New fintech regulations in the United Arab Emirates – Open Finance Regulation and Sandbox Conditions Regulation

On 23 April 2024, the Central Bank of the United Arab Emirates (the CBUAE) gazetted two very exciting fintech regulations: i.) the Open Finance Regulation, introducing an “Open Finance Framework” in which the CBUAE takes on a central role; and ii.) the Sandbox Conditions Regulation, allowing for the exemption of licensing standards subject to certain conditions (aimed at fostering innovation). This alert discusses the Open Finance Framework. In the below, unless defined otherwise, definitions have the meanings given to them in the Central Bank regulatory framework. 

1.  What came before – the RP Regulation of 2021

• When the CBUAE introduced the Retail Payment Services and Card Schemes Regulation (the RP Regulation) in 2021, it introduced a framework to regulate certain types of Retail Payment Services, including Payment Initiation Services and Payment Account Information Services, necessitating a “Category IV license” under the RP Regulation.

• At that point in time, Article 17 of the RP Regulation made it clear that a Payment Account Issuance Services provider (e.g. a bank) and a Category IV licensee may agree to contract with each other for the provision of access, direct or indirect, to the Payment Accounts held by them. Specific requirements apply to that contractual relationship and to the services provided by both the bank and the Category IV licensee (notably also around consent and data retention as well as data localisation).

2.  The Open Finance Regulation of 2024

• The Open Finance Regulation now makes participation in the Open Finance Framework (as managed by the CBUAE) mandatory for “Licensees” (initially: UAE licensed banks and foreign bank branches licensed in the UAE as well as Insurance Companies as part of a phased roll-out) who must provide Open Finance Providers (the data recipients and service initiators) with access to customer data and the ability to Initiate Transactions on customer Accounts and Products.

• The Open Finance Regulation also introduces a new license category and a compliance framework a for Open Finance Providers to undertake Data Sharing and/or Service Initiation. Other types of Central Bank licensed entities may be grandfathered as “Deemed Licensed” (a prior approval requirement applies). Key examples: Banks, Licensees under the RP Regulation, Stored Value Facilities providers, Finance Companies, Insurers.

• A key difference with the provisions of the RP Regulation is the mandatory requirement to share information under the Open Finance Regulation, and the fact that the Open Finance Regulation is intended to relate to a number of Accounts and Products across different sectors (debit and credit banking products, mortgages, forex, insurance, e-money, pre-paid).

As a general observation, this framework is a leap forward into the world of open finance. The framework is detailed and comprehensive and very much a very articulate expression of the UAE seeking to lead the digital reform agenda in the information age.

3.  Some of the key data and technology requirements are set out below:

• One of the key points of the Open Finance Regulation is the notion that it is the customer who may decide who and for what purpose it wishes to share its financial data with – and Licensees must collaborate with customers’ Open Finance Services providers. It is no surprise therefore that there are stringent requirements related to customer consent and data security and privacy.

• Special provision is made for prohibitions related to “data scraping” or similar data extraction activities or the interception of digital connections by way of reverse engineering.  

• A very elaborate framework is included in relation to authentication and secure communication standards as well as IT governance framework requirements. In addition, the CBUAE may, from time to time develop and issue additional technical standards addressed to Open Finance Providers. Examples given: digital access, cyber security, customer journey design, right to implement capped charging or to inhibit charging to third party providers.

4. The key technical components of the Open Finance Framework are:

• The Open Finance Regulation mandates that Licensees who are Data Holders and Service Owners (i.e. initially the banks and insurance companies based on the phased roll-out, led by the CBUAE) must establish and maintain a dedicated interface to provide secure on-line access to Accounts and Products through the “API Hub” and the other components of the Open Finance Framework. The API Hub is the centralized “Application Programming Interface Hub” established by the CBUAE, through which parties will be able to access the Open Finance Framework.

• The “Trust Framework” includes the Participant Directory (facilitating the validation of participants in the framework), the Digital Certificates (facilitating secure communications), the API Portal (to hold all documentation on standards etc.) and the Sandbox (facilitating participants’ ongoing testing and official conformance certifications).

• The “Common Infrastructural Services” includes (among other tools) a Consent and Authorisation Manager, being a standalone App for Users of a set of APIs for participants that supports the creation, management, enforcement and revocation of consumer, organisational and jurisdictional privacy directives. 

5.  Phased roll-out

• As set out above, the Open Finance Regulation will be rolled out in a phased manner and onboarding into the Open Finance Framework will begin with Banks and Insurers. Later phases of the onboarding will be announced by CBUAE through its official channels.

In closing, we view the Open Finance Regulation as a very positive step, opening up further opportunities for innovation, healthy competition and service improvement across the payments landscape in the UAE, which will likely have a huge and beneficial impact on the fintech eco system at large.