Recommended Insurance Rollout Plan 5 min read
This page proposes a sensible delivery sequence for an LFI working through Step 3 of the LFI Integration Journey when its Open Finance scope covers insurance. It is intended as a starting path that breaks the work into manageable increments — the LFI picks a single insurance type to deliver end-to-end first, then extends to the rest of its book once the first type is live.
This rollout plan is guidance. The Central Bank of the UAE sets the actual regulatory requirements and deadlines — those MUST always take precedence. It is the LFI's responsibility to assess how best to meet their obligations. This page recommends a delivery order; it does not define scope or timing.
Each phase below is a self-contained delivery increment. A phase can be taken end-to-end through Step 3 → Step 9 (build, certify, go live) before the next phase is started, or phases can be run in parallel where resourcing allows.
The plan is shaped around one core idea: an LFI that underwrites more than one insurance type should pick a primary insurance type first — typically the type with the largest in-force book or the highest expected TPP demand — and deliver it through every phase before extending to the rest. This contains scope, lets the LFI prove the consent journey and Ozone Connect endpoints against a single product model, and avoids spreading certification and production launch effort across multiple insurance types in parallel.
Foundations and First Insurance Type — Data Sharing
Phase 1 establishes the foundational integration with the API Hub and delivers Insurance Data Sharing for the LFI's chosen primary insurance type, end-to-end through certification and production launch.
1. Consent Validate
Implement the POST/consent/action/validate endpoint on your Ozone Connect server.
This endpoint is called by the API Hub before a consent is stored, and lets your LFI signal which consent types and permissions you support. Building this first means you can safely reject any consent type you haven't yet implemented, and then expand the accepted set as each subsequent capability comes online.
See the Consent Events API Guide for implementation details.
2. Consent Journey
Implement the authorization interaction between your LFI and the API Hub. These are the five endpoints your LFI calls against the Hub to drive a consent through customer authentication, authorization, and return to TPP:
| Endpoint | Direction | Purpose |
|---|---|---|
GET/auth | LFI → API Hub | Initiate the authorization interaction |
GET/consents/{consentId} | LFI → API Hub | Retrieve the full consent details |
PATCH/consents/{consentId} | LFI → API Hub | Update consent status, customer identifiers, and policy IDs |
POST/auth/{interactionId}/doConfirm | LFI → API Hub | Complete the authorization interaction and redirect back to TPP successfully |
POST/auth/{interactionId}/doFail | LFI → API Hub | Complete the authorization interaction and redirect back to TPP with a failure |
See the Consent Journey API Guide for the end-to-end sequence, including customer authentication requirements (SCA) and identifier rules.
3. Pick a Primary Insurance Type
Before building any Insurance Data Sharing endpoints, select one insurance type from the seven sectors covered by the standard:
- Employment insurance
- Health insurance
- Home insurance
- Life insurance
- Motor insurance
- Renters insurance
- Travel insurance
If your LFI underwrites more than one of these, pick the type you judge best to start with — typically the one with the largest in-force book, the highest expected TPP demand, or the cleanest mapping from your existing policy administration system into the standard's schema. The remaining types are picked up in Phase 3 once Phase 1 and Phase 2 are live for the primary type.
4. Insurance Data Sharing — Primary Type
Implement Insurance Data Sharing for the primary insurance type chosen above. Each insurance type is exposed through one pair of Ozone Connect endpoints — substitute the sector slug for your chosen type (employment, health, home, life, motor, renters, or travel):
| Endpoint | Purpose |
|---|---|
GET/{sector}-insurance-policies | List the policies covered by the consent |
GET/{sector}-insurance-policies/{InsurancePolicyId} | Retrieve full details for a single policy |
See Data Sharing — Requirements and the Data Sharing API Guide. Where the consent includes ReadInsurancePremium, the Premium field MUST be returned as a JWE — see Encrypted Premiums.
Once live, update the POST/consent/action/validate response to accept Insurance Data Sharing consents for the chosen sector.
5. Consent Management Interface
Provide a Consent Management Interface (CMI) in your customer-facing channels so policyholders can view and revoke their active insurance consents.
The CMI is sequenced last in Phase 1 because it consumes consents created by the Insurance Data Sharing capability. It is built against the Hub's Consent Manager APIs — the same endpoints the bank rollout uses, since the Consent Manager surface is consent-type agnostic:
| Endpoint | Purpose |
|---|---|
GET/psu/{userId}/consents | List all consents for a given customer |
GET/consents/{consentId} | Retrieve the full details of a consent |
POST/consents/{consentId}/action/revoke | Revoke a specific consent |
POST/consent-groups/{consentGroupId}/consents/action/revoke | Revoke a group of related consents |
See CMI — Insurance Data Sharing Requirements, User Experience, and the CMI API Guide.
With Phase 1 complete, take the work through Certification and Production Launch for the chosen primary insurance type before starting Phase 2.
First Insurance Type — Quotation
Phase 2 adds the Insurance Quotation capability for the same insurance type delivered in Phase 1. Building quotation against a type the LFI has already taken end-to-end keeps the consent journey, customer identification, and Ozone Connect integration patterns familiar — the only new work is the quotation flow itself.
Insurance Quotation is a forthcoming capability and is not yet published in these standards. When it is published, this phase will be updated with the endpoint list, requirements, and API guide links. Track the API Hub Release Notes for the publication date.
Extend POST/consent/action/validate to accept Insurance Quotation consents for the chosen sector once the capability goes live, and take Phase 2 through Certification and Production Launch before starting Phase 3.
Extend to Additional Insurance Types
Phase 3 applies to LFIs that underwrite more than one insurance type. Once Phase 1 and Phase 2 are live for the primary type, repeat the same delivery pattern for each additional insurance type the LFI offers:
- Implement Insurance Data Sharing for the additional sector (
/{sector}-insurance-policiesand/{sector}-insurance-policies/{InsurancePolicyId}) - Extend the CMI to surface consents for the additional sector (no new endpoints — the Consent Manager APIs already cover it)
- Implement Insurance Quotation for the additional sector once that capability is live
- Extend POST
/consent/action/validateto accept consents for the additional sector
Each additional insurance type is a self-contained delivery increment and should be taken through Certification and Production Launch before the next one is started, unless resourcing allows types to be brought live in parallel.
The endpoints and consent-journey integration are the same across all seven sectors — the additional work is in mapping each insurance type's policy and customer data into the standard's schemas.
Ongoing version upgrades and regulatory change
By the end of Phase 3 the LFI will have delivered Insurance Data Sharing, the Consent Management Interface, and Insurance Quotation for every insurance type it underwrites. From here, ongoing work is driven by version upgrades, new API families, errata, and regulatory changes — continue to track the API Hub Release Notes schedule and plan subsequent work against your own delivery cycles.