Secure Management of Keys and Credentials
Establishes mandatory and recommended practices for the secure management of cryptographic keys and credentials within the UAE Open Finance ecosystem — ensuring regulatory compliance, protecting organizational and user data, and maintaining trust across participants.
What this policy covers
- Generation, storage, use, rotation, revocation, and destruction of cryptographic keys and credentials
- Authentication, authorization, and token handling in Open Finance APIs and consent flows
- Integration with Key Management Systems (KMS), Hardware Security Modules (HSMs), and other cryptographic infrastructure
- Roles and responsibilities for LFIs, TPPs, and ecosystem participants
The controls organizations must implement
While the UAE does not mandate a single key management statute, organizations are required to implement robust security controls under the Information Assurance Regulation and the CBUAE Open Finance guidelines.
Key requirements
- Key lifecycle management — secure generation, storage, distribution, rotation, revocation, and destruction
- Protection of sensitive material — secret and private keys must be protected against unauthorized access, loss, or disclosure
- Auditing and logging — all key usage and lifecycle activities must be logged and auditable
- Certification and revocation — procedures to maintain trust across ecosystem participants
LFIs and TPPs must implement these controls to ensure confidentiality, integrity, and availability of Open Finance systems.
The five practices every participant must adopt
Adopt secure cryptographic infrastructure
Use FIPS 140-3 certified HSMs for key generation, signing, encryption, and storage. Ensure centralized key management using modern KMS (on-premises or cloud) that supports UAE data governance and local control principles, such as data residency and access controls.
Implement key lifecycle controls
Rotate transport and signing keys at least every 13 months or more frequently if mandated. Define clear policies for key expiration, recovery, and destruction. Maintain audit logs of all key usage.
Enforce strong authentication
Use phishing-resistant, modern authentication methods:
- FIDO2 / Passkeys for customer authentication
- OAuth 2.0 + FAPI 2.0 for secure API access
- Mutual TLS (mTLS) for client-server authentication
Ensure secure handling of credentials and tokens throughout consent and API flows.
Apply access management best practices
Implement role-based access control (RBAC) and separation of duties for key access. Limit key access to authorized personnel and system components only.
Retain cryptographic control with BYOK / MYOK
LFIs may use Bring Your Own Key (BYOK) or Manage Your Own Key (MYOK) strategies to maintain control over sensitive key material while leveraging cloud infrastructure.
Why this matters
Secure key and credential management is a regulatory requirement, operational imperative, and trust enabler in the UAE Open Finance ecosystem. By implementing hardware-backed cryptography, modern authentication standards, robust key lifecycle management, and strong access controls, LFIs and TPPs can:
- Protect user and organizational data
- Maintain regulatory compliance
- Enable secure, consented financial data sharing
- Foster trust and resilience across the Open Finance ecosystem
