The status of open banking implementation: mandates, entities and practical implementation.
Rasma Legal
Rasma Legal provides local, regional and international clients with a full range of legal advisory services.
Open banking is a regulated service in the UAE, with licensing provided by the following three regulators:
1- The Central Bank of the UAE (CBUAE), the federal monetary and financial services regulator, regulates Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) under the Retail Payment Services and Card Schemes Regulation 2021 (RPSCS Regulation).
AISP is defined in the RPSCS Regulation as a retail payment service that provides consolidated information on one or more payment accounts held by a retail payment service user (a person who intends to make use of, or makes use of, a retail payment service in the capacity of payer, payee or both) with either another payment service provider or with more than one payment service provider. For the avoidance of doubt, the AISP does not involve holding the retail payment service user's funds at any time.
PISP means a retail payment service to initiate a payment order at the request of the retail payment service user with respect to a payment account held at another payment service provider. For the avoidance of doubt, the PISP does not involve the holding and maintenance of payer's funds at any time.
The applicant that intends to provide AISP and/or PISP shall apply for a category IV license. The applicant shall, at the time of submitting the application (i) fulfil the legal form, (ii) meet the respective initial capital of at least one hundred thousand Dirhams regardless of the monthly average value of payment transactions, (iii) provide the necessary documents and information specified in the CBUAE application form as provided by the licensing division, and (iv) hold a professional indemnity insurance.
The RPSCS Regulation stipulates the requirement for establishing proper contractual arrangements between banks and AISPs/PISPs, providing the minimum requirements under the contractual agreement for entities that opt to participate in open banking. Additionally, the RPSCS Regulation stipulates guidance on various service-specific risks and obligations towards retail users.
The contractual arrangements shall (i) have a sound legal basis and be legally enforceable, (ii) clearly describe the rights and obligations of the counterparties, (iii) clearly define the allocation of liability between the counterparties, including in cases of fraud, unauthorized access or data breach, in a manner that each counterparty takes responsibility for the respective parts of the payment transaction under its control, (iv) specify the reasons for denying access to payment accounts related to unauthorized or fraudulent access by AISPs and PISPs, and (v) explicitly oblige the counterparties to comply with article 13 on technology risk and information security.
As stated in article 17 of the RPSCS Regulation, AISPs and PISPs shall:
- Provide services based on the retail payment service user's explicit consent.
- Ensure that the personalized security credentials of the retail payment service user are not, with the exception of the retail payment service user and the issuer of the personalized security credentials, accessible to other parties and that they are transmitted through safe and efficient channels.
- Not request or store sensitive payment data of the retail payment service user. For the purposes of AISPs and PISPs, the name of the payment account owner and payment account number shall not constitute sensitive payment data.
- Not use, access or store any data for purposes other than for the provision of the payment initiation or payment account information services, as explicitly requested by the retail payment service user.
In addition to the above requirements, AISPs shall access only the information from designated payment accounts and associated payment transactions, and PISPs shall not modify the amount, the payee or any other feature of the payment transaction.
2- The Financial Services Regulatory Authority (FSRA) provides a licensing regime for Third-Party Providers (TPP) that engage in accessing, processing, and transferring specified information as may be prescribed by FSRA. AISPs and PISPs can obtain a license to become TPPs.
The FSRA stipulates the operational requirements for TPPs, including the need to establish a governing contract with users, implement strong customer authentication features, and comply with technical requirements. The FSRA publishes the following rules: (i) Conduct of Business Rules, (ii) Anti-Money Laundering and Sanctions Rules and Guidance, (iii) Prudential – Investment, Insurance Intermediation and Banking Rules, and (iv) Glossary.
According to article 20 of the Conduct of Business Rulebook, the governing contract must contain the following information:
- The name of the TPP, its contact details and address, and details of its financial service permission.
- Description of the main characteristics of the services to be provided, the information, form and procedure for the transaction, the time of receipt of the transaction, the maximum time taken for the services to be provided, and any limits for the use of the third-party services.
- Details of all charges payable, details of the exchange rates to be applied where relevant or, its method of calculation.
- The means of communication agreed between the parties for the transmission of information or notifications including, where relevant, any technical requirements for the customer’s equipment and software for receipt of the information or notifications.
- Safeguards and corrective measures, such as the secure procedure by which the TPP will contact the customer in the event of suspected or actual fraud or security threats. Where relevant, the conditions under which the TPP proposes to reserve the right to stop or prevent the transaction from being executed.
- Changes to and termination of the contractual arrangement, such as the proposed terms under which the customer will be deemed to have accepted changes to the governing contract, the duration of the governing contract, and where relevant, the right of the customer to terminate the governing contract.
- Contractual clauses on the law applicable to the governing contract, the competent courts, and the availability of any alternative dispute resolution procedures.
The TPP must provide or make available to the customer, immediately after the initiation of the transaction: (a) confirmation of the receipt and successful initiation of the transaction, (b) a reference enabling the customer to identify the transaction and, where appropriate, any information transferred with the transaction, (c) the amount of the payment transaction, in the currency used in the payment order, (d) the amount of any charges payable in relation to the transaction and, where applicable, a breakdown of those charges, (e) the actual exchange rate used, or a reference to it, and, where the transaction leads to a payment, the amount of the payment after that currency conversion, and (f) the date and time on which the TPP received the payment transaction.
The TPP must maintain relevant records of all transactions and agreements. The records must include: (a) the specified information that has been requested by the customer, (b) the specified information that has been accessed, processed and transferred by the TPP, and (c) information about the customer that TPP has obtained as part of its customer onboarding process.
As entities registered in the Abu Dhabi Global Market, TPPs are subject to the Data Protection Regulations 2015. TPPs must maintain adequate security measures to protect the confidentiality and integrity of customers' personalized security credentials, and must ensure that appropriate means are available at all times for the customer to notify the TPP of the loss, theft, misappropriation or unauthorized use of those credentials. A TPP must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the third-party services it provides. In addition, a TPP must employ strong customer authentication whenever the customer accesses, processes or transfers specified information through the TPP.
3- Under the Dubai Financial Service Authority (DFSA), AISPs and PISPs can obtain a license under the “Arranging or Advising on Money Services” license as defined in the General Module Rulebook.
As per the said rulebook, the account information service means an online service that provides consolidated information on one or more accounts held by the user with one or more account providers, and includes such a service whether information is provided in its original form or after processing and to the user or to another person in accordance with the user’s instructions.
Payment initiation service means an online service that initiates a payment order at the request of the user with respect to a payment account held at another payment service provider, but does not include: (a) a service that involves contact with any funds at any stage of the payment transaction, or (b) the issue of a payment instrument.
The account information service enables users to have access to a single source of aggregated information so they can view information from various accounts in a single place. Users may also expressly consent to that information being shared with another person such as their financial adviser or a credit reference agency. The payment initiation service is a service that establishes a software ‘bridge’ between the website of the merchant and the online banking platform of a payer’s payment account, which allows the user to initiate the payment. This type of service would typically be made available as a payment option on a merchant’s website. PISPs should not receive funds at any stage of the payment transaction or issue payment instruments. The PISP provides independent verification to the relevant merchant that the user has sufficient funds in the payment account and has made a payment by selecting that account to make a payment to the merchant.
The DFSA stipulates the conduct of business requirements related to various user protection measures and risk mitigation.
In establishing adequate complaints handling policies and procedures, the authorized firm should have regard to the nature, scale and complexity of its business and its size and organizational structure. In handling complaints, the authorized firm should consider its obligations under the Data Protection Law 2007 and under General Module Rulebook 5.3.19 and accompanying guidance. The DFSA considers 60 days from the receipt of a complaint to be an appropriate period in which the authorized firm should be able to resolve most complaints. However, complaints related to the provision of money services or arranging or advising on money services should generally be resolved within 15 business days.
Under rule 9.4.4 the authorized firm providing money services or arranging or advising on money services is required to ensure that clients have access to an independent complaint handling service. Furthermore, section 9.4 sets out additional requirements that apply to the authorized firm carrying on the financial service of providing money services or arranging or advising on money services.