Skip to main content
  • Initial and Ongoing Requirements

    • Article (6) Minimum Capital

      1. For the purpose of being granted a license by the Central Bank to perform an Open Finance Service, an Open Finance Provider will be required to hold a minimum capital amount of one million Dirham (AED 1,000,000).
      2. Additional capital requirements may be imposed by the Central Bank, at its sole discretion and notified to the Open Finance Provider, with the Central Bank taking into account factors such as the risk, size and/or complexity associated with the activities conducted by the Open Finance Provider.
    • Article (7) Aggregate Capital Funds

      1. An Open Finance Provider must hold, at all times, aggregate capital funds that do not fall below the minimum capital requirements set in Article 6 of this Regulation.
      2. The minimum capital held as aggregate capital funds must be the higher of the figure stated in Article 6 of this Regulation and the Central Bank’s estimate of the wind down costs for the Open Finance Provider.
      3. The Central Bank may at its sole discretion impose aggregate capital funds requirements higher than the requirements referred to in Article 7(1) of this Regulation, if, taking into consideration the risk, scale and complexity of the Open Finance Provider’s business, it considers such higher requirements are necessary for ensuring that the Open Finance Provider has the ability to fulfil its obligations under this Regulation.
    • Article (8) Capital Instruments

      1.  An Open Finance Provider’s aggregate capital funds consist of:

        1.1.paid-up capital;
        1.2.reserves, excluding revaluation reserves; and
        1.3.retained earnings.
      2. An Open Finance Provider’s aggregate capital funds cannot be met by any capital held within their entity which is otherwise allocated as any other regulatory capital for Licensed Financial Activities.
      3. The following items must be deducted from the aggregate capital funds:

        3.1accumulated losses;
        3.2goodwill; and
        3.3any other items as determined by the Central Bank.
    • Article (9) Professional Indemnity Insurance

      1. An Open Finance Provider must hold professional indemnity insurance of an amount and scope suitable and proportionate to the risks arising from the Open Finance Service it provides, as determined by the Central Bank on a case-by-case basis. Subject to this, the minimum limits of indemnity per year are:

        1.1.for a single claim, five million Dirham (AED 5,000,000); and
        1.2.in aggregate the higher of five million Dirham (AED 5,000,000) or an amount equivalent to 50% of annual income from the Open Finance Provider’s Open Finance Services.
         The Central Bank may determine that an Open Finance Provider must hold minimum limits of indemnity in excess of these amounts.
      2. The professional indemnity insurance must at a minimum cover liabilities of the Open Finance Provider and its employees in respect of, inter alia, Unauthorized Transactions, data loss and breaches, cyber security risks and delayed or incorrectly Initiated Transactions.

       

    • Article (10) Control of Controllers

      1. A Person must not become a Controller of an Open Finance Provider without obtaining prior authorisation from the Central Bank.
      2. The Central Bank may grant authorisation under Article 10(1) of this Regulation if it considers that:

        2.1having regard to the likely influence of the Controller, the Open Finance Provider will remain compliant with the requirements of this Regulation and any other relevant Regulations, including Regulations issued in accordance with this Regulation and any relevant law; and
        2.2the Controller meets the fit and proper and suitability requirements specified by the Central Bank.
      3. The approval under Article 10(2) of this Regulation may be granted subject to any conditions that the Central Bank may impose on the Person, including, but not limited to:

        3.1conditions restricting the Person’s disposal or further acquisition of shares and/or voting powers in the Open Finance Provider; and
        3.2conditions restricting the Person’s exercise of voting power in the Open Finance Provider.
    • Article (11) Corporate Governance

      1. Open Finance Providers must have and maintain effective, robust and well-documented corporate governance arrangements, including a clear organisational structure with well-defined, transparent and consistent lines of responsibility.
      2.  The corporate governance arrangements referred to in Article 11(1) of this Regulation must be comprehensive and proportionate to the nature, scale and complexity of the Open Finance Provider’s business, and must contain, at a minimum:

        2.1a Board approved organisation structure which records in writing each division, department or unit, indicating the name of each responsible individual accompanied by a description of the respective function and responsibilities;
        2.2controls on conflicts of interest;
        2.3controls on integrity and transparency of the Open Finance Provider’s operations;
        2.4controls to ensure compliance with applicable laws and Regulations;
        2.5methods for maintaining confidentiality of information and complying with data privacy requirements; and
        2.6procedures for regular monitoring and auditing of all corporate governance arrangements.
      3. The Senior Management of an Open Finance Provider must fulfil fit and proper and suitability requirements specified by the Central Bank from time to time, including that each member of Senior Management:
      3.1is competent and possesses the necessary knowledge, skills, qualifications and experience;
      3.2has a record of acting honestly, ethically, with integrity and is of good repute;
      3.3has a good record of financial conduct;
      3.4is able to make his/her own decisions in a reasoned, objective and independent manner; and does not have any conflict of interest that could affect their conduct;
      3.5has sufficient time to devote to fully performing his/her duties/responsibilities under this Regulation;
      3.6contributes to the collective suitability of the Senior Management; and
      3.7meets any additional requirements specified in applicable Regulations.

       

    • Article (12) Risk Management, Compliance and Internal Audit

      1. Open Finance Providers must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational, security and other risks to which they are or might become, exposed.
      2. The framework established under Article 12(1) of this Regulation must be proportionate to the nature, scale and complexity of the Open Finance Provider’s business, and must contain, at a minimum:

        2.1incident management procedures, including for the detection and classification of major operational and security incidents;
        2.2business continuity and disaster recovery plans, which include: (i) an adequate business continuity management programme to ensure continuation, timely recovery, or in extreme situations, orderly scale-down of critical operations in the event of major disruptions. The programme must comprise business impact analysis, recovery strategies, a business continuity plan and alternative sites for business and information technology recovery; and (ii) appropriate software development life cycle practices to ensure operational resilience and minimise application failures that may pose risks to users; and
        2.3sound administrative and accounting procedures.
      3. Open Finance Providers must establish a risk management function, an internal audit function and a compliance function and ensure that they are adequately resourced.
      4. Open Finance Providers must establish and maintain on an ongoing basis a wind down plan that is acceptable to the Central Bank.
      5. The risk management function must be independent, permanent, have a reporting line directly to the Board and effectively monitor, report on and mitigate the operational, market, credit, legal and other risks to which the Open Finance Provider is exposed.
      6.  The compliance function must be independent, permanent, have a reporting line directly to the Board and must monitor and report on observance of all applicable laws, regulations and standards and on adherence by staff and Senior Management to legal requirements, proper code of conduct and the requirements of this Regulation and other Regulations, where applicable.
      7. The internal audit function must be independent, permanent, report directly to the Board, employ best practice in internal audit, and be effective. It must provide independent assurance to Senior Management on the quality of the Open Finance Provider’s internal controls, risk management, compliance, systems, and controls.
      8.  Open Finance Providers must not Outsource any material activity, including to any related party without the prior receipt of notification of non-objection from the Central Bank. Open Finance Providers will retain full responsibility for the services provided by any Outsourced service provider. Although all requests for non-objection will be considered on their individual merits, the Central Bank will, in general, not permit the Outsourcing of core activities, and key management and control functions.
      9.  Regulatory requirements for specific functions including risk management, internal audit and compliance, may be established in separate Regulations.
    • Article (13) Record Keeping

      1. Open Finance Providers must maintain records relating to the provision of their Open Finance Services, which must at a minimum include records of the following matters:

        1.1.User consent to access User Data and/or Initiate Transactions as required under Article 22 of this Regulation;
        1.2.Evidence of all User Data provided to the Open Finance Provider by Licensees who are Data Holders on behalf of Users;
        1.3.All Transactions Initiated by the Open Finance Provider on the instruction of Users; and
        1.4.Evidence of all User Data related to a Transaction which was destroyed or otherwise disposed of.
      2. All records maintained pursuant to Article 13 of this Regulation must be kept securely, in a durable medium and must be capable of being made available to the Central Bank promptly upon request.
      3. Open Finance Providers must retain the records referred to in Article 13 of this Regulation for a period of at least five (5) years from the date of creation of such records, unless otherwise required by applicable laws or the Central Bank.
    • Article (14) Notification and Reporting Requirements

      1.  An Open Finance Provider must be open and cooperative with the Central Bank and notify the Central Bank of all matters that the Central Bank might reasonably require notice of, including to support the performance of the Central Bank’s supervisory functions.
      2. An Open Finance Provider must comply with all regulatory reporting requirements, including ongoing requirements specified by the Central Bank from time to time.
      3. Where any material change affects the accuracy and completeness of information provided in an Application, the Applicant or Open Finance Provider, as the case may be, must immediately notify the Central Bank of such change and provide all necessary information and documents.
      4. An Open Finance Provider must immediately notify the Central Bank of any violation or potential violation of a material requirement under this Regulation or other applicable legal or regulatory requirement.
      5. An Open Finance Provider must immediately notify the Central Bank if it becomes aware that any of the following events have occurred or are likely to occur:

        5.1if a Data Holder or Service Owner unjustifiably refuses access to an Account or Product and/or information relating to them;
        5.2any event that prevents access to or disrupts the operational or security status of the Open Finance Provider;
        5.3any legal action taken against the Open Finance Provider or any member of its Senior Management or director of the Board either in the State or outside the State;
        5.4the commencement against the Open Finance Provider or any member of its Senior Management or director of the Board of any insolvency, winding up, liquidation or equivalent proceedings, or the appointment of any receiver, administrator or provisional liquidator in any jurisdiction;
        5.5any disciplinary measure or sanction taken against the Open Finance Provider or any member of its Senior Management or director of the Board or any measure or sanction imposed on any of them by a body other than the Central Bank, whether in the State or outside the State;
        5.6any material change in regulatory requirements to which the Open Finance Provider is subject beyond those of the Central Bank, whether in the State or outside the State; or
        5.7any other event specified by the Central Bank.