Back Custom print Link Text Only Rich Text Print

  • GR-6.1 GR-6.1 Access to PISPs and AISPs

    • GR-6.1.1

      The CBB has recognised the need to revise its rules in keeping with the following changes at a systemic level, both globally and regionally:

      a) market growth in e-commerce activities;
      b) increased use of internet and mobile payments;
      c) consumer demand to increasingly use smart device based payment solutions;
      d) the developments in innovative technology; and
      e) a trend towards customers having multiple account providers.

      This section sets forth the rules applicable to Islamic retail bank licensees with regards to the new category of ancillary service providers described below.

      Added: April 2019

    • GR-6.1.2

      The CBB has established a Directive contained in "Module OB: Open Banking" in Volume 5 of the CBB Rulebook that deals with a new sub category of ancillary service providers who, under the terms of the CBB license, may provide "payment initiation services" and/or "account information services". Such licensees are termed "payment initiation service providers" or PISPs and "account information service providers" or AISPs. Banks and other licensees which maintain a customer account is referred to in the CBB Rulebook Volume 5 as "licensees maintaining customer accounts".

      Added: April 2019

    • GR-6.1.3

      Islamic retail bank licensees must:

      (a) grant ancillary service providers of the types referred to in Paragraph AU-1.2.1 (f) and (g) of Rulebook Volume 5: Ancillary Service Providers Authorisation Module, access to customer accounts on an objective, non-discriminatory basis based on consents obtained from the customer (both natural and legal persons);
      (b) provide the criteria that the Islamic retail bank licensees apply when considering requests pursuant to sub-paragraph (a) above for such access; and
      (c) ensure that those criteria are applied in a manner which ensures compliance with sub-paragraph (a) above while ensuring adherence to Law No 30 of 2018, Personal Data Protection Law (PDPL) issued on 12 July 2018.
      Amended: September 2024
      Amended: July 2021
      Added: April 2019

    • GR-6.1.4

      Access to customer accounts granted pursuant to Paragraph GR-6.1.3 must be sufficiently extensive to allow the AISP and PISP access in an unhindered and efficient manner.

      Added: April 2019

    • GR-6.1.5

      Access to customer accounts granted pursuant to Paragraph GR-6.1.3 shall mean that at customer’s direction, the licensees are obliged to share, without charging a fee, all information that has been provided to them by the customer and that which can be accessed by the customer in a digital form. The obligation should only apply where the licensee keeps that information in a digital form. Furthermore, the obligation should not apply to information supporting identity verification assessment; which the licensees should only be obliged to share with the customer directly, not a data recipient. The information accessed and shared shall include transaction data, relevant Merchant Category Code information and product and services data that banks are required to publicly disclose, such as price, fees, and other charges should be made publicly available under open banking. Fees may be charged by banks to AISPs for sharing ‘Value Added Data’ and ‘Aggregated Data’ are not required to be shared. Value added data or derived data results from material enhancement by the application of insights, analysis, or transformation on customer data by the licensee. Aggregated data refers to data which is aggregated across the licensee’s customer segments for the purpose of analysis.

      Amended: April 2022
      Amended: July 2021
      Added: April 2019

    • GR-6.1.6

      If an Islamic retail bank licensee refuses a request for access to such services or withdraws access to such services, it must seek approval of the CBB in a formal communication which must contain the reasons for the refusal or the withdrawal of access and contain such information as the CBB may direct. The CBB shall approve the request if it is satisfied that the impact of not giving access is minimal. If the request is rejected, the Islamic retail bank licensee must adhere to the direction provided by the CBB.

      Added: April 2019

    • GR-6.1.7

      Islamic retail bank licensees must comply with each of the following requirements:

      (a) provide access to the same information from designated customer accounts made available to the customer when directly requesting access to the account information, provided that this information does not include sensitive payment data (such as customer security credentials or other personalised data, the holding of which or the use of which is not authorised by the customer; and data which may be used by the holder for unauthorised, fraudulent, illegal or activity or transactions);
      (b) provide, immediately after receipt of the payment order, the same information on the initiation and execution of the payment transaction provided or made available to the customer when the transaction is initiated directly by the latter;
      (c) upon request, immediately provide PISPs with a confirmation whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. This confirmation must consist of a simple 'yes' or 'no' answer.
      Added: July 2021

    • GR-6.1.8

      For the purposes of this Chapter, Islamic retail bank licensees must provide access to and share information and data pertaining to customer account activity, including the Merchant Category Code information relevant to the payments from the customer account, and balances of individuals (natural persons) covering a period of 12 full months or 365 days at the time of access to the AISPs in respect of the following services/products offered by the licensee:

      (a) Savings accounts;
      (b) Current accounts;
      (c) Term and call deposits;
      (d) Foreign currency accounts;
      (e) Unrestricted investment accounts;
      (f) Restricted investment accounts;
      (g) Mortgage/housing finance products;
      (h) Auto loans;
      (i) Consumer loans/financing;
      (j) Overdrafts (personal);
      (k) Credit and charge cards;
      (l) Electronic wallets and prepaid cards; and
      (m) Other accounts which are accessible to the customer through e-banking portal or mobile device.
      Amended: September 2024
      Amended: April 2022
      Added: July 2021

    • GR-6.1.8A

      For the purposes of Paragraph GR-6.1.7, where Islamic retail bank licensees have arrangements to provide access to information and data pertaining to account activity and balances of legal persons, they must provide relevant information covering a period of 12 full months, or 365 days at the time of access, to the AISPs in respect of the following services/products offered by the licensee:

      (a) Bank accounts including foreign currency denominated bank accounts;
      (b) Overdrafts;
      (c) Term and call deposits;
      (d) Treasury products;
      (e) Unrestricted investment accounts;
      (f) Restricted investment accounts;
      (g) Financing facilities*;
      (h) Trade finance facilities*;
      (i) Credit and charge cards;
      (j) Electronic wallets and prepaid cards; and
      (k) Other accounts which are accessible to the customer through e-banking portal or mobile device.

      * Including off-balance sheet commitments, guarantees and other lines of credit.

      Added: September 2024