Version | 1.2 |
|---|---|
Publication Date |
|
Classification | Public |
This Testing and Certification Framework is designed to ensure that LFIs and TPPs provide Open Finance solutions which are in strict conformance to the Standards.
For LFIs, this is to ensure that the APIs they expose are consistent, thereby removing the complexity and friction for TPPs in connecting to and consuming these APIs.
For TPPs, this is to ensure that they connect correctly to the APIs exposed by LFIs, thereby reducing (and where possible removing) the possibility of TPPs raising complaints or disputes against LFIs regarding the consistency of their API implementations.
The requirements below set out what each LFI and TPP must do in order to test and apply for certifications in order to prove their conformance to the Standards.
This Testing and Certification Framework does not cover any operational or general cyber security requirements for LFIs or TPPs which may be required as part of their licensing process. |
Wherever possible, the Open Finance Platform (OFP), and in particular the API Hub, will enforce conformance and thereby reduce the testing and certification requirements for LFIs and TPPs. However, these requirements are summarised as follows.
LFIs and TPPs must:
conduct appropriate testing and obtain the relevant certifications (as set out below) prior to ‘go-live’ for each version of the Standards they implement;
when testing and obtaining certifications in a Pre-Production Environment, warrant that their Pre-Production Environment mirrors their Production Environment, having the same architecture, network elements, software versions and customer experience elements;
conduct this testing and obtain a separate complete set of certifications for each brand/application, e.g.
for LFIs, in cases where the LFI has a number of brands and/or customer segments, each with separate web or mobile apps; or
for TPPs, in cases where the TPP has more than one end customer facing web or mobile application;
conduct penetration testing (as required below) using a reputable independent third party company.
LFIs and TPPs may conduct stress testing (as required below) using their own internal resources and tools.
LFIs must:
conduct Functional Testing (using Ozone Connect Test Suite and Postman Collection) in their Pre-Production Environment prior to promotion to Production Environment and again prior to go-live;
submit and obtain CX Certification for their web and/or mobile applications prior to prior to promotion to Production Environment;
perform penetration and stress testing (to meet all NFRs in the Standards) before go-live; and
engage with TPPs to conduct Live Proving immediately after promotion to Production Environment before go-live.
TPPs must:
carry out testing and obtain FAPI, Functional and CX Certifications using their production web/mobile app(s) connected to the API Hub Sandbox, in order to be granted access to the API Hub Production Environment;
perform penetration testing before go-live; and
engage with at least one LFI to test all relevant endpoints (pertaining to business model) in the LFI’s Production Environment before go-live.
Stage | LFI Exit Criteria | TPP Exit Criteria |
|---|---|---|
Internal Development |
|
|
API Hub Sandbox and Pre-Production | API Hub Pre-Production:
| API Hub Sandbox:
|
API Hub Production |
|
|
Live Proving (prior to go-live) |
|
|
LFIs and TPPs must retest and renew their certification:
every time they introduce a new version of the Standards;
every time they make any material changes to their infrastructure and/or Open Finance application API, web or mobile interfaces; and
if requested from time to time at the discretion of the Nebras Open Finance Company (Nebras).
LFIs and TPPs will be subject to ongoing monitoring and enforcement action in case where they introduce any changes which would render a previously obtained certification invalid and where they fail to retest and/or renew their certification.
This includes cases where an LFI or TPP provides test results and/or obtains a certification in a pre-production environment which behaves differently from their production environment.
The following table summarises each component and sets out the responsibilities, certifying body, certification process and fees for each.
Component | Responsibility | Certifying Body | Testing & Certification Process | Fees |
|---|---|---|---|---|
OFP | OIDF | The API Hub will obtain a single FAPI Certification from the OIDF and will renew this during the implementation of each major new version of the Standards. Therefore, there is no requirement for LFIs to obtain FAPI Certifications. | N/A | |
LFI | N/A | LFIs must test both their integration into the OFP (using the Ozone Connect Test Suite) and conduct end-to-end tests as a TPP (using the Postman Collections) in their Pre-Production and Production Environments. LFIs must submit evidence of this testing to Nebras as an exit criteria from Pre-Production and again in Production prior to go-live. However, because the OFP enforces the functional mapping of all APIs to the Standards, there is no requirement for LFI Functional Certification per-se. | N/A | |
LFI | Nebras | LFIs must ensure that all authentication, authorisation and consent management screens in their web and mobile apps are in full conformance with the Customer Experience (CX) requirements in the Standards. LFIs must submit screen grabs for each of these (using the template below), for each use case, to Nebras as an exit criteria from Pre-Production for each version of the Standards. Nebras will validate these and issue a LFI CX Certification. | Included in OFP Fees | |
TPP | OIDF | TPPs must run the Relying Party (RP) tests for the UAE FAPI 2 profile in the OIDF Conformance Suite to ensure their application(s) passes all tests. TPPs must obtain a FAPI Certification from the OIDF as an exit criteria from the API Hub Sandbox for each of their applications for each version of the Standards. | ||
TPP | Nebras | TPPs must run a set of test API calls in the API Hub Sandbox to ensure that their application(s) can correctly call all API endpoints for each use case. TPPs must then submit their test results to Nebras as an exit criteria from the API Hub Sandbox for each version of the Standards. Nebras will validate these and issue a TPP Functional Certification. | Included in OFP Fees | |
TPP | Nebras | TPPs must ensure that all and consent screens in their web and mobile apps are in full conformance with the Customer Experience (CX) requirements in the Standards. TPPs must submit screen grabs for each of these (using the template below), for each use case to Nebras as an exit criteria from the API Hub Sandbox for each version of the Standards. Nebras will validate these and issue a TPP CX Certification. | Included in OFP Fees |
The OpenID Foundation (OIDF) have developed a Conformance Suite for testing and certifying the security scope of Authorization Servers (OpenID Providers - OPs) and Data Receiving Applications (Relying Parties - RPs). This tool is currently being enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.
As and when this is made available, the OFP itself will obtain certification as an OpenID Provider (OP) in accordance with the UAE FAPI 2.0 security profile. The OFP will renew this certification during the implementation of each major new version of the Standards.
Because the OFP strictly enforces the UAE FAPI 2.0 security profile on behalf of LFIs, there is no need for LFIs to apply for and obtain FAPI Certifications directly themselves. |
The OFP includes a number of testing tools which will enable LFIs to test their integration with the OFP during development and prior to any go-live.
Because the OFP will also strictly enforce the API specifications for each LFI, there is no need for LFIs to apply for or obtain a LFI Functional Certification directly themselves. However, LFIs will be required to conduct testing as set out below and will be subject to ongoing monitoring and supervision to address and remediate any data quality issues. |
The testing process is summarised below:
Prior to updating their Production Environment in the API Hub, LFIs must run two sets of tests in their Pre-Production and Production Environments:
Using the API Hub Testing Tool to test their integration with the API Hub.
Using the Postman Collection to test that a TPP can successfully call all API endpoints defined in the Standards. LFIs can either do this using their own TPP credential from the Trust Framework, or they can partner with a TPP to run these end to end tests. Tests must be executed for each API endpoint relevant to LFI deployment as set out in this template: 
Once all tests have been passed, the LFI must submit evidence (a test report in any format agreed between the LFI and Nebras, along with the above functional checklist) to Nebras, so that Nebras can validate.
Nebras will then confirm acceptance for the LFI to exit Pre-Production.
LFIs must rerun both sets of tests in their Production Environment and resubmit test reports to Nebras prior to go-live.
LFIs must rerun both sets of tests and resubmit results whenever they implement any new version of the Standards or whenever they make any substantive changes to their integration with the API Hub. These retests must be conducted in both their Pre-Production Environment and again in their Production Environment before go-live each time.
N/A
Please contact openfinance@cbuae.gov.ae
Each LFI must ensure conformance to the Customer Experience (CX) requirements in the Standards for each use case, for each screen in their Open Finance consent flow and their Open Finance consent dashboard. Each of these screens must meet all the mandatory requirements set out in the Standard.
The certification process is summarised below:
LFIs must submit a certification request using this template: 
LFIs must use a separate copy of this template for each brand/segment (e.g. retail v sme v corporate) and for each interface (web v mobile).
For each template, LFIs must complete the required fields on the first tab and then paste in the relevant screen grabs on each subsequent tab.
All screens must be in English language.
These screens can be from the LFI’s Pre-Production Environment or their Production Environment. However, if LFIs submit screens based on their Pre-Production Environment, they must confirm and warrant that these screens are an exact match for their Production Environment.
Nebras will validate that these screens meet the stated requirements in the Standards and require the LFI to update these screens and resubmit screen grabs if required.
As soon as all screens meet the requirements, Nebras will issue a certification to the LFI.
LFI CX Certification is an exit criteria from Pre-Production.
N/A covered by OFP Fees.
Please contact openfinance@cbuae.gov.ae
Prior to Live Proving, LFIs must:
Conduct Penetration Testing and address/fix all critical or high priority issues and provide evidence of such to Nebras.
Conduct Stress Testing to demonstrate that all NFRs are compliant with Standards and provide evidence of such to Nebras. These NFR must be achieved at a volume of API calls which will vary according to each LFI’s customer base and these volumes will be agreed individually between each LFI and Nebras.
LFIs must engage with TPPs to validate and test their APIs in their Production Environment to provide assurance to Nebras that their APIs are working fully in accordance with the Standards in a real life scenario. This ‘Live Proving’ must be conducted as follows:
LFIs must engage with at least one TPP who can test and validate all API resources/endpoints in the LFI’s Production Environment.
LFIs can either provide the TPP with test user accounts in their Production Environment or agree with the TPP to use volunteer (e.g. friends and family) users to enable end-to-end testing.
LFIs must provide evidence to Nebras of such testing, so that Nebras can validate and approve the Production Environment meets all requirements in the Standards.
This testing must be conducted immediately after each new deployment into Production and prior to go-live, whether this be their publication of new endpoints or indeed a new version of the standards.
As stated above, the OIDF’s Conformance Suite has been enhanced by the OIDF to include a set of Financial Grade API (FAPI) 2.0 security tests in accordance with the UAE FAPI 2.0 security profile set out in the Standards.
Each TPP must obtain a Relying Parties (RP) certification for their application(s) in accordance with the UAE FAPI 2.0 security profile. TPPs must renew this certification during their implementation of each major new version of the Standards.
For running the conformance tests, please check the documentation issued by the OIDF:
After running tests, all used data, including public and private keys of certificates and client data from the test, will be made available in the ecosystem, visible to other participants and subject to audit. Therefore, if an institution opts to perform the certification in a productive environment, it must be aware and responsible for revoking the certificates used during the tests and for obtaining any required customer consent. |
To request certification from the OIDF, TPPs should consult the instructions at the following address: https://openid.net/steps-for-conformance-certification-submission/.
TPPs must inform Nebras immediately on receipt of a FAPI Certification from OIDF. This is an exit criteria from the API Hub Sandbox.
The price table for FAPI certification is available at: https://openid.net/certification/fees/.
The fees for each certification are fixed and paid directly to the OIDF. Please note, these fees are significantly reduced for OIDF members. Therefore, it may be of interest for some institutions to join the OIDF. Below, we present some important information that can assist in the membership process.
The membership costs follow the OIDF table which can be found at: https://openid.net/foundation/members/registration.
To join, the institution must proceed directly through the OIDF website at: https://openid.net/foundation/members/registration.
The benefits of becoming a member, as well as further information, can be accessed at: https://openid.net/foundation/benefits-members/.
If you have questions about the execution of conformance tests or the certification process, please contact the OIDF by email at certificate@oidf.org.
To report possible bugs or necessary changes, please open tickets at https://gitlab.com/openid/conformance-suite/-/issues/new.
Each TPP must ensure they can correctly call the APIs defined in the Standards for each use case relevant to their Open Finance license application.
The certification process is summarised below:
TPPs must access the API Hub Sandbox and execute API calls for each API endpoint relevant to their use case as set out in this template:
TPPs must then submit a certification request using this template.
If the TPP has more than one application, the TPP must use a separate copy of this template for each separate application.
For each template, the TPP must complete the required fields on each tab, i.e.
Bank Data
Bank Service Initiation
Insurance Data
However, TPPs only need to complete the tabs relevant to their use case (e.g. if the TPP does not offer insurance services then they do not need to make calls to the Insurance Data endpoints, nor complete this tab).
Nebras will validate that the TPP has made successful API calls for each relevant use case and require the TPP to retry if required.
As soon as all APIs have been called successfully, Nebras will issue a certification to the TPP.
This is an exit criteria from the API Hub Sandbox.
N/A covered by OFP Fees.
Please contact openfinance@cbuae.gov.ae
Each TPP must ensure conformance to the Customer Experience (CX) requirements in the Standards for each use case relevant to their Open Finance license application, for each screen in their Open Finance consent flow and their Open Finance consent dashboard. Each of these screens must meet all the mandatory requirements set out in the Standard.
The certification process is summarised below:
TPPs must submit a certification request using this template: 
If the TPP has both a web and mobile application, then they must submit screens for each, otherwise they only need to submit screens for the supported application
For each template, TPPs must complete the required fields on the first tab and then paste in the relevant screen grabs on each subsequent tab.
All screens must be in English language.
Nebras will validate that these screens meet the stated requirements in the Standards and require the TPP to update these screens and resubmit screen grabs if required.
As soon as all screens meet the requirements, Nebras will issue a certification to the TPP.
This is an exit criteria from the API Hub Sandbox.
N/A covered by OFP Fees.
Please contact openfinance@cbuae.gov.ae
Prior to Live Proving, TPPs must conduct Penetration Testing and address/fix all critical or high priority issues and provide evidence of such to Nebras.
TPPs must engage with at least one LFI to validate and test that their application(s) work successfully with the LFI’s Production APIs to provide assurance to Nebras that their app is working fully in accordance with the Standards in a real life scenario. This ‘Live Proving’ must be conducted as follows:
TPPs must engage with at least one LFI to test and validate they can successfully call all API resources/endpoints relevant to their business model in the LFI’s Production Environment.
LFIs can either provide the TPP with test user accounts in their Production Environment or agree with the TPP to use volunteer (e.g. friends and family) users to enable end-to-end testing.
TPPs must provide evidence to Nebras of such testing, so that Nebras can validate and approve the TPP app meets all requirements in the Standards.
This testing must be conducted prior to go-live, for each major new version of the TPP app and/or the implementation of any new version of the Standards.
In this phase, a "buddying" process will be used to pair up TPPs and LFIs to ensure their systems align with each other’s functionality and data expectations. Each TPP must work with their assigned LFI to ensure the integration is functioning as expected in a production environment.
TPP's Responsibility: The TPP will validate their connectivity to the LFI's system, check the authentication protocols, and ensure that all services are accessible in the production environment. They will test endpoints for their ability to make requests and receive correct responses.
LFI's Responsibility: The LFI will confirm that it can handle the TPP’s requests, properly mapping data fields and responding with appropriate responses. This includes confirming that the data returned to the TPP is in the correct format and meets quality standards (such as accuracy, timeliness, and completeness).
Once the buddying phase confirms that the systems are connected and functioning correctly, a formal confirmation process will be implemented. This will involve a detailed review of the data exchanged between TPPs and LFIs to ensure compliance with required standards.
Data Quality Assurance: Both parties will assess the quality of the data being exchanged. This includes ensuring that the data provided by the LFI is accurate, complete, and timely. The TPP will test that the data is usable for the intended purposes (such as account information, transaction history, or payment initiation).
Test Scenarios: The TPP will conduct a series of functional tests, verifying that the data sent by the LFI is consistent with the data expected, ensuring no discrepancies. The tests will cover all use cases and will include error scenarios to verify how the systems handle issues like missing data or failed requests.
Functional Certification Comparison: During this process, the TPP will compare the current system’s behaviour with the certification results from previous functional certification. This will allow them to confirm that the system still meets all the necessary functional criteria.
Throughout the production proving process, it is crucial to ensure that the data quality remains appropriate for its intended use. The TPP will evaluate the following:
Completeness: All relevant data fields should be filled with the correct information.
Accuracy: The data received must match the expected values, with no discrepancies or errors.
Timeliness: The data should be provided within the expected timeframes, ensuring real-time or near-real-time processing where applicable.
Usability: The TPP will verify that the data provided can be effectively used in the intended business processes, ensuring that there are no issues with interpreting or processing the data.
By ensuring that both the TPP and LFI systems meet these standards, the production proving process will ensure that all services are fully operational.