Fraud Prevention Measures

This section outlines a number of measures within the Standard that contribute to the prevention of fraud.

1. Regulation and Licensing

1.1 Licensing

All LFI and TPP participants in the Open Finance ecosystem will be regulated by CBUAE. While LFIs are already regulated by default, TPPs are required to submit an application with specific supporting documentation in order to be approved as a licensed Open Finance provider. Licensed providers will be included in an Open Finance directory, allowing visibility and transparency of which providers may partake in Open Finance activities. This restricts unlicensed providers from committing fraudulent activity.

2. Trust Framework

2.1 Registration Framework

The Registration Framework defines the technical means by which licensed participants register themselves by leveraging a Trust Framework. It describes how a participant can confirm the identity of another institution and what access scope that institution has in the Open Finance ecosystem. The Registration Framework is based on the OIDC Federation Standard. A Federation establishes trust between entities by creating a shared network of trust.

2.2 API Security - FAPI 2.0

The Open Finance UAE Financial-grade API, a secure OAuth profile, is designed to offer detailed implementation guidelines for enhancing security and interoperability in UAE's Open Finance APIs. This Profile, a profile of the FAPI 2.0 Security Profile, aims to streamline optionality within the framework. Additionally, it incorporates specific features to address the Consent and Authorization Requirements pertinent to Open Finance UAE use cases.

Further detail on the security standards can be found in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot2draft1/pages/266371127.

3. AML/KYC/KYB

3.1 UAE Sanction List

Under the Financing of Proliferation and UN sanctions regimes with Targeted Financial Sanctions, the countries below are currently considered high risk and are therefore excluded from the Open Finance programme:

  • Democratic People’s Republic of Korea (DPRK)

  • Islamic Republic of Iran

  • Somalia

  • Iraq

  • Congo

  • Libya

  • Central African Republic

  • Yemen

  • South Sudan

  • Mali

3.2 KYC/KYB

KYC (Know Your Customer) and KYB (Know Your Business) are essential processes for preventing fraud in financial institutions and other regulated industries. They are designed to verify the identities of individuals and businesses to ensure that they are legitimate and to mitigate the risk of illicit activities such as money laundering, terrorist financing, and other forms of financial fraud.

As licensed entities, TPPs are expected to apply KYC/KYB checks to their users when onboarding them in line with the CBUAE regulations.

3.3 AML

Financial institutions are required to adhere to strict AML regulations to prevent money laundering and terrorist financing activities, in line with the CBUAE regulations. Institutions are required to implement robust AML policies and procedures (e.g., customer due diligence, and enhanced due diligence for high-risk customers).

4. Functionality

4.1 Risk Information Block

A TPP is expected to provide additional information in relation to the Payment Consent in the Risk Information Block, allowing the LFI to assess the risk of the payment. This includes the following:

  • User (Debtor) Indicators: Information related to the User including User Name, Geo Location, Device ID, Date/time of last password change, Date/time onboarded by the TPP

  • Destination Delivery Address: Information for all related e-commerce payments, including recipient name and type, full delivery address, with region, and country

  • Transaction Indicators: Information in relation to the transaction itself including Customer Present flag, Confirmation of Payee flag, Contract Present flag and initiating Channel

  • Beneficiary Indicators: Information in relation to the Beneficiary of the initiated payment including Beneficiary Account Type (Retail or Corporate), Beneficiary Prepopulated by TPP flag, Merchant Details (with Name and SIC code), Merchant Trading Name, Beneficiary Verified by TPP flag and additional Beneficiary Account holder Identifiers (such as a national ID or Passport Number for Retail accounts or business registration number for Business and Corporate accounts).

  • Merchant Details: Include the Merchant Identification. For the UAE Aani Core Scheme, the identification consists of the following:

    • A three character Emirates Code

    • A five character Issuer type code

    • A Trade License number

    • A four digit Economic activity code

LFIs are expected to use this data to assess risk in a non-discriminatory way.

Further detail concerning the risk information block can be found here.

4.2 Confirmation of Payee

Confirmation of Payee is a service which allows a debtor to check whether the exact name and surname, or business name, of the creditor matches the details provided by the debtor. The debtor is expected to provide the IBAN or account number (domestic payments) and the full name of the creditor. The result is returned as either an exact match or no match. An exact match reduces the likelihood of a fraudulent transaction taking place.

Further detail concerning Confirmation of Payee can be found in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1dot2draft1/pages/266374035.
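As an added example that is not part of the Standard, the following Python sketches the checks an LFI could run on the Risk Information Block described in 4.1 and the exact-match rule of 4.2. The field names, the concatenated layout of the Aani merchant identification and the account register are assumptions, since this page does not define them.

```python
import re
from dataclasses import dataclass
# Assumed wire layout (the page lists the four Aani components but not their
# order or separators): Emirates code (3 chars) + issuer type code (5 chars)
# + trade licence number (variable length) + economic activity code (4 digits).
MERCHANT_ID_RE = re.compile(
    r"^(?P<emirate>[A-Z0-9]{3})(?P<issuer>[A-Z0-9]{5})"
    r"(?P<licence>[A-Z0-9]+?)(?P<activity>\d{4})$"
)
# Hypothetical field names; the Standard's JSON schema is not on this page.
REQUIRED_USER = ("UserName", "GeoLocation", "DeviceId", "LastPasswordChange", "OnboardedByTpp")
REQUIRED_TXN = ("CustomerPresent", "ConfirmationOfPayee", "ContractPresent", "Channel")

@dataclass
class RiskInformationBlock:
    user_indicators: dict
    transaction_indicators: dict
    beneficiary_indicators: dict
    merchant_identification: str

def parse_merchant_id(value: str):
    """Split an Aani merchant identification into its four components, or None."""
    m = MERCHANT_ID_RE.match(value or "")
    return m.groupdict() if m else None

def validate_risk_block(block: RiskInformationBlock) -> list:
    """Return the findings an LFI would raise before assessing the payment's risk."""
    findings = []
    for key in REQUIRED_USER:
        if key not in block.user_indicators:
            findings.append(f"missing user indicator: {key}")
    for key in REQUIRED_TXN:
        if key not in block.transaction_indicators:
            findings.append(f"missing transaction indicator: {key}")
    if parse_merchant_id(block.merchant_identification) is None:
        findings.append("merchant identification does not follow the Aani format")
    # A beneficiary the TPP pre-populated but did not verify deserves closer scrutiny.
    ben = block.beneficiary_indicators
    if ben.get("PrepopulatedByTpp") and not ben.get("VerifiedByTpp"):
        findings.append("beneficiary prepopulated by TPP but not verified")
    return findings

# Constructed LFI-side register of account number -> registered account holder name.
COP_REGISTER = {
    "AE070331234567890123456": "Fatima Al Mansoori",
    "AE460030000000123456789": "Desert Rose Trading LLC",
}

def confirmation_of_payee(account: str, name: str) -> str:
    """Exact match or no match, as the service described above returns."""
    holder = COP_REGISTER.get(account)
    return "ExactMatch" if holder is not None and holder == name else "NoMatch"
```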

5. Liability Model

The liability model provides a clear indication of which party is liable and responsible at different stages of various scenarios within the Open Finance journey. This increases accountability at all stages of the Open Finance journey and therefore reduces the likelihood of fraudulent behaviour taking place as a result of negligence. The table below illustrates an example of an issue, indicating which party is liable, which is responsible, and what the extent of the redress is.

Issue | Example | Liable Party | Responsible Party | Extent of Redress
--- | --- | --- | --- | ---
Fraudulent or erroneous LFI authentication taking place via LFI direct channel or CAAP service | User states that they had not done the authentication for the OF service OR the LFI/CAAP authentication and authorization happened too quickly for them to comprehend. | LFI | LFI | Direct Losses & Open Finance Compensation
Failure to Revoke Consent – Requested via TPP Channel | | | |

Further examples and additional detail on the liability model can be found here.