Open Finance Regulation

1 CBUAE Classification: Public Open Finance Regulation

2 CBUAE Classification: Public Table of Contents Subject Page Scope and Introduction 5 Objectives 8 Article (1) Definitions 9 Article (2) Licensing and Licensing Procedures 18 PART I – Minimum Requirements Applicable to Licensees Article (3) Persons Deemed Licensed 20 Article (4) Limitations 22 Article (5) Accounts and Products 23 Article (6) Minimum Capital 24 Article (7) Aggregate Capital Funds 25 Article (8) Capital Instruments 25 Article (9) Professional Indemnity Insurance 26 Article (10) Control of Controllers 27 Article (11) Corporate Governance 28 Article (12) Risk Management, Compliance and Internal Audit 29 Article (13) Keeping Records 32 Article (14) Notification and Reporting Requirements 33 Article (15) Obligations of Licensees 35 Article (16) Obligations relating to Data Sharing 36 Article (17) Obligations relating to Service Initiation 38 Article (18) Authentication 39 Article (19) Secure Communication 40 Article (20) Obligations towards Users 42 Article (21) Liability for Unauthorised Transactions, Defective Transactions and Data Breaches 44 Article (22) Data Privacy and Consent for the Use of Personal Data 45 PART II – Minimum Requirements Applicable to the API Hub Article (23) Licensing Requirements 50 Article (24) Licence Conditions 53 Article (25) Minimum Capital Requirements 55 Article (26) Corporate Governance 57 Article (27) Risk Management and Internal Control Mechanisms 60 Article (28) Fees 61 Article (29) Reporting and Record Keeping 62 PART III – Minimum Requirements Applicable to Licensees and the API Hub Article (30) Anti-Money Laundering and Combating the Financing of Terrorism and Illicit Organisations 63 Article (31) Technology Risk and Information Security 64 Article (32) Supervision 66 Article (33) Regulations and Regulatory Technical Standards 66 Article (34) Enforcement and Sanctions 67 Article (35) Consumer Protection 67 Article (36) Cancellation of Previous Regulation 67 Article (37) Interpretation 67 Article (38) Publication and Application 68 Schedule 1 Details of the Open Finance Framework 69

3 CBUAE Classification: Public Circular No. 03/2025 Date: 10/07/2025 To: Licensed Financial Institutions, Insurance Companies, Insurance Brokers and the API Hub Subject: Open Finance Regulation

Scope and Introduction This Open Finance Regulation (this Regulation) establishes the regulatory requirements for the licensing, supervision and operation of an Open Finance Framework in the United Arab Emirates. The Open Finance Framework consists of an API Hub which includes a Trust Framework, and Common Infrastructural Services, which provide Open Finance access for the cross-sectoral sharing of data and the initiation of Transactions, on behalf of Users.

This Regulation also sets the specific requirements for the licensing and regulation of the API Hub.

The requirements in Part I of this Regulation apply fully to Licensees. The requirements in Part II of this Regulation apply fully to the API Hub. The requirements in Part III of this Regulation apply fully to Licensees and the API Hub.

Entities Mandated Participation in the Open Finance Framework is mandatory for all Licensees with respect to the Products and Services within its scope. Licensees (as Data Holders and Service Owners) are required under this Regulation to provide participants in the Open Finance Framework (as data recipients and service initiators) with access to customer data and the ability to Initiate Transactions on customer Accounts and Products.

Data Sharing and Service Initiation of Transactions is in all cases subject to the express consent of Users, the application of appropriate authentication processes and the use of secure communication. This Regulation and the rights of access to data and Accounts established hereunder, do not apply with respect to activities that are not regulated by the Central Bank.

Licensees mandated by this Regulation to provide Open Finance access include the following entities: a. Banks incorporated in the UAE. b. Branches of foreign Banks/representative offices of foreign Banks. c. Specialized Banks. d. Restricted licence Banks. e. Islamic Banks and Islamic windows. f. Finance Companies. g. Payment service providers (category 1/2/3/4). h. Retail payment systems providers. j. Stored value facility providers. k. Exchange houses. l. Crowdfunding-based-Loan companies. m. Insurance Brokers. n. Insurance Companies (national companies and foreign branches). o. Any other entity deemed to be a relevant Licensee by the Central Bank.

The Licensees which are mandated to provide Open Finance access, pursuant to this Regulation, will be on-boarded in phases. The first phase will include all Banks, including branches of foreign banks, and Insurance Companies (national companies and foreign branches) only. Later phases of the on-boarding will be announced by the Central Bank through official channels.

Open Finance Providers and their Licensing In order to facilitate the adoption of Open Finance and the participation of businesses as licensed Data Sharing Providers and/or Service Initiation Providers, this Regulation establishes a new category of regulatory licence for providers of Open Finance Services. Open Finance Providers will be the holders of such a licence, which enables them to undertake Data Sharing and/or Service Initiation.

Providers of Open Finance Services can opt for either one or both of the options to undertake Data Sharing or Service Initiation under an Open Finance Licence.

Without prejudice to other regulatory licences that they hold, an Open Finance Licence will not permit licence holders to perform any other category of licensed activity and, in particular, will not entitle licence holders to provide any form of Advice or to arrange or mediate Transactions in licensed activities, or hold customer funds in any form. Open Finance Providers must separately obtain or hold the additional regulatory licences required to undertake any other licensed activity or activities.

Licensed Deemed Persons Certain categories of Licensees, as specified in Article 3 of this Regulation, are treated as Persons Deemed Licensed. A Person Deemed Licensed must notify the Central Bank in writing of the intention to provide any Open Finance Service, setting out full details of its intended activities, and obtain the approval of the Central Bank prior to commencing such activities.

Licensees to Applicable Articles All Licensees, whether or not they are engaged in the provision of Open Finance Services, must comply with the requirements of this Regulation with regard to Data Sharing and Service Initiation by Users through Open Finance Providers and specifically the requirements in Articles 18 to 22 of this Regulation.

Objectives In exercising its powers and functions under this Regulation, the Central Bank has regard to the following objectives: a. Ensuring the safety and soundness of Open Finance Services; b. Adoption of effective and risk-based licensing requirements for Data Sharing and Service Initiation; c. Promoting the reliability and efficiency of Open Finance Services as well as public confidence; d. Encouraging innovation to promote competition and to benefit consumers through enhanced transparency across all financial products and services; and e. Reinforcing the UAE’s status as a leading financial technology hub in the region.

Where this Regulation includes a requirement to provide information or to take certain measures, or to address certain items listed at a minimum, the Central Bank may impose requirements that are additional to those provided in the relevant article.

Superseded Requirements and General Provisions This Regulation replaces all provisions of the Central Bank’s Open Finance Regulation issued via Circular No. 7/2023, on 31 December 2023.

Article (1) Definitions The following terms shall have the meaning assigned to them below for the purposes of this Regulation:

1. Account: an account held by a User with a Licensee relating to one or more of the Products specified in Article 5 of this Regulation.
2. Advice: advice on Products or Accounts and includes any method of communication that provides an opinion, evaluation, recommendation, and/or biased information / comparisons to a User or when acting as a User’s agent, provided that it could reasonably be regarded as having the intent to influence a User’s choice or decision to select, buy, sell, hold or subscribe to a particular Product or Account, related options or an interest in a particular Product or Account.
3. AML Laws: Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended, and Cabinet Decision No. (10) of 2019 Concerning the Implementing Regulation of Decree Federal Law No. (20) of 2018 on Anti-Money Laundering and Combating the Financing of Terrorism and Illegal Organizations, as amended, and any instructions, guidelines and notices issued relating to their implementation.
4. API Hub: the centralised Application Programming Interface Hub and Trust Framework, licensed and supervised by the Central Bank, through which parties are able to access the Open Finance Framework.
5. Applicant: any juridical person duly incorporated in the State which submits an Application.
6. Application: a written request for obtaining an Open Finance Licence.
7. Authorized Individual: any natural Person authorized in accordance with the provisions of the Central Bank Laws, to carry on any of the Designated Functions.
8. Bank: any juridical person licensed in accordance with the provisions of the Central Bank Law to primarily carry on the activity of taking deposits and any other Licensed Financial Activities.
9. Board: the board of directors of an Applicant, an Open Finance Provider or the API Hub, as the case may be, in accordance with applicable State law.
10. Central Bank: the Central Bank of the United Arab Emirates.
11. Central Bank Law: the Decretal Federal Law No. (14) of 2018 Regarding the Central Bank and Organization of Financial Institutions and Activities, as amended.
12. Central Bank Laws: the Central Bank Law and the Insurance Law.
13. Chief Executive Officer: the most senior executive appointed by the Board.
14. Common Infrastructural Services: the services specified in Schedule 1 of this Regulation.
15. Confidential Data: data relating to a User, who is or can be identified, either from the confidential data, or from the confidential data in conjunction with other information that is in, or is likely to come into, the possession of a Person or entity that is granted access to the confidential data.
16. Controller: a Person that alone or together with the Person’s associates has an interest in at least 20% of the shares in an Open Finance Provider or is in a position to control at least 20% of the votes in an Open Finance Provider.
17. Data Holder: a Licensee holding User Data.
18. Data Sharing: an on-line service to provide a User with consolidated User Data relating to one or more Accounts and/or Products held with a Data Holder.
19. Data Sharing Provider: a juridical person who is licensed by the Central Bank to carry on Data Sharing activities.
20. Designated Functions: functions of the Authorized Individual at, or for the benefit of, the Open Finance Provider or the API Hub, of influential nature on the institution's activities.

[Note: The provided text ends at definition 20. The subsequent articles and schedules are not included in the source text.]