FAPI Certification

This space is deprecated and no longer supported. Please use the latest available version here.

Disclaimer

Note that the implementation of FAPI 2.0 Security Tests within the Open Finance Structure, in collaboration with the OpenID Foundation (OIDF), is still under discussion. Consequently, these tests have not yet been deployed by the Foundation and are therefore not available for execution at the provided links. Additionally, the certification policies are subject to significant updates and revisions to thoroughly refine their content and recommendations. Thus, the guidelines presented herein are provisional and should only be considered as a reference for the expected requirements at the Ecosystem's launch.

1. Introduction

This guide explains how to use the tool provided by the OpenID Foundation (OIDF), the "Security Compliance Engine" (conformance suite), to test and certify the security scope of Authorization Servers (OpenID Providers, OPs) and Data Receiving Applications (Relying Parties, RPs).

1.1. Objectives and General Concepts

For secure and reliable entry into the Open Finance Ecosystem, participants are required to run security-layer tests against their applications and then certify those applications using the framework created and maintained by the OpenID Foundation:

An Open Finance data receiving and transmitting application can only be registered in the Trust Framework's productive environment if it has been certified in the security tests maintained by the OIDF.

1.2. Scope

Within the scope envisaged by the compliance engines, the following certifications will be expected:

Security

  • Data Providers (LFIs): FAPI 2.0 UAE Open ID Providers*

  • Data Receivers (TPPs): FAPI 2.0 UAE Relying Parties

*Data transmitting institutions that use the API Hub provided by the Open Finance structure and implemented by Ozone API will not need additional certification, as the certification performed by Ozone is sufficient for production entry.

1.3. Certification Object

Security certifications can be carried out in a productive or pre-productive (homologation) environment, at the participant's choice.

If opting for a pre-productive environment, it should mirror the production environment, having the same architecture, network elements, and software versions as in production.

After the tests, all used data, including public and private keys of certificates and client data from the test, will be made available in the ecosystem, visible to other participants and subject to audit. Therefore, if an institution opts to perform the certification in a productive environment, it must be aware and responsible for revoking the certificates used during the tests and for obtaining any required customer consent.

2. Testing and Certification Process

2.1. Execution of Conformance Tests

To run the Conformance Tests, please consult the documentation issued by the OIDF:

2.2. Request for Security Certification

To request security certification from the OIDF, participants should consult the instructions at the following address: https://openid.net/certification/op_submission/

2.3. Additional OIDF Documentation

In addition to the FAPI profile specifications mentioned at the end of this Guide, the OIDF also recommends that institutions seeking FAPI certification read the article "FAPI Explained by an Implementer – Updated". The article can be accessed at the following link: Financial-grade API (FAPI), Explained by an Implementer – Updated

3. Costs

As stated on its official page, the costs for each certificate are fixed, differ for members and non-members, and are paid directly to the OpenID Foundation. The price table for FAPI certification is available at: https://openid.net/certification/fees/

Given the reduced certification costs available to members, some institutions may find it worthwhile to join the OpenID Foundation. Below we present some information that can assist participating institutions in the membership process, if desired.

Membership costs to the OIDF

The membership costs follow the OIDF table which can be found at the link below:

https://openid.net/foundation/members/registration

To join, the institution must proceed directly through the OpenID Foundation website at:

https://openid.net/foundation/members/registration

The benefits of becoming a member, as well as further information, can be accessed at:

https://openid.net/foundation/benefits-members/

4. Support

If you have questions about the execution of security compliance tests, please contact the foundation by email at certificate@oidf.org.

To report possible bugs or necessary changes, please open tickets at https://gitlab.com/openid/conformance-suite/-/issues/new