Limitation of Liability Model
- Chris Michael
- Rajeev Walia
- Nicolas Khoriati
Version | 2.0 |
|---|---|
Publication Date | May 9, 2025 |
Classification | Public |
1. Responsibilities of Eco-System Participants
1.1 Duty of Care
Open Finance TPPs and LFIs have a duty of care to their Customers and Users to ensure that their services are provided with reasonable care and skill. This includes :
Secured systems/processes
Reliable services
Clear and accurate info
Accurate transaction execution
1.2 Breach of Duty
In case of any breaches, they may be liable for any direct losses suffered by their Users. For example, if a service provider fails to implement adequate security measures and a User's account is hacked, the service provider may be liable for any direct losses incurred by the User as a result of the hack.
1.3 Data Protection and Privacy
Service providers are also responsible for protecting the privacy and security of their Users' data. If a service provider fails to implement adequate data protection measures and a User's data is compromised or transmitted outside of the User’s intentions, they may be liable for any direct losses suffered by the User as a result.
1.4 Payment of Open Finance Compensation and Direct Losses
It is incumbent on all Open Finance TPPs and LFIs, in addition to other Eco-systems participants to pay to the Open Finance Compensation, and compensate for any direct losses suffered, from the liable party, to the affected party as soon a dispute verdict and has been reached its conclusion communicated to all relevant participants.
Indirect and Consequential losses will not be compensated as part of the Open Finance Rulebook and Standards, however, this does not remove the legal protection afforded by any applicable legislation / regulation within the UAE. The Open Finance limitation of liability does also not supersede or replace the Aani scheme rules and the disputes mechanisms / redress measures in place for transactions conducted on the Aani platform.
2. Liability
2.1 General / Consent / Authentication
Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|
Open Finance activity / transaction taking place without relevant and valid consent issued by the LFI | User was not presented the consent as per guidelines or the User states that they did authenticate but not authorize the consent | LFI | LFI | Direct Losses & Open Finance Compensation | Defined Below in specific cases |
Failure by TPP to maintain an up-to-date state of the consent causing end user detriment | TPP did not properly maintain the consent state due to ineffective polling or missed webhooks or otherwise. As a result, a status change to the consent was not reflected to the end user, causing a payment failure, and leaving insufficient time for the user to resolve the issue and thereby incurring a fee | TPP | TPP | Direct Losses & Open Finance Compensation | 250 |
Failure to revoke consent – requested via TPP channel | User had revoked the consent through the TPP but this was not communicated to the LFI as a result erroneously keeps initiating payments | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Failure to revoke consent – requested via LFI channel | User had revoked the consent through the LFI but this was not executed by the LFI leading to subsequent OF requests by the TPP unexpected by the User | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Fraudulent or erroneous LFI authentication taking place via LFI direct channel or CAAP service | User states that they had not done the authentication for the OF service OR the LFI/CAAP authentication and authorization happened too quickly for them to comprehend | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
Inaccurate or incomplete articulation of the extent of a consent to User | The details of the consent e.g permissions requested, fees and charges, onward sharing details were not unambiguously and accurately communicated to the User leading to misunderstandings about scope of data usage | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Failure to execute valid open finance request within SLA by TPP | The TPP did not initiate a payment as scheduled resulting in unintended consequences like penalties for the User | TPP | TPP | Direct Losses & Open Finance Compensation | 350 – 12 hrs + |
Failure to execute valid Open Finance request within SLA by LFI | The LFI did not execute a payment as scheduled by the TPP resulting in unintended consequences like penalties for the User | LFI | LFI | Direct Losses & Open Finance Compensation | 350 – 12 hrs + |
Failure to execute valid Open Finance request accurately by TPP | The TPP did not process account data using a long lived Data sharing consent as agreed with the User providing incorrect financial analysis influencing wrong financial decisions | TPP | TPP | Direct Losses & Open Finance Compensation | 250 |
Failure to execute valid Open Finance request accurately by LFI | The LFI incorrectly resolved the beneficiary proxy resulting in the payment sent to the wrong beneficiary | LFI | LFI | Direct Losses & Open Finance Compensation | 250 |
Failure to properly maintain data mapping by LFI, resulting in a TPP losing long-lived access to an authorized long-lived consent | The LFI mismanages or incorrectly handles consent mapping in their system, causing an authorized long-lived consent to become invalid or inaccessible. As a result, the TPP is forced to request the end user to reauthorize consent to restore access to previously approved resources | LFI | LFI | Direct Losses & Open Finance Compensation | 5,000 |
Misrepresented Service Offering by TPP | The TPP advertises or presents functionality to users that is not published or available from the LFI (e.g., offering direct debit services when no direct debit API is published). | TPP | TPP | Direct Losses & Open Finance Compensation | 1,000 |
Failure to Manage Deprecation and Endpoint Updates | The TPP fails to update or migrate their services to supported API versions after an LFI publishes deprecation notices, leading to service disruption or outdated user experiences. | TPP | TPP | Direct Losses & Open Finance Compensation | 2,500 |
Failure by LFI to Effectively Manage Breaking Changes or Deprecation | The LFI makes breaking changes to published APIs or fails to provide adequate notice of deprecation or retirement of older versions, causing disruption to TPP services. (Inadequate notice should be assessed against the Deprecation and Change Management Guidelines [link to attachment]). | LFI | LFI | Direct Losses & Open Finance Compensation | 5,000 |
Open Finance activity pre or post notifications not taking place despite regulatory responsibility of / agreement with TPP | User is not sent mandated notifications by the TPP before executing a scheduled payment using a long lived consent resulting in the User account being overdrawn incurring a charge | TPP | TPP | Direct Losses & Open Finance Compensation | 150 |
Centralized API hub and / or Trust Framework failure | The consent control mechanism of the Open Finance Platform fails to control the existence and /or validity of User’s consent resulting in executing an unauthorized data sharing or transaction | Nebras | Nebras | Maximum of 5 million of direct loses per claim | N/A |
Inaccurate categorization of an API call causing invalid commercial model application due to incorrect details supplied by TPP | A collection transaction is incorrectly categorized as a large value transaction, leading to potential misclassification and causing incorrect pricing to be applied | TPP | TPP | Direct Losses & Open Finance Compensation | 1000 |
Inaccurate categorization of a corporate customer causing invalid commercial model application due to incorrect details supplied by LFI | An entity is incorrectly categorized as a corporate entity, leading to potential misclassification and causing incorrect pricing to be applied | LFI | LFI | Direct Losses & Open Finance Compensation | 1000 |
2.2 Security Incident
Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|
Security breach of LFI – cyber or physical (leading to data loss or fraudulent transactions) | The authentication mechanism of the LFI has been hacked or is not adequate as mandated, leading to unauthorized access of the Users accounts through the OF services | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
Security breach of TPP – cyber or physical (leading to data loss or fraudulent transactions) | The authentication mechanism of the TPP has been hacked or is not adequate as result long lived consents previously authorized are being fraudulently used to access User’s account information or to initiate transactions | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
Open Finance data transmitted to a party outside open finance eco-system by LFI | There was a breach of security at the LFI that led to the API being mis-used internally at the LFI, and Open Finance data sets were extracted and then sent outside of the LFI’s architecture as part of unapproved, unregulated activity | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
Open Finance data transmitted to a party outside open finance eco-system by TPP | A TPP improperly shares data within the scope of open finance to external entities without consent of User thus jeopardizing data privacy and security | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
TPP fails to ensure controlled access to TPP applications | TPP fails to enforce secure authentication mechanisms such as MFA, enabling unauthorized access and fraudulent initiation of payments, leading to financial loss for the User | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
2.3 Data
Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|
Misuse (outside of consent or otherwise) or loss of data by TPP | TPP had requested a one-off consent for a Loan application, but the data was then shared with marketers without User’s consent resulting in a breach of data privacy | TPP | TPP | Direct Losses & Open Finance Compensation | 750 |
Inaccurate data transmission, processing or analysis by TPP | The TPP is periodically accessing User account information and is erroneously processing the data to automate sweeping across multiple accounts resulting in financial losses | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
Data shared by LFI outside of consent or without valid consent and authentication | The TPP has requested only User information for Identity Verification use case but the LFI ends up sending transactional data as well | LFI | LFI | Direct Losses & Open Finance Compensation | 750 |
Data transmitted incorrectly by LFI leading to inaccuracies, or is mis-mapped to Open Finance data model, in LFI mastered and stored data | The LFI response to request by TPP has poor quality of mandatory data where information is either missing or incorrectly mapped to the OF data model adversely impacting the quality and reliability of the service offered by the TPP to the User | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
Data shared by LFI which contained inaccuracies from the LFI mastered and stored data | The LFI response to request by TPP has poor quality of data where information is either missing or incorrectly mapped to the OF data model adversely impacting the quality and reliability of the service offered by the TPP to the User | LFI | LFI | Direct Losses & Open Finance Compensation | 500 |
User-submitted error for incorrect onboarding | A user enters incorrect personal details (e.g., name, DoB, or ID number) during onboarding, leading to failed KYC verification. This results in account registration delays or rejection | User | User | N/A | N/A |
TPP-submitted error for incorrect onboarding | A Third-Party Provider (TPP) submits incorrect user data (e.g., mismatched identity details) during onboarding. This results in the user being incorrectly categorized or misrepresented, leading to inaccurate quotes, account verification failures, compliance issues, or unintended service restrictions | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Data shared from LFI contains inaccuracies in User contributed data | An LFI disseminates data involving the User that contains errors or inaccuracies, which could potentially affect the User's financial interactions or status | LFI | User | Direct Losses | N/A |
Misrepresentation of any open Finance data by TPP to User or other open finance participants | TPP has knowingly used account information from only 2 out of 4 accounts held by the User across LFIs to assess their creditworthiness which does not reflect the User’s true financial position. The TPP has offered the User a more expensive product or inaccurate advice based on such assessment | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
TPP fails to attempt confirmation of payee (CoP) when the User is setting up a new beneficiary | Where functionally possible, TPP is liable if it does not require the customer to attempt to verify the beneficiary’s account details through a Confirmation of Payee check, leading to an incorrect or fraudulent transfer1 | TPP | TPP | Direct Losses & Open Finance Compensation | 250 |
TPP fails to attempt conducting Confirmation of Payee (CoP) / KYC during the onboarding process of a new Merchant onto the TPP platform | Where functionally possible, TPP is liable if it does not require the customer to attempt to verify the Merchant’s account details through a Confirmation of Payee check, resulting in misrepresentation or unauthorized access | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
2.4 Payments / Exchange
Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|
Inaccurate or inconsistent exchange / remittance / payment initiation / execution due to incorrect beneficiary details supplied and approved by User | The User has provided an incorrect beneficiary proxy and not verified the resolved beneficiary details resulting in an error | User | User | N/A | N/A |
Inaccurate or inconsistent exchange / remittance / payment initiation / execution due to incorrect beneficiary details supplied by TPP | The TPP has incorrectly configured the receiving account of their onboarded Merchant resulting in misdirected payments from Users for purchase of goods eventually causing fulfillment issues | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Inaccurate or inconsistent payment initiation / execution due to incorrect beneficiary details supplied by LFI (including via inaccurate proxy resolution) | The LFI has incorrectly resolved the beneficiary proxy provided by the User resulting the payment sent to the incorrect beneficiary | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Payment initiation by TPP request contains mismatch to User stated intention / awareness | The shipping and/or service charges were obfuscated while requesting authorization for an eCommerce purchase resulting in the User feeling overcharged | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Fraudulent or erroneous payment initiation occurring using VRP or delegated SCA payment consent by TPP | The User acknowledges that they authorized a Long-lived consent but is unable to recognize/reconcile transaction(s) for which they were not physically present or they had not physically authorized the TPP to initiate the transaction(s) | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
Fraud monitoring of all payment activity from LFI held accounts | The LFI was not able to flag alerts and protect the User from fraud in spite of sharp increase in the transaction frequency or value for payments initiated by TPP using VRP or delegated SCA | LFI | LFI | Direct Losses & Open Finance Compensation | 250 |
Payment initiated outside of VRP / future dated payment / bulk payment / part payment / refund consent | Processing errors possible by LFI where an LFI makes the incorrect copies of the consent from OFP and therefore add an inaccurate validation process | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Fraudulent payment requests (including RTP and similar) issued via a TPP | Fraudulent Request to pay using OF wherein User ends up making payments to a fabricated bank account | TPP | User (Requesting) | Direct Losses & Open Finance Compensation | 500 |
Failure to execute payment within SLA by LFI, following valid payment initiation | The User has lost out on favorable contracts which depend on time sensitive purchases like trading for stocks or buying forex because the LFI took too long to execute such payments | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Inaccurate or incomplete articulation of payment consent for VRP or delegated SCA to User | User was not unambiguously presented the available controls in form of transaction limits for a VRP which resulted in payments being initiated which were not as expected by the User | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Exchange / Remittance / Payment transaction amount / date / currency / description / LFI / source account incorrect due to User Input | Payment details such as amount, date, currency, or account source are incorrect due to errors entered by the User, leading to failed or erroneous transactions | User | User | N/A | N/A |
Exchange / Remittance / Payment transaction amount / date / currency / description incorrect due to LFI processing error | The LFI system had addition or transposition errors or a glitch where mandatory payment references like those for Card/Bill payments were truncated. All of these could lead to erroneous execution of payment | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Exchange / Remittance / payment transaction amount / date / currency / description incorrect due to TPP processing error | The TPP system had addition or transposition errors or a glitch where mandatory payment references like those for Card/Bill payments were truncated. All of these could lead to erroneous execution of payment by the LFI | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
AML / Financial crime responsibilities for payments including transactional monitoring and PEP / sanction / terrorism screening | The LFI must screen all payments required to be screened by AML regulation and legislation | LFI | LFI | Direct Losses | N/A |
Exchange / remittance transaction or payment execution duplication by LFI | The Payment has been executed incorrectly by the LFI (e.g. taken twice due to technical glitch) | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Exchange / remittance transaction or payment initiation duplication by TPP | The TPP system has a technical glitch where the Payment initiated as part of a VRP or delegated SCA is duplicated | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Breach of contract or misrepresentation by Merchant | Failure to deliver complete, usable or functional goods / services , as they were described, despite valid and completed payment via Open Finance, including in the case of Merchant insolvency | Merchant | Merchant | Direct Losses & Open Finance Compensation | 100 |
Merchant legitimacy and consistency of entity name / account name / KYC status at LFI / trading name as presented to the User | The TPP must onboard the Merchant via a KYB process which ensures that the trading name represented to their customers as part of payment collections processes are legitimate and are approved legally with relevant authorities | TPP | TPP | Direct Losses & Open Finance Compensation | 500 |
User legitimacy and consistency of legal name / account name / KYC status at LFI as presented within Open Finance ecosystem | The TPP must onboard individual Users via a process which utilizes their KYC-ed record at an LFI, which contains verified data and has not expired as a valid KYC record. The User must only represent themselves on the OF platform and in OF transactions with the same name to be held at the LFI | TPP | LFI | Direct Losses & Open Finance Compensation | 350 |
Inaccurate or invalid charging of customer for goods / services, when payment for those goods / services is settled via Open Finance payment initiation | The shipping and/or service charges were obfuscated while requesting authorization for an eCommerce payment resulting in the User feeling overcharged | Merchant | Merchant | Direct Losses & Open Finance Compensation | 100 |
Refund failed to be initiated and completed from Merchant, despite complete return of goods / inability to utilise services, as they were described or delivered | The refund was only partially paid, despite a full refund being agreed / an entitlement of the customer, given the circumstances | Merchant | Merchant | Direct Losses & Open Finance Compensation | 100 |
Payment funded from an incorrect account, caused by LFI error | The debited account for an OF initiated payment was one other than the one selected by the User with the TPP, due to a LFI processing error | LFI | LFI | Direct Losses & Open Finance Compensation | 150 |
Payment funded from an incorrect account, caused by TPP error | The debited account for an OF initiated payment was one other than the one selected by the User with the TPP, due to a TPP User interface error | TPP | TPP | Direct Losses & Open Finance Compensation | 150 |
2.5 Quotation
Issue | Example / Requirement | Liable Party | Responsible Party | Extent of Redress | OF Compensation / AED |
|---|---|---|---|---|---|
Inaccurate data provided by TPP resulting in an incorrect quote | The TPP shares incorrect / incomplete User information with the LFI resulting in unreliable exchange / remittance quotation information provided by the LFI | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Inaccurate data provided by the user resulting in an incorrect quote | A user mistakenly enters incorrect personal or financial details, such as an inflated income, incorrect age, or an inaccurate credit score, when requesting a quote. As a result, the LFI generates a quote based on faulty data, leading to discrepancies in pricing or eligibility causing delays in processing, unexpected adjustments, or rejection upon verification | User | User | N/A | N/A |
Inaccurate quotation provided by LFI | The LFI provides an exchange / remittance quotation that, due to internal errors, resulted in higher prices | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Incomplete quotation provided by LFI | The LFI fails to provide complete information about applicable charges, resulting in the User being overcharged | LFI | LFI | Direct Losses & Open Finance Compensation | 350 |
Non-adherence to CX standards (e.g., Failure to communicate quotation expiry) | The TPP fails to notify Users about FX/remittance quote expirations, causing customers to accept outdated rates | TPP | TPP | Direct Losses & Open Finance Compensation | 350 |
Incorrect metadata relevant to LFI performance and context to a quote | The LFI provides incorrect or incomplete metadata related to a financial product or service quote, leading to misinterpretation of costs, terms, or service availability. This can result in users making decisions based on inaccurate information, potentially leading to financial losses or compliance issues | LFI | LFI | Direct Losses & Open Finance Compensation | 1,000
|
Incorrect quotation execution rate compared to the initially quoted rate (within acceptable tolerance) | The LFI provides a quoted rate for a financial transaction, but the executed rate deviates beyond an acceptable tolerance. This results in the customer receiving a different financial outcome than expected, potentially leading to dissatisfaction, financial loss, or disputes | LFI | LFI | Direct Losses & Open Finance Compensation | 5,000 |
Misalignment between the Open Finance quote and quotes provided through other channels | The LFI provides a quoted price for a financial product or service through the OF platform, but the same product is listed at a different price or terms when accessed through other official channels. This inconsistency leads to customer confusion, trust issues, and potential disputes. | LFI | LFI | Direct Losses & Open Finance Compensation | 5,000 |
Incorrect commission calculations by LFI (for products such as insurance or FX) | LFI calculates and pays incorrect commission amounts to brokers due to system errors, misconfiguration, or logic issues | LFI | LFI | Direct Losses & Open Finance Compensation | 2,500 |
Use of commissions received through Open Finance by an LFI acting as a TPP to subsidize its own quote, resulting in a distortion of competition | An exchange house may use commission it earns to artificially lower the price of its own quotes on the platform, making it’s offers appear more competitive to win business | LFI | LFI | OF compensation to other LFIs who submitted quotes to the user | 2,000 |
Note
In the case of systemic errors and omissions, LFI and/or TPP must conduct a comprehensive internal assessment to proactively identify impacted consumers
Claims related to the same issue can't be submitted more than once within 36 hours period
In the event that a merchant, as the liable party, fails to compensate the customer for both direct losses and additional compensation, the TPP, as direct counterparty, will assume the liability. The TPP has the option to create back to back liability through contractual obligations with the merchant. However, ultimate liability will rest with the TPP, ensuring that the customer is protected even if the merchant defaults on payment.
Open finance participants, particularly TPPs, are advised to secure appropriate insurance coverage to mitigate liability risks arising from transaction disputes, such as cases where goods or services are not delivered or other risks imposed by the liability model. This approach ensures financial protection for TPPs when merchants fail to meet their obligations, thereby managing potential exposure.
For FX transactions, LFIs provide validity period of the quote; for insurance quotes, the validity period is set at 30 days from the date the quote is issued
Open Finance participants (including LFIs and TPPs) should not be subject to liability model fines for late payments caused by delays due to fraud, sanctions, or AML checks
3. Indirect and Consequential Losses
3.1 Indirect Losses
Losses that do not flow directly and immediately from the act but are a result of the act in a more roundabout way
Lost Profits: Income that would have been earned if the transaction had been executed as agreed
Lost of Opportunity: Cost associated with lost business opportunities due to inability to access funds or data errors
Reputational Damage: Harm to a company/individual's reputation due to failures or breaches
3.2 Consequential Losses
Losses that arise as a foreseeable consequence of the breach or failure but are not the direct result of it
Additional Operational Costs: Costs incurred to mitigate or rectify issues such as additional staffing and system checks
Extended Downtime Costs: Losses incurred from extended system downtime or service disruption
Increased Costs Business: Costs from securing emergency funds due to payment processing errors or delays
3.3 Tortuous Losses
Losses due to wrongful acts or omissions by a party handling, processing, or securing financial data and transactions
Tortuous Losses: Losses that occur as a result of a series of events that, while not directly linked to the initial breach or failure, are ultimately traceable back to it through a complex chain of causation
© CBUAE 2025