Limitation of Liability Model


Version: 2.1

Publication Date: Nov 25, 2025

Classification: Public

1. Responsibilities of Eco-System Participants

1.1 Duty of Care

We will operate liability within the AlTareq (Open Finance) Ecosystem according to a principle: each participant and actor is responsible and accountable for their assigned or voluntary tasks or actions, be they manual, automated, system-based, technical or operational.

Each participant and actor will be held liable for their actions and the tasks for which they are responsible, should errors, breaches or issues occur. It is possible for TPPs to create arrangements with their customers where some of their liability is supported by contractual agreements with their customers, reflecting the roles that they play; however, these must not divert (or seek to divert), undermine, circumvent, or dilute any TPP responsibility from the Open Finance Regulations in the UAE and the AlTareq Open Finance Standards.

Such arrangements must not impact the responsibilities that TPPs have to consumers under consumer protection regulation, data protection and other applicable notices / rulings from the Central Bank of the UAE. Any arrangements that contravene the obligations TPPs and LFIs have will be deemed not to affect the application of the limitation of liability model to the relevant TPP or LFI.

Open Finance TPPs and LFIs have a duty of care to their Customers and Users to ensure that their services are provided with reasonable care and skill. This includes:

  • Secured systems/processes

  • Reliable services

  • Clear and accurate info

  • Accurate transaction execution

1.2 Breach of Duty

In case of any breaches, they may be liable for any direct losses suffered by their Users. For example, if a service provider fails to implement adequate security measures and a User's account is hacked, the service provider may be liable for any direct losses incurred by the User as a result of the hack.

1.3 Data Protection and Privacy

Service providers are also responsible for protecting the privacy and security of their Users' data. If a service provider fails to implement adequate data protection measures and a User's data is compromised or transmitted outside of the User’s intentions, they may be liable for any direct losses suffered by the User as a result.

1.4 Payment of Open Finance Compensation and Direct Losses

It is incumbent on all Open Finance TPPs and LFIs, in addition to other Eco-system participants, to pay the Open Finance Compensation, and compensate for any direct losses suffered, from the liable party to the affected party, as soon as a dispute verdict has been reached and its conclusion communicated to all relevant participants.

Indirect and Consequential losses will not be compensated as part of the Open Finance Rulebook and Standards; however, this does not remove the legal protection afforded by any applicable legislation / regulation within the UAE. The Open Finance limitation of liability also does not supersede or replace the Aani scheme rules and the disputes mechanisms / redress measures in place for transactions conducted on the Aani platform.

2. Liability

2.1 General / Consent / Authentication

| # | Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|---|
| 1 | Open Finance activity / transaction taking place without relevant and valid consent issued by the LFI | User was not presented the consent as per guidelines or the User states that they did authenticate but not authorize the consent | LFI | LFI | Direct Losses & Open Finance Compensation | Defined Below in specific cases |
| 2 | Failure by TPP to maintain an up-to-date state of the consent causing end user detriment | TPP did not properly maintain the consent state due to ineffective polling or missed webhooks or otherwise. As a result, a status change to the consent was not reflected to the end user, causing a payment failure, and leaving insufficient time for the user to resolve the issue and thereby incurring a fee | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| 3 | Failure to revoke consent – requested via TPP channel | User had revoked the consent through the TPP but this was not communicated to the LFI as a result erroneously keeps initiating payments | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| 4 | Consumer Protection obligations under CBUAE regulations and circulars are not followed by the LFI / TPP | LFIs and TPPs cannot remove their obligations in respect of consumer protection and must meet all CBUAE requirements, including when complying with AlTareq / Open Finance CX standards. TPPs and LFIs must ensure that their end-to-end customer experience (inside and outside of the consent journey) meets the standards / responsibilities set by CBUAE in their regulations and circulars concerning Consumer Protection. TPPs must issue Key Facts Statements for each of their AlTareq / Open Finance based services and products, as stated in the Open Finance Standards. | LFI / TPP | LFI / TPP | Direct Losses & Open Finance Compensation | 1000 |
| 5 | Failure to revoke consent – requested via LFI channel | User had revoked the consent through the LFI but this was not executed by the LFI leading to subsequent OF requests by the TPP unexpected by the User | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| 6 | Fraudulent or erroneous LFI authentication taking place via LFI direct channel or CAAP service | User states that they had not done the authentication for the OF service OR the LFI/CAAP authentication and authorization happened too quickly for them to comprehend | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
| 7 | Inaccurate or incomplete articulation of the extent of a consent to User | The details of the consent e.g. permissions requested, fees and charges, onward sharing details were not unambiguously and accurately communicated to the User leading to misunderstandings about scope of data usage | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| 8 | Failure to execute valid open finance request within SLA by TPP | The TPP did not initiate a payment as scheduled resulting in unintended consequences like penalties for the User | TPP | TPP | Direct Losses & Open Finance Compensation | 350 – 12 hrs +; 250 – 6 hrs +; 200 – 6 hrs or under |
| 9 | Failure to execute valid Open Finance request within SLA by LFI | The LFI did not execute a payment as scheduled by the TPP resulting in unintended consequences like penalties for the User | LFI | LFI | Direct Losses & Open Finance Compensation | 350 – 12 hrs +; 250 – 6 hrs +; 200 – 6 hrs or under |
| 10 | Failure to execute valid Open Finance request accurately by TPP | The TPP did not process account data using a long lived Data sharing consent as agreed with the User providing incorrect financial analysis influencing wrong financial decisions | TPP | TPP | Direct Losses & Open Finance Compensation | 250 |
| 11 | Failure to execute valid Open Finance request accurately by LFI | The LFI incorrectly resolved the beneficiary proxy resulting in the payment sent to the wrong beneficiary | LFI | LFI | Direct Losses & Open Finance Compensation | 250 |
| 12 | Failure to properly maintain data mapping by LFI, resulting in a TPP losing long-lived access to an authorized long-lived consent | The LFI mismanages or incorrectly handles consent mapping in their system, causing an authorized long-lived consent to become invalid or inaccessible. As a result, the TPP is forced to request the end user to reauthorize consent to restore access to previously approved resources | LFI | LFI | Direct Losses & Open Finance Compensation | 5,000 |
| 13 | Misrepresented Service Offering by TPP | The TPP advertises or presents functionality to users that is not published or available from the LFI (e.g., offering direct debit services when no direct debit API is published). | TPP | TPP | Direct Losses & Open Finance Compensation | 1,000 |
| 14 | Failure to Manage Deprecation and Endpoint Updates | The TPP fails to update or migrate their services to supported API versions after an LFI publishes deprecation notices, leading to service disruption or outdated user experiences. | TPP | TPP | Direct Losses & Open Finance Compensation | 2,500 |
| 15 | Failure by LFI to Effectively Manage Breaking Changes or Deprecation | The LFI makes breaking changes to published APIs or fails to provide adequate notice of deprecation or retirement of older versions, causing disruption to TPP services. (Inadequate notice should be assessed against the Deprecation and Change Management Guidelines [link to attachment]). | LFI | LFI | Direct Losses & Open Finance Compensation | 5,000 |
| 16 | Open Finance activity pre or post notifications not taking place despite regulatory responsibility of / agreement with TPP | User is not sent mandated notifications by the TPP before executing a scheduled payment using a long lived consent resulting in the User account being overdrawn incurring a charge | TPP | TPP | Direct Losses & Open Finance Compensation | 150 |
| 17 | Centralized API hub and / or Trust Framework failure | The consent control mechanism of the Open Finance Platform fails to control the existence and / or validity of User’s consent resulting in executing an unauthorized data sharing or transaction | Nebras | Nebras | Maximum of 5 million of direct losses per claim | N/A |
| 18 | Inaccurate categorization of an API call causing invalid commercial model application due to incorrect details supplied by TPP | A collection transaction is incorrectly categorized as a large value transaction, leading to potential misclassification and causing incorrect pricing to be applied | TPP | TPP | Direct Losses & Open Finance Compensation | 1000 |
| 19 | Inaccurate categorization of a corporate customer causing invalid commercial model application due to incorrect details supplied by LFI | An entity is incorrectly categorized as a corporate entity, leading to potential misclassification and causing incorrect pricing to be applied | LFI | LFI | Direct Losses & Open Finance Compensation | 1000 |

2.2 Security Incident

| # | Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|---|
| 1 | Security breach of LFI – cyber or physical (leading to data loss or fraudulent transactions) | The authentication mechanism of the LFI has been hacked or is not adequate as mandated, leading to unauthorized access of the Users' accounts through the OF services | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
| 2 | Security breach of TPP – cyber or physical (leading to data loss or fraudulent transactions) | The authentication mechanism of the TPP has been hacked or is not adequate; as a result, long lived consents previously authorized are being fraudulently used to access User’s account information or to initiate transactions | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
| 3 | Open Finance data transmitted to a party outside open finance eco-system by LFI | There was a breach of security at the LFI that led to the API being mis-used internally at the LFI, and Open Finance data sets were extracted and then sent outside of the LFI’s architecture as part of unapproved, unregulated activity | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
| 4 | Open Finance data transmitted to a party outside open finance eco-system by TPP | A TPP improperly shares data within the scope of open finance to external entities without consent of User thus jeopardizing data privacy and security | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
| 5 | TPP fails to ensure controlled access to TPP applications | TPP fails to enforce secure authentication mechanisms such as MFA, enabling unauthorized access and fraudulent initiation of payments, leading to financial loss for the User | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |

2.3 Data

| # | Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|---|
| 1 | Misuse (outside of consent or otherwise) or loss of data by TPP | TPP had requested a one-off consent for a Loan application, but the data was then shared with marketers without User’s consent resulting in a breach of data privacy | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
| 2 | Inaccurate data transmission, processing or analysis by TPP | The TPP is periodically accessing User account information and is erroneously processing the data to automate sweeping across multiple accounts resulting in financial losses | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| 3 | Data shared by LFI outside of consent or without valid consent and authentication | The TPP has requested only User information for Identity Verification use case but the LFI ends up sending transactional data as well | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
| 4 | Data transmitted incorrectly by LFI leading to inaccuracies, or is mis-mapped to Open Finance data model, in LFI mastered and stored data | The LFI response to request by TPP has poor quality of mandatory data where information is either missing or incorrectly mapped to the OF data model adversely impacting the quality and reliability of the service offered by the TPP to the User | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
| 5 | Data shared by LFI which contained inaccuracies from the LFI mastered and stored data | The LFI response to request by TPP has poor quality of data where information is either missing or incorrectly mapped to the OF data model adversely impacting the quality and reliability of the service offered by the TPP to the User | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
| 6 | User-submitted error for incorrect onboarding | A user enters incorrect personal details (e.g., name, DoB, or ID number) during onboarding, leading to failed KYC verification. This results in account registration delays or rejection | User | User | N/A | N/A |
| 7 | TPP-submitted error for incorrect onboarding | A Third-Party Provider (TPP) submits incorrect user data (e.g., mismatched identity details) during onboarding. This results in the user being incorrectly categorized or misrepresented, leading to inaccurate quotes, account verification failures, compliance issues, or unintended service restrictions | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| 8 | Data shared from LFI contains inaccuracies in User contributed data | An LFI disseminates data involving the User that contains errors or inaccuracies, which could potentially affect the User's financial interactions or status | LFI | User | Direct Losses | N/A |
| 9 | Misrepresentation of any open Finance data by TPP to User or other open finance participants | TPP has knowingly used account information from only 2 out of 4 accounts held by the User across LFIs to assess their creditworthiness which does not reflect the User’s true financial position. The TPP has offered the User a more expensive product or inaccurate advice based on such assessment | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| 10 | TPP fails to attempt confirmation of payee (CoP) when the User is setting up a new beneficiary | Where functionally possible, TPP is liable if it does not require the customer to attempt to verify the beneficiary’s account details through a Confirmation of Payee check, leading to an incorrect or fraudulent transfer [1] | TPP | TPP | Direct Losses & Open Finance Compensation | 250 |
| 11 | TPP fails to attempt conducting Confirmation of Payee (CoP) / KYC during the onboarding process of a new Merchant onto the TPP platform | Where functionally possible, TPP is liable if it does not require the customer to attempt to verify the Merchant’s account details through a Confirmation of Payee check, resulting in misrepresentation or unauthorized access | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |

2.4 Payments / Exchange

| # | Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|---|
| 1 | Inaccurate or inconsistent exchange / remittance / payment initiation / execution due to incorrect beneficiary details supplied and approved by User | The User has provided an incorrect beneficiary proxy and not verified the resolved beneficiary details resulting in an error | User | User | N/A | N/A |
| 2 | Inaccurate or inconsistent exchange / remittance / payment initiation / execution due to incorrect beneficiary details supplied by TPP | The TPP has incorrectly configured the receiving account of their onboarded Merchant resulting in misdirected payments from Users for purchase of goods eventually causing fulfillment issues | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| 3 | Inaccurate or inconsistent payment initiation / execution due to incorrect beneficiary details supplied by LFI (including via inaccurate proxy resolution) | The LFI has incorrectly resolved the beneficiary proxy provided by the User resulting in the payment sent to the incorrect beneficiary | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
| 4 | Payment initiation by TPP request contains mismatch to User stated intention / awareness | The shipping and/or service charges were obfuscated while requesting authorization for an eCommerce purchase resulting in the User feeling overcharged | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| 5 | Fraudulent or erroneous payment initiation occurring using VRP or delegated SCA payment consent by TPP | The User acknowledges that they authorized a Long-lived consent but is unable to recognize/reconcile transaction(s) for which they were not physically present or they had not physically authorized the TPP to initiate the transaction(s) | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
| 6 | Fraud monitoring of all payment activity from LFI held accounts | The LFI was not able to flag alerts and protect the User from fraud in spite of sharp increase in the transaction frequency or value for payments initiated by TPP using VRP or delegated SCA | LFI | LFI | Direct Losses & Open Finance Compensation | 250 |
| 7 | Payment initiated outside of VRP / future dated payment / bulk payment / part payment / refund consent | Processing errors possible by LFI where an LFI makes the incorrect copies of the consent from OFP and therefore adds an inaccurate validation process | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
| 8 | Fraudulent payment requests (including RTP and similar) issued via a TPP | Fraudulent Request to pay using OF wherein User ends up making payments to a fabricated bank account | TPP | User (Requesting) | Direct Losses & Open Finance Compensation | 500 |

9

Failure to execute payment within SLA by LFI, following valid payment initiation

© CBUAE 2025