...
The API must provide support for out-of-band (OOB) authentication:
Out-of-band (OOB): Out-of-band authentication is a type of authentication that requires a secondary verification step, delivered through a communication channel separate from the one carrying the usual ID and password. Because an attacker would have to compromise two independent channels rather than one, using a separate authentication channel makes it significantly more difficult to intercept and subvert the authentication process.
Forms of OOB authentication include codes sent to a mobile device via SMS, verification over a voice channel, codes delivered to a mobile app via push notification, and codes sent to or received from a trusted execution environment attached to the host device that is trying to establish the authenticated connection.
More generally, "out-of-band" means activity outside a defined telecommunications frequency band or, by extension, outside the channel in which some other activity takes place. Examples include secure authenticator mobile applications.
ASPSPs must notify the User/Customer asynchronously/OOB when significant actions have occurred (e.g. a change to a payee).
The ASPSP API response should indicate to the third party that an OOB process is underway so that, where appropriate, the third party can inform the User/Customer. The response should not carry the OOB code itself, otherwise the second channel offers no independent protection.
ASPSPs and AISPs/PISPs should include fraud-relevant information (e.g. IP addresses, geolocation) in the API messages.
The reporting of incidents and the process for handling them shall follow the existing guidelines on cyber risk in the CBB Rulebook.
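The following is an added illustration, not code from the CBB Rulebook or from any ASPSP, of how the OOB step described above can be implemented on the ASPSP side: a one-time code is issued for a specific significant action (here a payee change), delivered over the customer's own channel, and the API response returned to the third party only signals that an OOB process is pending. The delivery channel is modelled by an in-memory outbox standing in for SMS, push or voice; the code length, five-minute validity, three-attempt limit, the status value "oob_pending" and all sample data are assumptions chosen for the example and are not specified by the page.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy parameters: hypothetical values chosen for the example, not from the rulebook.
CODE_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 3            # wrong guesses before the challenge is discarded


@dataclass
class OobChallenge:
    challenge_id: str
    action: str        # canonical description of the action being confirmed
    code: str          # one-time code sent over the customer's separate channel
    expires_at: float
    attempts: int = 0


class OobService:
    """Issues and verifies OOB challenges for a significant action (e.g. a payee change)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, OobChallenge] = {}
        # Constructed stand-in for the secondary channel (SMS, push, voice):
        # a list of (destination, message) that a test can inspect.
        self.outbox: list[tuple[str, str]] = []

    def start(self, customer_channel: str, action: str) -> dict:
        """Begin an OOB confirmation; returns the API response the third party sees."""
        challenge_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**8):08d}"   # 8-digit numeric code from a CSPRNG
        self._pending[challenge_id] = OobChallenge(
            challenge_id, action, code, self._clock() + CODE_TTL_SECONDS)
        # Notify the customer on their own channel, naming the action so they
        # can recognise a request they did not initiate.
        self.outbox.append((customer_channel, f"Confirm '{action}' with code {code}"))
        # The code never appears in the API response: the third party only
        # learns that an OOB process is underway and can tell the customer so.
        return {"status": "oob_pending", "challenge_id": challenge_id}

    def verify(self, challenge_id: str, action: str, submitted_code: str) -> dict:
        """Complete the OOB step; the action must match the one the code was issued for."""
        ch = self._pending.get(challenge_id)
        if ch is None:
            return {"status": "rejected", "reason": "unknown_or_used_challenge"}
        if self._clock() > ch.expires_at:
            del self._pending[challenge_id]
            return {"status": "rejected", "reason": "expired"}
        if action != ch.action:
            return {"status": "rejected", "reason": "action_mismatch"}
        if not hmac.compare_digest(submitted_code, ch.code):  # constant-time compare
            ch.attempts += 1
            if ch.attempts >= MAX_ATTEMPTS:
                del self._pending[challenge_id]
                return {"status": "rejected", "reason": "too_many_attempts"}
            return {"status": "rejected", "reason": "wrong_code",
                    "attempts_remaining": MAX_ATTEMPTS - ch.attempts}
        del self._pending[challenge_id]          # single use: a confirmed code cannot be replayed
        return {"status": "confirmed", "action": ch.action}


def run_demo() -> dict:
    """Drive the flow with a controllable clock; returns the outcomes for inspection."""
    now = [1_000.0]
    svc = OobService(clock=lambda: now[0])
    action = "add payee: example-payee-1 (constructed)"
    api_response = svc.start("customer-mobile (constructed)", action)
    code = svc.outbox[-1][1].rsplit(" ", 1)[1]   # what the customer reads off their phone
    cid = api_response["challenge_id"]
    wrong_action = svc.verify(cid, "add payee: example-payee-2 (constructed)", code)
    wrong_code = svc.verify(cid, action, "00000000" if code != "00000000" else "11111111")
    ok = svc.verify(cid, action, code)
    replay = svc.verify(cid, action, code)       # same code again: already consumed
    resp2 = svc.start("customer-mobile (constructed)", action)   # fresh challenge left past its TTL
    code2 = svc.outbox[-1][1].rsplit(" ", 1)[1]
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc.verify(resp2["challenge_id"], action, code2)
    return {"api_response_status": api_response["status"],
            "code_in_api_response": code in str(api_response),
            "wrong_action": wrong_action["reason"], "wrong_code": wrong_code["reason"],
            "ok": ok["status"], "replay": replay["reason"], "expired": expired["reason"]}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Binding the code to the action it was issued for is the detail practitioners most often omit: without it, a code obtained by social engineering during one payee change can be presented to confirm a different one. The expiry, attempt limit and single-use deletion together bound how long and how many times an intercepted or guessed code is useful.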
CENTRAL BANK OF BAHRAIN © 2020