Engagement Round 1
- Will the content that was shown in the engagement sessions be shared?
- What is the Open Finance Hub's status and its release timeline?
- What is the timeline for the commencement of testing by participants?
- What is the timeline for releasing the mandate for LFIs?
- Who is entitled to be recognised as a TPP?
- What are the measures against fraudulent transactions?
- Is it required for any parties to sign an indemnity form to help in case of disputes?
- Does ‘Consent’ assume the TPP has already registered/identified itself?
- How long can the consent request be in the 'awaiting authorization' state?
- Is there an expiration date for Long-Lived Consent, and who set it?
- Can the LFI or TPP revoke the consent on the user's behalf?
- Can consent be modified via a TPP request after consent is created?
- What is the maximum validity of long-term consent?
- As a user, do I have to provide separate consent for every LFI I deal with?
- Is the customer's consent a blanket consent, or would they be in a position to choose a variance of that consent? What would the personal data protection position of this data be?
- Is it left to the LFIs to do the necessary mapping of an event 'consent' for the authority matrix in line with the bank mandate?
- How will the authorization matrix for a corporate payment be embedded within this process? How will the TPP validate what is maintained at the LFI before sharing it with the LFI?
- Are there any language requirements for consent to be in Arabic/English?
- Could there be a scenario where the TPP is not a user-facing entity?
- Will the Open Finance Hub pass the Consent ID to the LFI in the header?
- Will there be a mechanism to help TPPs differentiate abandoned consents ("Awaiting Authorization") from ones that are still "Awaiting Authorization" while waiting for a second authorization?
- Does the LFI own the consent?
- How will the consent be stored?
- What parameters and data points are included in a consent?
- Can the user link consents with specific service initiations or data access through the dashboards, and can they dispute consents?
- How do multi-authorizer payments work?
- With the API hub, does this mean that LFI has to design APIs in the format given by CBUAE, or does the LFI have the freedom of API contracts?
- In a centralized implementation like CBUAE, will the TPP validation happen at the central platform level, or will the banks also have to do that?
- Do LFIs have to design APIs in a format given by CBUAE?
- What is the process for onboarding an LFI onto the Open Finance Hub, and does the LFI have to maintain tokens between the API hub and the LFI?
- Will the LFI determine the authentication method?
- Will UAE Pass be used for authentication?
- How are participants onboarded, and will TPPs follow the same process as LFIs?
- What registration framework is used?
- How are the certificates rotated, and how are they renewed once they expire?
- How is FAPI resilient to DDoS attacks, especially Layer 7 DDoS attacks, given the recent increase in DDoS activity in this region?
- Is a toolkit/process provided for TPP onboarding related to Certificate enrollment and its life cycle management?
- What happens if a TPP is compromised?
- Will there be a novation of contracts/responsibilities as security moves between LFIs and the central hub?
- Is it possible to have a binding between one access token and multiple consents for aggregator-type scenarios?
- Does FAPI 2.0 support refresh tokens?
- Is payload encryption considered for transactions between TPPs and the authorization server?
- Is there a limit to the amount of a Single Payment? Where is it checked?
- Can a payment be made from multiple accounts with the same LFI?
- When a payment is successful, is the money guaranteed to be received in the bank account?
- What payment rails will be used for OF payments?
- Will there be a description or other payment identifier available in the transaction/status details, which is required by most SMEs to solve reconciliation challenges?
- Does SIP Payments mandate that LFIs create beneficiaries at the LFI end, or will these payments be ad-hoc without adding beneficiaries?
- If an LFI has its rules or fraud engine, will that supersede any central platform rules?
- Will there be any limitation for first-time transfer as a risk mitigation?
- Will payee info be validated in real-time using CBUAE APIs, including proxy validation?
- Will there be any real-time fraud rules configured at the hub to restrict attempts, if any?
- Can a TPP initiate a bulk payment request?
- Will there be a Confirmation of Funds journey available for TPPs to check the availability of funds prior to a fast-track payment?
- What happens if one of the recurring payments fails due to a low balance in the account? What are the rules for retries?
- In the case of a payment from a TPP where the PSU has to make vendor payments, bills & supplier payments, can the PSU give long term payment consent to the LFI via the TPP?
- Will there be a maximum ceiling for variable payments? What happens if the payment request is over the maximum amount authorised?
- With the recent introduction of Aani, the eDDA, and eCheques, why is Open Finance now open, and what are the differences?
- How are consent parameters shared with LFIs, and how is data treated before storage?
- Does the requirement to destroy data immediately after a transaction contradict record-keeping requirements or refund provisions?
- Can external TPPs outside the UAE integrate with OFH APIs?
- How will data retention be managed, especially in light of regulatory requirements beyond the transaction or permission period?
- How does consent redirection work, and what information is shared with TPP regarding consent?
- Can we access Postman collections to examine how the APIs work?
- Is there protection against replay attacks for requests?
- How will personal data be protected, especially considering the new functionalities for the insurance sector?
- What is expected from insurance companies in terms of Open Finance?
- Payment Validations & Responsible Party
© CBUAE 2025