
Version: 1.1

Publication Date:

Classification: Public

This Limitation of Liability Model is provisional and subject to change.

1. Responsibilities of Eco-System Participants

1.1 Duty of Care

Open Finance TPPs and LFIs have a duty of care to their Customers and Users to ensure that their services are provided with reasonable care and skill. This includes:

  • Secured systems/processes

  • Reliable services

  • Clear and accurate information

  • Accurate transaction execution

1.2 Breach of Duty

Where a TPP or LFI breaches this duty of care, it may be liable for any direct losses suffered by its Users. For example, if a service provider fails to implement adequate security measures and a User's account is hacked, the service provider may be liable for any direct losses incurred by the User as a result of the hack.

1.3 Data Protection and Privacy

Service providers are also responsible for protecting the privacy and security of their Users' data. If a service provider fails to implement adequate data protection measures and a User's data is compromised or transmitted outside of the User's intentions, the service provider may be liable for any direct losses suffered by the User as a result.

1.4 Payment of Open Finance Compensation and Direct Losses

It is incumbent on all Open Finance TPPs and LFIs, in addition to other Eco-System participants, to pay the Open Finance Compensation and to compensate for any direct losses suffered, from the liable party to the affected party, as soon as a dispute verdict has been reached and its conclusion communicated to all relevant participants.

Indirect and Consequential losses will not be compensated as part of the Open Finance Rulebook and Standards; however, this does not remove the legal protection afforded by any applicable legislation / regulation within the UAE. The Open Finance limitation of liability also does not supersede or replace the Aani scheme rules and the disputes mechanisms / redress measures in place for transactions conducted on the Aani platform.

2. Liability

2.1 General / Consent / Authentication

| Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
| --- | --- | --- | --- | --- | --- |
| Open Finance Activity / Transaction taking place without relevant and valid consent having been issued by the LFI | User was not presented the consent as per guidelines or the User states that they did authenticate but not authorize the consent. | LFI | LFI | Direct Losses & Open Finance Compensation | Defined Below in specific cases |
| Failure to Revoke Consent – Requested via TPP Channel | User had revoked the consent through the TPP but this was not communicated to the LFI, and as a result payments erroneously keep being initiated. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Failure to Revoke Consent – Requested via LFI Channel | User had revoked the consent through the LFI but this was not executed by the LFI, leading to subsequent OF requests by the TPP that the User did not expect. | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| Fraudulent or erroneous LFI authentication taking place via LFI direct channel or CAAP service | User states that they had not done the authentication for the OF service OR the LFI/CAAP authentication and authorization happened too quickly for them to comprehend. | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
| Inaccurate or Incomplete articulation of the extent of a consent to User | The details of the consent (e.g. permissions requested, fees and charges, onward sharing details) were not unambiguously and accurately communicated to the User, leading to misunderstandings about the scope of data usage. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Failure to execute valid Open Finance request within SLA by TPP | The TPP did not initiate a payment as scheduled, resulting in unintended consequences like penalties for the User. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 – 12 hrs +; 250 – 6 hrs +; 200 – 6 hrs or under |
| Failure to execute valid Open Finance request within SLA by LFI | The LFI did not execute a payment as scheduled by the TPP, resulting in unintended consequences like penalties for the User. | LFI | LFI | Direct Losses & Open Finance Compensation | 350 – 12 hrs +; 250 – 6 hrs +; 200 – 6 hrs or under |
| Failure to execute valid Open Finance request accurately by TPP | The TPP did not process account data using a long-lived Data sharing consent as agreed with the User, providing incorrect financial analysis and influencing wrong financial decisions. | TPP | TPP | Direct Losses & Open Finance Compensation | 250 |
| Failure to execute valid Open Finance request accurately by LFI | The LFI incorrectly resolved the beneficiary proxy, resulting in the payment being sent to the wrong beneficiary. | LFI | LFI | Direct Losses & Open Finance Compensation | 250 |
| Open Finance activity pre or post notifications not taking place despite regulatory responsibility of / agreement with TPP | User is not sent mandated notifications by the TPP before executing a scheduled payment using a long-lived consent, resulting in the User's account being overdrawn and incurring a charge. | TPP | TPP | Direct Losses & Open Finance Compensation | 150 |
| Centralized API Hub and / or Trust Framework failure | The consent control mechanism of the Open Finance Platform fails to control the existence and/or validity of the User's consent, resulting in unauthorized data sharing or an unauthorized transaction being executed. | Nebras | Nebras | Maximum of 5 million of direct losses per claim | N/A |
| Inaccurate categorization of an API call causing invalid commercial model application due to incorrect details supplied by TPP | A collection transaction is incorrectly categorized as a large value transaction, leading to potential misclassification and causing incorrect pricing to be applied. | TPP | TPP | Direct Losses & Open Finance Compensation | 1000 |
| Inaccurate categorization of a corporate customer causing invalid commercial model application due to incorrect details supplied by LFI | An entity is incorrectly categorized as a corporate entity, leading to potential misclassification and causing incorrect pricing to be applied. | LFI | LFI | Direct Losses & Open Finance Compensation | 1000 |

2.2 Security Incident

| Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
| --- | --- | --- | --- | --- | --- |
| Security Breach of LFI – Cyber or Physical (Leading to Data Loss or Fraudulent Transactions) | The authentication mechanism of the LFI has been hacked or is not adequate as mandated, leading to unauthorized access to the Users' accounts through the OF services. | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
| Security Breach of TPP – Cyber or Physical (Leading to Data Loss or Fraudulent Transactions) | The authentication mechanism of the TPP has been hacked or is not adequate; as a result, long-lived consents previously authorized are being fraudulently used to access the User's account information or to initiate transactions. | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
| Open Finance Data Transmitted to a Party outside Open Finance Eco-system by LFI | There was a breach of security at the LFI that led to the API being misused internally at the LFI, and Open Finance data sets were extracted and then sent outside of the LFI's architecture as part of unapproved, unregulated activity. | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
| Open Finance Data Transmitted to a Party outside Open Finance Eco-system by TPP | A TPP improperly shares data within the scope of Open Finance with external entities without the consent of the User, thus jeopardising data privacy and security. | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |

2.3 Data

| Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
| --- | --- | --- | --- | --- | --- |
| Misuse (outside of Consent or otherwise) or Loss of Data by TPP | TPP had requested a one-off consent for a Loan application, but the data was then shared with marketers without the User's consent, resulting in a breach of data privacy. | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
| Inaccurate data transmission, processing or analysis by TPP | The TPP is periodically accessing User account information and is erroneously processing the data to automate sweeping across multiple accounts, resulting in financial losses. | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| Data shared by LFI outside of Consent or without Valid Consent and Authentication | The TPP has requested only User information for the Identity Verification use case but the LFI ends up sending transactional data as well. | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
| Data transmitted incorrectly by LFI, leading to inaccuracies, or mis-mapped to the Open Finance data model, in LFI mastered and stored Data | The LFI response to a request by the TPP has poor quality of data, where information is either missing or incorrectly mapped to the OF data model, adversely impacting the quality and reliability of the service offered by the TPP to the User. | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
| Data shared by LFI which contained inaccuracies from the LFI mastered and stored Data | The LFI response to a request by the TPP has poor quality of data, where information is either missing or incorrectly mapped to the OF data model, adversely impacting the quality and reliability of the service offered by the TPP to the User. | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
| Data Shared from an LFI containing inaccuracies in User contributed Data | An LFI disseminates data involving the User that contains errors or inaccuracies, which could potentially affect the User's financial interactions or status. | LFI | User | Direct Losses | N/A |
| Misrepresentation of any Open Finance data or quotes by TPP to User or other Open Finance participants | TPP has knowingly used account information from only 2 out of 4 accounts held by the User across LFIs to assess their creditworthiness, which is not a true reflection of the User's financial position. The TPP has offered the User a more expensive product or inaccurate advice based on such assessment. | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |

2.4 Payments

| Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
| --- | --- | --- | --- | --- | --- |
| Inaccurate or inconsistent payment initiation / execution due to incorrect beneficiary details supplied and approved by User | The User has provided an incorrect beneficiary proxy and not verified the resolved beneficiary details, resulting in an error. | User | User | N/A | N/A |
| Inaccurate or inconsistent payment initiation / execution due to incorrect beneficiary details supplied by TPP | The TPP has incorrectly configured the receiving account of their onboarded merchant, resulting in misdirected payments from Users for the purchase of goods, eventually causing fulfillment issues. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Inaccurate or inconsistent payment initiation / execution due to incorrect beneficiary details supplied by LFI (including via inaccurate proxy resolution) | The LFI has incorrectly resolved the beneficiary proxy provided by the User, resulting in the payment being sent to the incorrect beneficiary. | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| Payment initiation by TPP request contains mismatch to User stated intention / awareness | The shipping and/or service charges were obfuscated while requesting authorization for an eCommerce purchase, resulting in the User feeling overcharged. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Fraudulent or erroneous payment initiation occurring using VRP or Delegated SCA payment consent by TPP | The User acknowledges that they authorized a long-lived consent but is unable to recognize/reconcile transaction(s) for which they were not physically present, or they had not physically authorized the TPP to initiate the transaction(s). | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| Fraud monitoring of all payment activity from LFI held accounts | The LFI was not able to flag alerts and protect the User from fraud in spite of a sharp increase in the transaction frequency or value for payments initiated by the TPP using VRP or delegated SCA. | LFI | LFI | Direct Losses & Open Finance Compensation | 250 |
| Payment initiated outside of VRP / future dated payment / bulk payment / part payment / refund consent | Processing errors are possible by the LFI where an LFI makes incorrect copies of the consent from the OFP and therefore adds an inaccurate validation process. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Fraudulent payment requests (including RTP and similar) issued via a TPP | Fraudulent Request to Pay using OF wherein the User ends up making payments to a fabricated bank account. | TPP | User (Requesting) | Direct Losses & Open Finance Compensation | 500 |
| Failure to execute payment within SLA by LFI, following valid payment initiation | The User has lost out on favorable contracts which depend on time-sensitive purchases, like trading for stocks or buying forex, because the LFI took too long to execute such payments. | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| Inaccurate or Incomplete articulation of Payment Consent for VRP or Delegated SCA to User | User was not unambiguously presented the available controls in the form of transaction limits for a VRP, which resulted in payments being initiated which were not as expected by the User. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Payment amount / date / currency / description / LFI / source account incorrect due to User Input | Payment details such as amount, date, currency, or account source are incorrect due to errors entered by the User, leading to failed or erroneous transactions. | User | User | N/A | N/A |
| Payment amount / date / currency / description incorrect due to LFI processing error | The LFI system had addition or transposition errors or a glitch where mandatory payment references like those for Card/Bill payments were truncated. All of these could lead to erroneous execution of payment. | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| Payment amount / date / currency / description incorrect due to TPP processing error | The TPP system had addition or transposition errors or a glitch where mandatory payment references like those for Card/Bill payments were truncated. All of these could lead to erroneous execution of payment by the LFI. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| AML / Financial Crime responsibilities for Payments including Transactional Monitoring and PEP / Sanction / Terrorism screening | The LFI must screen all payments required to be screened by AML regulation and legislation. | LFI | LFI | Direct Losses | N/A |
| Payment execution duplication by LFI | The Payment has been executed incorrectly by the LFI (e.g. taken twice due to a technical glitch). | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| Payment initiation duplication by TPP | The TPP system has a technical glitch where the Payment initiated as part of a VRP or delegated SCA is duplicated. | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| Breach of contract or misrepresentation by Merchant | Failure to deliver complete, usable or functional goods / services, as they were described, despite valid and completed payment via Open Finance, including in the case of Merchant insolvency. | Merchant (see Note 3) | Merchant (see Note 3) | Direct Losses & Open Finance Compensation | 100 |
| Merchant legitimacy and consistency of Entity Name / Account Name / KYC Status at LFI / Trading Name as presented to the User | The TPP must onboard the merchant via a KYB process which ensures that the trading name represented to their customers as part of payment collections processes is legitimate and is approved legally with relevant authorities. | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| User legitimacy and consistency of Legal Name / Account Name / KYC Status at LFI as presented within Open Finance ecosystem | The TPP must onboard individual users via a process which utilizes their KYC-ed record at an LFI, which contains verified data and has not expired as a valid KYC record. The user must only represent themselves on the OF platform and in OF transactions with the same name to be held at the LFI. | TPP | LFI | Direct Losses & Open Finance Compensation | 350 |
| Inaccurate or invalid charging of customer for goods / services, when payment for those goods / services is settled via Open Finance payment initiation | The shipping and/or service charges were obfuscated while requesting authorization for an eCommerce payment, resulting in the User feeling overcharged. | Merchant (see Note 3) | Merchant (see Note 3) | Direct Losses & Open Finance Compensation | 100 |
| Refund failed to be initiated and completed from Merchant, despite complete return of goods / inability to utilise services, as they were described or delivered | The refund was only partially paid, despite a full refund being agreed / an entitlement of the customer, given the circumstances. | Merchant (see Note 3) | Merchant (see Note 3) | Direct Losses & Open Finance Compensation | 100 |
| Payment funded from an incorrect account, caused by LFI error | The debited account for an OF initiated payment was one other than the one selected by the User with the TPP, due to an LFI processing error. | LFI | LFI | Direct Losses & Open Finance Compensation | 150 |
| Payment funded from an incorrect account, caused by TPP error | The debited account for an OF initiated payment was one other than the one selected by the User with the TPP, due to a TPP user interface error. | TPP | TPP | Direct Losses & Open Finance Compensation | 150 |

Note

  1. In the case of systemic errors and omissions, LFI and/or TPP must conduct a comprehensive internal assessment to proactively identify impacted consumers.

  2. Claims related to the same issue can't be submitted more than once within a 36-hour period.

  3. In the event that a merchant, as the liable party, fails to compensate the customer for both direct losses and additional compensation, the TPP, as direct counterparty, will assume the liability. The TPP has the option to create back-to-back liability through contractual obligations with the merchant. However, ultimate liability will rest with the TPP, ensuring that the customer is protected even if the merchant defaults on payment.

3. Indirect and Consequential Losses

3.1 Indirect Losses

Losses that do not flow directly and immediately from the act but are a result of the act in a more roundabout way

  • Lost Profits: Income that would have been earned if the transaction had been executed as agreed

  • Loss of Opportunity: Cost associated with lost business opportunities due to inability to access funds or data errors

  • Reputational Damage: Harm to a company/individual's reputation due to failures or breaches

3.2 Consequential Losses

Losses that arise as a foreseeable consequence of the breach or failure but are not the direct result of it

  • Additional Operational Costs: Costs incurred to mitigate or rectify issues such as additional staffing and system checks

  • Extended Downtime Costs: Losses incurred from extended system downtime or service disruption

  • Increased Business Costs: Costs from securing emergency funds due to payment processing errors or delays

3.3 Tortuous Losses

Losses due to wrongful acts or omissions by a party handling, processing, or securing financial data and transactions

  • Tortuous Losses: Losses that occur as a result of a series of events that, while not directly linked to the initial breach or failure, are ultimately traceable back to it through a complex chain of causation
