Location: Central Bank of Bahrain Volume 1—Conventional Banks > Part A > High Level Standards > GR General Requirements > GR-6 Open Banking
  • GR-6 Open Banking

    • GR-6.1 Access to PISPs and AISPs

      • GR-6.1.1

        The CBB has recognised the need to revise its rules in keeping with the following changes at a systemic level, both globally and regionally:

        a) market growth in e-commerce activities;
        b) increased use of internet and mobile payments;
        c) consumer demand to increasingly use smart device based payment solutions;
        d) the developments in innovative technology; and
        e) a trend towards customers having multiple account providers.

        This section sets forth the rules applicable to conventional retail bank licensees with regard to the new category of ancillary service providers described below.

        Added: April 2019

      • GR-6.1.2

        The CBB has established a Directive contained in "Module OB: Open Banking" in Volume 5 of the CBB Rulebook that deals with a new sub-category of ancillary service providers who, under the terms of the CBB license, may provide "payment initiation services" and/or "account information services". Such licensees are termed "payment initiation service providers" or PISPs and "account information service providers" or AISPs. Banks and other licensees which maintain a customer account are referred to in the CBB Rulebook Volume 5 as "licensees maintaining customer accounts".

        Added: April 2019

      • GR-6.1.3

        Conventional retail bank licensees must:

        (a) grant ancillary service providers of the types referred to in Paragraph AU-1.2.1 (f) and (g) of Rulebook Volume 5: Ancillary Service Providers Authorisation Module, access to customer accounts on an objective, non-discriminatory and proportionate basis based on consents obtained from the customer;
        (b) provide the criteria that the conventional retail bank licensee applies when considering requests pursuant to sub-paragraph (a) above for such access; and
        (c) ensure that those criteria are applied in a manner which ensures compliance with sub-paragraph (a) above while ensuring adherence to Law No 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.

        Added: April 2019

      • GR-6.1.4

        Access to customer accounts granted pursuant to Paragraph GR-6.1.3 must be sufficiently extensive to allow the AISP and PISP access in an unhindered and efficient manner.

        Added: April 2019

      • GR-6.1.5

        Access to customer accounts granted pursuant to Paragraph GR-6.1.3 shall mean that, at the customer's direction, the licensees are obliged to share all information that has been provided to them by the customer and that which can be accessed by the customer in a digital form. The obligation should only apply where the licensee keeps that information in a digital form. Furthermore, the obligation should not apply to information supporting identity verification assessment, which the licensees should only be obliged to share with the customer directly, not with a data recipient. The information accessed shall include transaction data, and product and services data that banks are required to publicly disclose (such as price, fees and other charges), which should be made publicly available under open banking. 'Value Added Data' and 'Aggregated Data' are not required to be shared. Value added data results from material enhancement by the application of insights, analysis or transformation by the licensee. Aggregated data refers to various elements of customer data aggregated for the purpose of internal management by the licensee.

        Added: April 2019

      • GR-6.1.6

        If a conventional retail bank licensee refuses a request for access to such services or withdraws access to such services, it must seek approval of the CBB in a formal communication which must contain the reasons for the refusal or the withdrawal of access and contain such information as the CBB may direct. The CBB shall approve the request if it is satisfied that the impact of not giving access is minimal. If the request is rejected, the conventional retail bank licensee must adhere to the direction provided by the CBB.

        Added: April 2019

    • GR-6.2 Communication Interface for PISPs and AISPs

      • GR-6.2.1

        Conventional retail bank licensees that offer to a payer a customer account that is accessible online must have in place at least one interface which meets each of the following requirements:

        (a) AISPs and PISPs must identify themselves in sessions with conventional retail bank licensees;
        (b) AISPs and PISPs must communicate securely to request and receive information on one or more designated payment accounts and associated payment transactions; and
        (c) PISPs must communicate securely to initiate a payment order from the payer's payment account and receive information on the initiation and the execution of payment transactions.

        Added: April 2019

      • GR-6.2.2

        Conventional retail bank licensees must establish the interface(s) referred to in Paragraph GR-6.2.1 by means of a dedicated interface.

        Added: April 2019

      • GR-6.2.3

        For the purposes of authentication of the customer, the interfaces referred to in Paragraph GR-6.2.1 must allow AISPs and PISPs to rely on the authentication procedures provided by the conventional retail bank licensee to the payment service user. In particular, the interface must meet all of the following requirements:

        (a) process for instructing and authentication by the conventional retail bank licensee;
        (b) establishing and maintaining authentication of communication sessions between the conventional retail bank licensee, the AISP, the PISP and the payment service user(s); and
        (c) ensuring the integrity and confidentiality of the personalised security credentials and of authentication codes transmitted by or through the AISP or the PISP.

        Added: April 2019

      • GR-6.2.4

        Conventional retail bank licensees must ensure that their interface(s) follow standards of communication which are agreed by the CBB and that the protocols are technology neutral. They must ensure that the technical specifications of the interface are documented and are made available to AISPs and PISPs when requested.

        Added: April 2019

      • GR-6.2.5

        Conventional retail bank licensees must establish and make available a testing facility, including support, for connection and functional testing by authorised AISPs and PISPs that have applied for the relevant authorisation, to test their software and applications used for offering an information/payment service to users. No sensitive information must be shared through the testing facility.

        Added: April 2019

      • GR-6.2.6

        Conventional retail bank licensees must ensure that the dedicated interface established for the AISPs and PISPs offers the same level of availability and performance, including support, as well as the same level of contingency measures, as the interface made available to the payment service user for directly accessing its payment account online.

        Added: April 2019

      • GR-6.2.7

        For the purposes of GR-6.2.6, the following requirements apply:

        (a) conventional retail bank licensees must monitor the availability and performance of the dedicated interface and make the resulting statistics available to the CBB upon their request;
        (b) where the dedicated interface does not operate at the same level of availability and performance as the interface made available to the conventional retail bank licensee's customer when accessing the payment account online, the bank must report it to the CBB and must restore the level of service for the dedicated interface without undue delay and take the necessary action to avoid its reoccurrence;
        (c) the report referred to in (b) above must include the causes of the deficiency and the measures adopted to re-establish the required level of service; and
        (d) AISPs and PISPs making use of the dedicated interface offered by conventional retail bank licensees must also report to the CBB any deficiency in the level of availability and performance required of the dedicated interface.

        Added: April 2019

      • GR-6.2.8

        Conventional retail bank licensees must include in the design of the dedicated interface a strategy and plans for contingency measures in the event of an unplanned unavailability of the interface and systems breakdown. The strategy must include a communication plan to inform the relevant AISP/PISP making use of the dedicated interface in the case of breakdown, measures to bring the system back to 'business as usual' and a description of alternative options AISPs and PISPs may make use of during the unplanned downtime.

        Added: April 2019

    • GR-6.3 Security of Communication Sessions and Authentication

      • GR-6.3.1

        Conventional retail bank licensees must ensure that communication sessions with PISPs and AISPs, including merchants, rely on each of the following:

        (a) a unique identifier of the session;
        (b) security mechanisms for the detailed logging of the transaction, including transaction number, timestamps and all relevant transaction data; and
        (c) timestamps which must be based on a unified time-reference system and which must be synchronised according to an official time signal.

        Added: April 2019

      • GR-6.3.2

        Conventional retail bank licensees must ensure secured identification when communicating with AISPs and PISPs.

        Added: April 2019

      • GR-6.3.3

        Conventional retail bank licensees must ensure that, when exchanging data with PISPs and AISPs via the internet, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.

        Added: April 2019

      • GR-6.3.4

        PISPs and AISPs must keep the access sessions offered by conventional retail bank licensees as short as possible and they must actively terminate the session as soon as the requested action has been completed.

        Added: April 2019

      • GR-6.3.5

        When maintaining parallel network sessions with the PISPs and AISPs, conventional retail bank licensees must ensure that those sessions are securely linked to the relevant sessions established, in order to prevent the possibility that any message or information communicated between them could be misrouted.

        Added: April 2019

      • GR-6.3.6

        Conventional retail bank licensees' sessions with PISPs and AISPs must contain unambiguous reference to each of the following items:

        (a) the customer and the corresponding communication session in order to distinguish several requests from the same customer;
        (b) for payment initiation services, the uniquely identified payment transaction initiated; and
        (c) for confirmation on the availability of funds, the uniquely identified request related to the amount necessary for the execution of the transaction.

        Added: April 2019

      • GR-6.3.7

        Conventional retail bank licensees must ensure that where they communicate personalised security credentials and authentication codes, these are not readable by any staff at any time.

        Added: April 2019

      • GR-6.3.8

        Conventional retail bank licensees must comply with each of the following requirements:

        (a) they must provide access to the same information from designated customer accounts and associated payment transactions made available to the customer when directly requesting access to the account information, provided that this information does not include sensitive payment data (such as customer security credentials or other personalised data, the holding of which or the use of which is not authorised by the customer; and data which may be used by the holder for unauthorised, fraudulent or illegal activity or transactions);
        (b) they must provide, immediately after receipt of the payment order, the same information on the initiation and execution of the payment transaction provided or made available to the customer when the transaction is initiated directly by the latter; and
        (c) they must, upon request, immediately provide AISPs and PISPs with a confirmation whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. This confirmation must consist of a simple 'yes' or 'no' answer.

        Added: April 2019

      • GR-6.3.9

        In case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements, the conventional retail bank licensees must send a notification message to the relevant PISP or AISP which explains the reason for the unexpected event or error.

        Added: April 2019

      • GR-6.3.10

        Where the conventional retail bank licensee offers a dedicated interface, it must ensure that the interface provides for notification messages concerning unexpected events or errors to be communicated by any PISP or AISP that detects the event or error to the other licensees participating in the communication session.

        Added: April 2019

      • GR-6.3.11

        Conventional retail bank licensees must provide access to information from customer accounts to AISPs whenever the customer requests such information.

        Added: April 2019

      • Secure authentication

        • GR-6.3.12

          Conventional retail bank licensees, AISPs and PISPs must have in place a strong customer authentication process and ensure the following:

          (a) no information on any of the elements of the strong customer authentication can be derived from the disclosure of the authentication code;
          (b) it is not possible to generate a new authentication code based on the knowledge of any other code previously generated; and
          (c) the authentication code cannot be forged.

          Added: April 2019

        • GR-6.3.13

          Conventional retail bank licensees, PISPs and AISPs must adopt security measures that meet the following requirements:

          (a) the authentication code generated must be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
          (b) the authentication code accepted by the licensee maintaining the customer account corresponds to the original specific amount of the payment transaction and to the payee agreed to by the payer;
          (c) an SMS message must be sent to the customer upon accessing the online portal or application and when a transaction is initiated; and
          (d) any change to the amount or the payee must result in the invalidation of the authentication code generated.

          Added: April 2019
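As an added illustration (not part of the Rulebook or of any CBB-specified scheme) of the dynamic linking required by GR-6.3.12 and GR-6.3.13 (a), (b) and (d), the Python below binds an authentication code to the amount, payee and session with an HMAC under a secret that is assumed to be held by the possession element; the key, session identifier, payee and amount are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    """The payment details the payer agrees to when initiating the transaction."""
    payee: str          # beneficiary identifier (constructed sample values in demo())
    amount_minor: int   # amount in minor currency units (e.g. fils), never a float
    currency: str


def _canonical(order: PaymentOrder, session_id: str, nonce: str) -> bytes:
    # Length-prefixed, fixed-order encoding so that two different orders can
    # never serialise to the same bytes (e.g. amount "12"+"3" vs "1"+"23").
    parts = [session_id, nonce, order.payee, str(order.amount_minor), order.currency]
    encoded = [p.encode("utf-8") for p in parts]
    return b"".join(len(e).to_bytes(2, "big") + e for e in encoded)


def generate_auth_code(key: bytes, order: PaymentOrder, session_id: str) -> tuple[str, str]:
    """Issue a code linked to one order in one session (key = assumed possession-element secret).
    A fresh nonce means an observed code cannot be replayed or used to derive the next one."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(key, _canonical(order, session_id, nonce), hashlib.sha256).hexdigest()
    return nonce, tag


def verify_auth_code(key: bytes, order: PaymentOrder, session_id: str,
                     nonce: str, tag: str) -> bool:
    """Bank-side check: accept the code only for the original amount, payee and session."""
    expected = hmac.new(key, _canonical(order, session_id, nonce), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak information about the tag.
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Walk through GR-6.3.13 (a), (b) and (d) with constructed sample values."""
    key = secrets.token_bytes(32)                 # constructed: per-device secret
    session_id = "sess-" + secrets.token_hex(8)   # unique session identifier (GR-6.3.1 (a))
    order = PaymentOrder(payee="BH-PAYEE-0001", amount_minor=12500, currency="BHD")
    nonce, tag = generate_auth_code(key, order, session_id)
    return {
        "original_accepted": verify_auth_code(key, order, session_id, nonce, tag),
        "amount_changed_rejected": not verify_auth_code(
            key, PaymentOrder("BH-PAYEE-0001", 125000, "BHD"), session_id, nonce, tag),
        "payee_changed_rejected": not verify_auth_code(
            key, PaymentOrder("BH-PAYEE-0002", 12500, "BHD"), session_id, nonce, tag),
        "other_session_rejected": not verify_auth_code(key, order, "sess-other", nonce, tag),
    }
```

Every entry of `demo()` is `True`: the code is accepted only for the amount, payee and session it was generated for, and without the key a verifier cannot be satisfied by a guessed or previously observed code.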

      • Independence of elements of strong authentication

        • GR-6.3.14

          Conventional retail bank licensees, AISPs and PISPs must establish adequate security features for customer authentication including the use of the following three elements:

          (a) an element categorised as knowledge (something only the user knows), such as length or complexity of the PIN or password;
          (b) an element categorised as possession (something only the user possesses), such as algorithm specifications, key length and information entropy; and
          (c) for the devices and software that read elements categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features.

          Added: April 2019

        • GR-6.3.15

          Conventional retail bank licensees, AISPs and PISPs must ensure that the elements referred to in Paragraph GR-6.3.14 are independent, so that the breach of one does not compromise the reliability of the others, in particular when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone which can be used both for giving the instruction to make the payment and in the authentication process. The CBB will consider exempting licensees from 3-factor authentication on a case-by-case basis.

          Added: April 2019

    • GR-6.4 Standards for Program Interfaces and Communication

      • GR-6.4.1

        Conventional retail bank licensees must adhere to the best practices of technical standards, including for application program interfaces (APIs), electronic identification, transmission of data and web security.

        Added: April 2019

      • GR-6.4.2

        Conventional retail bank licensees should use a single standard by making a reference to Open API standards in a leading financial centre and which should be subject to independent tests, including testing in a test environment.

        Added: April 2019

      • GR-6.4.3

        To remain technologically neutral, the technical standards adopted by conventional retail bank licensees must not require a specific technology to be adopted by AISPs or PISPs. Authentication codes must be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys and/or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled.

        Added: April 2019

    • GR-6.5 Implementation

      • GR-6.5.1

        Conventional retail bank licensees must provide the CBB with implementation plans before 31st January 2019 and the arrangements to implement the requirements of this Chapter should be completed at the latest by 30th June 2019. The banks must notify the CBB when they anticipate delays, together with action plans to counter the anticipated delays. The banks must make available the resources to AISPs/PISPs within a reasonable period after satisfying all the requirements.

        Added: April 2019
