General
What is Bahrain Open Banking Framework (Bahrain OBF)?
Bahrain OBF is the Open Banking Framework that supports the implementation of open banking in Bahrain. It will promote innovation while at the same time ensuring that the highest standards are adopted in addressing customer data confidentiality, data security and privacy, and the safety and robustness of Bahrain’s financial system.
Bahrain OBF has been developed considering the relevant use cases (payments as well as account information sharing) that have several business opportunities for the ASPSPs and third party providers to cater to the customer’s unique needs. Bahrain OBF covers the associated technical and non-technical elements, namely customer experience guidelines, user/customer journeys, API specifications, operational guidelines, and security standards and guidelines.
What are the guiding principles for the Bahrain Open Banking Framework (Bahrain OBF)?
Create Value: Focus on delivering true value without placing undue burdens on any OB participant.
Enhance Transparency: Ensure customers are fully informed of their rights and responsibilities regarding the transfer, possession, and use of their data.
Ensure Safety: Deliver a Framework while keeping customer convenience, safety and security at the center.
Adoption: Ensure a seamless economy-wide adoption by balancing regulation, participation, and speed to market with the scope of products and/or data.
...
No, there is no additional charge for using Open Banking as a service. Keeping in view the overall objectives of Open Banking which include enhancing customer experience and competitiveness, banks must share generic product information relevant to all the principal retail banking products and services, free of any fees or charges.
In addition to these basic services, AISPs/PISPs are free to provide other value added services for which they may bilaterally agree with the customer. Thus, some accredited third party providers may decide to charge you for some of their products/solutions/services customized for your needs.
...
Read access allows the data recipient to obtain copies of customers’ financial data and use it for such activities as data aggregation (for example, AIS: account aggregation services).
Write access allows the data recipient to initiate payments on behalf of the user/customer (for example, PIS: payment initiation services).
Security and Privacy
Is Bahrain Open Banking safe?
Safety and security of user/customer data have always been the primary focus area for Bahrain Open Banking:
The user/customer is always in control: The user/customer can choose when, for what purpose and for how long, to give access to his/her data.
Accreditation: Only third party providers regulated by the CBB can provide Open Banking services in Bahrain.
Existing Bahrain Regulations: All the existing Bahrain regulations for data security, storage, dispute, etc. will continue to be applicable to Open Banking services as well.
Security: All Open Banking participants should comply with the Security Standards and Guidelines as part of the Bahrain OBF.
...
Will I be informed about the end use of my data by a third party?
Yes. You need to give explicit consent to use the Open Banking services of a third party provider. Amongst other things, the consent will clearly state the purpose for which it is granted and the time period for which it will be used. Further, only licensed AISPs/PISPs are allowed to collect, access and use customer data for the purpose for which it was collected in accordance with Bahrain OBF guidelines.
How can I revoke access
...
to AISPs/PISPs who use my data?
Access to data is driven by consent and the purpose for which access was granted in the first place. There are 2 ways in which you can revoke access to your data:
You can withdraw your consent directly on the AISP’s/PISP’s application or website; or
You can inform your bank that you no longer want the AISP’s/PISP’s application or website to have access to your data.
What happens to my data after I cancel access?
...
Strong Customer Authentication or ‘SCA’ is authentication based on the use of three elements categorized as knowledge (something only the user knows [for example, a password]), possession (something only the user possesses [for example, a particular cell phone and number]) and inherence (something the user is [or has, for example, a fingerprint or iris pattern]) that are independent, so the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data. For further information on elements of SCA or related exemptions, kindly refer to the relevant Open Banking sections of the Rulebook.
Accreditation
Why should anyone apply for accreditation?
Only accredited third party providers and ASPSPs are allowed to offer Open Banking services in Bahrain.
Anyone who wishes to receive user/customer data to offer products or services to users/customers must be accredited with the CBB.
To become accredited, a person must apply to the CBB. The CBB will review the application and duly advise the applicant in writing when it has:
Granted the application without conditions;
Granted the application subject to conditions specified by the CBB; or
Refused the application, stating the grounds on which the application has been refused and the process for appealing against that decision.
What are the criteria for accreditation?
Accreditation criteria have been laid down and explained in detail in the Authorisation Module of Volume 5 of the CBB Rulebook.
How do I know if the third party provider is an accredited entity or not?
Anyone who wishes to know about the accreditation of a third party provider may do so by checking the list of accredited third party providers on the licensing directory available on the CBB website. In addition to the CBB website, the third party provider should clearly state their accreditation status.
What happens when an accredited entity does not comply with the Open Banking regulations?
The CBB may amend or revoke a license in any of the following cases:
If the licensee fails to satisfy any of the license conditions;
If the licensee violates the terms of the CBB Rulebook;
If the licensee fails to start a business within six months from the date of the license;
If the licensee ceases to carry out the licensed activity in the Kingdom;
If the legitimate interests of the customers or creditors of a licensee require such amendment or cancellation.
API Specification
What is the use of Unique Identifiers (Id Fields)?
A REST resource should have a unique identifier (e.g. a primary key) that may be used to identify the resource. These unique identifiers are used to construct URLs to identify and address specific resources. However, considering that some of the resources described in these specifications do not have a primary key in the system of record, the Id field will be optional for some resources. An ASPSP that chooses to populate optional Id fields must ensure that the values are unique and immutable.
...
Yes, ASPSPs can create their own enumerations. The Bahrain OBF Specification includes various fields of enumerated data types, where the values are either fixed to the defined set of alternatives (i.e. Static Enumerations), or flexible, with a defined set of alternatives that ASPSPs can use or extend (i.e. Namespaced Enumerations). When extending a namespaced enumeration:
ASPSPs must not publish an ASPSP-specific enumerated value if the existing Bahrain OBF guidelines define the enumerated value.
ASPSPs must place such values in a namespace consisting of their two-letter country code (ISO 3166-1 Alpha-2 code), followed by a full-stop, followed by their name, e.g. BH.Bank1.enum1, where Bank1 is the bank name and enum1 is the extended enumeration.
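One way an ASPSP conformance test or a third party provider's response validator could check enumeration values against the two rules above. This is an added example, not code from the Bahrain OBF specification: the values in STANDARD_VALUES, the short country-code allowlist, the alphanumeric-only name pattern and the function names are assumptions made for illustration.

```python
import re

# Constructed sample set for one hypothetical field; the real value lists
# are in the Bahrain OBF API specification, not on this page.
STANDARD_VALUES = {"Pending", "Booked"}
# Assumption: short allowlist standing in for the full ISO 3166-1 alpha-2 table.
ISO_ALPHA2 = {"BH", "AE", "SA", "GB"}

# <country code>.<ASPSP name>.<value>, e.g. BH.Bank1.enum1
# Assumption: name and value are plain alphanumerics.
NAMESPACED = re.compile(r"([A-Z]{2})\.([A-Za-z0-9]+)\.([A-Za-z0-9]+)")


def classify_enum(value, standard=STANDARD_VALUES):
    """Return (kind, reason); kind is 'standard', 'extension' or 'invalid'."""
    if not isinstance(value, str):
        return "invalid", "not a string"
    if value in standard:
        return "standard", "defined by the specification"
    match = NAMESPACED.fullmatch(value)
    if match is None:
        return "invalid", "neither a defined value nor CC.Name.value"
    country, _aspsp, local = match.groups()
    if country not in ISO_ALPHA2:
        return "invalid", "unknown country code"
    # Rule 1, as interpreted here: an extension must not re-publish a value
    # the framework already defines. The case-insensitive comparison is a
    # choice of this example, made to catch near-duplicates such as 'pending'.
    if local.lower() in {s.lower() for s in standard}:
        return "invalid", "duplicates a defined value"
    return "extension", "ASPSP-specific value"


def rejected(values, standard=STANDARD_VALUES):
    """Map each failing value to the reason it was rejected."""
    results = {v: classify_enum(v, standard) for v in values}
    return {v: reason for v, (kind, reason) in results.items() if kind == "invalid"}


if __name__ == "__main__":
    # Constructed inputs covering each outcome.
    for sample in ["Pending", "BH.Bank1.enum1", "BH.Bank1.pending", "bh.Bank1.enum1"]:
        print(sample, classify_enum(sample))
```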
...
Flow fails to succeed due to the USER/CUSTOMER providing invalid credentials to the ASPSP, resulting in no Authorisation Code being generated.
Further Information
How can I stay informed on new Open Banking updates or news?
...