Open Banking Module
During November 2018, the Central Bank of Bahrain (CBB) announced the launch of draft rules (25 pages) on open banking. The document is directed toward open banking operators that provide either of the following services:
Providers of account information
Providers of payment initiation
The common factor between these two regulated services is that both gain access to customer accounts held at electronic wallets and at conventional, Islamic and retail banks through ‘application program interfaces’ (APIs).
Timeline of open banking developments in Bahrain
April 2018 - Tarabut Gateway joins the regulatory sandbox as first open banking applicant
11 November 2018 - CBB issues open banking draft rules
25 November 2018 - Deadline for feedback on open banking draft rules
11 December 2018 - Tarabut Gateway graduates from regulatory sandbox
Application Program Interfaces (API): an API is a software intermediary that allows two applications to interact.
Account Information Service Providers (AISPs): A CBB-licensed entity that provides online account information services.
Payment Initiation Service Providers (PISPs): A CBB-licensed entity that provides online payment services.
AISPs and PISPs must establish a legal arrangement with customers. They must provide customers with information regarding the service, the provider, the adopted safeguards and corrective measures, and any alterations to the legal arrangement, including its termination. Such information must be provided before customers become bound by the legal arrangement for the services.
Standards for Authentication and Communication
AISPs and PISPs must have a secure customer authentication process and overall security approach for the following three primary elements:
Knowledge: information known only to the customer of the platform, e.g. passwords
Possession: something that only the customer possesses, e.g. algorithm specifications
Inherence: devices or software that read a characteristic of the customer, e.g. a biometric sensor
The security measures for each element must be independent, so that the compromise of one element does not compromise the others, especially when the same device (such as a mobile phone or tablet) is used for more than one operation.
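As an added example, not taken from the CBB draft rules or from any licensee's code, the following Python models the requirement above: a login passes only when two different element categories verify, here a knowledge element (a PBKDF2-hashed password) and a possession element (an RFC 6238 TOTP code). The salt, password and TOTP secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample credentials for one customer (not real values): the knowledge
# element is a PBKDF2 hash of a password, the possession element is a TOTP secret
# provisioned to the customer's authenticator app or hardware token.
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", PASSWORD_SALT, 100_000)
TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed 10-byte secret

def verify_knowledge(password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)

def totp(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over a 30-second time step."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def verify_possession(code: str, now=None) -> bool:
    step = int((time.time() if now is None else now) // 30)
    # Allow one step of clock skew either side; constant-time compare for each.
    return any(hmac.compare_digest(totp(TOTP_SECRET, step + d), code) for d in (-1, 0, 1))

def strong_customer_authentication(factors, now=None) -> bool:
    """factors: list of (element_category, presented_value) pairs.

    Passes only when at least two DIFFERENT element categories verify; two factors
    from the same category (password + PIN) count once and so never satisfy the
    independence requirement alone. Inherence (biometrics) needs a device sensor
    and is not modelled in this offline example.
    """
    verified = set()
    for category, value in factors:
        if category == "knowledge" and verify_knowledge(value):
            verified.add(category)
        elif category == "possession" and verify_possession(value, now):
            verified.add(category)
    return len(verified) >= 2
```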
Customers must consent to initiate payment transactions. The PISP may agree payment transaction limits with the customer and may stop the use of a payment instrument if its security is compromised or unauthorized or fraudulent use is suspected. No specific limit amount is mentioned, which indicates that limits are set case by case. AISPs and PISPs may charge fees that reasonably correspond to operational costs, but these must be explicitly agreed by both parties in the initial legal arrangement.
Both AISPs and PISPs are obligated to engage a third-party cybersecurity specialist to perform vulnerability assessments and penetration testing every six months. Separately, external consultants must also evaluate the operator's systems at least once every three years.
Technology Related Requirements
AISPs and PISPs must adhere to the best practices of technical standards, including for application program interfaces (APIs), electronic identification, transmission of data and web security. The CBB recommends that the licensee considers the following solutions:
Representational State Transfer (REST) and Simple Object Access Protocol (SOAP): an architectural style and a protocol, respectively, for implementing web services
Web Services Security (WS-Security): security extensions adopted to protect web services from vulnerabilities
X.509 public key infrastructure standard: standard for the infrastructure that creates, stores and distributes digital certificates to verify the owner of a public key
OAuth 2.0: authorization framework that allows applications to gain limited access to user accounts
JSON Web Token (JWT): a compact token format for securely transmitting claims between parties.
This summary highlights key requirements and recommendations by the CBB for future open banking licensees. Alongside the brief, we highly recommend reading the draft regulations.
Disclaimer: The information presented in this summary is for informational purposes only and does not constitute and should not be construed as a solicitation or other offer, or recommendation to acquire or dispose of any investment or to engage in any other transaction, or as advice of any nature whatsoever. This summary is not designed to provide legal or other advice.