Initiate User Set-up (Conditional)

Depending on the use case, the User may have to be onboarded with the TPP by agreeing to any relevant terms and conditions (e.g. regarding sharing and storage of personal data) and privacy notice, and setting up an account with the TPP, if required.

TPPs MUST:

1.1 Provide the User with Terms & Conditions, and Privacy Notice documents, outlining the applicable rights and responsibilities in the context of relevant regulation and legal principles. This may also need to include any onward sharing of personal data, recipients or categories of recipients who receive that data, and the lawful basis for processing the User’s personal data, as per Consent Setup | 2. Consent Codification.

1.2 Obtain the User's agreement to the above before setting them up and be able to request the User’s consent, as per the next step in the process.

1.3 Provide an option for the User to cancel the flow, if preferred.

Data Sharing Consent

Basic Consent Parameters

TPPs MUST:

2.1 Request only data required to perform their service (or use case).

2.2 Use the data language standards to describe the data clusters and data permissions in user-facing interactions so that the User clearly understands the data that will be requested from their LFI to provide the service requested.

• 2.2.1 Display to the User the data clusters that will be collected and the purpose the data will be used for.

  • 2.2.1.1 In the scenario that the use case of the TPP allows the User to select the data they wish the TPP to access, the TPP may provide to the User a list of data clusters for selection. However, please note that the TPP MUST enable this selection to take place earlier in the user journey, prior to the Consent screen.

2.3 Confirm the duration of the data access requested or, depending on the use case, allow the User to select how long the TPP can access their data.

• 2.3.1 When a ‘single-use’ (i.e. short-lived) account access consent is required, confirm to the User that their accounts will only be accessed for a maximum period of time as defined in Limits and Constants | Single use Consent Duration for Data.

  • 2.3.1.1. Confirm to the User what will happen to their data once the service has been provided and data access has been completed.

• 2.3.2 When a ‘long-lived’ account access consent is required for the service to be provided:

  • 2.3.2.1 Confirm to the User that when the consent reaches the end of the sharing duration period, the consent will expire and may need to be renewed.

  • 2.3.2.2 When the consent expires confirm to the User what will happen to their data and the service being provided, if not renewed.

• 2.3.3 Ensure that there is always an expiry date which defines a validity period of maximum as defined in Limits and Constants | Max Consent Validity Period. Consents with no expiry date will be rejected by the OFP.

2.4 Define the start and end dates for the period needed for historical transaction data, if required for specific use cases and TPP has requested any of the transaction related permissions, as defined in Customer Data | 6.3.1 Data Cluster Definitions.

• 2.4.1 The end date of the period of historical data that can be requested by TPPs and which MUST be returned by LFIs for a Data sharing request is as per the period defined in Limits and Constants | End Date of historical data for Data Sharing Request.

2.5 Confirm to the User that they can withdraw their consent at any time before the consent expires.

2.6 Provide to the User, the OFP and the LFI, their trading/brand name clearly and the name of any other parties they are supporting (if applicable).

2.7 Allow the User to identify and select the LFIs for the Consent.

• 2.7.1 Provide a way for the User to search for their LFI.

Additional Consent Parameters

TPPs MUST:

2.8 Set/clear the “Is Single Authorization” flag as appropriate (as per Common Rules and Guidelines | 7. Is Single Authorization flag).

2.9 Set the Authorization Expiration DateTime (as per Common Rules and Guidelines | 8. Authorization Expiration Date Time) if there are specific timing requirements that must be met for the Consent authorization. This is also relevant to cases where multiple authorizers are required to authorize the consent (please refer to Common Rules and Guidelines | 18. Multi User Authorization Flow).

2.10 Obtain the User's explicit consent to access information from the payment account products held at the selected LFI.

Consent Staging

As per Common Rules and Guidelines | 10. Consent Staging.

Hand-off to LFI

TPP MUST:

4.1 Notify the User that they will be transferred to the selected LFI to undertake their authentication and consent Authorization, as per Common Rules and Guidelines | 11. Hand off to LFI.

Authentication

LFI Authentication Only

LFI MUST:

5.1 Enable Users to perform authentication with their LFI, as per the following sections:

• Authentication by LFI | 2. Redirection

• Authentication by LFI | 3. Decoupled Redirection

5.2 Re-direct Users back to the TPPs, with information that the Consent has not been authorized, if User authentication has failed or User opt to cancel the authentication/authorization process.

Centralized Authentication and Authorization (Federated) Only

5.3 As per https://openfinanceuae.atlassian.net/wiki/spaces/6af317645dd64444b360d51d5bfb6d46/pages/321226238

Disclosure Consent

LFIs MUST:

6.1 Enable Users to authenticate using Multi-Factor Authentication (MFA) in order to review and authorize the data sharing single-use or long-lived Consent.

6.2 Retrieve from the OFP the data sharing Consent details staged by the TPP using the unique Consent Identifier.

6.3 Display details of data that will be shared and for how long.

6.4 Use the data language standards to describe data clusters and permissions in user-facing interactions so that the same information is displayed to the User, as defined in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv2draft3/pages/321229345/Customer+Data#6.-Permissions-and-Data-Clusters.

Select Accounts

LFI MUST:

7.1 Display list of eligible accounts for data sharing to the User, as per https://openfinanceuae.atlassian.net/wiki/spaces/6af317645dd64444b360d51d5bfb6d46/pages/321229790/Common+Rules+and+Guidelines#1.-Supported-Accounts

• 7.1.1 LFIs can display the eligible accounts using recognized nicknames, icons, account numbers, and account type.

7.2 Only display the applicable accounts for User selection, when the TPP has specified the Account Type and Account Sub-Type in the consent request object.

7.3 Enable the account selection process as per https://openfinanceuae.atlassian.net/wiki/spaces/6af317645dd64444b360d51d5bfb6d46/pages/321229790/Common+Rules+and+Guidelines#12.-Payment-Account-Selection-at-LFI

7.4 Allow the User to select which of their accounts to share data from, if the consent includes account-specific data permissions, and if there are multiple accounts available.

7.5 NOT request Users to select any account from their eligible account list when the Data Request Consent does not include any account-specific data permissions and instead includes only User data permissions (e.g. in the case of the Parties endpoint). TPPs MUST NOT display any list of eligible accounts in this case, please refer to variation https://openfinanceuae.atlassian.net/wiki/spaces/standardsv2draft3/pages/321229345/Customer+Data#3.2.1-Data-Sharing-for-Contact-and-Party-data-cluster.

• 7.5.1 Display to Users the full details of their personal data that will be shared with the TPP for the requested period of the Consent.

7.6 Allow Users to proceed to the Data Sharing Consent authorization without selecting any accounts in the case of Consents solely including non account-specific data permissions.

7.7 Display to the User any accounts that are unavailable to select and share with the TPP and communicate why these accounts cannot be selected.

7.8 Check the authorization status of the selected payment account is in accordance with the TPPs' Accepted Authorization Type as per https://openfinanceuae.atlassian.net/wiki/spaces/6af317645dd64444b360d51d5bfb6d46/pages/321229790/Common+Rules+and+Guidelines#13.-Check-Accepted-Authorization-Type.

Confirmation/ Authorization

LFIs MUST:

8.1 Present to Users all the details in relation to data sharing Consent.

8.2 NOT allow Users to change any of the Consent parameters (e.g. permissions) staged by the TPP.

8.3 Request Users to authorize the data sharing Consent.

8.4 Enable Users to cancel the data sharing Consent request from within the authorization journey.

8.5 Re-direct Users back to the TPPs, with information that the Consent has not been authorized, if Users opt to cancel the Consent authorization process before final authorization.

8.6 Check the Authorization Time window is valid as per https://openfinanceuae.atlassian.net/wiki/spaces/6af317645dd64444b360d51d5bfb6d46/pages/321229790/Common+Rules+and+Guidelines#20.-Check-Authorization-Time-Window.

8.7 Change the state of the data sharing Consent from ‘Awaiting Authorization’ to ‘Authorized’, when all Authorizers (one or more) have authorized the data sharing Consent.

8.8 Update the data sharing Consent details stored in the OFP with all the information included in the data sharing Consent authorized by the User.

OFP MUST:

8.9 Confirm back to the LFIs that the data sharing Consent details have been updated successfully.

Hand-off back to the TPP

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv2draft3/pages/321229790/Common+Rules+and+Guidelines#14.-Hand-off-back-to-the-TPP.

Confirmation to User

As per https://openfinanceuae.atlassian.net/wiki/spaces/standardsv2draft3/pages/321229790/Common+Rules+and+Guidelines#16.-Confirmation-to-User.

Data Sharing Request

TPPs MUST:

1.1 Only request specific data in the scope of their service (or use case).

1.2 Only submit to OFP data sharing requests for the data clusters and permissions consented by the User, as per the data sharing Consent authorized by the User.

Processing of Data Sharing Requests

OFP MUST:

2.1 Allow TPPs to submit data sharing requests in relation to a data sharing Consent authorized by Users, without any additional MFA or authorization by the Users.

2.2 Check that the received data sharing request relates to a valid data sharing Consent authorized by the User. The Consent MUST be in the ‘Authorized’ state. The OFP MUST reject any data sharing requests related to a data sharing Consent in a different state (e.g. expired) and respond back to the TPP with the appropriate error message/code.

• 2.2.1 Provide ongoing consented information (data and accounts), only if the User has consented to a long-lived data sharing Consent.

• 2.2.2 Provide short-lived data sharing access to Consented information, only if the User has consented to a single-use data sharing Consent.

2.3 Reject the data sharing request and provide the necessary error message to the TPP, if any checks on the data sharing request fail against the authorized data sharing Consent.

• 2.3.1 Only allow data sharing requests from TPPs for the data clusters and permissions consented by the User, as per the data sharing Consent authorized by the User.

2.4 Send the data sharing requests to the LFI for the data clusters and permissions consented by the User, as per the data sharing Consent authorized by the User.

LFIs MUST:

2.5 Allow the OFP to submit the data sharing requests without any additional MFA or authorization from the User.

2.6 Reject the data sharing request received by the OFP, in case there are valid reasons for the data sharing Consent to be suspended, as per https://openfinanceuae.atlassian.net/wiki/spaces/6af317645dd64444b360d51d5bfb6d46/pages/321225013/Consent+Setup#4.-Consent-States or due to any other BAU checks failure.

2.7 Share data requested by the OFP in relation to the authorized data sharing Consent.

• 2.7.1 Ensure that the data provided to the OFP allows the TPPs to reconcile the account transactions received from the LFI.

OFP MUST:

2.8 Send an appropriate error response to the TPPs, in case the data sharing request is rejected due to violating any of the LFIs BAU checks.

2.9 Provide the TPP with all the available data for the data clusters and permissions requested in relation to the data sharing Consent authorized by the User.

CDCU-1

Consent Update

TPPs SHOULD:

1.1 Enable Users to use the TPP Consent Management Interface (CMI) to amend one or more of the following parameters of a data sharing long-lived consent:

• Accounts that are related to the information services

• Data clusters that are associated with the Consent. For example, enabling an additional data cluster to get other services from a TPP.

• The duration Users want the consent to be valid, subject to the maximum validity period as defined in Limits and Constants | Max Consent Validity Period.

TPPs MUST:

1.2 Require the Users to authenticate with their LFI and authorize the Consent update, if they were allowed to make changes.

Accounts Basic (ReadAccountsBasic)

Any other name by which you refer to this account

Currency of the account, Nickname of account assigned by the account owner (e.g. Fahd’s Household account’).

Each Account will have a unique and immutable AccountId

Accounts Detail (ReadAccountsDetail)

Your account name and number

Account Name, account identifier (may include account number, IBAN, mobile number, email address or other unique identifier)

(plus all data provided in Accounts Basic)

Balances (ReadBalances)

Your account balance

Amount, Currency, Credit/Debit, Type of Balance, Date/Time, Credit Line.

Beneficiaries Basic (ReadBeneficiariesBasic)

Payee agreements you have set up

List of Beneficiaries.

Beneficiaries Detail (ReadBeneficiariesDetail)

Details of Payee agreements you have set up

Details of Beneficiaries account information (Name, account identifier such as IBAN, mobile number, email address or other unique identifier), Beneficiary Type and Account Holding Entity details

(plus all data provided in Beneficiaries Basic)

Standing Order Basic (ReadStandingOrdersBasic)

Your Standing Orders

SO Info, Frequency, Creditor Reference Info, First/Next/Final Payment info, SO Status

Standing Order Detail (ReadStandingOrdersDetail)

Details of your Standing Orders

Details of Creditor Account Information (Name, account identifier such as IBAN, mobile number, email address or other unique identifier)

(plus all data provided in SO Basic)

Direct Debits (ReadDirectDebits)

Your Direct Debits

Mandate info, Status, Name, Previous payment information, Frequency

Scheduled Payments Basic (ReadScheduledPaymentsBasic)

Recurring and future dated payments from your card account

Scheduled dates, currency, amount, reference. Does not include information about the beneficiary.

Scheduled Payments Detail (ReadScheduledPaymentsDetail)

Details of recurring and future dated payments from your card account

Scheduled dates, currency, amount, reference. Includes information about the beneficiary.

Transactions Credits (ReadTransactionsCredits)

Details of your incoming transactions

Transaction Information on payments made into the User’s account (Reference, Amount, Status, Booking Data Info, Value Date info, Transaction Code).

Includes information about the entity that made the payment.

Transactions Debits (ReadTransactionsDebits)

Details of your outgoing transactions

Same as above, but for debits.

Transactions Basic (ReadTransactionsBasic)

Your transactions

Transaction Information on payments for both credits in and debits out of the User’s account (Reference, Amount, Status, Booking Data Info, Value Date info, Transaction Code). Does not include information about the debtor/creditor.

Transactions Detail (ReadTransactionsDetail)

Details of your transactions

Transaction Information on payments made both credits in and debits out of the User's account (Reference, Amount, Status, Booking Data Info, Value Date info, Transaction Code, Merchant Category Code). Includes information about the debtor/creditor.

FX & Remittance Transactions Basic

(ReadFXTransactionsBasic)

Your FX & Remittance transactions

Transaction Information on FX & Remittance payments for both credits in and debits out of the User’s account (including Reference, Amount, Status, Booking Data Info, Value Date info, Transaction Code). Does not include information about the debtor/creditor.

FX & Remittance Transactions Detail

(ReadFXTransactionsDetail)

Details of your FX & Remittance transactions

Transaction Information on FX & Remittance payments for both credits in and debits out of the User's account (including Reference, Amount, Status, Booking Data Info, Value Date info, Transaction Code, Merchant Category Code). Includes information about the debtor/creditor

Product Information

(ReadProduct)

Details of your banking products

Account product information for a specific AccountID

FX & Remittance Product Information

(ReadFXProducts)

Details of your FX & Remittance products

FX & Remittance product information for a specific AccountID. This includes account features & services, such as:

• Currency Pairs Available: List of supported currencies for exchange.

• Transaction Methods: Bank transfers, cash transactions, online trading, etc.

• FX Products: Spot exchange, forwards, options, remittances, etc.

• Multi-Currency Support: If the account can hold multiple currencies.

Party User (ReadPartyUser)

High-level information on the successfully authorized user.

The party type, account role, and full Legal Name.

Party User Identity (ReadPartyUserIdentity)

Full KYC information on the successfully authorized user.

The party type, account role, address, date of birth, Emirates ID.

Party (ReadParty)

An array with high-level information on the account owner(s)/holder(s).

The party type, account role, and full Legal Name.