Your Role as an ASPSP

As a bank or Licensed Financial Institution (LFI), you are an Account Servicing Payment Service Provider (ASPSP) in the Open Finance ecosystem. Your role is to provide secure, standardized APIs that allow authorized Third Party Providers (TPPs) to access customer data and initiate payments on their behalf.

Data Provider

Expose account data through standardized APIs

Consent Manager

Handle customer authorization and consent lifecycle

Payment Executor

Process payments initiated by authorized TPPs

API Requirements

The UAE Open Finance framework specifies the following API families:

| API Family | Status | Description |
|---|---|---|
| Account Information | Required | Balances, transactions, standing orders, direct debits |
| Payment Initiation | Required | Domestic payments, scheduled payments, bulk payments |
| Confirmation of Payee | Required | Name verification before payment execution |
| Product Information | Optional | Public product catalogs, branch information, ATM locations |

Technical Architecture

TPP Layer: Third Party Providers
↓ FAPI-secured APIs ↓
Platform Layer: Al Tareq Platform (Directory, Trust Framework)
↓ Mutual TLS ↓
Bank Layer: Authorization Server, Resource Server (APIs), Consent Management
↓
Core Systems: Core Banking, Payment Systems, Customer Data

Implementation Roadmap

Phase 1: Foundation

  • Register on Al Tareq platform
  • Set up authorization server (OAuth 2.0 + FAPI)
  • Implement consent management system
  • Deploy sandbox environment

Phase 2: Core APIs

  • Implement Account Information APIs
  • Implement Payment Initiation APIs
  • Set up webhook notifications
  • Complete internal testing

Phase 3: Certification

  • Pass conformance test suite
  • Complete security assessment
  • Document API specifications
  • Publish to directory

Phase 4: Production

  • Enable production APIs
  • Onboard initial TPPs
  • Monitor and optimize performance
  • Iterate based on feedback

Security Requirements

FAPI Compliance

Implement the Financial-grade API (FAPI) security profile (FAPI 1.0 Advanced or FAPI 2.0)

Mutual TLS

All API calls must use mutual TLS with qualified certificates

Strong Customer Authentication

Multi-factor authentication for consent authorization

Token Binding

Access tokens are bound to TPP certificates so that a stolen token cannot be replayed by another party
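The Mutual TLS and Token Binding requirements above meet at the resource server, which has to confirm that the certificate on the connection is the one the access token was issued to. The following is an added example, not code from the framework or from any bank; it assumes the RFC 8705 `cnf` / `x5t#S256` confirmation claim (the page does not name the binding mechanism), and the certificate bytes, claim values and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

def cert_thumbprint(der_cert: bytes) -> str:
    """RFC 8705 x5t#S256: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor, e.g. when a TLS-terminating proxy forwards the cert."""
    body = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def check_token_binding(claims: dict, client_der: Optional[bytes]) -> Tuple[bool, str]:
    """claims: payload of an access token whose signature, issuer, audience
    and expiry were already validated. client_der: certificate the TPP
    presented on this mutual-TLS connection, or None if it presented none."""
    if client_der is None:
        return False, "no client certificate on the connection"
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str) or not expected:
        # Fail closed: an unbound (plain bearer) token is never accepted.
        return False, "token is not certificate-bound"
    actual = cert_thumbprint(client_der)
    # Constant-time comparison; malformed claim text simply fails to match.
    if not hmac.compare_digest(actual.encode(), expected.encode("utf-8", "replace")):
        return False, "client certificate does not match token binding"
    return True, "ok"

# Constructed stand-ins for DER certificate bytes (not real certificates).
TPP_A_CERT = b"constructed-der-bytes-tpp-a"
TPP_B_CERT = b"constructed-der-bytes-tpp-b"

def demo() -> dict:
    bound = {"sub": "customer-1", "cnf": {"x5t#S256": cert_thumbprint(TPP_A_CERT)}}
    return {
        "issued_to_caller": check_token_binding(bound, TPP_A_CERT),
        "replayed_by_other_tpp": check_token_binding(bound, TPP_B_CERT),
        "unbound_token": check_token_binding({"sub": "customer-1"}, TPP_A_CERT),
        "no_client_cert": check_token_binding(bound, None),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The check runs on every API call, after token validation and before any consent or scope decision, so a token presented over a connection with a different certificate is rejected even though its signature is valid.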

Consent Management

Banks must implement a comprehensive consent management system that:

Implementation Support

Access technical documentation and sandbox environments to begin your implementation.