Delegated SCA — Requirements v2.16 min read

Must conform to the Request JWT requirements — correct aud, signing algorithm (PS256), and expiry window.

Must be included in the POST body (client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer). Authenticates the TPP application — see Client Assertion.

Must be payments openid. If consent.Permissions includes any of ReadAccountsBasic, ReadAccountsDetail, or ReadBalances, must be accounts payments openid — see Account Permissions in a Payment Consent.

Must be urn:openfinanceuae:service-initiation-consent:v2.1.

The consent version in authorization_details[0].type (e.g. urn:openfinanceuae:service-initiation-consent:v2.1) restricts the version of the Payment Initiation endpoints the consent can be used to call (specified in the path, e.g. /open-finance/payment/v2.1/payments). It MUST resolve to an ApiVersion the LFI has published in the Trust Framework for the Payment Initiation API family.

The request must conform exactly to the POST /par OpenAPI schema. No additional or undocumented parameters are permitted.

The decrypted PII payload must conform exactly to the PII schema. No additional or undocumented parameters are permitted.

The Risk block must be fully populated — every field that is known or derivable from the TPP's system must be included. See Risk.

If provided, must reference a valid UAE IBAN held at the LFI and reachable through this API Hub. The account must be in a state that permits payment initiation (e.g. not blocked, dormant, or closed).

Optional. If provided, must contain 1–10 creditor entries. Each Creditor must be a valid UAE domestic creditor — the account must be reachable on a supported UAE domestic rail (AANI or UAEFTS) and, where the LFI can determine the state of the receiving account, in a state able to receive payments. Mandatory fields, IBAN, and BIC derivation rules apply to every entry — see creditor field validation requirements.

Must be present and set to true.

Must be an empty object {}.

The LFI must advertise Delegated SCA as supported for the requested beneficiary model via the corresponding flag on its authorisation server entry in the Trust Framework: ApiMetadata.DelegatedAuthentication.SingleBeneficiarySupported (exactly 1 creditor entry), ApiMetadata.DelegatedAuthentication.MultipleBeneficiariesSupported (2–10 entries), or ApiMetadata.DelegatedAuthentication.OpenBeneficiariesSupported (Initiation.Creditor omitted). If the payment type is not supported for the requested beneficiary model, the consent validation will fail.

If provided, must reference a previous consent belonging to the same end user. If the original consent in the chain already had a BaseConsentId, the TPP must reuse that same BaseConsentId rather than the immediate prior ConsentId.

Optional; default is false. Omitting or setting to false asserts that the TPP supports the multi-authorization flow — the consent may remain pending while additional authorizers approve before reaching Authorized. Setting to true requests that only accounts solely authorizable by the authenticated customer be offered. The LFI must not reject the consent based on its own platform capability — this is a TPP-side assertion. See Multi-Authorization.

If provided, must not be in the past. Must not be after consent.ExpirationDateTime.

Must not be in the past. Must be less than one year in the future.

If ReadBalances is included, at least one of ReadAccountsBasic or ReadAccountsDetail must also be present.

Must not be present. Domestic payments are denominated in AED only; CurrencyRequest is for non-local currency and international transfers.

If provided, must be a recognised AANI purpose code.

Should be included. Should be a valid UUID (RFC 4122). An invalid value will not cause a failure but tracing will not be possible.

Must contain a valid Bearer access token issued with the payments openid scope (or accounts payments openid where account permissions were included on the consent — see Account Permissions in a Payment Consent). The consent bound to the token must be in Authorized status and the ExpirationDateTime of the Consent must be in the future.

The version in the request URL path (e.g. v2.1 in /open-finance/service-initiation/v2.1/payments) must match the version in the consent's authorization_details[0].type (urn:openfinanceuae:service-initiation-consent:v2.1).

Must match the ConsentId bound to the access token. The Consent must be in Authorized status and the ExpirationDateTime of the Consent must be in the future.

No amount cap is enforced by the consent. The TPP is responsible for ensuring the amount was explicitly approved by the user via their own SCA flow before initiating.

Can differ from consent.PaymentPurposeCode. If provided, must be a recognised AANI purpose code.

The request must conform exactly to the POST /payments OpenAPI schema. No additional or undocumented parameters are permitted.

The decrypted PII payload must conform exactly to the PII schema. No additional or undocumented parameters are permitted.

The Risk block must be fully populated — every field that is known or derivable from the TPP's system must be included. See Risk.

Must demonstrate that the User was recently authenticated using SCA (at least two distinct factors). ChallengeOutcome must be Pass, AuthenticationFlow must be MFA, and at least two of PossessionFactor.IsUsed, KnowledgeFactor.IsUsed, or InherenceFactor.IsUsed must be true with a valid Type set on each. ChallengeDateTime must be recent relative to the payment request.

Depends on the beneficiary model set at consent time. Single beneficiary (Initiation.Creditor[] had 1 entry at consent time): the submitted creditor must exactly match that consent-time entry. Multiple beneficiaries (2–10 entries): the submitted creditor must exactly match one entry from the pre-approved consent-time list. Open beneficiary (Initiation.Creditor[] omitted at consent): no consent-time match — the submitted creditor must independently satisfy the creditor field validation requirements (mandatory fields, valid UAE IBAN, and BIC derivation rules) and must be a valid UAE domestic creditor reachable on AANI or UAEFTS. See Creditor.

Should be included. Should be a valid UUID (RFC 4122). An invalid value will not cause a failure but tracing will not be possible.

Must be included. Must be a stable, unique value per payment attempt — the same key must be reused on retries of the same payment.

Must be sent when as customer is authenticated at the time of the call. Must be a valid HTTP-date (RFC 7231), e.g. Tue, 11 Sep 2012 19:43:31 UTC.

Must be sent as the customer is actively present at the time of the call. Must be a valid IPv4 or IPv6 address.

Should be sent when the customer is actively present. Should reflect the user-agent of the customer's browser or device.