LFI — Integration Guide v2.1
The implementation guide for Licensed Financial Institutions (LFIs) connecting to UAE Open Finance. It covers the APIs your bank exposes, the API Hub services your bank consumes, the Trust Framework registrations required to participate, and the onboarding and certification path from sandbox through to live production traffic.
Where the LFI sits
UAE Open Finance is strictly mediated: TPPs never call LFIs directly. All TPP traffic is routed through the API Hub (operated by Nebras, with vendor support from Ozone API), which acts as the OIDC/FAPI authorization server, the consent source of truth, and the gateway that proxies every request to the relevant LFI. The LFI's role is the execution layer.
Operate Ozone Connect
The LFI-built backend that implements the Open Finance endpoints the Hub calls — account data, payments, Confirmation of Payee, products & leads, ATMs, and consent events.
Authenticate the customer
During the consent journey, the end user is redirected from the Hub to the LFI to authenticate and authorise the consent. Your authorisation server hands the result back to the Hub via Headless Heimdall.
Provide a CMI
The customer-facing Consent Management Interface where end users review and revoke active consents, backed by the Hub's Consent Manager API.
Consent state, token issuance, schema enforcement, and TPP-facing routing all live in the Hub. The LFI does not maintain independent consent state and does not issue tokens.
LFI Integration Journey
If this is your first time on this guide, follow the Integration Journey end-to-end. It sequences the work into three phases — Pre-production build & integrate, Certification, and Production launch — and links out to every section below at the right point in the journey.
Recommended Bank Rollout Plan
How to stage delivery capability-by-capability against the regulatory deadline.
Sections
Each section covers one area of the integration. Work through them in the order suggested by the Integration Journey, or jump in where you need.
Trust Framework
The participant directory and certificate authority that underpins the ecosystem. Register your organisation, nominate Organisation Admins and users, upload transport and signing certificates, and create the C3-hh-cm-client application the Hub uses to call your services. Once live, this is also where you publish your authorisation server and API resources so TPPs can discover them.
API Hub
Everything the Hub provides to your LFI: connectivity and mTLS setup, application-layer authentication, environment-specific configuration, the Admin Portal for TPP management and operational reporting, the Headless Heimdall auth-server API used during the consent journey, and the Consent Manager API for reading and managing consents.
Ozone Connect - Banking
The Ozone Connect APIs your LFI implements for the Hub to call on behalf of authorised TPPs.
- Data Sharing: accounts, balances, transactions, beneficiaries, standing orders, statements, customer data (BDSP, consented)
- Payments (Service Initiation): single instant & multi-payments, refunds, PII, multi-authorization (BSIP, consented)
- Confirmation of Payee: pre-payment payee verification (BSIP, client credentials)
- Products & Leads: open product catalogue and lead capture (BDSP, client credentials)
- ATMs: ATM location data (BDSP, client credentials)
Ozone Connect - Insurance
The Ozone Connect APIs your LFI implements for insurance — one endpoint pair per sector you underwrite, called by the Hub on behalf of authorised TPPs.
Ozone Connect - Consent Events
The events-and-actions API your LFI implements so the Hub can validate consents at creation time and notify your systems when consents are created, modified, or revoked. This is the LFI's hook into the consent lifecycle owned by the Hub.
Consent Journey
The customer journey at the LFI between PAR and token issuance: authentication (including Strong Customer Authentication), authorization, and the Headless Heimdall handoff back to the Hub.
Consent Management Interface
Requirements, user experience, and API guide for the consent management surface every LFI must expose to its customers — the place where end users view and revoke active Open Finance consents.
Testing & Certification
The certification evidence required before going live — functional, user experience, performance, and security validation — and the production live-proving steps (attestation, self-testing, TPP buddying) that follow.
