Compare Standards
Open Finance System (Sistema de Finanzas Abiertas – SFA) Chile
CBUAE
Bahrain Open Banking Framework – Bahrain OBF
Standard
Description

A system that enables the exchange of financial customer information between different service providers (with the customer’s prior consent) and allows for payment initiation. This is achieved through remote and automated access interfaces (APIs) for direct communication between institutions under appropriate security standards.

The standard that supports the implementation of open finance in the UAE.

The framework that supports the implementation of Open Banking in Bahrain.

Owner

Financial Market Commission (Comisión para el Mercado Financiero – CMF) of Chile

CBUAE

The Central Bank of Bahrain (CBB)

Region

Chile (Latam)

UAE

Bahrain

Principles

Designed to promote competition, innovation, and inclusion in the financial system. It is governed by the principles of interoperability, non-discrimination among participants, information security, personal data protection, and customer control over their data through express consent.

To stimulate innovation across the UAE’s financial sector by encouraging more consent-driven, data-rich, collaborative, secure and customer-centric digital business and service models. Achieving this vision will deliver greater clarity and control to customers, so that they can manage their finances better.

The API specifications are designed to be extensible, allowing for updates to capabilities and functionality. 

The Bahrain OBF follows PSD2's guidance. In addition, the Bahrain OBF API specifications have drawn references from the UK OBIE API specification guidelines, the intellectual property rights for which belong to OBIE, UK, and are subject to usage limitations as specified by OBIE, UK.

Case Studies

The regulatory framework was designed considering international reference models such as the UK, Brazil, Australia, India, Singapore, and Bahrain as baselines. Specific domestic case studies are pending as the ecosystem is currently in its implementation phase.

Buy Now, Pay Later (BNPL) offers customers a flexible range of instalment options to choose from while shopping. It was first introduced and revolutionised by Klarna, a Swedish financial firm, in 2005. Recently, Taly launched the first Sharia-compliant BNPL service in the Kingdom of Bahrain, which is free for customers.

Data Format
JSON RESTful
JSON RESTful YAML
JSON RESTful
API Status
Active API
Active API
Active API
Version

Specification and design are based on OpenAPI version 3.1.

Open Finance Standards v1.2-final – 20/12/2024

v1.0.0 / 28 Oct 2020

Access

Remote and automated access via RESTful architecture. Connections require mutual authentication using Mutual Transport Layer Security (mTLS) and cryptographic validation of digital certificates issued by a valid Certificate Authority.

The API specifications and business rules are publicly available.

All licensed financial institutions (LFIs) are required to adhere to the open finance standard.

Accredited TPPs may access LFI APIs within the ecosystem.

Access to account information and payment initiation services requires access to customer accounts through APIs with licensees maintaining customer accounts.

The Bahrain OBF API specifications have drawn references from the UK OBIE API specification guidelines, the intellectual property rights for which belong to OBIE, and are subject to usage limitations as specified by OBIE.

Approach

Regulated


The implementation of the Open Finance System (SFA) follows a phased approach as established by General Rule No. 514 (NCG 514). While the rule was published on July 3, 2024, the mandatory data-sharing ecosystem will officially go live in July 2026 (24 months after publication). This will be followed by a gradual 36-month rollout for different types of institutions.

The system is deployed in phases ranging from 12 to 36 months after its entry into force (July 2026). It begins with public data and concludes with transactional data for all customers and payment initiation services, varying by the size and role of the entity.

Regulated


Regulated


Mandated / Premium
Mandated
Mandated
Mandated
Key Features

APIs for financial data exchange and payment initiation; a Centralised Participants Directory managed by the CMF; a mandatory Alternative Mechanism for operational contingencies; Dynamic Client Registration (DCR); and a Developer Web Portal equipped with a testing Sandbox.

Key elements of the Open Finance Framework:

1. Roadmap: Access the detailed open finance roadmap, ensuring clarity and ease of updates.

2. Approved Use Cases: Review the approved use cases demonstrating the practical applications and benefits of open finance.

3. Catalogue of Standards: Browse through the comprehensive catalogue of all Open Finance standards relevant to LFIs and TPPs.

4. Testing and Certification Framework: Requirement and process for LFIs and TPPs for testing and certifications.

5. Open Finance Platform: User guides and other essential documentation for the Open Finance Platform (OFP).

6. Limitation of Liability Model: Address various dispute scenarios, identify the liable and responsible parties, and estimate the extent of redress.

7. Commercial and Pricing Model: Sets out the fee structure for access to and usage of the Open Finance Platform.

8. AML and Fraud Guidelines: Cover Anti-Money Laundering and Fraud Management Guidelines across components.

The first in the world to include Islamic banking licenses.

The framework is principally based on global ISO standards, specifications and guidelines as published by the Open Banking Implementation Entity (OBIE) in the U.K., the Open Banking standards in Australia, and the Payment Services Directive (PSD2). These have been customized for implementation in Bahrain based on existing practices and terminology used by the Bahrain ecosystem.

Banks must share generic product information relevant to all the principal retail banking products and services, free of any fees or charges.

In addition to these basic services, AISPs/PISPs are free to provide other value-added services for which they may bilaterally agree with the customer. Thus, some accredited third-party providers may decide to charge for some of their products/solutions/services customised for customers’ needs.

Events
Scope

Banking

Applies to Banks, Credit Card Issuers, Card Operators, Cooperatives, Insurance Companies, General Fund Administrators (AGF), Brokerages, and Compensation Funds. It covers information on terms and conditions, customer service channels, customer onboarding, historical financial positions, transaction history, active products, and payment initiation.

Finance

Open Finance
– Bank Service Initiation
– Bank Data sharing
– Insurance Data Sharing

Banking

Open Banking

  • Account information
  • Payment Initiation
Products

Account opening and onboarding

Credit Cards

Insurance

Investments

Accounts (current, sight, savings, funding provision), credit cards, credit operations (consumer, commercial, mortgage), insurance policies (life, general, pension), investment instruments (time deposits, mutual funds, APV), and card operation services.

Current Accounts

Savings

Current Accounts

Trust Framework

FAPI 2

OAuth

Supported by the “Participants Directory” operated by the CMF, which centralizes identities, roles, endpoints, and statuses. It relies on a Public Key Infrastructure (PKI) and requires Digital Certificates under the X.509v3 standard with extended validation (EV). It leverages Software Statement Assertions (SSA) signed by the directory for Dynamic Client Registration.

Technical specifications are governed by Technical Annex 3 (Annex of NCG 514), which was further updated via public consultation in January 2026. Key standards include:

  • Security: Authentication is set to ‘Redirected Mode’ for payment initiation.

  • Dynamic Client Registration: Includes a mandatory Dynamic Client Registration (DCR) API for service providers.

  • Consent: Standards for generating, managing, and revoking consent must be granular and verifiable, with a mandatory ‘Consent Dashboard’ for users.

Certificates

Registry

Certificates

Registry

Consent
Security Model

Implements the advanced security profile of the OpenID Foundation: FAPI 2.0 Security Profile. It mandates the use of the OAuth 2.0 authorization framework, OpenID Connect, TLS 1.3 protocol, mutual validation via mTLS, Pushed Authorization Requests (PAR), PKCE, JWT tokens, and asymmetric message signing for non-repudiation (JWS).

FAPI 2.0

OAuth

OIDF

CIBA

FAPI1

OAuth

OIDC

Access to the Open Banking API is secured using the OpenID Foundation's Financial-grade API (FAPI) Profile.

Access also requires customers (Payment Service Users or PSUs) to undergo Strong Customer Authentication (SCA) as part of OpenID Connect authorisation flows.

The API currently supports app->web, mobile-web->web, web->web authentication flows.


Account Information
Payment Initiation

Services where a Payment Initiation Service Provider (PSIP) instructs charges or credits on behalf of the customer to their Account Providing Institution (IPC). It supports immediate single payments, scheduled payments, and predefined or variable recurring payments. It requires redirected authentication flows for funds confirmation and payment authorization.

As of the January 2026 updates, the CMF has finalized dictionaries and sequence diagrams for five specific payment APIs:

  1. One-time payments.

  2. Scheduled one-time payments.

  3. Recurring fixed-amount payments.

  4. Recurring variable-amount payments.

  5. Funds confirmation (CAF).

Bulk & Batch

Fixed Recurring

Future Dated

International Payments

Refunds

Single Instant

Variable Recurring Payments

Bulk Payments

Future Dated Payments

Single Domestic Payments

Single International Payments

Guidelines

Established across three levels: Level 1 (Guidelines and Policies via NCG 514), Level 2 (Technical definitions of standards), and Level 3 (Manuals and concrete technical specifications incorporated in Annex No. 3 – Technical Annex).

API Specifications

Customer Experience Guidelines

Operational Guidelines

API Specifications

Operational Guidelines

Developer Resources

The CMF will provide a “Developer Web Portal” (openfinancechile.atlassian.net) featuring technical documentation, manuals, flows, data dictionaries, coding references, a community forum, and access to a Sandbox environment.

The following resources are available to all registered developers:

Open Finance Framework (including Use Cases, Business Rules and Standards)

Certification

It is mandatory to issue a findings report regarding Functional Tests before moving to production. This certification must be provided by an external certifying entity with at least 3 years of experience in digital services, along with verifiable expertise in APIs and cybersecurity (possessing an ISO 27001 certification or SOC 2 standard).

Customer Experience

Functional

Operational

Security Profile

Operational

Security Profile

History

Fintec Law No. 21,521 was published on January 4, 2023. NCG 514 was issued on July 3, 2024, to formally regulate the SFA. In January 2026, the CMF presented the “Normative Report updating Annex 3 and incorporating Payment Initiation,” detailing mature technical adjustments following public consultations. In December 2026, the CMF released the first version of the API specifications set to be in production by July 2027.

Open finance in the UAE is a relatively new concept; however, the region has moved quickly and offers one of the most comprehensive sets of open finance functionality. The first version of the Standard was published in August 2024, with an updated version released in December 2024.

The Central Bank of Bahrain’s (CBB) rules relating to Open Banking were introduced in December 2018, when the CBB mandated the adoption of Open Banking for all retail banks in the Kingdom. While a majority of the banks and the third parties have progressed on implementation of Open Banking to meet the prescribed deadline of June 2019, in order to accelerate adoption, the CBB felt the need to ensure that there is a high degree of consistency in the implementation of Open Banking. Towards this objective, the CBB, in consultation with industry participants, has developed the Bahrain Open Banking framework of standards and guidelines.

In October 2020, the Kingdom launched the Bahrain Open Banking Framework (Bahrain OBF) and the framework is holistic in defining the Open Banking Regulation, guidelines, technical standards for Open API platforms, security standards (including data privacy), and overall governance.

Governance

Led by the Financial Market Commission (CMF), which is in charge of regulation, Directory administration, and the supervision of participants. It receives consultative support from the “Open Finance System Forum” (Foro SFA), consisting of an Advisory Group, a Technical Secretariat, and Technical Groups.

Centralized interoperability is managed through the Participant Directory (DP). All participants must undergo Mandatory Sandbox Testing within the CMF’s official environment and receive validation from an external certifier specialized in cybersecurity and APIs before joining the live registry.

The governance of Open Finance in the UAE is overseen by the Central Bank of the UAE (CBUAE). CBUAE sets the regulations, with AlTareq setting the guidelines and standards for open finance implementation, monitors compliance, and ensures the security, privacy, and protection of customer data within the framework.

Governed by the CBB (Central Bank of Bahrain). The board of the CBB comprises seven Directors, appointed by Royal Decree for a renewable term of four years.

The Governor, with a ministerial rank, is in charge of the day-to-day management and is directly accountable to the Board. This position is appointed by Royal Decree for a renewable 5-year term, and it might be supported by Deputy Governors.

The responsibilities of the Governor include presenting a report to the Board within 3 months after the end of the fiscal year regarding operations, audited accounts and external auditor’s opinion on said accounts.

CBB is also required to present financial and operational reports to the Board and the Ministry of Finance.

Internal governance is maintained effectively through a system of internal committees, documented policies, procedures, internal audits and quality assurance functions.


Resilience

Each entity must maintain a Risk Management Plan, a Business Continuity Plan, and a Disaster Recovery Plan, which must be tested annually. Institutions are required to have an operational “Alternative Mechanism” acting as a contingency, with a required daily availability of 90%.

The framework will continue to be revised and updated periodically, based on inputs from the industry and changing global trends.

Compliance

Participants are subject to the sanctioning powers of the CMF. Non-compliance may lead to temporary suspensions (partial or total), fines, or the definitive cancellation of registration or access. Entities are required to self-report on information quality and consistently use the Operational Incident Report (RIO) platform.

– Security Certification (to the OpenID FAPI 2.0 profile)
– Functional Certification
– Customer Experience Certification

The list of CBB licensees who have provided self-declarations to CBB stating that they have completed their implementation tasks and are fully compliant with Bahrain OBF v.1.0.0 (Phase 1).

Licence

IPIs and IPCs (e.g., Banks) have mandatory participation through enablement in a CMF “Roster” (Nómina). Third parties wishing to consume data or initiate payments must obtain authorization from the CMF through formal enrollment in the Registry of Information-Based Service Providers (PSBI) or Payment Initiation Service Providers (PSIP), demonstrating financial backing guarantee policies.

Only accredited TPPs are able to access the Open Finance ecosystem.

Users must obtain a license through the CBB.

Licensing & Registration | CBB

Associated Legislation

Law No. 21,521 (Fintec Law), DL No. 3,538 (CMF Organic Law), Law No. 19,628 (Personal Data Protection Law of Chile), Law No. 20,009 (Frauds in Means of Payment), and the Updated Compilation of Norms for Banks (RAN Chapters 1-7, 1-13, 20-7, 20-8, 20-9, and 20-10).
