...

Version           Date            Description of Changes
Bahrain OBF v1.0  25th Aug 2020   Initial Release

...

2. Overview

The Central Bank of Bahrain (CBB) has worked with experts to develop rigorous security specifications for the wider Open Banking ecosystem. This document covers the key security considerations that are essential for an Open Banking ecosystem and that apply to ASPSPs and to AISPs/PISPs.

...

All requirements and best practices stated in this document are in addition to existing rules and guidelines set by the CBB and the PDPL. In all cases, external assurance and certification of adherence to the information security requirements is preferable to self-certification.

...

3. Open Banking System Security Guidelines

It is recommended that all stakeholders in the Open Banking ecosystem align to the ISO/IEC 27001:2013 standard. Further, all ASPSPs/AISPs/PISPs should take a risk-based approach to security by applying the internationally recognised National Institute of Standards and Technology (NIST) framework.

...

All ecosystem participants (ASPSP/AISP/PISP) must ensure compliance with existing guidelines published by the CBB on cyber risk, cyber and internet security (CBB Rulebook Volume 1 and Volume 5).

...

3.1 Penetration Testing

Penetration testing systematically probes for vulnerabilities in applications and networks and should be undertaken in a controlled manner (to minimise any impact on live operations). The benefits of penetration testing include:

...

Further, penetration and vulnerability testing may additionally be conducted by AISPs/PISPs/ASPSPs in line with the Open Banking release cycle, i.e. for every major release of the entity's Open Banking systems, and for any minor release that may directly impact or expose sensitive or personal data of users/customers.

...

4. Open Banking API security specifications

All participants must implement the Open Banking security aspects of the API specification, including authentication, authorisation, access levels and permissions, and encryption. The following API security specifications leverage the OpenID Foundation's Financial-grade API (FAPI) Read and Write API Security Profile. This specification is published on the OpenID Foundation website at openid.net.
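The FAPI Read and Write profile requires the ASPSP to return the ID token in the authorisation response (the hybrid flow, response_type=code id_token) and to bind that token to the authorisation code and to the client's state value through the c_hash and s_hash claims. The following is an added example, not code from this framework or from the OpenID Foundation, of the checks an AISP/PISP should run on that front-channel response before it redeems the code. The issuer URL, client_id, authorisation code and timestamp are constructed values; JWS signature verification of the ID token is assumed to have been done already by a JOSE library, so the function works on the verified claim set.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values (assumptions, not identifiers from the framework).
ASPSP_ISS = "https://aspsp.example.bh"
CLIENT_ID = "tpp-aisp-001"
STATE = "af0ifjsldkj"
NONCE = "n-0S6_WzA2Mj"
NOW = 1598313600  # fixed timestamp so the example is reproducible offline


def half_hash(value: str) -> str:
    """Left-most-half hash used for c_hash / s_hash / at_hash.

    For ID tokens signed with a SHA-256 based algorithm (RS256, PS256, ES256):
    SHA-256 over the ASCII octets of the value, keep the left-most 128 bits,
    base64url-encode without padding (22 characters).
    """
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def check_authorization_response(params, claims, expected_state, expected_nonce,
                                 expected_iss, client_id, now=None):
    """Validate the hybrid-flow redirect: query/fragment params plus verified ID token claims.

    Returns a list of failure descriptions; an empty list means the code may be redeemed.
    """
    now = time.time() if now is None else now
    failures = []

    def require(cond, msg):
        if not cond:
            failures.append(msg)

    code = params.get("code")
    require(code is not None, "missing authorization code")
    # state must round-trip unchanged (CSRF protection on the redirect URI)
    require(params.get("state") == expected_state, "state does not match the value we sent")
    # standard ID token checks
    require(claims.get("iss") == expected_iss, "unexpected issuer")
    aud = claims.get("aud")
    require(aud == client_id or (isinstance(aud, list) and client_id in aud),
            "aud does not contain our client_id")
    require(claims.get("nonce") == expected_nonce, "nonce mismatch (possible replay)")
    require(isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now, "ID token expired")
    # FAPI R/W bindings: the signed ID token must commit to the code and the state,
    # otherwise an attacker could swap in a different code on the redirect.
    c_hash = claims.get("c_hash")
    require(isinstance(c_hash, str) and code is not None
            and hmac.compare_digest(c_hash, half_hash(code)),
            "c_hash does not bind the authorization code")
    s_hash = claims.get("s_hash")
    require(isinstance(s_hash, str)
            and hmac.compare_digest(s_hash, half_hash(expected_state)),
            "s_hash does not bind the state")
    return failures


def make_sample_response(state, nonce, now=NOW):
    """Constructed sample of what an ASPSP returns to the TPP's redirect URI.

    The ID token is represented by its claim set only; in practice it is a signed JWS
    whose signature must be verified against the ASPSP's published keys first.
    """
    code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed authorization code
    claims = {
        "iss": ASPSP_ISS,
        "sub": "psu-12345",
        "aud": CLIENT_ID,
        "nonce": nonce,
        "iat": now,
        "exp": now + 300,
        "c_hash": half_hash(code),
        "s_hash": half_hash(state),
    }
    return {"code": code, "state": state}, claims


if __name__ == "__main__":
    params, claims = make_sample_response(STATE, NONCE)
    print("clean response:", check_authorization_response(params, claims, STATE, NONCE,
                                                          ASPSP_ISS, CLIENT_ID, now=NOW))
    tampered = dict(params, code="attacker-injected-code")
    print("tampered code:", check_authorization_response(tampered, claims, STATE, NONCE,
                                                         ASPSP_ISS, CLIENT_ID, now=NOW))
```

The hash comparisons use hmac.compare_digest so that an attacker cannot learn how many leading characters of a forged c_hash matched. Note that c_hash and s_hash only add value because the ID token is signed by the ASPSP; if the client accepts the claims without verifying the JWS, every check above can be satisfied by the attacker.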

...

  • Authentication and Authorisation;

  • Data Encryption; and

  • Fraud detection and monitoring.

 

...

4.1 Authentication and Authorisation

The process through which a user/customer authenticates to its data attribute provider or ASPSP (in order to then authorise access by a third party) is a tripartite process between the user/customer, the ASPSP and the AISP/PISP, and should be designed to minimise digital friction. Specifically:

...

Part 2: Read and Write API Security Profile

...

4.2 Data encryption

API connections should be encrypted in transit (TLS) so that data exchanged between participants cannot be read or tampered with on the way.

...

[1] Streaming APIs enable a subscription for receiving events in near real time using push technology. Streaming APIs invert the conversational nature of REST and allow the ASPSP server to send information to an AISP/PISP when an update is ready. While the AISP/PISP can, in theory, request an update, the ASPSP's streaming server should pre-empt this by pushing updates as they become ready. A streaming API reduces the load on the system by reducing the number of API calls, thereby improving performance.

...

4.3 Fraud detection and monitoring

In addition to operating a counter-fraud function, all participants must include the complete set of risk indicators within their payloads, to support strong security across the Open Banking ecosystem and aid fraud detection and prevention.

...