July 23, 2024

Unlocking Opportunities: A Comprehensive Guide to the Central Bank’s Open Finance Regulation

by Soham Jethani, Pankhuri Malhotra, Hena Ayisha and Prapti Sangoi

Key Takeaways
  • The CBUAE has introduced the Open Finance Regulation as part of its ‘Financial Infrastructure Transformation Programme’ to boost financial technology in the country.
  • Unlike earlier initiatives in Europe, the UK, and Australia, the UAE’s regulation offers a broader scope and sets a new benchmark in Open Finance.
  • The framework consists of the Trust Framework, API Hub, and Common Infrastructural Services, which together ensure secure, efficient, and user-friendly financial data sharing and transaction initiation.
  • Banks, insurance companies, brokers, and other financial institutions must join the framework, share user data with consent, and support Open Finance services.
  • Entities must secure a CBUAE license to offer Open Finance services, comply with strict data protection measures, and face significant penalties for breaches.
  • The regulation opens up vast opportunities for fintech companies to innovate, develop personalised products, and offer integrated financial services, positioning the UAE as a global leader in financial innovation.

On 15 April 2024, the Central Bank of the United Arab Emirates (“CBUAE”) published the Open Finance Regulation (“Regulation”). This Regulation adds to eight other initiatives introduced as part of the CBUAE’s Financial Infrastructure Transformation (“FIT”) Programme to promote technological innovations within the financial sector and to establish the UAE as a centre for financial technology.[1]

The UAE is not the first to introduce open finance regimes. In 2015, the European Parliament introduced the Revised Payment Services Directive, which included elements of open banking.[2] In 2017, the Competition and Markets Authority of the United Kingdom launched its Open Banking Roadmap and issued directions to the biggest retail banks in the UK to allow certain licensed entities to access their data using secured data protocols.[3] Australia also launched an open banking project in 2019, but rather than a financial services regulation, they introduced Consumer Data Rights legislation.[4] However, the scope of the CBUAE’s Regulation is comparatively much broader.

What is Open Finance?

Open Finance is a system where banks and other financial institutions can securely share users’ financial data with authorised third parties. Financial service providers can offer innovative services tailored to customers’ needs by integrating data from different accounts into a single platform. Users can then manage all their financial data from various sources in a single place.

Understanding the Key Definitions

Open Finance Providers[5] are entities licensed under the Regulation to provide Open Finance Services,[6] which include Data Sharing and Service Initiation. Only those with an Open Finance License[7] from the CBUAE can provide these services. A User[8] is anyone who uses Open Finance Services, and their financial information is called User Data.[9] The main types of Open Finance Services are as follows:

  1. Data Sharing:[10] An online service that consolidates a User’s financial data from various accounts and products held with licensed financial services providers, i.e., a Licensee/Data Holder;[11] and
  2. Service Initiation: Initiating transactions like transfers, crediting, debiting, placements, withdrawals, redemptions, sales, orders or cancellations related to an Account or Product.

The Regulation governs the licensing and operation of Open Finance Services for specific products and related accounts (“Products”)[12] and the accounts related to these Products (“Accounts”).[13] However, Accounts and Products regulated by the Securities and Commodities Authority are excluded from the purview of the Regulation.[14]

Open Finance Framework

The Open Finance Framework consists of three components: the Trust Framework, the API Hub and the Common Infrastructural Services.

The Trust Framework includes a Participant Directory, which lists all approved financial institutions and service providers, ensuring only trusted entities can access the platform. This is similar to a registry of licensed banks and fintech companies participating in Open Finance. Digital Certificates are also part of the Trust Framework, providing secure digital IDs for safe communication between participants, akin to SSL certificates used by websites to secure online transactions. Additionally, the API Portal serves as a central site containing essential documentation and guidelines for participants, much like an online repository where fintech developers can find APIs and integration guides. The Sandbox offers a testing environment where participants can trial new services safely, comparable to a platform where banks and fintech companies simulate new financial products before launching them.

The API Hub acts as a central platform where all participants connect and interact. It functions as a central API gateway that fintech companies use to integrate their apps with multiple banks and financial services. This centralised system simplifies the implementation process for all involved parties.

Common Infrastructural Services encompass several key functionalities. The Consent and Authorization Manager oversees user permissions and privacy settings, allowing users to control which financial apps can access their bank account information. Service Assurance is responsible for handling technical issues and ensuring service quality, similar to a support system that monitors API performance and resolves downtime issues for participating banks and fintech companies. Reporting and Analytics involve analysing data and performance metrics and providing insights into API usage patterns and service efficiency across different financial institutions. Lastly, Administration Tools assist in managing disputes and administrative tasks, offering a set of tools to resolve transaction disputes between a bank and a fintech app providing budgeting services.

Mandatory Participation

The Regulation requires certain licensed entities, such as banks, insurance companies, insurance brokers, and other financial institutions, to participate in the Open Finance Framework. These institutions, regulated by the CBUAE, must share User Data and allow Open Finance Providers to initiate transactions on Users’ Accounts and Products. All services must have Users’ consent,[15] use secure authentication procedures,[16] and follow open communication standards.[17] These requirements apply even if the institutions do not directly offer Open Finance services.

Procedure for Obtaining the Licence

No company may provide Open Finance Services without obtaining a licence from the CBUAE.[18] The application process involves submitting a comprehensive application to the CBUAE. Each Applicant[19] can choose to undertake either Data Sharing or Service Initiation activities or both.

To be eligible, an Applicant must maintain a minimum capital amount of AED 1 million. The CBUAE may impose additional capital requirements based on the risk, size, and complexity of the Applicant’s activities.[20] The Applicant must also obtain professional indemnity insurance.[21]

Alternatively, an entity may be designated as a Persons Deemed Licensed for specific categories of licences under the Regulation.[22] These would usually include CBUAE-licensed banks, finance companies, retail payment service providers, insurance brokers, and stored value facility providers.

Obligations of Licensees

Licensees must meet several key requirements to comply with the Open Finance Framework. They must create a secure online interface for Open Finance Providers to access Accounts and Products via the API Hub, register as participants within 14 days of approval, and cooperate with Open Finance Providers in sharing User data and initiating transactions, all with User consent. They must not share data of non-customers, or any data received from a service owner. Clear terms and conditions, including fees and contact details, must be established with Users. Data scraping or any similar extraction methods are prohibited.[23]

Phased Roll-Out

The Regulation will be implemented in phases, starting with the onboarding of Banks and Insurers into the Open Finance Framework. The CBUAE will communicate the subsequent phases through official channels. The CBUAE has outlined plans for most customers to gain access to Open Finance applications by 2024.[24]

Data Privacy and User’s Consent

The Regulation requires Open Finance Providers to have explicit User consent to process Personal Data.[25] This consent must be clear, informed, unambiguous, and freely given, involving a specific action from the User. Separate consent is needed for different purposes, and Users should be able to withdraw consent easily. Consent is invalid if unnecessary data is requested, and Sensitive Data[26] cannot be processed for Data Sharing. Personal Data must be handled lawfully, fairly, transparently, and only for specific, necessary purposes. It must be accurate and protected against unauthorised access or damage.[27] Firms are strictly liable for data breaches, facing significant penalties,[28] and must comply with existing consumer protection laws.[29]

Impact and Conclusion

The Regulation is a transformative initiative that significantly enhances the transparency, security, and efficiency of financial services. By mandating the secure sharing of User data with explicit consent, it fosters a more competitive and innovative financial ecosystem. This regulation not only strengthens consumer trust but also provides a fertile ground for fintech companies to thrive.

The opportunities for fintech firms are vast, from developing personalised financial products to creating seamless, integrated services that cater to the diverse needs of consumers. With the UAE’s commitment to becoming a global fintech hub, companies entering this market can leverage the regulatory framework to drive growth, foster innovation, and build robust, user-centric financial solutions.

This regulatory environment positions the UAE as a leader in financial innovation, offering fintech companies a unique opportunity to be at the forefront of digital transformation in the financial sector.

TLP Advisors is a dynamic and forward-thinking consulting, strategy and law firm specialising in providing cutting-edge solutions to our diverse clientele. With our roots deeply embedded in financial services, gaming, web3, and emerging tech, we offer unparalleled knowledge and support tailored to these rapidly evolving sectors’ unique challenges and opportunities.
TLP Advisors has consistently been the firm of choice for L1 chains, DeFi protocols, gaming companies, fintech and payment companies, foundations, funds, and investors. We have built a reputation for excellence through frequent collaborations with regulators, funds, and technology incubators. Our deep understanding of the intricate regulatory landscapes and industry dynamics allows us to provide strategic guidance and innovative solutions that empower our clients to navigate complex challenges and seize emerging opportunities.

[1] UAE’s central bank to issue CBDC and launch instant payments platform, OPEN BANKING EXPO (Feb. 14, 2023), https://www.openbankingexpo.com/news/uaes-central-bank-to-issue-cbdc-and-launch-instant-payments-platform-as-part-of-financial-transformation-programme/

[2] Payment services: revised rules to improve consumer protection and competition in electronic payments, EUROPEAN COMMISSION (Jun. 28, 2023), https://ec.europa.eu/commission/presscorner/detail/es/qanda_23_3544

[3] Millions of customers benefit as Open Banking reaches milestone, GOV.UK (Jan. 12, 2023), https://www.gov.uk/government/news/millions-of-customers-benefit-as-open-banking-reaches-milestone

[4] Open Banking around the world, DELOITTE, https://www.deloitte.com/global/en/Industries/financial-services/perspectives/open-banking-around-the-world.html.

[5] Article (1), Section 32, Open Finance Regulation.

[6] Article (1), Section 33, Open Finance Regulation.

[7] Article (1), Section 31, Open Finance Regulation.

[8] Article (1), Section 59, Open Finance Regulation.

[9] Article (1), Section 60, Open Finance Regulation.

[10] Article (1), Section 16, Open Finance Regulation.

[11] Article (1), Section 15, Open Finance Regulation.

[12] “Products” includes “deposits, payment/savings accounts, credit/debit card accounts, stored value facilities, prepaid payment accounts, post-paid payment accounts, foreign exchange accounts, loans and other personal finances, mortgages, virtual accounts, and insurance products.”

[13] Article (1), Section 1, Open Finance Regulation.

[14] Article (5), Open Finance Regulation.

[15] Article (22), Open Finance Regulation.

[16] Article (18), Open Finance Regulation.

[17] Article (19), Open Finance Regulation.

[18] Article (2), Open Finance Regulation.

[19] “Applicant” means “any juridical person duly incorporated in the State which submits an application”, Article (1), Section 5, Open Finance Regulation.

[20] Article (6), Open Finance Regulation.

[21] Article (9), Open Finance Regulation.

[22] Article (3), Open Finance Regulation.

[23] Article (15), Open Finance Regulation.

[24] Al Etihad Payments launches Open Finance to strengthen the financial services sector in the UAE, Central Bank of the UAE, https://www.centralbank.ae/media/4kfjymcz/al-etihad-payments-launches-open-finance-to-strengthen-the-financial-services-sector-in-the-uae-en.pdf.

[25] “Personal Data” means “any information, which is related to an identified or identifiable natural person”, Article (1), Section 41, Open Finance Regulation.

[26] “Sensitive Data” means “any Personal Data related to the health of a person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to healthcare services provided thereto that reveals his/her health status”, Article (1), Section 49, Open Finance Regulation.

[27] Article (22), Open Finance Regulation.

[28] Article (21), Open Finance Regulation.

[29] Article (28), Open Finance Regulation.

© 2024 TLP Advisors