Foundation (OIDF) has developed a tool (the Security Compliance Engine) for testing and certifying the security scope of Authorization Servers (OpenID Providers - OPs) and Data Receiving Applications (Relying Parties - RPs). The OIDF is currently enhancing this tool to include a set of Financial-grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.
As and when this is made available, the OFP itself will be certified by the OIDF as an OpenID Provider (OP) in accordance with the UAE FAPI 2.0 security profile. The OFP will renew this certification during the implementation of each major new version of the Standards.
Because the OFP strictly enforces the UAE FAPI 2.0 security profile on behalf of LFIs, there is no need for LFIs to apply for and obtain FAPI certifications directly themselves.
2.2 LFI Functional Certification
The OFP will include a test suite which will enable LFIs to test their integration with the OFP during development and prior to any go-live.
Because the OFP will also strictly enforce the API specifications for each LFI, there is no need for LFIs to apply for and obtain a functional certification directly themselves.
However, LFIs will be subject to ongoing monitoring and supervision by Nebras to address and remediate any data quality issues.
2.3 LFI Customer Experience Certification
Each LFI will be required to submit screen grabs to Nebras for each of a) bank data and b) service initiation, covering:
- each screen in their Open Finance authentication and authorization flow; and
- each screen of their Open Finance consent dashboard.
In due course this Certification Framework will be updated with detailed instructions as to how LFIs will be able to submit their
3. TPP Certification
3.1 TPP FAPI Certification
TBC
3.2 TPP Functional Certification
TBC
3.3 TPP Customer Experience Certification
TBC