Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Introduction To Open Banking in KSA

Download as pdf or txt
Download as pdf or txt
You are on page 1of 33

Open Banking in Saudi Arabia

A guide to
the KSA
Open Banking
Framework
 Open Banking in Saudi Arabia

Photo by Abdullah Alaradi on Unsplash


A guide to
the KSA Open
Banking
Framework

Who is this guide for? Lean on Open Banking


This guide is for anyone that would like to As a Third Party Provider (TPP) Lean has a
gain a better understanding of the KSA critical role in the Open Banking ecosystem.
Open Banking standard and ultimately By using Lean, you get a single point of
start building enriched financial products, access to manage your connections with
including but not limited to: bank accounts in KSA, and when you’re
ready to expand into a new market with a
→ Enterprises, fintechs, and start-ups different set of standards, Lean can be your
looking to consume Open Banking long-term partner to enable your transition
services without having to rewrite your entire
codebase to handle a new market.
→ Established regulated financial services
firms

→ Open banking advisers and


professionals
Open Banking in Saudi Arabia

Why was this guide


created by Lean?

On 2nd November, the Saudi Central This guide aims to create clarity for all
Bank (SAMA) released the Open Banking stakeholders and looks at the fundamental
Framework, which includes “a comprehensive changes, compares the KSA standard with
set of legislation, regulatory guidelines and the Open Banking Implementation Entity's
technical standards based on international (OBIE) standard, and dives into the technical
best practices to enable banks and fintechs elements.
to provide open banking services in the
Kingdom”.

This version focuses on Account Information


Services (AIS). The imminent second version is
in progress and will focus on Payment Initiation
Services (PIS). SAMA has stated that all Saudi
banks will go live with account data in Q1 of
2023 and payments will be targeted later the
same year.

4
Why was this guide created by Lean Open Banking in Saudi Arabia

Contents

Why was this guide created by Lean? 4

Contents 5

What is Open Banking? 6

Background to the KSA Open Banking Program 9

The KSA Standard in detail 11

Key Differences between the OBIE Standard and KSAOB 16

Changes to Consents 17

Changes to Endpoints 19

How does Lean help with Open Banking? 26

Lean Services 28

Gaining access to Open Banking in KSA 30

Frequently Asked Questions 32

5
Open Banking in Saudi Arabia

What is Open Banking?


Open Banking is a regulated market approach
enabling individuals to share the data held in their
bank accounts with third parties securely and safely.
At a fundamental level, it creates ownership of data
for individuals and a pathway for them to share that
data with companies that can use it to provide them
with new and innovative services.

Europe introduced Open Banking to the world, led


predominately by market regulation PSD2, and in
parallel, the Open Banking Implementation Entity
(OBIE) was created in the UK. The OBIE sets the
Open Banking standard(s) for the UK, which has
subsequently become the standard from which other
jurisdictions have built their own.

Bahrain, as an example, does not introduce


changes from the OBIE Standard in its localized
implementation. However, other regulators have
added region-specific capabilities and terms to
improve the quality of data for their jurisdiction.

With SAMA's release of the KSA Standard (KSAOB)


we have put together this guide to walk through the
capabilities outlined in the new standard, identify
how it differs from the OBIE standard, and outline
some of the many ways that this new standard can
be used. This guide should be used for information
purposes only, and is not exhaustive.

6
What is Open Banking Open Banking in Saudi Arabia

Decoding the language of Open


Banking
The numerous terms commonly used within Open Banking all add a layer
of complexity. Unfortunately, you'll likely see these terms throughout
documentation regarding Open Banking – so we've put together a quick
primer to help you navigate the jargon of Open Banking.

An overview of the Open Banking ecosystem and its participants in KSAOB.

Term Description

Account to Account transfer Is the act of making a payment through a bank-to-bank transfer instead
(A2A) of using, for example, a credit or debit card.

Account Information Service AIS is the act of retrieving data held in a customer’s bank account.
(AIS)

Account Information Service An AISP enables customers to view all their bank account information
Provider (AISP) (across different banks) in one place.

7
What is Open Banking Open Banking in Saudi Arabia

Term Description

Consent A ‘consent’ is provided by a PSU 1 to allow a TPP to access the details


in their account. A consent can be granted indefinitely, be time-boxed
between dates, or be granted as a one-off consent. This defines how
long a TPP is able to access the data.

For PIS, consents generally need to be obtained for each individual


payment (with the exception of VRPs)

Payment Account Service A PASP is most often, but not limited to, a bank. They are the provider
Provider (PASP) of the underlying account infrastructure, which is accessed through
Open Banking APIs.

Payment Initiation Service PIS is the act of performing an account-to-account payment using
(PIS) Open Banking.

Payment Initiation Service A PISP allows a customer to pay companies directly from their bank
Provider (PISP) account(s) rather than using card networks such as Visa or MasterCard.

Payment Service User (PSU) A PSU is a customer–or end-user of a service. A PSU can be a business,
or an individual consumer.

Third Party Provider (TPP) A Third Party Provider may be either an AISP or PISP, or both, and who
is regulated to provide AIS and PIS services to a PSU 1.

Variable Recurring Payment A Variable Recurring Payment is a long lived consent from a customer to
(VRP) continue making payments on a monthly basis for differing amounts.

Glossary of terms used by Lean in this document

Term Description

You The person reading this, for the purposes of this document we assume
that you are a TPP that wants to use Lean’s services to connect to your
customer’s bank accounts.

Customers Your customers that interact with your business

Consumers Customers with Retail bank accounts

Businesses Customers with Business bank accounts

8
Open Banking in Saudi Arabia

Background to the KSA


Open Banking Program
KSA's Open Banking Program is a regulatory framework comprising two
critical elements; the Open Banking Framework and the Open Banking Lab.

The KSA Open Banking Framework


The Open Banking Framework is the regulatory framework that includes
a comprehensive set of legislation, regulatory guidelines, and technical
standards. It is split into a number of sections for ease of reference. These
include:

1. Glossary: this section lists the key terms used throughout the KSA
Open Banking Framework.

2. Use Cases: provides an overview of the Open Banking Evaluation and


Prioritization Framework, together with details of the use cases to be
enabled by each new release.

3. Business Rules: this section provides clear directives on the


requirements that must be adhered to in order for banks and fintechs
to provide open banking services in KSA, with items related to specific
use cases clearly articulated.

4. KSA Standards: this is where the definitive KSA open banking


standards set out (as detailed below).

9
Background to the KSA Open Banking Program Open Banking in Saudi Arabia

The Open Banking Lab


The Open Banking Lab provides a technical testing environment to enable
banks and fintechs to develop, test, and certify their open banking
services to ensure conformance with the Open Banking Framework.

Similar to other testing environments globally, the KSA Open Banking Lab
is designed to foster innovation and speed up the development of open
banking in the Kingdom. It comprises:

1. Sandbox environment: this environment simulates a real bank’s open


banking APIs, developed to allow participants to build and test their
applications in a safe and secure environment.

2. Ready use cases: the lab is designed to support a wide range of


end retail and corporate use cases, with mock data available for
participants to test their solutions.

3. Testing and Certification: lab participants can use the lab’s


conformance suites to test and certify their APIs to ensure their
conformance with the KSA Open Banking Framework.

To directly access either parts of the program, interested participants need


to contact the Open Banking Program at ob@sama.gov.sa to gain access.

Upon gaining access to the Open Banking framework, you access a


repository of resources covering all aspects, including business and
technical. You can also collaborate with SAMA's Open Banking team and
other participants operating within the ecosystem, such as Lean.

10
Open Banking in Saudi Arabia

Photo by Yunus A-Khalifah on Unsplash

The KSA Standard in


detail
What does the standard cover?
The first version of SAMA’s KSAOB standard covers AIS services for both
Corporate and Retail payment accounts; this is grouped into two major sets
of APIs. The Letter of Guarantee API and the Account Information API.

Letter of Guarantee API


A letter of guarantee is a type of document issued by a bank on behalf of
a customer who has entered into a contract to purchase goods or services
from a supplier. It acts as a promise that the supplier will be paid for the
purchase of goods or services.

The letter of guarantee lets the supplier know that they will be paid, even if
the customer of the bank defaults. The Letter of Guarantee API provides a
digital process to create and manage a letter of guarantee.

11
The KSA Standard in detail Open Banking in Saudi Arabia

Account Information API


The Account Information API is the cornerstone of gathering AIS
information from accounts. It covers consents and requests to access the
information contained in the following endpoints:

Accounts Balances
A list of accounts that the PSU has granted The balance(s) of a given account.
consent to access.

Standing Orders Transactions


A list of Standing Orders that have been set A list of transactions performed using the
up with the account to be paid in the future payment account, with access of up to 4
on an ongoing basis. years historical payment data.

Parties Beneficiaries
Identity information linked to the consented A list of the accounts that have been
customer, as well as benefactors of any added.
given account.

Direct Debits Scheduled Payments


A list of the Direct Debit payments set up A list of the payments that have been
against an account. scheduled to take place in the future. As
beneficiaries to the account for payment
purposes.

12
The KSA Standard in detail Open Banking in Saudi Arabia

Photo by Saif AlDhaher on Unsplash

Example Use Cases of Open


Banking in KSA

Personal Financial Management (PFM)

A key PFM use case for Open Banking is account aggregation. Instead
of the consumer having to keep track of their money across different
bank accounts, Lean can be the source for you to aggregate a view of all
accounts into one app to provide a holistic view of a customer’s financial
landscape.

13
The KSA Standard in detail Open Banking in Saudi Arabia

Lending

Lenders must perform many checks to underwrite a business or consumer


loan. Often these checks are performed using a combination of uploaded
bank statements and a debt-to-burden check with a Credit Bureau, such
as SIMAH.

With Open Banking, consumers can easily share their past transactions
in a consumable, programmatic format, allowing lenders to quickly review
up to 4 years’ worth of data to understand a customer’s income, monthly
outgoings and commitments.

Over the longer term, we predict that this data will become the primary
source for procuring on the spot lending decisions as a pre-check
qualification before conducting an expensive credit check on potential
customers.

For business lenders, the opportunity to maintain access over time and
see the impact of loans on the business’ incomes and outgoings allows for
smarter targeting of funds into businesses that effectively deploy loaned
capital.

14
The KSA Standard in detail Open Banking in Saudi Arabia

Digital Accounting

Using Lean’s APIs for Enterprise Resource Planning (ERP) and back-office accounting
applications allows those companies to aggregate multiple accounts in one place,
connect numerous data sources, collect and analyze real-time information, reduce
errors, save time, and ultimately boost back-office efficiency.

KYC & Digital Onboarding

Using Lean’s Identity API provides the Trust Framework and Verified Data included
in the Parties API outlined above. This gives you access to verified data, which can
be vetted and used based on your own risk tolerances for the quality of data at a
fraction of the cost of traditional KYC providers; giving your customers a faster way
of authenticating and providing their details without the need for lengthy onboarding
systems.

15
Open Banking in Saudi Arabia

Key Differences
between the OBIE
Standard and KSAOB
There are several differences between
the OBIE standard and KSAOB. Whilst
this list is not exhaustive, broadly, these
can be separated into three functional
differences:

1. Changes to business rules


Differences in the mandates provided
by the regulator in creating and
managing Open Banking consents.

2. Structural Changes to the Standard


These are fundamental changes to the
standard regarding the data served
back using the API.

3. Regional Specific Values


These are minor changes that account
for the differences in the financial
landscape of KSA; typically these are
seen as alternative or entirely new
enum values for specific attributes.

16
Open Banking in Saudi Arabia

Changes to Consents
The KSAOB standard differs significantly from the OBIE Standard with
regards to Consents and Consent Management.

Consent types
In OBIE, a consent refresh is required every 90-days at the minimum. The
responsibility for gaining this consent is currently transitioning from the
PASP’s responsibility, to becoming the TPP’s responsibility–nonetheless for
ongoing access to account information a TPP must record a users consent
to continue collecting data every 90 days.

In KSAOB there are three types of consent:

1. One-time consent
Allows a TPP to fetch the data they need once, without any further
access to the account.

2. Time-boxed consent
Allows the TPP to fetch the data they need between pre-defined dates
in the past and into the future. This means for example, a TPP could
create a consent for the next 1 year of new data, and the last 3 months
of existing data.

3. Ongoing consent
This allows a TPP to maintain access to a PSU’s account indefinitely
(with the exception of a consent being revoked). This provides an
enhanced user-experience for the applications where ongoing access
is a prerequisite to their service working, for example a Personal
Financial Management (PFM) application.

17
Changes to Consents Open Banking in Saudi Arabia

Consent Management
Revocation of consent is a major factor in KSAOB’s framework, with the
amount of access and trust being given to TPPs to manage access and
consents for their use-cases this is contrasted with strong guidance on
how a user can opt-out of the service. Specifically:

→ Users must be able to revoke their consent within the application,


following a set guideline for the information that needs to be presented
to them and what will happen when they revoke their consent.

→ Users must be able to revoke their consent from the bank itself. This
means TPPs may lose access to accounts without being formally
notified.

18
Open Banking in Saudi Arabia

Changes to Endpoints
Accounts Endpoint

Structural Changes
REMOVED SwitchStatus: SwitchStatus is unique to the UK market, where
a Current Account switching service is provided to enable consumers to
change banks easily.

Regional Specific Values


CHANGED Status: More details are provided on the account’s status,
indicating further details of the nature of the state that the account is in.

OBIE Values KSA

Enabled, Disabled, Deleted, Active, Not Active, Dormant, Unclaimed, Deceased, Suspended, Closed
Proforma, Pending

CHANGED AccountIdentifiers.IdentificationType: The OBIE standard has


a slight ambiguity in how they handle the identification of accounts–
sometimes requiring PCI compliance as Card Numbers can be shared. In
KSAOB only IBANs and Masked PANs will be shared.

OBIE Values KSA

BBAN, IBAN, PAN, Paym, IBAN, MaskedPAN


sortCode
AccountNumber

19
Changes to Endpoints Open Banking in Saudi Arabia

Response attributes breakdown

API Attribute Description

Accounts Status The status of the account, indicating whether it is


active or inactive.

StatusUpdateDateTime The time at which the status was last updated.

AccountType Whether the account is a retail or business account.

AccountSubType The type of account, e.g. Current Account or


E-Money account.

Description A description of the account provided by the bank.

Nickname A nickname for the account set by the account


owner.

OpeningDate The date the account was opened.

MaturityDate The date the account reached maturity (where


applicable).

AccountIdentifiers Details on the IBAN or PAN for the account. Provides


both where a card is available for an account that
can be identified with an IBAN.

Servicer Details on the organization that services the


account.

20
Changes to Endpoints Open Banking in Saudi Arabia

Balances Endpoint
The balance endpoint has no changes from the OBIE Standard.

Response attributes breakdown

API Attribute Description

Balances CreditDebitIndicator Whether the account balance is in credit or debit.

Type The type of balance being provided. Enabling you to


detect, for example, what the available balance on
an account is against the current balance.

DateTime The time that the balance was provided.

Amount The amount and currency that is stored against this


balance.

CreditLine The credit line(s) available, includes overdrafts and


credit limits on cards.

21
Changes to Endpoints Open Banking in Saudi Arabia

Transactions Endpoint

Structural Changes
ADDED BillDetails: Added bill details generated from SADAD, includes
BillerID, BillNumber and BillPaymentType attributes enabling you to
easily identify defaulted payments, as an example.

Regional Specific Values


CHANGEDCardInstrument.CardSchemeName: Region-specific cards have
been added to the list of accepted enums.

OBIE Values KSA

AmericanExpress Diners AmericanExpress, Diners, Discover, GCC, MasterCard, UPI, mada


Discover MasterCard VISA

CHANGED CardInstrument.InstrumentType: Region-specific and more highly


specified list of payment instruments used with cards.

OBIE Values KSA

ConsumerDevice Contactless ApplePay, madaPay, Contactless, MagStripe, Chip, Other


None PIN

ADDED debtorAccount.IdentificationType: To be used in conjunction with


the Identification attribute, provides an enumerated value to provide
context on the value in Identification.

OBIE Values KSA

Not present AccountNumber, CommercialRegistrationNumber, Email, MobileNumber,


NationalID, IqamaNumber, PassportNumber

ADDED creditorAccount.IdentificationType: To be used in conjunction with


the Identification attribute, provides an enumerated value to provide
context on the value in Identification.

OBIE Values KSA

Not present AccountNumber, CommercialRegistrationNumber, Email, MobileNumber,


NationalID, IqamaNumber, PassportNumber

22
Changes to Endpoints Open Banking in Saudi Arabia

Response attributes breakdown

API Attribute Description

Transactions TransactionDateTime The datetime that the transaction was performed.

LocalTimeZone The local datetime that the transaction was


performed.

ValueDateTime The datetime that the value of the transaction was


recorded on the account.

BookingDateTime The datetime that the transaction was actually (or


is expected to be) booked against the account.
This date can be in the future.

StatementReference The identification that appears on a customer's


bank statement.

TransactionReference The full transaction reference.

TransactionType Indicates how the transaction was made, for


example at a POS terminal or through an RTGS
transfer.

SubTransactionType Indicates the nature of the transaction e.g.


purchase, refund.

TerminalId The identifier for the terminal used to make the


payment.

Flags Additional flags attached to the payment e.g.


'Cashback'.

PaymentModes Indicates whether the purchase was made online or


in person.

CreditDebitIndicator Indicates whether the amount field is to be credited


or debited from the account balance.

Status The current status of the transaction e.g. Booked.

TransactionMutabillity Whether the transaction can be changed or not in


future as settlements take place throughout the
day.

TransactionInformation Additional transaction information.

Amount The amount and currency that is charged against


the balance.

ChargeAmount Additional fees for the transaction and whether


they are included in the transaction amount.

ChangeAmountVat Any VAT applied to the charge.

23
Changes to Endpoints Open Banking in Saudi Arabia

CurrencyExchange Details on the currency exchange fees at the


time of purchase if the transaction was made in
a currency other than the one supported by the
account.

BankTransactionCode Details on the bank's transaction codes for the


transaction.

MerchantDetails Details on the merchant that performed the


transaction including Name and Merchant Category
Code.

CreditorAgent Details on the crediting party's account holder.

CreditorAccount Details of the crediting party's account.

DebtorAgent Details on the debiting party's account holder.

DebtorAccount Details of the debiting party's account.

CardInstrument If a card was used to complete the purchase,


provides information about the card and how it
authorized the transaction.

Balance The balance of the account after the transaction


was made.

BillDetails If the transaction was used to pay a bill (e.g.


through SADAD), provides details on the bill being
paid.

Parties Endpoint
The Parties endpoint allows for collecting identity information on the customer. Unlike
the previous endpoints, SAMA has expanded the purpose and capabilities of the
Parties endpoint, using the OpenID Connect for Identity Assurance model instead of
the OBIE standard.

Structural Changes
The Parties API has fundamentally been overhauled from the data present in the
OBIE standard; providing far more granular data on the individual, and the efforts
undertaken to verify and authenticate the details present in the API.

24
Changes to Endpoints Open Banking in Saudi Arabia

The response can be broken down into three constituent parts per entity:

1. Party Data
Includes high level information about the Identity and its relationship to the account(s)
accessed. Specifically the PartyID, PartyNumber, PartyType and, AccountRole

2. Verification
Includes data and information on how the claims (see below) were obtained. This
is set out in two objects verification which covers the Trust Framework, Level of
Assurance and Verification methodology. evidence sets out the documents supplied
during the verification process, specifically information on the following documents:
Passport, Driving Permit, ID Card or Residence Permit.

3. Claims
While Verification contains information on what has been checked, claims hold the
data gained from that document. For example, a Passport claims information related
to your first, middle, and family names, as well as your birth date, nationality and sex.
Other documentation will provide further claims.

API Attribute Description

Parties PartyType Indicates the party's relationship with the account,


for example if they own it, it is a joint account or they
are a delegate able to access the account.

AccountRole Specifies the party's role in the related account,


example values such as: Administrator, Beneficiary,
Power of Attorney.

Verification Details on the method used to verify the claims


in this response. Including the Trust Framework
used, the assurance level and, when the verification
procedure took place.

Evidence Details on the evidence used in the verification


process, how and when it was checked. Additionally
provides the document details, and may be a
Passport, Driving Permit, ID Card or Residence
Permit.

Claims Outlines the claims made on the document(s)


provided. Including but not limited to: details on the
party's name, address, email, gender, birth date,
phone number and, nationality.

25
Open Banking in Saudi Arabia

How does Lean help


with Open Banking?

Build vs. Buy: The benefits of using


an aggregator
Whilst having a single Open Banking standard in place, in theory, means
that integrating with each bank across the country is a 'build-and-move-
on' process, the reality is often quite different. This is particularly true
when a new standard is being implemented and differing interpretations of
the underlying requirements exist. Lean solves this by doing the hard work
for you.

Easy to use plug and play APIs ‘One-and-done’ integration


Lean makes it significantly easier to manage As banks continue to evolve and improve
your connections with customers by their adoption of the KSAOB, there will
introducing concepts such as our Customer continue to be frequent updates across
API to effectively manage an individual's all banks for how they serve the data
connections to your services. through their APIs. Additionally, over time,
the standards and capabilities of an API
Lean makes it significantly easier to manage may evolve. This means that performing
your connections with customers by an integration directly with a bank today
introducing concepts such as our Customer doesn’t mean it is ready for tomorrow.
API to manage an individual’s connections to
your services effectively. Conversely, Lean has operated in the UAE
for over two years and we’re proud to
Our APIs are designed to take a lot of the say that we have never needed to ship a
complexity inherent within Open Banking breaking change to our APIs. Customers
standards out of the integration process to of the very first iteration of our APIs
provide a more straightforward interface to have the same level of support as those
interact with your customers; going from onboarding today. We believe in progressive
an implementation time of two weeks + per enhancements to our products, meaning
bank, to a couple of weeks for the entire you'll always be able to use the latest and
ecosystem. greatest features without worrying about
breaking your existing code.

26
How does Lean help with Open Banking? Open Banking in Saudi Arabia

A breaking change is defined as the removal an API stops working as expected. Thereby
or changing of the values in a field in our leaving you free to continue building the
API–additional attributes being added are products and services that will delight your
not seen as a breaking change. customers, without the need to tread water
on your access layer.

Our APIs in the UAE have had a 99.9%


average uptime over the previous two years.

Reduce the burden of


maintenance
The maintenance burden is a hidden
cost of building your own integrations.
As banks implement changes in the
standard, have different interpretations
of the implementation, and go through Best-in-class UX
maintenance windows, the line of
Lean is battle-tested in the UAE and
communication and relationship between all
knows how important user experience is
banks and a TPP is exceptionally costly for
to conversion rates. We rigorously test
any business to maintain.
and monitor our SDK for optimizations
Lean works directly with banks daily as part that can be made across a wide variety of
of our core business, and so integrating with businesses–providing those learnings to our
Lean means you don’t have to worry about partners for free as we ship over-the-air
changes in the APIs and chasing banks when updates to our SDK each week.

27
Open Banking in Saudi Arabia

Lean Services

Data API
Lean’s Data API in KSA currently covers Account, Balance,
Transaction and Identity fetching providing basic access to your
customer’s banking data. Our scheduled payments, direct debit,
beneficiary and standing order APIs will launch early next year,
enabling you to access an even fuller view of your customer's
financial data.

Transaction Categorization
Lean’s data API enables access to data and enriches that
access using proprietary Artificial Intelligence (AI) and Machine
Learning (ML) models. Our Categorization engine accurately
categorizes over 90+% of local transactions in the UAE and
we’re working on bringing the same level of reliability to KSA.

Transaction Categorization is currently available in beta while


we gather the requisite data to improve our models.

Insights Services
On top of access to data, there are some frequently asked
questions with Open Banking that can be solved at source by
Lean. For example: which account is a Salary Account? What is
this customer’s income likely to be? What’s the lowest amount
held in their account(s) over the last 12 months?

We apply AI, ML and data processing techniques to the data


you retrieve to save you time and the development cost of
performing data manipulation yourself.

Our insights services will launch shortly after our Data API is
fully live and operational in Q1 ‘23. If you are interested in a data
query, we want to work together to support you. Please reach
out to our Sales team to discuss this further.

28
Lean Services Open Banking in Saudi Arabia

Future Services
Lean aims to build further services on top of our Data API to
unlock and empower fintechs in the region. Our mission is to get
fintechs to market faster and help them serve customers better.

Examples of these initiatives are demonstrated across our work


in the UAE, where we are working to solve some of the biggest
challenges customers have faced around A2A payments,
such as reconciliation and programmatic access to corporate
accounts to enable payment orchestrations to suppliers and
customers.

29
Open Banking in Saudi Arabia

Gaining access to Open


Banking in KSA
As with any new regulatory framework, market participants can expect
a period of adjustment whilst the regulator builds and improves upon its
existing licensing framework to meet the demands and challenges of new
regulatory activities.

The KSA Open Banking framework is no different, and the current SAMA
licensing framework remains a ‘work in progress’. The information in the
following section therefore remains subject to change.

Do you need to be regulated in order and is permitted to work with other


to consume the KSA open banking fintechs in our sandbox cohort. As
APIs? Lean onboards new players and
see the potential benefits of open
Based on our most recent banking, the company is also uniquely
conversations with the regulator, it is positioned to provide valuable support
looking likely that, at least for now, you from its foothold of the regulatory
will need to be regulated by SAMA in regime - whether it is engaging with
some capacity or receive a letter of the regulator to obtain a no objection
no objection from them to consume letter on the client's behalf or providing
the open banking APIs in KSA. We assistance on the SAMA licensing
believe this is because SAMA wants to application.
carefully observe how the ecosystem
develops in order to minimize the risk Lean is confident that as the demand
of consumer harm, which would have a for open banking-related services
detrimental effect on consumer uptake, grows and the KSA open banking
innovation and indeed overall trust regulatory framework matures, this
in the long-term sustainability of the will result in more innovative use cases
ecosystem. emerging. SAMA may adopt some
form of agency model, similar to what
Under the current licensing framework, has been adopted in the UK and other
Lean is classified as a ‘Permitted jurisdictions worldwide in the future to
Fintech’ in SAMA’s regulatory sandbox cater towards this demand.

30
Gaining access to Open Banking in KSA

How does the agency model work in open as an early- mover. We are always willing to
banking? share our experiences and help guide other
market participants, so feel free to reach out
In the UK whereby open banking experienced to Lean for tips and suggestions on getting
'a slow start' and was touted as being 'unlikely started.
to work' and 'doomed to fail', we expect SAMA
will allow leading open banking players, such I am interested in becoming a technical
as Lean, once they are fully SAMA licensed, to service provider / a bank that consumes
adopt a form of agency model. the open banking APIs. Do I need to be
regulated?**
Under an agency model, once appropriate
compliance checks and due diligence steps This aspect of SAMA’s licensing framework is
have been completed, Lean will allow other currently under assessment. The regulator is
market participants to offer their products currently working on a market activation plan
and services by 'piggy-backing' off Lean's that will detail:
own SAMA license. As a result, Lean will be
able to take care of the licensing burden → The different roles of the market
for our clients and help navigate the participants and SAMA’s approach for
evolving landscape of other regulations and activation and rollout, e.g. will banks be
compliance requirements. Lean's clients allowed to act as TPPs from day one
will not only be able to get to market faster with pros and cons for the different
but will also be able to build open finance approaches.
solutions that reach a wider audience.
→ The different licenses and approvals
Whilst we acknowledge that adoption of the market participants must apply for.
agency model increases the risk for Lean,
and will not be available until Lean itself is
**Whenever embarking on your KSA open
fully licensed by SAMA, we have the strong
banking journey, we strongly recommend
belief that the adoption of such agency model
that you speak to advisers in the Kingdom to
will prove to be an invaluable way to bring
verify the latest position.
innovation to the open banking economy.

When should you apply for an open banking


license?

We recommend that you start early and


engage with SAMA (and with Lean) as soon
as you identify the open banking use case
which will support your business. SAMA
is in the implementation phase of rolling
out the Open Banking Program, including
the finalization of regulations, licenses and
supervision requirements, so this will be your
opportunity to help shape the ecosystem

31
Open Banking in Saudi Arabia

Frequently Asked
Questions

Have you integrated with all banks in KSA? Do I need to be PCI-DSS Compliant to use
Lean?
Lean is currently integrating with nine banks
in KSA, with varying degrees of completion. No. The KSAOB masks Primary Account
At the time of writing (Dec’ 22) we have Numbers (PAN), which comprise the full card
one bank live in production and available number seen on cards. As a result, Lean
to test with our Clients and four banks with does not handle any PCI data nor share data
completed integrations under testing in their that would require PCI-DSS compliance.
respective sandboxes.

SAMA’s timeline outlines that banks must


develop and comply with the standards set
out in the API by December ‘22, with market
launch and readiness by the end of Q1 ‘23.

When will Payments functionality be


available in KSA?

According to SAMA's timelines, TPPs such


as Lean are expected to be able to provide
payment services by H2 '23. Although the
standard for payments will undergo the
same process as the Data APIs, currently,
there is no documentation in the public
domain to indicate the functionalities
that will be present within the Payments
capabilities of KSA's implementation.

32
Want to unlock open
banking in Saudi Arabia?
Increase cost efficiencies, reduce manual and
operational burdens, and create better payment
experiences – build richer applications and enhanced
financial products powered by Open Banking today.

Get in touch with us to get started on your Open


Banking journey:

sales@leantech.me

Lean Technologies Saudi for Technology and


Information Systems is a Permitted Fintech in KSA
regulated by the Saudi Central Bank to operate
within the Regulatory Sandbox, under license no.
1010622090.

Lean Technologies Ltd. 2022 © All rights reserved

You might also like