AlTareq Consent Mobile App User Guide
| Version | 1.0 |
|---|---|
| Publication Date | Mar 31, 2025 |
| Classification | PUBLIC |
1. Description
The AlTareq Consent Mobile Application is a Centralized Authentication and Authorization Provider (CAAP) designed to facilitate secure and seamless digital authentication and authorization for Open Finance transactions. It allows users to onboard, manage consents, and authorize payments and data-sharing requests across different financial institutions and third-party providers (TPPs).
1.1 Compliance & Standards
The CAAP is built in accordance with:
CAAP Principles - The app follows the Centralized Authentication and Authorization Provider (CAAP) principles as outlined in the document: CAAP Principles.
UAE Open Finance Standards - The initial version of the CAAP is fully compliant with version 1.2 of the UAE Open Finance Standards and Customer Experience (CX) Requirements, ensuring alignment with regulatory expectations and best practices: UAE Open Banking Standard.
Strong Customer Authentication (SCA) Guidelines - The CAAP complies with the Strong Customer Authentication (SCA) requirements, ensuring enhanced security for user authentication and transaction authorization: SCA Guidelines.
2. Key Functionality
The CAAP provides the following functionalities:
2.1 User Onboarding & Identity Verification
The CAAP supports multiple onboarding journeys, either initiated by a Third-Party Provider (TPP) or through pre-onboarding directly with a Licensed Financial Institution (LFI). Users have the flexibility to verify their identity using one of the available secure authentication methods.
Emirates Face Recognition (EFR) - Users can verify their identity by scanning their Emirates ID and using facial recognition.
UAE Pass Integration (Upcoming Feature) - Users will be able to verify their identity using UAE Pass for a secure and seamless experience. Support for UAE Pass will be added after the initial release.
2.2 Consent Management
The CAAP supports all consent types introduced in the supported CBUAE Open Banking Standard, allowing users to efficiently manage their consents with full transparency and control. Users can:
View both active and inactive consents.
Access detailed consent information.
Revoke active consents at any time.
The app provides consent management through the following functionality:
Consent Dashboard - Provides users with an overview of all granted active and inactive consents across different financial institutions, ensuring they have full visibility and management capabilities.
Filtering & Search Functionality - To enhance ease of use, the app offers advanced filtering and search options:
Filter by Consent Type - Users can filter consents by Bank Data, Insurance, Payments, and FX.
Search Consents - Users can quickly find specific consents based on LFI Name, TPP Name, Consent ID, or other relevant details.
Search Functionality - Users can search for specific consent details based on LFI Name, TPP Name, Consent ID, and other relevant metadata.
Consent Details - Users can review comprehensive consent information, including:
TPP Name - The third-party provider that requested the consent.
Consent Status - Whether the consent is active or inactive.
Permission Details - Specific access rights granted within the consent.
Consent Creation Date - The date when the consent was established.
Other Relevant Details - Any additional information applicable to the particular consent type (e.g., expiration date, data-sharing specifics, or payment authorization scope).
Consent Revocation - Users have the ability to revoke consent at any time, immediately severing authorization between the financial institution and the third-party provider. This ensures greater control and security over personal financial data.
2.3 Data Sharing Authorization Requests
The CAAP supports data-sharing consent authorization requests for different services supported by UAE Open Finance Standards, including Bank Data and Insurance, as well as varying consent permission types, such as One-time and Ongoing. The consent request screens are designed in accordance with UAE Open Finance Standards CX requirements, ensuring a clear and user-friendly experience. Specifically, each consent request screen includes:
TPP Information - Displaying the name of the third-party provider requesting authorization.
Accounts/Policies - Users can see which bank accounts or insurance policies they wish to share.
Detailed Data Scope - Information on exactly what data will be shared with the TPP.
Consent Validity Period - For ongoing consents, the duration of validity is clearly stated.
2.3.1 Supported Data Sharing Type Consents
Bank Data Sharing - Users authorize sharing of account details, transactions, and regular payments with a selected TPP.
Insurance Data Sharing - Users authorize sharing of policy details, customer information, and payment history with a selected TPP.
2.3.2 Supported Data Sharing Consents Validity
One-Time Consent - A single-use authorization to share specific data with a TPP for a defined request.
Ongoing Consent - A continuous authorization that allows a TPP to access user data periodically until revoked or expired.
2.4 Payment Authorization Requests
The CAAP supports payment consent authorization requests for various payment types supported by UAE Open Finance Standards, enabling users to securely authorize and manage different transactions. The consent request screens are designed in accordance with UAE Open Finance Standards CX requirements, ensuring transparency and user control. Specifically, each consent request screen includes:
TPP Information - Displaying the name of the third-party provider requesting payment authorization.
Payment Details - Information on the amount, payee details, IBAN, payment reference, and purpose of the transaction.
Consent Validity Period - For recurring payments, users are informed of the duration of authorization.
User Confirmation - Users are presented with a final review and approval step before authorizing the payment.
2.4.1 Supported Payment Type Consents
Single Instant Payment - Users can authorize secure, one-time payments that are processed immediately.
Multi-Payments - Includes support for:
Fixed Recurring Payments (FRPs) - Recurring payments of a fixed amount at scheduled intervals.
Variable Recurring Payments (VRPs) - Recurring payments with variable amounts based on user consent.
Combined Payments - Recurring payments with a One-Time Setup.
International Payments - Users can approve cross-border transactions, with details on FX rates, transaction fees, and destination country clearly displayed.
Bulk and Batch Payments - Users can authorize multiple transactions at once, providing efficient processing for business and multi-recipient transactions.
Payment Refunds - Users can authorize and track refunds for previously completed transactions.
2.5 Third-Party Provider (TPP) Redirections
The CAAP seamlessly integrates with Third-Party Provider (TPP) applications via secure redirection mechanisms, supporting multiple authentication approaches to ensure a smooth and secure user experience.
2.5.1 Supported Authentication Approaches
Redirect Authentication - The user is redirected from the TPP’s interface to the CAAP to complete authentication and authorization before returning to the TPP.
Decoupled Authentication - The authentication process is initiated by the TPP, but the user completes it separately on the CAAP, using a web page with a generated QR code.
2.5.2 Supported Redirection Types
Decoupled Redirection - The user uses a QR code on a web page to redirect to the mobile app and continue with authorization.
App-to-App Redirection - Users accessing the TPP from a mobile app are redirected to the CAAP for authentication and authorization.
Web-to-App Redirection - The app supports mixed redirection flows, allowing users to start authentication on a web interface and complete it in the mobile app.
2.5.3 Redirection Flow
Inbound Redirection - Users are securely redirected from the TPP (web or app) to the CAAP (web or app) for authentication and authorization.
Outbound Redirection - After successfully completing authentication, users are automatically redirected back to the originating TPP, ensuring a seamless continuation of their journey.
2.6 Additional Features & Considerations
Deferred Deep Linking - If a user does not have the app installed, redirections provide app download links and save consent details for retrieval post-installation.
Multiple LFI Linking - Users can link multiple financial institutions without re-verification.
Session Management - Sessions automatically expire after authorization, requiring re-authentication for new requests.
Offline Mode - Users can view their consent details even without an internet connection (syncs upon reconnection).
Multi-Device Support - Users can access the app from different devices securely using their credentials.
3. Supported User Flows
Below are examples of key user flows available within the CAAP, covering the essential interactions users can perform. These flows are designed to ensure a secure, seamless, and intuitive experience when onboarding, managing consents, and authorizing transactions.
3.1 Pre-Onboarding Flow
The onboarding process allows users to create their profile and verify their identity. This can be initiated either by a Third-Party Provider (TPP) or directly by the user with a Licensed Financial Institution (LFI). Users are guided through a secure authentication process using methods such as Emirates Face Recognition (EFR) or UAE Pass (upcoming feature), ensuring compliance with regulatory standards.
The examples below show the onboarding flow initiated directly by the user:
| No. | Screen Description |
|---|---|
| 1 | User selects which identity verification method to proceed with; in this case, the user will proceed with Emirates Face Recognition (EFR). |
| 2 | User will scan their Emirates ID for EFR to ensure a secure identity verification process; until this is completed, the screen will display “Scanning” at the bottom. |
| 3 | As part of the EFR process, the user aligns their face with the on-screen frame for identity verification. |
| 4 | User has successfully verified their identity using EFR; the Continue button will take them to the next screen for authorization with the LFI. |
| 5 | User will authorize a connection with RAKBANK via the CAAP; this will be done via a 6-digit OTP with the option to “Add your provider”. |
| 6 | User has successfully authorized a connection between RAKBANK and CAAP. |
3.2 Data Sharing Authorization Flow
When a Third-Party Provider (TPP) requests access to a user's data, the user is redirected to the CAAP to review and authorize the request. Users can select which accounts or policies to share, view the specific data being accessed, and set the consent validity period for ongoing authorizations. Once approved, the user is redirected back to the TPP, completing the secure data-sharing process.
The examples below show the bank data sharing authorization flow:
| No. | Screen Description |
|---|---|
| 1 | User is redirected from the TPP app to the CAAP, informing them to keep the window open. |
| 2 | Loading screen is displayed for the user after redirecting to the CAAP. |
| 3 | User authenticates into the CAAP via Face ID. |
| 4 | User selects which account(s) they want to authorize as part of the consent to the TPP for the LFI Orange Bank; a review of the information that will be shared as part of this consent is listed. |
| 5 | User has selected which account(s) they want to authorize as part of the consent, with an option to ‘Proceed’. |
| 6 | User is redirected from AlTareq to the TPP after proceeding with the authorization of the consent. |
3.3 Payment Authorization Flow
When a TPP requests a payment authorization, users are redirected to the CAAP to securely review and approve the request. Depending on the payment type—Single Instant Payment, Multi-Payments (FRPs, VRPs, Combined Payments), International Payments, Bulk and Batch Payments, or Refunds—users can confirm transaction details before authorization. Recurring payment consents also display the validity period and amount limits.
The examples below show the single instant payment authorization flow:
| No. | Screen Description |
|---|---|
| 1 | User is redirected from the TPP app to the CAAP, informing them to keep the window open. |
| 2 | Loading screen is displayed for the user after redirecting to the CAAP. |
| 3 | User authenticates into the CAAP via Face ID. |
| 4 | User selects which account(s) they want to initiate a Single Immediate Payment from; a review of the payment details is displayed on the screen. |
| 5 | User has selected which account(s) they want to initiate a Single Immediate Payment from; a review of the payment details is displayed on the screen. |
| 6 | User is redirected from CAAP to the TPP after proceeding with the authorization of the consent. |
3.4 Consent Management Flow
Users have full control over their granted consents. Through the Consent Dashboard, they can review details of all past and active consents, revoke authorizations, or adjust sharing preferences. The system ensures transparency by clearly indicating who the consent was granted to, what data is being shared, and for how long.
The examples below show the consent management and revocation flow:
| No. | Screen Description |
|---|---|
| 1 | This screen displays a consent dashboard, which provides the user with a categorised list of all their consents with the LFI listed on the left and the TPP on the right. The consents are categorised between Bank, Insurance, Payments & FX and also shows an active / history breakdown with a number of overall consents on each. |
| 2 | User selects an active consent to view its details. |
| 3 | User has the ability to confirm that they want to revoke their consent between the LFI and the TPP, or the option to cancel. |