Date Response That is correct, except maybe suspension or natural expiry of consent.

Date Response Yes, we will issue these shortly.

After engaging with insurers during industry onboarding sessions, a common question has emerged: “As an LFI planning to use CAAP, and with multiple lines of business (e.g., Health, Motor), how many Ozone API Hub tenants do we need?” This article aims to a

Date Response Yes, they haven’t changed. We’ll try to reduce them with API volume.

Date Response Yes

Date Response You can use them as you see fit, as long as the customer consents. The consent screens themselves will be defined and standardized

Date Response LFIs that provide English and Arabic digital services on their existing platforms should also continue to extend this to open banking services.

Date Response Yes, the API Hub will maintain logs of all 400 and 500 status codes, including where the TPP attempt to access an API resource at the LFI where there is no valid consent. These logs will be available to each LFI regarding their own endpoints

Date Response The infrastructure is all highly resilient with high availability deployments for each LFI spread across multiple Azure zones/data centres, self-healing and auto scaling capabilities. Databases are in high availability clusters with automati

Date Response Unauthorized connection attempts are logged by the API Hub and included in LFI Reports on the basis of how the unauthorized connection attempt is manifested. If any Client (TPP or otherwise) does not present a client certificate or the clien

Date Response The Open Finance Standard is explicit in the requirements for this, please refer to https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850555/Customer+Data#6.-Permissions-and-Data-Clusters https://openfinanceuae.atlas

Date Response Yes

Date Response Ultimate back stop through an expiry date, no consent can last longer than a year, which is the current proposal.

Date Response Yes. You would need a license if doing credit scoring in your own capacity, unless you are doing it as a technical service provider to a lender. The party seeking consent must obtain a license to carry out activities. If the consent involves

Date Response The OF Provider is responsible for ensuring that the consent received pertains to the same purpose as the handling of the data.

Date Response Yes, a separate consent is required for each LFI.

Date Response If you have consent from the customer for a specific service (modeling/scoring mechanism) - this is generally allowed. What is not: using the data for something different.

Date Response Not for the first version.

Date Response The TPP will have to manage fraud risks in authentication under delegated SCA for example.

Date Response There are no explicit regulations on partnerships. Entities operating within DIFC/ADGM may engage with banks in various roles. If they are providing any open finance services with onshore LFIs, it is essential for them to be regulated by the

Date Response Yes. There will be a CTA within the consent which will display the list of the payments to be made with these details.

Date Response No, once the payment is posted by the TPP and the consent is marked as Consumed and the payment instruction is warehouse at the LFI. The user will not be able to revoke consent as the Consumed state is terminal.

Date Response Users can initiate a payment by selecting the payment account within a single LFI, either from the TPP or within the LFI. For a payment consent, there is only 1 payment account bound to this consent (contrary to a Data Sharing consent which

Date Response No

Date Response TPPs can request the following Data Clusters when creating a Service Initiation payment consent: ReadAccountsBasic ReadAccountsDetail ReadBalances The Data Clusters list above allows TPPs to retrieve the account the user selected through the

Date Response Bulk payments are supported. However, this will discussed in a future engagement session.

Date Response TPP cannot determine whether a user is registered (i.e., has an account with an LFI). So, the TPP sends the COP request to the designated LFI, and the LFI provides a response without data indicating that the user cannot be found.

Date Response Yes, they can request more data.

Date Response This is not currently in place in the current draft versions of the Standard, but it is something that is being considered.

Date Response All the terminal states render the consent unusable for further operation.

Date Response An event can be generated and pushed to the LFI by the OFP when consent is changed. This is based on the configuration for a given LFI, which can be added when the LFI is onboarded. See https://openfinanceuae.atlassian.net/wiki/spaces/APIHub

Date Response Billing cycle process by the end of the month.

Date Response Yes, an LFI can test its TPP applications in a pre-production environment. The sandbox and staging environments are ideal for testing applications because it provides an isolated space where new features, configurations, or integrations can

Date Response While the user can update their consent, this will create a new consent under specific requirements, making it look like a modified consent to the user.

Date Response Having explicit separate states allows us to provide accurate reporting.

Date Response This is a standard practice, even outside of OF.

Date Response Yes, provided the primary data store is in the UAE. Secondary data storage is permissible elsewhere with customer consent for TPPs licensed by the CB and residing in the UAE.

Date Response If any cap in the BAU process, then this is applicable

Date Response Yes - reports will be available on the API Hub Admin portal See Admin Portal User Guide for more information

Date Response Login hint is optional for TPPs and contains several data fields as set out here (see item 2 https://openfinanceuae.atlassian.net/wiki/spaces/OF/pages/173473793/Standards+v1.0-final-errata2) https://openfinanceuae.atlassian.net/wiki/spaces/O

Date Response The information provided in the Risk Information block is to support LFIs with their risk profiling of transactions. If the Open Finance platform provides information that can be used retrospectively by the Fraud and AML monitoring system t

Date Response As platforms in the trust framework – yes. For billing – no.

Date Response The accounts associated with a given Data Sharing consent can only be changed when initiated at the TPP, as detailed in the Customer Data business rules: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850555/Custo

Date Response The API Hub does not support IP whitelisting. However, there are multiple levels of security employed to limit access, including: Azure WAF DDoS protection Geofencing to UAE region All access to Admin Portal using SSO via credentials from th

Date Response LFIs cannot create custom consents at present. We are considering this feature in 2025.

Date Response LFIs and TPPs may revoke consents on behalf of users under certain circumstances, such as termination of their contract, closing their account with the LFI, or losing access to the account (e.g., joint user removed from a joint account, empl

Date Response No, not for the current release.

Date Response SSL certificates are necessary to establish a secure mTLS connection between the Testing Tool and LFI’s implementation of Ozone Connect. The method to generate test certificates is documented in the Certificates Generation section: https://o

Date Response Yes, centralized consent parameters allow for this functionality and any associated disputes. Consent Management Interfaces include the Service Initiation Consent parameters and a history of Service Initiations that occurred as part of the c

Date Response Yes, suppose the TPP is aware that a payment is scheduled by the User on a known bank holiday date, and the payment falls within the limits of execution for a non-24/7 payment system. In that case, the TPP can advise the User that the payme

Date Response Yes The response payload for a processed payment is the same for any other payment status. The fields that are available in the response for a paymentID is documented in the OpenAPI documentation: Bank Service Initiation OpenAPI GET /payment

Date Response We will make available practical insights into API functionality.

Date Response Yes that is correct.

Date Response Adoption of CAAP by LFIs is optional.

Date Response The 38 bps will be charged by the API Hub to the TPPs. Additionally, the CBUAE suggests an additional 25 bps as merchant collection. For end users, the CBUAE remains ready to step in in case of unsustainable amounts.

Date Response Please refer to the diagram showing how the expected SLA of 500ms for API performance is split between the API Hub and each LFI. API Hub v LFI Performance Service Levels

Date Response Please refer to errata 3 – point 59 Standards v1.0-final-errata3

Date Response The standard reports for LFIs have the information by API and operation. This includes errors divided into client-related and server side (which is an indicator for an error at the LFI). This does not include anything where transport layer s

Date Response No, it is available for every payment consent setup.

Date Response Yes, there may be scenarios where a user-facing entity is not a TPP but is using a TPP to get Data Sharing or Service Initiation services. The business rules will be developed to identify and define the roles of TPPs, LFIs and any other inte

Date Response Please refer to Certification Framework Testing Tool User Guide Information on LFI testing requirement will be subject of a further update.

Date Response Yes, this additional information falls within what we mention in the Business Rules as supplementary information. LFIs can present this to users where necessary and in parity with the existing LFI channels for payment initiation.

Date Response As part of compliance with the Open Finance Regulation, all Licensed Financial Institutions (LFIs) are encouraged to review and update their Terms and Conditions (T&Cs) to align with the regulatory framework. To ensure consistency and transp

Date Response Corp can raise directly otherwise through the LFI/TPP.

Date Response A similar approach would be followed in Open Finance, the same structure will be shared with you including the Dispute Model.

Date Response Yes - every message from OFP to LFI will indicate the consent under which this is being operated.

Date Response The APIs that are to be exposed will be formally defined.

Date Response Yes, the same guidelines will be applicable to TPPs in terms of consumer protection. Billing Dispute and Fraud Management

Date Response The Standard supports the ability to suspend active consents in the case of suspected fraud. Please refer to: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151847205/Consent+Setup#4.-Consent-States https://openfinan

Date Response CBUAE has taken steps to protect against DDoS attacks. However, this will rely on all to implement the common tools. All participants have to define all their cyber security controls, including DDoS attacks, in the license form. At the TPP,

Date Response TPPs are encouraged to obtain KYB record data from LFIs, utilizing existing records, or conduct the full KYB process if the information cannot be obtained from LFIs. Variations in the KYB records, if a TPP had obtained it from the LFI, will

Date Response One of the features of the API Hub Authorization Server API (“Heimdall”) is to perform validation of Authorization Requests sent by TPPs at the start of Authorization Code flow. The LFI is the entry point to Authorisation Code flow. The LFI

Date Response There is no guidance in the standards on a specific sort order. The order does, however, need to be deterministic to support pagination. If the sort order is not deterministic a TPP will not be able to page through the result set successfull

Date Response FAPI 2.0 supports refresh tokens, facilitating ongoing access without repeated authentications.

Date Response Standing orders and direct directs will be shared data from the LFI. However, TPP payment consents should be available in the other direction.

Date Response This is a design question that is currently under development. The short answer is that it depends on the use case. Merchant payments where merchants have been onboarded and KYCed by TPPs may differ from P2P payments.

Date Response Fees only apply for successful payments.

Date Response The API Hub is not responsible for warehousing or scheduling future-dated or recurring payment initiation requests. All payment initiation requests that have been authorised based on the agreed-upon consent between the User and TPP are execu

Date Response The API Hub will include a header on each request made to the LFI Ozone Connect implementation. o3-provider-id (string): Identifier for the Financial Institution that the request is targeted to This identifier will be representative of each

Date Response Throttling is a typical feature of any platform with API management capabilities. The API Hub implements throttling of requests by TPPs, based on the counters described in the table below. TPP by Client by LFI, by API operation: A given Clie

Date Response A LFI will need to apply for deemed license to act as a TPP.

Date Response The concept of "owning" consent is not an appropriate frame of analysis. A consent is an agreement between three parties. All three parties must operate within the framework of this agreement. The LFI always holds the underlying asset (custo

Date Response The stipulation includes exceptions for retaining data as required by law, aligning with record-keeping requirements, and enabling refunds. It clarifies that transaction details can be retained for longer durations if the interaction with th

Date Response The OFP will not be doing such business validations on the file. This will be done by the LFI as per their BAU process and an appropriate status message will be received by the TPP.

Date Response Yes, it can validate that an account name matches the account holder's name at the LFI for a specific IBAN.

Date Response Yes. The Bulk files are for Single debit whereas the Batch files are for multiple debit accounts.

Date Response Yes, the TPP has already been accepted into the directory. They will be an approved and trusted provider.

Date Response This is a scenario where there's a payment transaction, and one of the parties is not a customer of the bank. It's a data privacy issue; LFIs can't store data about the non-customer in this particular transaction.

Date Response If proven to be used correctly, the user is held liable and responsible.

Date Response OFP will store.

Date Response The Directory UI may fail to load when accessing it via a VPN or remote machine due to network restrictions or a misconfigured proxy. These network configurations can block or modify certain requests, causing the page to show errors, such as

Date Response Please refer to the latest version of the standards for authorisation methods supported by Open Finance.

Date Response No additional charges will be applicable in this context.

Date Response Yes

Date Response The initial implementation of CAAP will only support customers with UAE PASS or Emirates ID

Date Response Here are the redirections used once ever for onboarding (UAE PASS if used) once for each new LFI to be linked. Once a user is onboarded with CAAP and has a linked an LFI, the journey is precisely similar in terms of redirections involved whe

Date Response Single future-dated payments will be stored at the LFI and processed by the LFI. Consequently, COP will be carried out as part of the Consent process. When dealing with Multi-payments that follow a schedule under a long-lived consent, the TP

Date Response 1. Introduction The Multi Payments types are based on two key elements: 1.1 Payment Amount Type: Fixed: The same payment amount, as defined in the consent, will be initiated throughout the lifetime of the consent. Variable: The payment amoun

Date Response This is not currently in place in the current draft versions of the Standard, but it is something that is being considered.

Date Response LFIs receive consent parameters via a PAR URL containing the consent ID encoded. The API hub ensures that LFI data matches specific standards before storage, with TPPs transacting data only after customer consent. LFIs can add additional par

Date Response Can be shared electronically or in paper form.

Date Response During the Participant Onboarding Process, the organization must designate at least one, and ideally no more than five, users who will be registered as Administrators of the Institution in the Trust Framework. Once the organization’s and use

Date Response All the Institutions authorized by CBUAE to share and receive data under the Open Finance scope will be included on the Trust Framework, and their regulatory scope (i.e., what data they can share and obtain ) will be defined granularly on th

Date Response Certificates will have a fixed expiration date of 13 months and will need to be replaced after this period. New certificates can be generated by onboarded organization administrators using the Trust Framework Web Application U.I. or APIs. Th

Date Response The fees should be settled on a monthly basis.

Date Response JSON Web Encryption.(JWE) is a means for securing data in transit and at rest, and is part of the JSON Object Signing and Encryption (JOSE) standards. A JWE is used to encrypt Event Notifications transmitted to TPPs. The encrypted payload of

Date Response The acronyms PBC, SBC, and PTC refer to specific roles: P stands for Primary, S for Secondary, B for Business, and T for Technical. Each user’s capabilities are defined by their role. For example, a PBC can manage Certificates, Applications,

Date Response The Open Finance Framework standards and API Hub makes no distinction between IBANs and Virtual IBANs (VIBAN): If a VIBAN is supported by a given payment rail then a payment initiation request can be instructed using the Open Finance Framewo

Date Response The /participants endpoint acts as a discovery tool for all participants within the ecosystem. Once an organization registers at least one Authorization Server and the endpoint is refreshed, their organization details, API resources, certifi

Date Response Pre-requisites Ensure you have already created an Application, and that it is set up and active. What are the types of certificates available? There are three types of certificates: Transport: Used for secure communication between endpoints.

Date Response If you need to reset your OTP in the production Trust Framework or if you change your mobile device during the registration process, you should request a reset of your two-factor authentication from the platform support team. Once the reques

Date Response Defining which TPPs to accept incoming connections is not a permitted action for LFIs. Data Providers are required to follow the metadata provided by the Trust Framework to define which APIs the Application controlled by the TPP should be ac

Date Response To discover TPPs registered in the ecosystem, users can call the organization endpoints of the Trust Framework. These endpoints are accessible through the TF Swagger, and the process for calling them is similar to other protected endpoints.

Date Response To add a Technical User to the Platform, follow these steps: Navigate to the Trust Frameworks’s main page and select the desired organization. Go to "Roles" and then select "Domain Users". Click on “New Domain User” to choose from the availa

Date Response To add contacts from organization’s personnel, log in to the Trust Framework, go to "Contacts", and click "Add New Contact." Fill in the required fields: Department name (if any), email (e.g. security@bank.com), phone number and any addition

Date Response Here is a short demo of how to raise a query via the API Hub Service Desk. Screen Recording 2024-09-09 at 10.49.58.mov

Date Dec 20, 2024 Response If your client is having problems when connecting to an LFI Server the problem might be on the client using an invalid or expired. In order to verify if the certificate is valid there are a few different validations that can be

Date Response TPPs MUST declare whether they are Shariah compliant when they onboard to the Trust Framework. The declaration MUST be accompanied by evidence in the form of an Islamic version of any other CBUAE license that is already in place for the same

Date Response Events sent to an LFI are sent as an API call and not through a webhook. These events form part of the Consent Event & Actions API. The reason this is implemented as an API is twofold: It is built on the premise of consistent, stable connect

Date Response Supervision and audits will ensure the compliance.

Date Response After filling out the registration form, you will receive a one-time password (OTP) via email and SMS. For email verification: Copy the OTP from the email and paste it into the "Email Verification Code" field. For phone verification: Copy th

Date Response The CreditorReference in the POST /payments is passed to Aani as part of payment initiation, and has a structured format The structured pattern for this CreditorReference field is: "^TPP=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-

Date Response It depends on the use case and the role of the TPP. For example, if the TPP also has long-lived consent for account information, it can provide the user with a list of his accounts with the LFI. Alternatively, the user can provide their pay

Date Response The customer is selecting the LFI they want to use from a list displayed on the TPP App. This list is provided by the OFTF Discovery endpoint and is effectively the list of Authorisation Servers. As an example: An LFI has two segments. One f

Date Response TPPs must send the creditor IBAN and can optionally send the debtor IBAN. The creditor IBAN is supplied in either the Pushed Authorization Request or Payment Initiation Request, depending on the type of payment consent agreed between the Use

Date Response The Consent Manager has an API to help LFIs change consent status.

Date Response The presence of the CurrencyRequest object in the consent determines if the payment consent (single or multi-payment) is an international payment. The CurrencyRequest.CurrencyOfTransfer is mandatory if the CurrencyRequest is present. This

Date Response Detailed flow diagrams will explain the consent redirection process and information exchange. The OFH checks if consent parameters are met, with the responsibility and liability for consent enforcement clarified to lie with the OFH.

Date Response A future-dated bulk consent is not a long lived consent. It is a one-off consent which is used to place the bulk or batch payment order and is then warehoused by the LFI. The User can request their LFIs to cancel any future dated payments as

Date Response You can find a testing tool user guide in the latest version of the API Hub documentation/User Guides. Please see the latest version of the API Hub Documentation for the Testing Tool User Guide. Testing Tool User Guide

Date Response When a User has completed Authentication and Authorization and consents to account access, the TPP will invoke the get /accounts API operation on the API Hub. The get /accounts API operation provides the list of AccountId values for the asso

Date Response We will be paginating the lines for any API call ensuring 100 lines per call.

Date Response This is a feature provided by Mongodb Atlas as described here https://www.mongodb.com/docs/atlas/security-azure-kms/ https://www.mongodb.com/docs/atlas/security-azure-kms/ The data is encrypted at rest using a secret that is securely held in

Date Response FAPI is a standard that provides a high level of security for accessing APIs. However, the resilience against DDoS attacks, including Layer 7, is not a result of the FAPI standards themselves but how the services that implement FAPI are desi

Date Response If a customer is present the TPP will communicate the User IP Address in every API call. The TPP provides the IP address in the x-fapi-customer-ip-address header field.

Date Response TPPs do not send the DebtorAccount in POST /payments The DebtorAccount is agreed either In the consent from the TPP using the DebtorAccount property in AEPaymentPII, which is delivered in the Pushed Authorization Request. If not specified by

Date Response The FileHash value provides a means to verify the bulk/batch payment payload based on a calculation performed by the TPP prior to transmission of the file payload. This value will be verified by the OFP as part of process of transmitting the

Date Response This information will be available via the OFP which will have all the supported file formats for each LFI.

Date Response The Authorization Server shall support the provisions specified in the 5.3.1 clause of the FAPI 2.0 Security Profile https://openid.net/specs/fapi-2_0-security-02.html#name-requirements-for-authorizat. Access token expiry is no longer than 1

Date Response This will be defined in the Standards. Consents requesting multiple approvers may remain in the "Awaiting Authorization" state longer.

Date Response A Pushed Authorization Request (PAR) is valid for 600 seconds from the point of issuance. Expiry is indicated using the expires_in property of the PAR response. The value of 600 seconds is based on the maximum allowable value prescribed in t

Date Response An authorisation code issued during the Authorisation Code flow in response to authentication and authorisation of the User is valid for a maximum of 60 seconds. This constraint is set in the FAPI 2.0 Security Profile: https://openid.bitbuck

Date Response The number of Legal Representatives required depends on what is defined in the institution’s governing documents, such as the Operating Agreement, Articles of Organization, or any relevant resolutions around how many representatives are requ

Date Response During the discovery journey within the Trust Framework, the TPP interacts with the authorization servers by querying the directory’s API. Each authorization server is associated with an organization, but the TPP does not interact directly w

Date Response The Open Finance standards support payment journeys that require multiple authorizers. This guide outlines how the authorization process works and the required behaviors for both TPPs and LFIs. Indicating Multi-Authorization Support When sub

Date Response LFIs are required to check for duplicate payment instructions and display a warning to Users as described here: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot1final/pages/210800446/Common+Rules+and+Guidelines#22.-Supplementa

Date Response JSON Web Encryption.(JWE) is a means for securing data in transit and at rest, and is part of the JSON Object Signing and Encryption (JOSE) standards. A JWE is used to encrypt (Personally Identifiable Information) PII data, in three objects:

Date Response The Central Bank of the UAE, in its Guidelines for Financial Institutions Adopting Enabling Technologies, advises institutions to align with “internationally recognised and applicable security standards” when implementing encryption ( Item 3

Date Response To ensure optimal performance within the ecosystem, institutions should cache data retrieved from the Keystore and other public APIs, as defined in the Public APIs - TF Docs https://openfinanceuae.atlassian.net/wiki/spaces/tfdocsv6/pages/310

Date Response COP will not be applicable for Bulk payments at this stage.

Introduction While a LFI is doing their certification procedures - TPPs are not automatically active after the /tpp-registration endpoint is called successfully. The activation is done in three steps and has to be performed in this order. Activate the TPP

Date Response The Base Consent ID (consentGroupId) serves as a persistent reference that links related consents within a TPP’s service. It allows a common identifier to persist across multiple consents that belong to the same logical group—initiated by th

Date Response The customer consent verification process is the same as that for Bulk payments. The file uploaded is included in the consent. The user authenticates with the LFI. The LFI replays the consent given to the TPP which the user then authorizes.

Date Response The OFP provides a variety of methods for authenticating the interface between LFIs and API Hub at the application layer. This document provides an overview of the options available, the configurations that have to be agreed and the implemen

Date Response Open Finance will mandate standards for data retention, emphasizing consumer consent for data sharing and transaction authorization.

Date Response The LFI will provide a report to the TPP, transmitted on request via the OFP. The report will be encoded according to the type supported by the LFI. The OFP will act as a passthrough and will not validate the report content.

Date Response The legislation will facilitate data sharing with explicit consumer consent, ensuring data protection.

Date Response TPPs will be informed that the selected payment account requires multiple authorizers as per the authorization matrix of the LFI for the corporate account. The number of authorizations and other info will be provided to the TPP. Every time a

Date Response Although authorization occurs at the LFI, the consent parameters are stored and mastered in the Open Finance Hub. The consent parameters will be stored in a manner consistent with API specifications, including mandatory expiration dates set

Date Response The content of the file will be transmitted to the LFI over HTTPS, via the OFP. The file content should be encoded according to the type supported by the LFI. The OFP will act as a passthrough and will not validate the content.

Date Response This information needs to be populated within the TPP application. For e.g. They could support specific file formats and have a template provided using which the user can upload the file. Alternatively, the TPP could offer the ability to man

Date Response Yes

Date Response No, at this stage the scope of Open Finance payments does not include payments of different currencies other than local currency (AED) for single instant or multi-payments.

Date Response TPPs are regulated entities, so it would be advantageous to minimize data and access to only the data required by their use case.

Date Response Any entity already licensed by the CBUAE that is not an OF provider does not require a license to engage in OF. Instead, they only need a No Objection Certificate (NOC) from the Central Bank to act as a provider. We should acknowledge the ex

Date Response Under the current banking license, you are required to become a LFI. This is a regulatory requirement. To become a TPP as an existing LFI, need to apply for a deemed license and receive a NOC.

Date Response If the LFI has adopted the CAAP model, it does not have to offer consent management on its channels. The CAAP will handle it.

Date Response If a breach occurs with the TPP, LFI will record it in the dispute log.

Date Response The Open Finance Framework provides standardised user journeys that LFIs must adhere to when facilitating the authorisation of consent for a given TPP and data sharing or service initiation consent. As a very high-level, generic summary of t

Date Response The LFIs are making the payments and maintain their fraud responsibility to the customer.

Date Response UAEFTS provides an account name corresponding to an IBAN. The service does not provide a match/no match functionality. Also, it has been reported that the returned format of the names is inconsistent, making a match/no match process difficul

Date Response Yes, this is a requirement.

Date Response A single CAAP app instance always caters to all the LFI’s who have adopted the CAAP model. If the LFI is registered as two entities, the user will have to link each entity once in the CAAP app.

Date Response CBUAE only regulates the entities it regulates onshore.

Date Response High risk TPPs will be removed. OF will not allow any risky TPPs on the platform.

Date Response We will start with ISO20022, but it's important to note that we're not limiting ourselves to SWIFT. This flexibility allows us to explore other mechanisms offering cheaper and faster transactions.

Date Response The TPP will identify the LFI for which the user has their payment account, or the user may have indicated which LFI they want to use to select an account. Then, the TPP will redirect the user to the appropriate redirection path for the LFI.

Date Response This is a warehoused payment order and the consent is one-off consent for the posting of the payment order. The TPP will not be initiating individual payments. So they will not need a long-lived consent.

Date Response If there is no match, the user is clearly notified that the account does not match. The user can proceed with the payment at their own risk.

Date Response In the case of a payment, no connection to another AISP is required. Account selection will happen after redirection as a first step of the payment authorization journey. A user can initiate another consent for the AISP use case.

Date Response The approach reflects the separation of concerns at the OFP, where LFIs host separate endpoints. This separation of concerns is apparent regardless of IBAN vs IBAN and bank code.

Date Response Validation will take place centrally.

Date Response The merchant may be held responsible in cases where there are issues with the goods and services. In the realm of customer protection, these regulations will be overseen by the scheme rules established by Aani. Nothing prevents third-party p

Date Response Yes, the LFI has the authority to revoke consent for individual customers who have raised the dispute, but it does not have the ability to revoke consents en masse. The LFI would need to engage with the CBUAE and discuss the matter before ta

Date Response Verification does not have to happen on every transaction. Only during the consent setup. If the beneficiary is unknown during consent setup, the verification will happen the first time a payment will be initiated to this beneficiary.

Date Response The TPP is required to obtain authorization from the User before accessing their information for refund purposes. Subsequently, they can proceed to utilize the refund feature outlined in the standards.

Date Response The OFP will be keeping track of COP requests against the number of payment initiations. If any misuse of the COP service is identified, the offending TPP will be notified. It is important for TPPs, as regulated entities, to understand that

Date Response Regulations do not permit an Agency model (acting as an agent on behalf of another TPP). If the TSP relationship constitutes material outsourcing, the regulated TPP must declare this in their application or notify the regulator as required.

Date Response Indeed, all payments are charged the same.

Date Response Yes, this is removed from the latest version of the Standard.

Date Response And does the payment initiation involve authentication modes like OTP or Biometrics every time? VRPs can manage these use cases without additional consent if within the VRP parameters. However, the current version of the VRPs are limited to

Date Response The processing of the batch or bulk payment order once the LFI receives this through the OF channel will be as per their existing BAU processes.

Date Response Yes

Date Response If a pause is necessary, we can revoke all consent and remove from the trust framework. We will notify the LFIs. The CBUAE will compel TPPs to keep their customers informed.

Date Response It will not be any different from what the LFI is doing, as all information is passed back to the TPP. Any miscommunication will result in liability, warranting a separate discussion.

Date Response The authorization time window, as defined by the TPP, represents the acceptable timeframe within which they are willing to wait for all authorizations to be finalized. This will differ based on the use cases supported by the TPP.

Date Response Querying the status of payment can be completed using the Client Credentials grant type, so does not require ongoing consent of the user. This is consistent with all other open finance standards that deal with payment processing.

Date Response The assignment of a payment identifier in a bulk/batch payment file will be as per the existing BAU implementation at the LFI. This will be provided in the report file provided by the LFI via the OFP. Individual payments within the file will

Date Response Yes, a toolkit will be provided. Detail to follow in further engagement sessions.

Date Response Currently, there are no geographic restrictions on accessing the API Hub, including the Admin Portal, Headless Heimdall, or Consent Manager APIs.

Date Response Only the original consent, and therefore an Access Token associated with that consent, is required to retrieve the debtor account details. The consent endpoint specifically implements a flow using the Client Credentials grant type, so no aut

Date Response A TPP can send an Emirates ID or Trade License Number as the login_hint parameter in the Pushed Authorization Request, using the login_hint parameter. This must be sent as a JWE, encrypted using the LFI public encryption key. Please refer to

Date Response This is for corporate users.

Date Response No, it will only be available for domestic payees per the current scope.

Date Response All transactions (payments and service initiations) must be done under consent. It's not a 1:1 relationship; a VRP could result in multiple payments under a single consent.

Date Response Credit card is not part of this scope as we are currently focusing on account-to-account transactions.

Date Response At no point in the network is data ever stored or transmitted in an un-encrypted format. Data is only un-encrypted in the process space (kubernetes pod) where it is being processed. These pods sit in a private subnet in the Azure sovereign

Date Response It's for both depending on the transaction types/authentication methods.

Date Response …a corporate entity collecting payment from the customer or a distributor might not want to expose his account number like this, Only masked account number should be displayed with last 4 digits in clear. The TPP is expected to provide the O

Date Response First 200 AED would be free per merchant per day, and not per customer.

Date Response Yes, the LFI's existing authority matrix will have to be followed for authorizing Consent for accounts that require multiple authorizers, such as corporate accounts. LFIs are expected to initiate existing BAU processes and inform the TPPs vi

Date Response It is not required to call the two API before Strong Customer Authentication. Please keep the sequence that API Hub APIs are called the same. For example: > TPP redirects user to LFI < > SCA could be here < GET /auth GET /consent/{consentId}

Date Response This will depend on the how the retail and wholesale customer are currently using the LFI digital channels. If the LFI has two separate mobile and/or web apps used to access the LFI services - then there will be two Authorization servers on

Date Response No, this is not aligned with the OIDC/OAuth standards. Access Tokens linked to a user consent, those generated using the grant_type "authorization_code", are unique and always bound to one and only one consent.

Date Response It is possible for a single LFI to have different segments for personal/retail versus business etc under the same org by declaring additional authorisation servers and well-known endpoints that apply to each. Similarly, it is possible to dec

Date Response Yes, there will be a standardised liability model across the ecosystem for all participants.

Date Response To connect to the Open Finance platform, both LFIs (Licensed Financial Institutions) and TPPs (Third Party Providers) must review and sign the attached Terms & Conditions. These T&Cs outline the legal and operational framework for platform a

Date Response The ability to retrieve the debtor account details is bound to the original consent, to which only the initiating TPP has access. The OFP will enforce this rule and will not allow access to the debtor account details through the normal secur

Date Response We'll calculate all the charges, give the data, and change the fees on your behalf.

Date Response In the context of FAPI, mutual TLS (mTLS) is mandated for API communication between Third-Party Providers (TPPs) and Authorization Servers, ensuring encryption will happen at the transport layer. Additionally, FAPI 2.0 introduces key securit

Date Response All data (including PII) is transmitted between LFI and API Hub, and between API Hub and TPP, over MTLS (i.e. an encrypted communication channel) which guarantees only the two regulated parties can share this data. The data payloads (e.g. PI

Date Response We'll ensure that the information (file format) supported by the LFIs is available to the TPP (as metadata) without disrupting any standards. This will be published as part of the standards

Date Response Client Credentials Grant and Auth Code Grant, depending on the API call. We will document this for each API endpoint in the OAS3 (swagger) documentation that we produce.

Date Response It will be highly parameterizable consent from the customer. Users' Consent is not a blanket consent. It follows specific codification rules provided by the Standards, so Users are in control of what data they share with each TPP and what se

Date Response The Health Check API is mandatory as it allows simple connectivity tests to be performed between the API Hub and the LFI’s Ozone Connect implementation.

Date Response Yes

Date Response At the moment, we don't have a cap on the number of consents a User can provide to a TPP.

Date Response The limit will be checked by both TPPs and LFIs, and specific business rules will be defined for various payment scenarios. The limit will also be checked in the OFP when validating a single payment consent against the Standards and the Busi

Date Response Validations are in accordance with the business rules as described in the OFP Standards. For the auth call, Ozone implement all the checks that are required under the OIDC and FAPI standards. If an LFI is interested in gaining an insight int

Date Response When a change is initiated in the TPP consent, it will be triggered and pushed to the LFI. We will supply a documented version of the Ozone connect, which is the LFI facing equivalent of the TPP standards (to be covered in detail during onbo

Date Response Tier 1 banks first, then tier 1 insurance. plus tier 2 banks and then tier 2 insurers.

Date Response At this point there is no hard limit. We haven’t seen any market usage that could create a technical issue.

Date Response Yes, it's contained within the consent itself.

Date Response The Standards will define this. TPPs can set the consent validity period depending on their use cases. However, this will be limited to the maximum period defined in the Standards. From a security and fraud perspective, we will assess whethe

Date Response Specifically, in the context of corporate accounts with multiple signatories, what are the procedures to ensure the proper authorization of consent before granting access to APIs to be followed? Yes, there is a central consent management app

Date Response Compliance and fraud checks will be as per the existing BAU process for bulk/batch payments in place at the LFI.

Date Response Any limits on the number of records in a bulk/batch payment instruction will be as per the existing BAU implementation at the LFI. The OFP will impose a payload size that is the maximum supported size across all LFIs.

Date Response Max 13 months for one call.

Date Response Replay attack protection is ensured through the use of an idempotency key. Message security relies on the TPP's private keys and transport layer security.

Date Response Adoption of CAAP by LFIs is optional. LFI can use its existing authentication mechanism on its web/mobile channel.

Date Response The LFI to TPP fees include 15 fils. In addition, Aani payments and TPP to end customer fees include all the costs LFI and TPP incur.

Date Response Optional

Date Response Currently, the matching is an exact match, not a partial match.

Date Response Mapping the data model to use cases is not something we considered, but we can explore it for the UAE.

Date Response Either raising route can be used - yes.

Version 1.0 Publication Date Classification PUBLIC 1. Requirements for Key Facts Statement for Open Finance-related service offered by TPPs 1.1 Content Requirements: The Key Facts Statement (KFS) for Open Finance-related services provided by Third-Party P

Welcome! How can we help you? This space contains questions which have been raised by TPPs and LFIs during the development and implementation of Open Finance in the UAE. You can either search by keyword or browse by topic. General Standards Open Finance P

Date References Standards v1.2-final-errata1 Response As part of the update described in Standards v1.2-final-errata1 changes were made to the following objects in the GET /customer endpoint (API Hub v6): data[].verifiedClaims[].claims.residentialAddress

Date Response LFI authentication is expected to be Multi factor and as currently supported within their online channels (web and mobile).

Date Response CBUAE won’t suggest any pricing; LFI can go above the threshold.

The following documents and video guides are to be used by LFIs to support training their staff on Open Finance and the Al Tareq platform. Nebras Training Video Modules_Final.mp4

Date Response The program will be leveraging two layers of monitoring: at the Central Bank level and at the OF platform level. Central Bank level: A similar approach to the supervision that we currently do for quality providers, PSPs, etc. OF Platform lev

Date Response Generally, yes. There may be some edge cases once we work through the details (where the OFP cannot identify that the consent has been consumed), but we will point these out (if any) when we work through each consent's detail.

Date Response If the LFI currently supports this Batch capability within their online channel then they must support this through the TPP.

Date Response Yes, the LFI submits the payment to the payment rails when the user clicks "proceed."

gaDate Response Open Beneficiaries Open (or Variable) Beneficiaries refer to a process where the CreditorAccount is not specified during the payment consent phase (Par request) but is instead defined at the time of payment initiation. This approach is app

gaDate Response Delegated Authentication Delegated Authentication refers to a process where a TPP requests a one-time setup of a long-lived payment consent, authenticated and authorized by the user with their LFI. Unlike Multi-Payment setups, this model d

Date Response We’ll have dedicated sessions on that in the future to have specification processes between the TPP and the functionality.

Date Response The Servicer object in the AccountId response is the LFI that is servicing the account (the LFI where the account is held). So may be the BICFI for the LFI itself. The beneficiaries and scheduledpayments resources have the CreditorAgent obje

Date Response Please refer to errata 3 – point 58 Standards v1.0-final-errata3

Date Response Nebras Contract of Establishment and T&Cs will be circulated once finalized. For the Limitation of Liability model available here Limitation of Liability Model

Date Response Ozone has a housekeeping process that automatically moves consents to Expired. In this situation, LFIs do not have integration requirements. We have now reorganized the standards to state explicitly what the LFIs and TPPs need to do.

Date Response Many open finance standards implement an “idempotency key” as a means to protect against unintended replay of API operations due to transient failures such as HTTP timeouts. Payment initiation is a use case for an idempotency keys, due to th

Date Response Yes

Date Response Other than state changes that happen through the usage of consent and the passage of time.

Date Response It is not a white-labelled solution with an instance for each LFI. It will have central branding, and LFI will be linked to the CAAP app.

Date Response Yes, TPPs will pass all metadata to LFIs around payments, etc.

note In order to use SSO integrated with the OFTF, the user will need an account on the OFTF with either a PBC, PTC or STC role. Please see: https://openfinanceuae.atlassian.net/wiki/spaces/tfdocsv6/pages/310837277/Trust+Framework+User+Documentation#4.3-O

Date Response Yes, that is correct. In case of a payment to a merchant, if the TPP has onboarded the merchant, validation of the merchant account is part of the TPP onboarding obligations as per the Standard. In this case, COP is not required.

Date Response LFIs, including OF Service Providers, have to maintain records. The timeframes were not specified in the regulation, as this is the exact period provided in AML regulations. The purpose is to ensure that all LFIs have records of the transact

Date Response Correct

Date Response The TPPs MUST require Users to agree there will be one (or more) event(s) that the TPP will use to signal the User’s agreement for a payment initiation to be processed under the Multi-Payments consent. Examples of these events could be the

Date Response TPPs will have the option to not conduct COP in specific scenarios.

Date Response The beneficiary type indicates whether the customer added the beneficiary in an authorised session where Strong Customer Authentication was enforced. If an LFI does not record this information they may set the value to NotActivated.

Date Response The Open Finance Framework API standards, API Hub APIs and Ozone Connect API standards support and implement the practice of using unique, surrogate identifiers instead of domestic account numbers or IBANs in API operations that require a gi

Date Response They must be licensed to participate as a TPP in the UAE.

Date Response Please refer to latest version of the standards for further details.

Date Response TPPs are required to comply with relevant regulation which underpin the provision and use of geo-location data.

Date Response The customer endpoints in the Ozone Connect Specification is used when TPPs request GET /party or GET /accounts/{AccountId}/parties

Date Response Please see the documentation for API Hub LFI Implementation Plan for an overview of key milestone. https://openfinanceuae.atlassian.net/wiki/spaces/OF/pages/124321883/API+Hub+LFI+Implementation+Plan

Date Response The default character limits for API request headers and body parameters can vary depending on several factors, such as the specific API you're using, the server configuration, and any limitations set by the API provider. However, there are

Date Response Is there regulation in place for TPPs? Will there be any blacklist kept in place for this? The transactions are made and controlled ultimately by the banks. The TPPs can only initiate; therefore, BAU bank controls for fraud, and AML will app

Date Response Based on the process agreed for the ecosystem, the PBC will act as the primary point of contact between your organization and the CBUAE, ensuring smooth coordination and communication throughout the onboarding and operational phases. Below a

Date Response If the applicant has not received a license from CBUAE: Submit an updated application form and relevant supporting materials to the licensing team to update the desired category/services under Open Finance (OF). If the applicant is already l

Date Response To gain access to the OFTF production environment after being granted access to the sandbox, an LFI must meet two key requirements: First, the organization must sign the Terms & Conditions within the sandbox environment, formally agreeing to

Date Response LFIs are not required to take any additional actions regarding fraud notifications, as they will manage AML and fraud for Open Finance transactions in the same way they handle all other transactions

Date Response There is an 50:50 split between LFI and API Hub as defined in the availability and performance section of the operational guidelines. Detailed in section 4. API Performance (calculation column). The benchmark will be apportioned in an equal

Date Response Please refer to https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850897/Limits+and+Constants#C.-LFI-Channel-Limits https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151850897/Limits+and+Constan

Date Response It is important to highlight that these permissions can be altered by super users, if necessary, in Reference Data > Domain Users and selecting the user type. Based on the permission’s tables on the Al Tareq TF, the configuration is currentl

Date Response The Open Finance Framework standards at version 1.0 supports client authentication assertions based on the private_key_jwt profile. tls_client_auth is not in scope the Open Finance Framework. tls_client_auth may be supported in a future iter

Date Response All existing BAU checks of LFIs for sanctions checking, AML etc will still be applicable for the LFIs and all the necessary data will be provided.

Date Response The data elements and data model for the LFIs will be provided as part of the interface of OFP with the LFIs. It will include all the information provided by the TPP for payment initiation.

Date Response Unattended API calls represented automated initiation of data requests which can be used for scenarios such as data refresh.

Date Response The consent does not have to explicitly list out all the credit accounts and the debtor accounts. There will be a CTA within the consent which will display the list of the payments to be made with these details.

Date Response The Open Finance operating company will be able to take centralized actions to block the TPP immediately, revoking all their certificates issued on the Trust Framework and removing the institution from the Federation Endpoints.

Date Response The Standard will be updated to provide rules for retries of payments in this scenario.

Date Response There is no limit to how many Organization Administrators an organization can have on the Trust Framework. Therefore, we recommend registering multiple administrators on the platform to prevent losing access due to a single person leaving th

Date Response A technical user in the participant Trust Framework is a type of user with a set of predefined access rights within the Trust Framework. These users have specific access and permissions that are determined by their user type, rather than ass

Date Response The standards indicate that some data clusters do not require the customer to select one-or-more accounts as the information to be shared is correlated with the User rather than the accounts. An example of this is the ReadPartyUserIdentity d

Date Response There will be two core levels of functionality for insurance. These include Life Assurance Policy Data & Quotes and Non-Life Insurance Policy Data & Quotes (Including Travel Insurance, Car Insurance, Home Insurance, Renters Insurance, Health

This LFI Code value is used in three places. The LFI codes are used as an identifier for a particular tenant on the API Hub. The entry is collection on the API Hub Onboarding form. Screenshot 2025-06-12 at 15.54.44.png The sub domains of the pre-prod and

Date Response Escalation to CBUAE potentially or Sanadak.

Date Response This refers to a scenario where the customer is actively engaged in a transaction or authentication process, either physically or virtually, at the time it is being conducted. This could mean the customer is present in-person, providing cred

Date Response PaymentId The PaymentId is the resource identifier for the payments resource – is a UUID that uniquely identifies the payments resource. The PaymentId has no meaning for a customer, and is used for managing the payments resource. PaymentTran

Date Response See the consent manager specification request The request body for creating a new consent. The body consists of the RAR request that is sent by the TPP to the authorization server. requestBody An object representing the current state of the

Date Response The consent manager provides APIs for a number of consent management procedures and actions. request object This field contains a record of the consent at it was received from the TPP in the PAR request at the start of the the Consent Author

Date Response interaction-id This ID is an API Hub internal identifier used to track the lifecycle of the interaction object. The interaction is object is managed by the Headless Heimdall Auth server. Please see the Authorization Server OpenAPI Specificat

Date Response This is defined in the standards for Bank Service Initiation

Date Response All bulk/batch payment processes should be implemented as per your existing bulk/batch payment processes. The report file should therefore be formatted as per your existing report file format. https://openfinanceuae.atlassian.net/wiki/spaces

Date Response All Bulk/Batch payment processes should be implemented as per your existing bulk/batch payment processes. The report file should therefore be formatted as per your existing report file format. If you do currently support bulk/batch payment p

Date Response The Frequency field for the Standing Order resource is documented in the API specification Frequency: type: string minLength: 1 maxLength: 35 description: > * The frequency that the Standing Order payments are executed from the User1s accoun

Date Response The Authorization Endpoint is the URL where the user is redirected to authenticate and authorize the consent staged by the TPP. This URL should be provided to the API Hub Delivery team as part of the JSD Questionnaires.

Date Response The maximum validity period for the consent is set by the Standard and can be defined by CBUAE based on feedback from the industry. It is currently set to one year in Limit A1: Limits and Constants

Date Response The Open Finance Platform (Trust Framework and API Hub) is based on existing proven technology widely adopted in other markets. A localised instance (hosted in Microsoft Azure Sovereign Cloud in the UAE) is currently being updated based on t

Date Response Please refer to the pricing page Commercial and Pricing Model

Date Response There are a few alternatives available here, including MTLS, signed headers, and OIDC client credentials. We are also looking at adopting DPoP. However, we will have deep-dive sessions on OFH to LFI integration, including regular drop-in se

Date Response Documentation is published here: https://openfinanceuae.atlassian.net/wiki/spaces/OF/pages/124583943/Certification+Framework

Date Response Documentation is published here: https://openfinanceuae.atlassian.net/wiki/spaces/OF/pages/124583943/Certification+Framework

Date Response The status field is a convenient way for the LFI to read the status of a consent that is standards agnostic The statuswill always be kept in sync with consentBody.Data.Status and it is the API Hub’s responsibility to do so. { "data": [ { ...

Date Response Please refer to the latest version of the standards for further details.

Date Response The redirect_uri is a critical parameter in the OAuth 2.0 authorization process. It is the URL to which the authorization server sends the user after the authentication process is complete. This URL must be pre-registered with the authorizat

Date Response Please see item 32 here Standards v1.0-final-errata3

Date Response TPPs in Free Zones would need licenses to deal with the onshore LFIs. Branches and entities domiciled in Free Zones won’t be in scope as only entities regulated by CBUAE will be in scope.

Date Response Tier 1 banks will be this year, with the bulk of insurers next year with tier 2 banks.

Date Response The Open Finance Platform will be ready for service in October 2024. In advance of this (towards the end of the summer) the API Sandbox will be available for early testing by TPPs and the API Hub for integration testing by LFIs.

Date Response Tier 1 banks are asked to go live this year, the rest of the phases, next year, throughout the whole year

Date Response Deadline for health data insurance is August 2025 and around the end of 2025 for quotation functionality. Tier 2 will have a different set of deadlines.

The purpose of this policy is to provide you with a clear understanding of how your personal data is handled when interacting with the Trust Framework. You’ll find detailed information on the types of data collected, the methods used for collection, the p

Date Response Yes, it is a consentless API call to the LFI to provide the name data, and the OFP will run some algorithms to check for a match or a no-match of the name.

Date Response Details are available on the latest version of the API Hub Documentation space. https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv4/pages/168264072/Application+Layer+Authentication

Date Response Parameters can be found here https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final

Date Response Aani payment rails are used for domestic payment types that are currently supported.

Date Response The OpenID Federation model is utilized for TPP application metadata attestation, ensuring a trusted process for TPP onboarding. The integration between the Ozone and Raidiam Trust Framework facilitates seamless TPP registration.

Date Response Technical Contacts are roles assigned to Trust Framework users, allowing them to perform a series of actions within the Trust Framework. There are four main technical activities in the Trust Framework: Manage Applications Metadata: Create ne

Date Response If you cannot access the Trust Framework even after completing the registration and verification steps, follow these steps: Check Your Registration: Confirm that your registration process was completed successfully and that you have received

Date Response Ensure the user is added to the organization by an administrator. After this step is completed, the user should log out of the Trust Framework and retry the account creation process - https://web.sandbox.directory.openfinance.ae/ https://web

Date Response If a user receives this error message, their email needs to be added to the Trust Framework as part of an organization. The administrator should: Add the user as an active organization administrator on the Trust Framework. Assign the user's

Date Response The get /customer operation provides customer attributes that have been validated by the LFI during customer onboarding, KYC and AML processes. The API adopts the Identity assurance standard created by the OpenID Foundation: https://openid.n

Date Response The API Hub implements TLS based on the requirements of the FAPI 2.0 Security Profile. FAPI 2.0 requires that TLS 1.2 or later is used for both client and server connections. Client and server connections initiated or hosted by the API Hub w

Date Response The bulk/batch payments approach reflects the existing BAU process at a given LFI and will therefore reflect their SLAs. The OFP will deliver the file content real-time to the LFI so there will be no delay (other than normal network transmis

Date Response This is a single consent, not long-lived to change dates. This scenario will not occur.

Date Response This is based on feedback from TPPs in other regions that a suspended state would be helpful, e.g. for payment holidays on a VRP when an account is suspended for operational reasons. The suspended state can be driven by customer, TPP or LFI.

Date Response The LFI should return a 201 to indicate the payment resource has been created, which will be relayed to the LFI. When the payment instruction has been completed or changes, the Payment Log for the payment instruction on the Consent Manager m

Date Response A successful payment initiation does not mean the payment is successful and reached the beneficiary account. The payment status will change depending on the execution of the actual payment. For AANI payments, we can indicate a successful tr

Date Response The TPP will use the authorization_endpoint value from the LFI OpenID Discovery endpoint to build the root of the redirect URL. The TPP will then add the following as request parameters: client_id: The TPP OAuth 2.0 Client ID as specified de

Date Response The Trust Framework, along with other platforms in the Al Tareq ecosystem, is accessible to Third Party Providers (TPPs) and Licensed Financial Institutions (LFIs) within the UAE and other selected countries of operation. Countries outside t

Date Response If the user tries to access the Trust Framework from the URI of an authentication interaction that has expired or hasn’t been completed, such as : https://auth.directory.openfinance.ae/interaction/NqO4A8gcenHvZOMGiEATx https://auth.directory

Date Response If a consent is revoked and the status is successfully patched at Consent Manager the Access Token will no longer be valid. When a request is made at the LFI Resource Server instance at the API Hub the consent will be introspected, found to

Date Response The critical path involves defining the functionality that enables the ecosystem, as outlined in the regulation. It's primarily due to the fact that the OFP handles consent management, validation, security identification, and regulatory perm

Date Response The TPP, as the collector, is authorized to gather data on behalf of the merchant. This is permissible because the merchant is initially engaged in the transaction by receiving the payment.

Date Response The authorization_detail_types for a new application are determined by the roles assigned to users in the Trust Framework. These roles define what types of consent requests the client can initiate for data-sharing journeys. More details on h

Date Response In the CBUAE ecosystem, the token_endpoint_auth_method is always set to private_key_jwt, which is the only supported method. This ensures compliance with the ecosystem's Security Profile - FAPI

Date Response The use_mtls_endpoint_aliases field is automatically set to true for all new applications within the Trust Framework. This setting requires the client to use the MTLS (Mutual TLS) endpoints listed under the mtls_endpoint_aliases field. When

Date Response The OFTF is configured to support phone number validation for the most likely countries based on the expected LFIs and TPPs defined by the Schema. If your phone number is not from a geo-blocked country and you don't have a number from any of

Date Response The Ozone Connect implementation for Data Sharing and Service Initiation has the same domain so it will share the same domain for events. From Ozone’s perspective there is only 1 host for egress so yes will be on the same URL.

Date Response Unlike other countries, in terms of localization of data, we've taken an approach similar to other regulations, where the master copy has to be in the UAE (With a cloud service provider in the UAE). If LFIs want to store a copy of the data o

Date Response A page has been published in the latest version of the API Hub documentation detailing domain structure: API Hub Domains & DNS

Date Response This has been published in the PPT on confluence - see Limitation of Liability Model

Date Response There will be certainty on revocation or modification of consents as this can be called from the OFP.

Date Response There are two discovery endpoints: API Discovery This is hosted on the OFTF and provides the list of ecosystem participants including OpenID Connect Discovery URLs. OpenID Connect Discovery This provides OAuth metadata/OpenID Connect discove

Date Response See the latest version of API Hub documentation. https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3/pages/134938904/Application+Layer+Authentication https://openfinanceuae.atlassian.net/wiki/spaces/APIHubDocsv3/pages/134938986/JWT

Date Response In the Pushed Authorization Request (PAR) endpoint - there are several areas where information about the Debtor is passed from the TPP to the LFI (via the API Hub). These are primarily in the: login_hint This is where the TPP will either spe

Date Response Access to information about Administrators and Technical Users is restricted within the Trust Framework. Only Super Users or members of the same institution are authorized to view this information through either the user interface or API. Th

Date Response There will be a new license type with strict requirements and a CBUAE approval process.

Date Response The arbitration will take place at the Central Bank. Central Bank or one of its subsidiaries will deliver the verdict. TPPs and LFIs should raise the dispute on behalf of the customer.

Date Response The TPP is responsible for invoking a balance check, as per the Multi-Payment business rules: https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1final/pages/151848909/Multi-Payments#4.-Balance-Check https://openfinanceuae.atlassian.

Date Response The Terms & Conditions Document is issued on the Trust Framework by an Organization Administrator or PBC and must be signed by the designated Legal Representatives of the institution. These Legal Representatives should be specified when the

Date Response Anthony Jones Erick Domingues The Online Certificate Status Protocol (OCSP) checks for certificate revocation are conducted by the Trust Framework PKI Certificate Validation Service. When an organization's application needs to verify the rev

Date Response A 401 error when calling the Trust Framework APIs typically indicates an authentication issue, often due to an incorrectly issued or invalid access token. To successfully authenticate and access the Trust Framework APIs, it is essential to f

Date Response You are receiving notifications about new admins or users being added to the platform because you are registered as a user type that is configured to receive these alerts - https://openfinanceuae.atlassian.net/wiki/spaces/TFDocsv3/pages/1834

Date Response The management of Domains and Roles defines what data and APIs participants can access within the Open Finance Scheme. Only Super Users, with Central Bank Authorization, can manage Domains and Roles, as these functions are restricted for com

Date Response If you cannot find an API Family on the Trust Framework's dropdown list when attempting to register, it is likely because the API Family has not been registered within the Trust Framework yet. For an API Family to appear in the dropdown, it

Date Response When creating a certificate within the directory, the user must ensure that they are using an up-to-date version of OpenSSL to generate the key and the Certificate Signing Request (CSR). The default message digest in OpenSSL is sha256 starti

Date Response If you receive an error when uploading the Certificate Signing Request (CSR) during certificate generation, it could be due to field validation issues. Each field must match the corresponding information registered in the Trust Framework for

Date Response It is single consent; however, it lasts as long as the future and covers only that payment value. This isn't for recurring payments.

Date Response If the Trust Framework is not accepting your Time-Based One-Time Password (TOTP), it may be due to a time synchronization issue. Ensure that your device's time is accurately synced with the internet to match the server time.

Date Response The fixed fees costs will be included as part of the costs required to operate in the UAE. Consequently, it will ensure Open Finance functionalities.

Date Response If an LFI supports Bulk and Batch Payments then they will be mandated to support Bulk and Patch Payments for Open Finance.

Date Response CAAP will support authentication and authorization for any service in the scope of OF.

Date Response The scope of callbacks at the first release is for consent state changes only. Callbacks for other operations such as bulk/batch payment instructions will be introduced at future iterations of the OFP.

Date Response The consent Expiration Date on the consent will drive this.

Date Response We'll have a data portal to make that available in real-time.

Date Response If the optional JWT Auth is implemented between the API Hub and the LFI then all Ozone Connect calls made from the API Hub to the LFI will have the header included.

Date Response Rules have been added for cases where the account is inactive, dormant, blocked or in any other state that will cause the payment to be rejected. In this case, the COP service at OFP will receive no data from the LFI and will return no match

Date Response Ozone will be set up as a Participant in the Ecosystem with a “Technology Service Provider Role”.

Date Response The working assumption is that we can reuse AANI for proxy resolution. This is TBC, but we are looking for an approach with minimal or no impact on LFI implementation.

Date Response No, reports from the Admin Portal are only accessible through the portal and are not available via APIs.

Date Response Yes, the confluence content and the recordings will be made available for feedback.

Date Response We are standardizing fees for all types of payments.

Date Response Provided, the chosen method meets minimum CX and security guidelines, yes. The LFI is however expected to offer existing authentication methods that their customers are already familiar with.

Date Response Yes, this will be handled by the OFP.

Date Response The TPP will utilize the discovery operation to fetch the accurate authentication server and resource server URLs for the correct LFI. These details are interconnected through a lookup process utilizing the IBAN. Subsequently, the TPP will e

Date Response All API calls from the OFH to the LFI will have the Consent ID specified. It will always be included in the header, but if it has a business functionality in the API context, it will also be included as a path parameter or in the JSON body.

Date Response No, follow the existing LFI BAU process.

Date Response Yes, this is a design consideration.

Date Response Usually, the description used for reconciliation purposes is referred to as a Payment Reference. The standards mandate that this be provided for each Service Initiation, and depending on the use case, either the TPP or the User can provide i

Date Response CBUAE have sent a list of SIs we've briefed to the tier 1s; we can send this wider, too. However, we don't have a panel.

Date Response VRPs include 5 different consent control parameters. In summary these are: Max payment amount per each payment initiation (if not specified) Max cumulative number of payments during consent. This is the total number of payments allowed durin

Date Response Yes, this will be detailed in the API specification and covered by consultation. Usually, there is a block of data that provides state management information on consents going through a multi-auth journey (how many authorizers, how many have

Date Response The liability model and T&Cs will reflect the responsibilities of all parties.

Date Response There is no separate transaction type. For misuse, please refer to the answer above immediately.

Date Response Billing won't be via API, no.

Date Response We’ll be including such a feature, yes.

Date Response This is currently under consideration, with the risk assessment for merchant/P2P payments being treated differently.

Date Response The API Hub is an internet-facing platform without specific networking requirements. TPPs must, however, be enrolled on the Trust Framework and hold an appropriate client certificate to connect to any LFI instance.

Date Response The fraud controls will be the same real-time fraud controls that the LFIs have on IPP-based payments today. Fraud controls will not be implemented on the OFP. OFP will be validating consent parameters and will ensure requests are within the

Date Response For LFIs electing to use the Central Consent App provided by the platform, the Consent App will use EFR to authenticate and onboard users.

Date Response A form and phoneline will enable TPPs/LFIs to file disputes.

Date Response The APIs to be exposed to TPPs and the API Hub will both be formally defined to ensure harmonization.

Date Response Aani is effectively a TPP, but it is only the baseline. We want to open the functionality of Aani to TPPs and banks to encourage innovation - eDDA is only to one party, and the VRP can be multiple destinations with one TPP facilitating.

Date Response OFP does not monitor transactions for fraud.