The Jordan Open Finance Standards

Jordan Payments & Clearing Company

Jordan

– Target Financial Institutions: The Open Finance instructions apply to all banks and Payment Service Providers (PSPs) holding licences in Jordan.

– Enforceability: It is mandatory for all financial institutions to allow TPPs access to customer data via APIs after obtaining customer consent.

– API Scope: TPPs can access various types of customer account data, including transaction data, account information, and other relevant data.

– Target TPPs: This includes both Account Information Service Providers (AISPs), which access customer data, and Payment Initiation Service Providers (PISPs), which facilitate third-party providers in offering payment services.

– Technical and Security Requirements: The responsibility for establishing and documenting technical and security standards for Open Finance services, based on best practices, lies with banks and PSPs.

– Open Finance Policy: Both banks and PSPs must create comprehensive documented policies addressing security aspects, data sharing, and contracting with TPPs, including defining the roles and responsibilities of boards and executive managers in relation to Open Finance services.

– Risk Management: Banks and PSPs must identify, manage, and monitor risks associated with TPP contracts and provide Open Finance services.

– Authentication: Banks and PSPs are required to conduct due diligence with TPPs to verify their identity. The instructions also encompass data privacy and consumer protection requirements.

– Commercialisation: Banks and PSPs are allowed to monetise their APIs but there is currently no guidance in terms of fees and pricing.

Version 0.4.3 Beta

A standardized, API-led framework mandated by the Central Bank of Jordan to unify data sharing between banks, PSPs, and TPPs. It utilizes a central API Gateway/Aggregator model managed by JoPACC while allowing for direct-call service (DCS) implementations.

• Four-Pillar Architecture: A comprehensive scope covering Account Information (AIS), Payment Initiation (PIS), Facilities & Products (FPS), and Extended Services (ES).
• IBAN Confirmation Service: A specialized “Others AIS” feature allowing Third-Party Providers to verify the validity and ownership of an IBAN to reduce payment fraud and errors.
• Standardized OTP Service: Built-in “Extended Services” for generating and verifying One-Time Passwords directly through the API framework to streamline customer authentication.
• Mandatory Message Signing: High-security requirements using JSON Web Signatures (JWS) for all requests to ensure non-repudiation and data integrity.
• Centralized Aggregator & Direct-Call Support: Flexible architecture supporting both a central JoPACC hub (Aggregator) and direct bank-to-TPP connections (Direct-Call Services).
• Inclusive Financial Scope: Designed to go beyond retail banking to include Microfinance Institutions (MFIs) and Payment Service Providers (PSPs).
• Rich Product Discovery: Standardized access to non-consented data, including ATM/Branch locations, real-time FX rates, and detailed bank fee schedules.
• National Identity Integration: Future-proofed for integration with Jordan’s national digital identity and eKYC frameworks.
•  

– Account information

– Extended services

– Payment initiation services

– Product information

FPS (Facilities & Products Services): Publicly available data including Financial Institution information, Branch/ATM locators, Fee schedules, and FX rates.

The Jordan Open Finance ecosystem operates on a Registry-based Model managed and governed by JoPACC under the oversight of the Central Bank of Jordan (CBJ).

• Centralized Participant Registry: JoPACC maintains the definitive directory of all authorized entities, including Account Servicing Payment Service Providers (ASPSPs) and Third-Party Providers (TPPs).

• Onboarding & Verification: Entities must undergo a rigorous vetting process and be licensed by the CBJ before being issued the digital credentials required to access the ecosystem.

• Digital Identity & Certificates: The framework utilizes a Public Key Infrastructure (PKI) where the registry facilitates the exchange of software statements and certificates. This ensures that every API call is authenticated against a verified identity in the registry.

• Role-Based Access: The registry defines specific permissions for participants based on their license type (e.g., AISP, PISP, or both), ensuring data is only shared with entities authorized for those specific services.

Authorization: OAuth2 and OpenID Connect (OIDC).

• Integrity: Mandatory x-jws-signature (JSON Web Signature) for non-repudiation and request verification.

• Transport: Mutual TLS (mTLS) for secure communication between participants.

Includes ‘MY AIS’ for personal data and ‘Others AIS’ for third-party verification services like IBAN confirmation.

• MY AIS: Accounts, Balances, Transactions, and Beneficiaries (Standard user-consented data).

• Others AIS: IBAN Confirmation (This is a major technical addition where TPPs verify accounts of users who are not their direct customers).

• Data Scope: This covers “Direct-Call Services” (DCS) for banks and PSPs.

Extended Services (ES): Functional requests such as the OTP (One-Time Password) Service for enhanced authentication during TPP-led workflows.

Supports single immediate payments and payment status inquiries through authorized PISPs.

https://jpcjofsdev.devportal-az-eu.webmethods.io/portal/apis

Jointly governed by the Central Bank of Jordan (Regulator) and JoPACC (Operator/Standards Body).

All banks and licensed Payment Service Providers (PSPs) in Jordan must reconcile their systems to comply with these instructions.

Regulating Open Finance Services Procedures Instructions No. (12/2022) issued by the Central Bank of Jordan.