Open Banking & SCA
Open Banking requires explicit user consent before any financial data is accessed. Hyperscale implements OAuth 2.0 with PKCE (Proof Key for Code Exchange) as specified in RFC 7636, together with Strong Customer Authentication (SCA) as required by SAMA (the Saudi Central Bank).
OAuth 2.0 Consent Flow
The consent flow ensures users explicitly authorize access to their financial data.
OAuth Scopes
Request only the scopes your application needs. Each scope requires explicit user consent.
| Scope | Risk | Description |
|---|---|---|
| accounts:read | low | View account balances, details, and statements |
| accounts:write | high | Open new accounts, modify account settings |
| transactions:read | medium | View transaction history and details |
| payments:write | high | Initiate payments and transfers |
| cards:read | medium | View card details, limits, and transactions |
| cards:write | high | Issue cards, set limits, freeze/unfreeze |
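The flow above, worked through in code: the client generates a PKCE verifier and S256 challenge, builds the authorization request with only the scopes it needs (rejecting any scope not in the table), and the authorization server later recomputes the challenge at the token endpoint. This is an added example, not Hyperscale's SDK; the authorization endpoint URL, client id and redirect URI are assumed placeholders, while the scope names and risk levels are the ones tabulated above.

```python
"""Authorization-code flow with PKCE (RFC 7636, S256) and least-privilege scopes.

Added example, not Hyperscale's own SDK. The scope names and risk levels
are the ones tabulated above; the authorization endpoint URL, client id
and redirect URI are assumed placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Scopes from the table above, keyed to their risk level.
SCOPE_RISK = {
    "accounts:read": "low",
    "accounts:write": "high",
    "transactions:read": "medium",
    "payments:write": "high",
    "cards:read": "medium",
    "cards:write": "high",
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

# Assumed placeholder; the real endpoint is provider-specific.
AUTHORIZE_URL = "https://auth.example-bank.test/oauth2/authorize"


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def highest_risk(scopes) -> str:
    """Risk level the consent screen should flag for this scope set."""
    return max((SCOPE_RISK[s] for s in scopes), key=RISK_ORDER.__getitem__)


def build_authorization_url(client_id, redirect_uri, scopes, verifier, state) -> str:
    """Client side: build the authorize request. Unknown scopes are refused
    rather than passed through, so a typo cannot widen the request."""
    unknown = sorted(set(scopes) - set(SCOPE_RISK))
    if unknown:
        raise ValueError(f"unknown scopes: {unknown}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                      # binds the callback to this session
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side, at the token endpoint: recompute the
    challenge from the verifier the client now presents and compare it
    in constant time with the one stored alongside the authorization code."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    recomputed = make_code_challenge(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorization_url("tpp-client-id", "https://tpp.example.test/cb",
                                  ["accounts:read", "transactions:read"],
                                  verifier, state=secrets.token_urlsafe(16))
    print(url)
    # Later, at the token endpoint, the server checks the presented verifier.
    print(verify_pkce(make_code_challenge(verifier), verifier))
```

The verifier never leaves the client until the token request, so an intercepted authorization code cannot be redeemed without it; the server-side check rejects out-of-range verifier lengths before hashing and uses a constant-time comparison.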
Strong Customer Authentication
SCA requires two factors from different categories out of three: knowledge (something the user knows, e.g. a PIN), possession (something the user has, e.g. a registered device), and inherence (something the user is, e.g. a biometric).
- Biometric: fingerprint or Face ID verification
- OTP: one-time password via SMS or authenticator
- Hardware Key: FIDO2/WebAuthn security keys
- PIN + Device: PIN combined with registered device
When SCA May Be Skipped
Certain transactions may qualify for an SCA exemption. Exemptions are evaluated by the issuing bank in real time.
- Low Value: transactions below threshold may skip SCA
- Trusted Beneficiary: recurring transfers to saved recipients
- Low Risk TRA: Transaction Risk Analysis flags low fraud risk
- Recurring Fixed: subscription payments with fixed amount
Exemption Liability: When an exemption is applied and fraud occurs, liability shifts to the party that applied the exemption.
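The two rules above (two factors from distinct categories, and exemption with liability shift) as an added decision routine. This is example code, not Hyperscale's; the factor categories, exemption names and liability rule follow the text, while the low-value threshold, the TRA score cut-off and the sample customer data are constructed assumptions.

```python
"""SCA decision: two factors from distinct categories, or an exemption with
its liability consequence.

Added example, not Hyperscale code. Factor categories, exemption names and
the liability rule follow the text above; the low-value threshold, the TRA
score cut-off and the sample customer data are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Each factor the page lists, mapped to its SCA category.
FACTOR_CATEGORY = {
    "pin": "knowledge",
    "registered_device": "possession",
    "sms_otp": "possession",          # delivered to the registered number
    "authenticator_otp": "possession",
    "fido2_key": "possession",
    "fingerprint": "inherence",
    "face_id": "inherence",
}

LOW_VALUE_THRESHOLD = 100.0   # assumed; the real figure is set by the issuer
TRA_LOW_RISK_MAX = 0.2        # assumed cut-off on the issuer's TRA score


def sca_satisfied(factors: Iterable[str]) -> bool:
    """Two factors of the same category (e.g. SMS OTP plus a FIDO2 key, both
    possession) do not count; at least two categories must be present."""
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(categories) >= 2


@dataclass
class Payment:
    amount: float
    beneficiary: str
    recurring: bool = False
    tra_risk_score: Optional[float] = None   # None when no TRA was run


@dataclass
class Customer:
    trusted_beneficiaries: Set[str] = field(default_factory=set)
    fixed_subscriptions: Dict[str, float] = field(default_factory=dict)  # beneficiary -> agreed amount


def applicable_exemption(p: Payment, c: Customer) -> Optional[str]:
    """First matching exemption from the list above, or None."""
    if p.amount < LOW_VALUE_THRESHOLD:
        return "low_value"
    if p.recurring and p.beneficiary in c.trusted_beneficiaries:
        return "trusted_beneficiary"
    if p.recurring and c.fixed_subscriptions.get(p.beneficiary) == p.amount:
        return "recurring_fixed"   # a changed amount no longer qualifies
    if p.tra_risk_score is not None and p.tra_risk_score <= TRA_LOW_RISK_MAX:
        return "low_risk_tra"
    return None


def decide(p: Payment, c: Customer, presented_factors: Iterable[str],
           exempting_party: str = "issuer") -> dict:
    """Outcome plus who carries the loss if the payment turns out fraudulent.
    The page only settles liability for the exemption case, so it is left
    as None otherwise."""
    if sca_satisfied(presented_factors):
        return {"outcome": "sca_passed", "exemption": None, "liable_if_fraud": None}
    exemption = applicable_exemption(p, c)
    if exemption:
        # Liability shifts to whoever applied the exemption.
        return {"outcome": "exempted", "exemption": exemption,
                "liable_if_fraud": exempting_party}
    return {"outcome": "sca_required", "exemption": None, "liable_if_fraud": None}
```

Note that the exemption check only runs when SCA was not completed; a payment that presents two valid factors is never recorded as exempted, so the liability shift is only ever attached to a decision that actually relied on an exemption.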
Consent Validity
Different consent types have different validity periods. Users can revoke consent at any time.
| Consent Type | Validity | Renewable |
|---|---|---|
| Account Access | 90 days | |
| Payment Initiation | One-time | |
| Recurring Payment | Until cancelled | |
| Standing Order | Per order terms | |
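The validity rules in the table, as an added consent-lifecycle example (not Hyperscale code): each consent type gets its expiry rule, a one-time consent is spent by its first use, and revocation takes effect immediately for every type. The standing-order term in days and the grant timestamp are constructed sample values.

```python
"""Consent validity per consent type, with one-time use and revocation.

Added example, not Hyperscale code. Validity rules follow the table above;
the standing-order term in days and the grant time are constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCOUNT_ACCESS_DAYS = 90   # maximum access validity stated on this page


@dataclass
class Consent:
    consent_type: str   # account_access | payment_initiation | recurring_payment | standing_order
    granted_at: datetime
    order_term_days: Optional[int] = None   # standing orders only: the order's own term
    used: bool = False
    revoked: bool = False

    def expires_at(self) -> Optional[datetime]:
        if self.consent_type == "account_access":
            return self.granted_at + timedelta(days=ACCOUNT_ACCESS_DAYS)
        if self.consent_type == "standing_order":
            if self.order_term_days is None:
                raise ValueError("standing order consent needs order_term_days")
            return self.granted_at + timedelta(days=self.order_term_days)
        return None   # one-time and until-cancelled: no calendar expiry

    def is_valid(self, now: datetime) -> bool:
        if self.revoked:
            return False
        if self.consent_type == "payment_initiation" and self.used:
            return False   # one-time: spent by its first use
        expiry = self.expires_at()
        return expiry is None or now < expiry


def use_consent(consent: Consent, now: datetime) -> None:
    """Gate an API call on the consent; one-time consents are consumed."""
    if not consent.is_valid(now):
        raise PermissionError(f"{consent.consent_type} consent is not valid")
    if consent.consent_type == "payment_initiation":
        consent.used = True


def revoke(consent: Consent) -> None:
    """User revocation takes effect immediately, whatever the type."""
    consent.revoked = True


def lifecycle_demo() -> dict:
    """Walk each consent type through the checks; returns the observations."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed grant time
    day = lambda n: t0 + timedelta(days=n)
    out = {}
    access = Consent("account_access", t0)
    out["access_day_89"] = access.is_valid(day(89))
    out["access_day_90"] = access.is_valid(day(90))
    one_time = Consent("payment_initiation", t0)
    use_consent(one_time, day(0))
    out["one_time_after_use"] = one_time.is_valid(day(0))
    recurring = Consent("recurring_payment", t0)
    out["recurring_day_400"] = recurring.is_valid(day(400))
    revoke(recurring)
    out["recurring_after_revoke"] = recurring.is_valid(day(400))
    standing = Consent("standing_order", t0, order_term_days=30)
    out["standing_day_29"] = standing.is_valid(day(29))
    out["standing_day_31"] = standing.is_valid(day(31))
    return out


if __name__ == "__main__":
    for name, ok in lifecycle_demo().items():
        print(f"{name}: {'valid' if ok else 'invalid'}")
```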
SAMA Open Banking Framework
Saudi Arabia's Open Banking framework mandates specific requirements for Third Party Providers.
TPP Registration
- Registration with SAMA as Third Party Provider
- Fintech license or regulatory sandbox participation
- Technical capability assessment
- Professional indemnity insurance
Consumer Protection
- Clear consent language in Arabic and English
- Explicit scope description before consent
- 90-day maximum access validity
- One-click consent revocation
Data Standards
- SAMA-defined API specifications
- Standard data formats for accounts and transactions
- Mandatory response fields and structures
- Error code standardization
Security
- TLS 1.2 minimum for all communications
- OAuth 2.0 with PKCE mandatory
- Certificate-based client authentication
- Request signing with JWS
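The transport requirements in the Security list (TLS 1.2 minimum and certificate-based client authentication) as an added client-side configuration example, with the weak setting beside the corrected one and a policy check that flags the difference. This is example code, not Hyperscale's; the certificate and key paths are assumed placeholders supplied by the caller, and JWS request signing is not covered here.

```python
"""Client-side TLS configuration meeting the minimums listed above: TLS 1.2
floor, verified server certificate, optional certificate-based client
authentication (mTLS) using the TPP's own certificate.

Added example, not Hyperscale code. Certificate and key paths are assumed
placeholders supplied by the caller.
"""
import ssl
from typing import List, Optional


def make_client_context(ca_file: Optional[str] = None,
                        client_cert: Optional[str] = None,
                        client_key: Optional[str] = None) -> ssl.SSLContext:
    """Compliant context: TLS >= 1.2, server cert and hostname verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 outright
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED            # always verify the bank's cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # e.g. a scheme-specific trust anchor
    else:
        ctx.load_default_certs()
    if client_cert:
        # Certificate-based client authentication: present the TPP certificate.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def insecure_context_for_comparison() -> ssl.SSLContext:
    """The weak setting beside the corrected one: verification switched off,
    which lets any endpoint impersonate the bank. Never use in production."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Check a context against the settings above; an empty list means compliant."""
    violations = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        violations.append("minimum protocol version below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        violations.append("server certificate verification not required")
    if not ctx.check_hostname:
        violations.append("hostname verification disabled")
    return violations


if __name__ == "__main__":
    print("compliant:", tls_policy_violations(make_client_context()))
    print("insecure: ", tls_policy_violations(insecure_context_for_comparison()))
```

The policy check is the piece worth keeping in a test suite: it catches a context that was relaxed "temporarily" for debugging before that change reaches a deployment.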