LFI Integration Sessions
- How do we ensure that event notifications to LFIs are not lost due to circumstances like network error?
- How does a TPP know the customer segment for redirect? For example Retail vs Corporate
- When subscribing to events, will a separate URL be used?
- Are there procedures in place for Disaster Recovery and monitoring in production?
- Does the API Hub have responsibility for warehousing or scheduling future-dated or recurring payment initiation requests?
- When consent is revoked at the LFI does the Access Token need to be revoked?
- What is the LFI Authorization Endpoint?
- What is the difference between the interaction-id and the x-fapi-interaction-id?
- How long are tokens valid for that are issued by the Authorisation Server?
- How does the API Hub Ozone Connect Testing Tool work?
- Will Event API calls between the API Hub and the LFI be secured with JWT?
- What are the customer endpoints in the Ozone Connect Specifications used for?
- How will data be secured during transit over the internet between the API Hub and LFI?
- Can the API Hub support IP Whitelisting?
- How is data stored at rest in the API Hub?
- What version of Transport Layer Security (TLS) does the API Hub implement?
- Is the Health Check API mandatory?
- Is an identifier for a customer sent as part of the Pushed Authorization Request?
- Is access to the API Hub restricted to users in the UAE?
- Where are the Discovery Endpoints hosted?
- Can the Ozone Connect Testing Tool be used without certificates?
- Can an LFI be notified when a given consent changes?
- Where can I find more information about JWT Auth for API Hub Integration APIs?
- What is the process of certification for TPP?
- What is the process of certification for LFI?
- What are the SLAs for an API response and how does it split between the API Hub and the LFI?
- What is the difference between request and consent body in the Consent Manager (CM) specification?
- What are the delivery timelines for the LFIs?
- Can the Consent Manager be used to manage consents that are outside of Open Finance Ecosystem?
- What is the format/standard for the Bulk/Batch payment report file?
- If a Customer has already authenticated, should they be forced to authenticate again to authorise consent?
- What is the format / standard for the payment report file?
- When a payment instruction has yet to complete, what HTTP status code should be returned from Ozone Connect?
- When a TPP redirects a User to an LFI, how will the URL be constructed?
- Who undertakes the Online Certificate Status Protocol (OCSP) checks for revocation?
- Does data returned in an API response need to be sorted in a specific order?
- What options are available for application layer security?
- How are Organization Administrators defined when the LFI is registered on the OFTF?
- What happens if the Organization Administrator leaves the company? How can a new Admin be nominated?
- How can I add a Technical User to the Platform?
- Who should sign the Terms & Conditions Document?
- How Many Legal Representatives should be configured when issuing the Open Finance Terms & Conditions Document?
- Why do I receive an error when uploading the CSR during certificate generation?
- Why is the Trust Framework not accepting my TOTP during account registration?
- Why am I receiving notifications about admins or users being added to the platform?
- Why am I receiving a 401 error when calling the Trust Framework APIs?
- What is the redirect_uri that is required when creating an application?
- How can I add contacts to my organization's Contacts list in the participant Trust Framework?
- What is a technical user in the participant Trust Framework?
- How do you validate your information during the registration process?
- How can a user reset their OTP in case they lose or change their mobile device during the registration process?
- What should be done if a user cannot access the Trust Framework even after registering?
- What steps should be taken if a user receives an error message stating they need to be an active user in the Trust Framework?
- What steps should be followed if a user cannot create an account due to an error?
- How can an LFI discover Third Party Providers (TPPs) within the Trust Framework?
- How can an LFI define which TPPs it should accept?
- Who is capable of accessing information about Administrators and Technical Users?
- When Registering a new Application, what is the use of mtls_endpoint_aliases in the Trust Framework?
- When Registering a new Application, what is the token_endpoint_auth_method in the CBUAE ecosystem?
- When Registering a new Application, what are authorization_detail_types in the Trust Framework?
- When accessing the Trust Framework UI and APIs, I'm receiving a 403 - Forbidden Error
- When accessing the Trust Framework UI, I'm receiving a Session Expired/Not Found Error
- Failure to Load TF U.I. when using a VPN
- Why can't I find an API Family on the Trust Framework's dropdown list when attempting to register?
- What is the difference between the PaymentId and PaymentTransactionId attributes?
- What is the purpose of "status" and "consentBody.Data.Status" on the Consent body?
- What is an example of a data cluster that does NOT require a customer to select an account before authorisation?
- Will reports from the admin portal be available via APIs?
- What are the field size limits for Ozone Connect headers or body parameters?
- Should the LFI's Open Finance channel provide a similar feature set to the existing digital channels?
- When will domains be confirmed?
- Is there a list of validations undertaken by the API Hub?
- How long is an authorization code valid for?
- Can a Future Dated Payment be cancelled by revoking the consent?
- Who is responsible for performing a balance check?
- What verified claims data do we provide in the get /customer operation?
- Can the accounts associated with a data sharing consent be changed at the LFI?
- Does the API Hub throttle requests?
- Does an LFI need to validate an Authorization Request before invoking the getAuth operation?
- Could you clarify the testing process and documentation, including details on postman scripts, success criteria, quality gates, and promotion phases?
- What is the requirement for notifications ahead of VRP and future payments?
- Clarify payment journey diagram for incoming and outgoing Payments with required response timelines
- Is it possible to have two connections, one for Wholesale and the other for Retail customers, at the Ozone layer, as the fulfillment journeys are different for the customers? Will there be any impact on the contribution fee payment if there are 2 connections?
- Share list of account which are in scope as per regulation. Confirm if overdraft accounts / dormant accounts / unclaimed accounts are in scope.
- Share Nebras Article of Association, Liability Framework and T&Cs.
- Confirm if jailbroken devices (RASP) info is included in the Risk block and the action required from TPPs if customer triggers a consent request.
- Under get beneficiary API, what does activated and not activated enums mean?
- Confirm the log captured at OFP can be shared with LFI.
- What is the pricing model and how the yearly fees will change over time.
- Are there any logs of unauthorized attempts by TPP to get access to consent/data?
- Do we have any controls or tools to prevent DDoS-type attacks that can be triggered by TPP apps?
- Do we also need frontline / RCC screens to access customer consents and revoke them in case of a fraud notification from a customer?
- Can an LFI download the LFI reports through the API Hub Admin portal?
- Using a unique, surrogate identifier instead of a domestic account number or IBAN in APIs
- What are the Primary Business Contact Role and Responsibilities?
- Is it required to sign T&C to onboard to Open Finance platform?
- Is it necessary to publish two authorization servers if LFI wish to trigger different user authentication journeys for Retail and Wholesale?
- Does the API Hub share any headers to identify a customer is Retail or Wholesale.
- Is it mandatory to call the GET/auth and GET/consent APIs before SCA begins?
- What is the difference between request and consentBody for the consent manager payload?
- Will Ozone be a registered entity on the OFTF?
- What client authentication profiles does CBUAE support?
- Should service initiation operations in Ozone Connect implement idempotency keys?
- How are Virtual IBANs (VIBANs) supported by the Open Finance Framework?
- Is data ever stored in or transmitted to/from the API Hub in an un-encrypted format?
- What is the trust framework privacy policy?
- How many servers should an LFI create within the Trust Framework?
- Can an LFI test its TPP applications in a pre-production environment?
- What are the requirements for an LFI to gain access to OFTF production after being granted access to the OFTF sandbox?
- What roles do Primary and Secondary Technical Contacts (PTC / STC) have at the Trust Framework?
- When registering an account at the OFTF, my Country Code is not displayed on the drop-down list
- Will there be any networking requirements to access the API Hub?
- Can a TPP call the get /accounts operation when granted permission through a payment initiation consent?
- How does a TPP send the IBAN for the debtor and creditor account to the LFI?
- Are unauthorized connection attempts logged by the API Hub and provided in LFI Reports?
- Are we allowed to request the Identity and Accounts permissions irrespective of the merchant use case so that we can perform required transaction monitoring?
- What are the allowed methods of obtaining geolocation data to comply with TPP obligations?
- Do we need to do any automated KYB process for our customers? Or will the KYB process that we will have outlined as part of our application process be sufficient?
- What is the definition of Customer Present? Is a user on session considered to be present?
- Servicer field definition in Ozone Connect API
- What are the value limits for supported payment types?
- Is PII payload data encryption in place when customer data is shared by the LFI back to the OFP and then to the TPP?
- How are users identified within the PBC, SBC, and PTC roles, and how do access levels change based on their role?
- Why am I unable to add details under the Domain tab?
- How should PII be encrypted using JSON Web Encryption (JWE)?
- How is the customer IP Address transmitted?
- How is the Debtor Account sent to the LFI by the TPP?
- Can TPPs retrieve any details other than payment ID and status about a transaction after it’s been processed?
- How does the TPP get information about the accounts the user gave consent to?
- How long is a Pushed Authorization Request valid for before it expires?
- Where is all the Debtor related information for Delegated Authentication?
- How does an LFI identify an International Payment Consent?
- How to link Consents? What is a Base Consent ID (consentGroupId)?
- How Does A Receiving LFI Identify Open Finance Payments?
- Can LFIs use Risk Information for retrospective profiling of payment initiation requests?
- How should LFIs check for duplicate payments?
- How do LFIs identify Shariah-compliant TPPs?
- What can a PBC, PTC and STC do in the ecosystem?
- TPP and User Events to Agree to Initiate Payments
- Why do I encounter errors when generating a CSR for certificate creation?
- What are the requirements for management and communication of fraud notifications?
- How can I verify if my certificates are currently active on the Trust Framework?
- How can a TPP create an App certificate?
- Customer T&Cs changes - LFIs
- How can a participant retrieve a list of active LFIs on Sandbox and Production?
- How should private keys bound to Open Finance Certificates be stored?
- Guide to Multi Payments Types
- What is the Frequency definition for the Standing Order resource?
- What are the Trust Framework's Terms of Use?
© CBUAE 2025