InFocus

OPEN BANKING MODULE SUMMARY


Open Banking Module


In November 2018 the Central Bank of Bahrain (CBB) published draft rules (25 pages) on open banking. The document is directed at open banking operators that provide either of the following services:
 

  • Providers of account information  

  • Providers of payment initiation  
     

What both regulated services have in common is access to customer accounts held at electronic wallets and at conventional, Islamic and retail banks through application programming interfaces (APIs).
 

Timeline of open banking developments in Bahrain
 

  • April 2018 - Tarabut Gateway joins the regulatory sandbox as first open banking applicant

  • 11 November 2018 - CBB issues open banking draft rules

  • 25 November 2018 - Deadline for feedback on open banking draft rules

  • 11 December 2018 - Tarabut Gateway graduates from regulatory sandbox

 

Definitions

 

Application Programming Interface (API): a software interface through which two applications exchange data and invoke each other's functions.
 

Account Information Service Providers (AISPs): A CBB-licensed entity that provides online account information services.
 

Payment Initiation Service Providers (PISPs): A CBB-licensed entity that provides online payment services.
 

Key themes

 

Legal Arrangements

AISPs and PISPs must establish a legal arrangement with their customers. They must give customers information about the service, the provider, the safeguards and corrective measures adopted, and any changes to the legal arrangement, including its termination. This information must be provided before the customer becomes bound by the legal arrangement for the services.

 

Standards for Authentication and Communication

AISPs and PISPs must have a secure customer authentication process and an overall security approach built on the following three elements:

 

  • Knowledge: something only the customer knows, e.g. a password or PIN

  • Possession: something only the customer holds, e.g. a registered mobile device, hardware token or card

  • Inherence: something the customer is, e.g. a fingerprint or face read by a biometric sensor

The elements must be independent of one another, so that the compromise of one does not compromise the others. This matters most when a single device (such as a mobile phone or tablet) is used for more than one of them, for example when the same phone both holds the possession element and displays the one-time code that proves it.

 

Payment Transactions

Customers must consent before a payment transaction is initiated. The PISP may agree payment transaction limits with the customer, and may block a payment instrument where its security has been compromised or where unauthorised or fraudulent use is suspected. No specific limit amount is stated, so limits are set case by case. AISPs and PISPs may charge fees that reasonably correspond to their operational costs, but these must be explicitly agreed by both parties in the initial legal arrangement.

 

Security

Both AISPs and PISPs must engage a third-party cybersecurity specialist to perform vulnerability assessments and penetration testing every six months. Separately, external consultants must evaluate the operator's systems at least once every three years.
 

Technology Related Requirements

AISPs and PISPs must follow best-practice technical standards for, among other things, application programming interfaces (APIs), electronic identification, data transmission and web security. The CBB recommends that licensees consider the following:

 

  • Representational State Transfer (REST) and Simple Object Access Protocol (SOAP): an architectural style and a messaging protocol, respectively, for implementing web services

  • Web Services Security (WS-Security): an extension to SOAP that secures individual messages by signing and encrypting them and attaching security tokens

  • X.509: the public key infrastructure (PKI) standard for digital certificates, which bind a public key to the identity of its owner and are issued, stored and distributed so that the owner of a public key can be verified

  • OAuth 2.0: an authorization framework under which a third-party application obtains limited, customer-consented access to an account without handling the customer's banking credentials

  • JSON Web Token (JWT): a compact token format for securely transmitting signed (and optionally encrypted) claims between parties
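
The following Go program is an added example, not part of the CBB draft or of this summary, showing how three of the recommended standards fit together at an AISP or PISP resource server: an OAuth 2.0 access token issued as an RS256-signed JWT, with the signing public key taken from an X.509 certificate. The hostnames, claim values and self-signed certificate are invented for illustration; a licensee would instead trust a certificate issued by a CA agreed with the bank. The security point is the order of checks in VerifyJWT: the algorithm is pinned before anything else is read (so a token declaring `alg` "none" is refused), then the signature is verified with the key from the certificate, and only then are `exp`, `iss` and `aud` checked and the `scope` honoured.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims holds the OAuth 2.0 access-token claims the resource server checks (RFC 7519 names).
type Claims struct {
	Issuer   string `json:"iss"`
	Audience string `json:"aud"`
	Scope    string `json:"scope"`
	Expiry   int64  `json:"exp"` // Unix seconds
}

var b64 = base64.RawURLEncoding // JWT uses unpadded base64url

// NewKey generates the authorization server's RSA signing key.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewSigningCert wraps the public key in a self-signed X.509 certificate (DER) so the
// example runs offline; a licensee would instead trust a certificate from an agreed CA.
func NewSigningCert(key *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // invented name, e.g. "as.example-bank.bh"
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SignJWT issues an RS256 token (header.payload.signature) once the customer has consented.
func SignJWT(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT is the resource-server side. Order matters: pin the algorithm (never let the
// token choose it), verify the signature with the certificate's key, then check exp, iss, aud.
func VerifyJWT(token string, certDER []byte, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var raw [3][]byte // decoded header, payload, signature
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, fmt.Errorf("signing certificate unparsable or not valid now")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, fmt.Errorf("bad signature or non-RSA certificate key")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expiry {
		return nil, fmt.Errorf("token expired")
	}
	if c.Issuer != wantIss || c.Audience != wantAud {
		return nil, fmt.Errorf("wrong issuer or audience")
	}
	return &c, nil
}
```

A caller wires the pieces in order: NewKey, NewSigningCert for the authorization server's certificate, SignJWT with the consented scope and a short expiry, and VerifyJWT at the resource server with the expected issuer and audience. A token whose header says `alg` "none", whose payload has been altered, or which was signed with a key other than the one in the certificate fails before any claim is trusted; a token presented to the wrong audience or after its expiry fails after the signature check.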
     

Conclusion


This summary highlights key requirements and recommendations by the CBB for future open banking licensees. Alongside the brief, we highly recommend reading the draft regulations.

Disclaimer: The information presented in this summary is for informational purposes only and does not constitute and should not be construed as a solicitation or other offer, or recommendation to acquire or dispose of any investment or to engage in any other transaction, or as advice of any nature whatsoever. This summary is not designed to provide legal or other advice.