Introduction To Open Banking in KSA
A guide to the KSA Open Banking Framework
Open Banking in Saudi Arabia
On 2nd November, the Saudi Central Bank (SAMA) released the Open Banking
Framework, which includes “a comprehensive set of legislation, regulatory
guidelines and technical standards based on international best practices to
enable banks and fintechs to provide open banking services in the Kingdom”.
This guide aims to create clarity for all stakeholders and looks at the
fundamental changes, compares the KSA standard with the Open Banking
Implementation Entity's (OBIE) standard, and dives into the technical elements.
Why was this guide created by Lean
Contents
Changes to Consents
Changes to Endpoints
Lean Services
What is Open Banking
Term: Description
Account to Account transfer (A2A): The act of making a payment through a bank-to-bank transfer instead of using, for example, a credit or debit card.
Account Information Service (AIS): AIS is the act of retrieving data held in a customer’s bank account.
Account Information Service Provider (AISP): An AISP enables customers to view all their bank account information (across different banks) in one place.
Payment Account Service Provider (PASP): A PASP is most often, but not limited to, a bank. They are the provider of the underlying account infrastructure, which is accessed through Open Banking APIs.
Payment Initiation Service (PIS): PIS is the act of performing an account-to-account payment using Open Banking.
Payment Initiation Service Provider (PISP): A PISP allows a customer to pay companies directly from their bank account(s) rather than using card networks such as Visa or MasterCard.
Payment Service User (PSU): A PSU is a customer, or end-user, of a service. A PSU can be a business, or an individual consumer.
Third Party Provider (TPP): A Third Party Provider may be either an AISP or PISP, or both, and is regulated to provide AIS and PIS services to a PSU [1].
Variable Recurring Payment (VRP): A Variable Recurring Payment is a long-lived consent from a customer to continue making payments on a monthly basis for differing amounts.
You: The person reading this. For the purposes of this document we assume that you are a TPP that wants to use Lean’s services to connect to your customer’s bank accounts.
1. Glossary: this section lists the key terms used throughout the KSA
Open Banking Framework.
Background to the KSA Open Banking Program
Similar to other testing environments globally, the KSA Open Banking Lab
is designed to foster innovation and speed up the development of open
banking in the Kingdom. It comprises:
The letter of guarantee lets the supplier know that they will be paid, even if
the customer of the bank defaults. The Letter of Guarantee API provides a
digital process to create and manage a letter of guarantee.
The KSA Standard in detail
Accounts
A list of accounts that the PSU has granted consent to access.
Balances
The balance(s) of a given account.
Parties
Identity information linked to the consented customer, as well as benefactors of any
given account.
Beneficiaries
A list of the accounts that have been added.
A key PFM use case for Open Banking is account aggregation. Instead
of the consumer having to keep track of their money across different
bank accounts, Lean can be the source for you to aggregate a view of all
accounts into one app to provide a holistic view of a customer’s financial
landscape.
Lending
With Open Banking, consumers can easily share their past transactions
in a consumable, programmatic format, allowing lenders to quickly review
up to 4 years’ worth of data to understand a customer’s income, monthly
outgoings and commitments.
Over the longer term, we predict that this data will become the primary
source for procuring on the spot lending decisions as a pre-check
qualification before conducting an expensive credit check on potential
customers.
For business lenders, the opportunity to maintain access over time and
see the impact of loans on the business’ incomes and outgoings allows for
smarter targeting of funds into businesses that effectively deploy loaned
capital.
Digital Accounting
Using Lean’s APIs for Enterprise Resource Planning (ERP) and back-office accounting
applications allows those companies to aggregate multiple accounts in one place,
connect numerous data sources, collect and analyze real-time information, reduce
errors, save time, and ultimately boost back-office efficiency.
Lean’s Identity API provides the Trust Framework and Verified Data included
in the Parties API outlined above. This gives you access to verified data, which can
be vetted and used based on your own risk tolerances for the quality of data at a
fraction of the cost of traditional KYC providers, giving your customers a faster way
of authenticating and providing their details without the need for lengthy onboarding
systems.
Key Differences between the OBIE Standard and KSAOB
There are several differences between
the OBIE standard and KSAOB. Whilst
this list is not exhaustive, broadly, these
can be separated into three functional
differences:
Changes to Consents
The KSAOB standard differs significantly from the OBIE Standard with
regard to Consents and Consent Management.
Consent types
In OBIE, a consent refresh is required at least every 90 days. The
responsibility for gaining this consent is currently transitioning from the
PASP to the TPP. Nonetheless, for ongoing access to account information
a TPP must record a user's consent to continue collecting data every 90 days.
1. One-time consent
Allows a TPP to fetch the data they need once, without any further
access to the account.
2. Time-boxed consent
Allows the TPP to fetch the data they need between pre-defined dates
in the past and into the future. This means for example, a TPP could
create a consent for the next 1 year of new data, and the last 3 months
of existing data.
3. Ongoing consent
This allows a TPP to maintain access to a PSU’s account indefinitely
(with the exception of a consent being revoked). This provides an
enhanced user-experience for the applications where ongoing access
is a prerequisite to their service working, for example a Personal
Financial Management (PFM) application.
Consent Management
Revocation of consent is a major factor in KSAOB’s framework. The
amount of access and trust given to TPPs to manage access and
consents for their use cases is contrasted with strong guidance on
how a user can opt out of the service. Specifically:
→ Users must be able to revoke their consent from the bank itself. This
means TPPs may lose access to accounts without being formally
notified.
Changes to Endpoints
Accounts Endpoint
Structural Changes
REMOVED SwitchStatus: SwitchStatus is unique to the UK market, where
a Current Account switching service is provided to enable consumers to
change banks easily.
Enabled, Disabled, Deleted, Active, Not Active, Dormant, Unclaimed, Deceased, Suspended, Closed
Proforma, Pending
Balances Endpoint
The balance endpoint has no changes from the OBIE Standard.
Transactions Endpoint
Structural Changes
ADDED BillDetails: Added bill details generated from SADAD, includes
BillerID, BillNumber and BillPaymentType attributes enabling you to
easily identify defaulted payments, as an example.
Parties Endpoint
The Parties endpoint allows for collecting identity information on the customer. Unlike
the previous endpoints, SAMA has expanded the purpose and capabilities of the
Parties endpoint, using the OpenID Connect for Identity Assurance model instead of
the OBIE standard.
Structural Changes
The Parties API has fundamentally been overhauled from the data present in the
OBIE standard; providing far more granular data on the individual, and the efforts
undertaken to verify and authenticate the details present in the API.
The response can be broken down into three constituent parts per entity:
1. Party Data
Includes high-level information about the Identity and its relationship to the account(s)
accessed, specifically the PartyID, PartyNumber, PartyType and AccountRole.
2. Verification
Includes data and information on how the claims (see below) were obtained. This
is set out in two objects: verification, which covers the Trust Framework, Level of
Assurance and Verification methodology, and evidence, which sets out the documents
supplied during the verification process, specifically information on the following
documents: Passport, Driving Permit, ID Card or Residence Permit.
3. Claims
While Verification contains information on what has been checked, claims hold the
data gained from that document. For example, a Passport claims information related
to your first, middle, and family names, as well as your birth date, nationality and sex.
Other documentation will provide further claims.
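The following is an added example, not Lean's or SAMA's code, showing how a TPP might refuse to use claims unless the accompanying verification and evidence meet its own policy. The JSON layout, key spellings, framework name and assurance values are constructed assumptions; only the three parts (party data, verification and evidence, claims) and the document types come from this guide.

```python
import json

# Constructed sample, not a real KSAOB payload. Key spellings, framework name
# and assurance values are assumptions made for this example.
SAMPLE = json.loads("""[
 {"PartyID": "p-001", "PartyType": "Sole", "AccountRole": "Principal",
  "verification": {"trust_framework": "example_framework", "assurance_level": "high"},
  "evidence": [{"type": "passport"}],
  "claims": {"given_name": "Sara", "family_name": "Example", "birthdate": "1990-01-01"}},
 {"PartyID": "p-002", "PartyType": "Joint", "AccountRole": "Principal",
  "verification": {"trust_framework": "example_framework", "assurance_level": "low"},
  "evidence": [{"type": "id_card"}],
  "claims": {"given_name": "Omar", "family_name": "Example", "birthdate": "1985-05-05"}},
 {"PartyID": "p-003", "PartyType": "Sole", "AccountRole": "Principal",
  "claims": {"given_name": "Lina", "family_name": "Example"}}
]""")

ASSURANCE_RANK = {"low": 1, "substantial": 2, "high": 3}  # assumed ordering
POLICY = {  # your own risk tolerance, expressed as data
    "frameworks": {"example_framework"},
    "min_assurance": "substantial",
    "evidence_types": {"passport", "driving_permit", "id_card", "residence_permit"},
    "required_claims": {"given_name", "family_name", "birthdate"},
}

def vet_party(party, policy=POLICY):
    """Return (accepted, reasons); anything missing or unknown fails closed."""
    reasons = []
    ver = party.get("verification") or {}
    if ver.get("trust_framework") not in policy["frameworks"]:
        reasons.append("untrusted or missing trust framework")
    if ASSURANCE_RANK.get(ver.get("assurance_level"), 0) < ASSURANCE_RANK[policy["min_assurance"]]:
        reasons.append("assurance level below policy minimum")
    types = {e.get("type") for e in party.get("evidence") or []}
    if not types & policy["evidence_types"]:
        reasons.append("no acceptable evidence document")
    missing = policy["required_claims"] - set(party.get("claims") or {})
    if missing:
        reasons.append("missing claims: " + ", ".join(sorted(missing)))
    return not reasons, reasons

def usable_claims(parties, policy=POLICY):
    """Map PartyID -> claims, only for parties whose verification passes policy."""
    return {p["PartyID"]: p["claims"] for p in parties if vet_party(p, policy)[0]}

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["PartyID"], *vet_party(p))
```

Keeping the rejection reasons alongside the decision gives an audit trail for why a party's identity data was or was not relied on.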
How does Lean help with Open Banking?
A breaking change is defined as the removal or changing of the values in a
field in our API–additional attributes being added are not seen as a breaking
change.
an API stops working as expected. Thereby leaving you free to continue
building the products and services that will delight your customers, without
the need to tread water on your access layer.
Lean Services
Data API
Lean’s Data API in KSA currently covers Account, Balance,
Transaction and Identity fetching providing basic access to your
customer’s banking data. Our scheduled payments, direct debit,
beneficiary and standing order APIs will launch early next year,
enabling you to access an even fuller view of your customer's
financial data.
Transaction Categorization
Lean’s data API enables access to data and enriches that
access using proprietary Artificial Intelligence (AI) and Machine
Learning (ML) models. Our Categorization engine accurately
categorizes over 90+% of local transactions in the UAE and
we’re working on bringing the same level of reliability to KSA.
Insights Services
On top of access to data, there are some frequently asked
questions with Open Banking that can be solved at source by
Lean. For example: which account is a Salary Account? What is
this customer’s income likely to be? What’s the lowest amount
held in their account(s) over the last 12 months?
Our insights services will launch shortly after our Data API is
fully live and operational in Q1 ‘23. If you are interested in a data
query, we want to work together to support you. Please reach
out to our Sales team to discuss this further.
Future Services
Lean aims to build further services on top of our Data API to
unlock and empower fintechs in the region. Our mission is to get
fintechs to market faster and help them serve customers better.
The KSA Open Banking framework is no different, and the current SAMA
licensing framework remains a ‘work in progress’. The information in the
following section therefore remains subject to change.
Gaining access to Open Banking in KSA
How does the agency model work in open banking?
In the UK whereby open banking experienced 'a slow start' and was touted as
being 'unlikely to work' and 'doomed to fail', we expect SAMA will allow leading
open banking players, such as Lean, once they are fully SAMA licensed, to adopt
a form of agency model.
Under an agency model, once appropriate compliance checks and due diligence
steps have been completed, Lean will allow other market participants to offer
their products and services by 'piggy-backing' off Lean's own SAMA license. As a
result, Lean will be able to take care of the licensing burden for our clients
and help navigate the evolving landscape of other regulations and compliance
requirements. Lean's clients will not only be able to get to market faster but
will also be able to build open finance solutions that reach a wider audience.
Whilst we acknowledge that adoption of the agency model increases the risk for
Lean, and will not be available until Lean itself is fully licensed by SAMA, we
have the strong belief that the adoption of such agency model will prove to be
an invaluable way to bring innovation to the open banking economy.
as an early-mover. We are always willing to share our experiences and help
guide other market participants, so feel free to reach out to Lean for tips and
suggestions on getting started.
I am interested in becoming a technical service provider / a bank that consumes
the open banking APIs. Do I need to be regulated?**
This aspect of SAMA’s licensing framework is currently under assessment. The
regulator is currently working on a market activation plan that will detail:
→ The different roles of the market participants and SAMA’s approach for
activation and rollout, e.g. will banks be allowed to act as TPPs from day one
with pros and cons for the different approaches.
→ The different licenses and approvals market participants must apply for.
**Whenever embarking on your KSA open banking journey, we strongly recommend
that you speak to advisers in the Kingdom to verify the latest position.
Frequently Asked Questions
Have you integrated with all banks in KSA?
Lean is currently integrating with nine banks in KSA, with varying degrees of
completion. At the time of writing (Dec’ 22) we have one bank live in production
and available to test with our Clients and four banks with completed
integrations under testing in their respective sandboxes.
Do I need to be PCI-DSS Compliant to use Lean?
No. The KSAOB masks Primary Account Numbers (PAN), which comprise the full card
number seen on cards. As a result, Lean does not handle any PCI data nor share
data that would require PCI-DSS compliance.
Want to unlock open
banking in Saudi Arabia?
Increase cost efficiencies, reduce manual and
operational burdens, and create better payment
experiences – build richer applications and enhanced
financial products powered by Open Banking today.
sales@leantech.me