
UAE SME & corporate banking · authorized integration

Pulling SME banking data out of Mashreq Biz, the AlTareq-era way

The AlTareq window is the reason this is on the roadmap now

Mashreq Biz sits inside a market that has, in the last twelve months, gone from "Open Finance is coming" to a live regulated channel. The CBUAE's Open Finance Regulation — Circular 7 of 2023, updated by Circular 3 of 2025, in force from 10 July 2025 — makes participation mandatory for all licensed financial institutions, and the AlTareq programme run through Nebras Open Finance LLC is the user-facing brand consenting customers see when an authorized third party requests their data. Commercial Bank of Dubai was the first to fully activate it for customers, working with the CBUAE-licensed TPPs Lean Technologies and Pay10. A Mashreq Biz business customer is, in regulatory terms, exactly the kind of account holder Open Finance was designed to free up.

That is the strategic backdrop. The tactical reality, on a single integration today, is that any one SME data scope you actually need may or may not be live on the AlTareq journey for Mashreq Biz at the moment you sign the contract. We design every Mashreq Biz build to ride the regulated channel when it is the cleanest path, and to lean on the authorized interface route in parallel for anything not yet covered, with both stitched into one stable interface for your platform.

What a Mashreq Biz session actually exposes

The substance comes from the app's own feature list and the corresponding screens. Each row is something a Biz user can see today and an integrator typically wants normalised.

| Domain | Where it originates in the app | Granularity | Common integrator use |
| --- | --- | --- | --- |
| Account balances | Accounts dashboard on login | Per AED & FCY account, current ledger and available | Cashflow widgets in ERP and treasury tools |
| Transaction history & statements | Statements view inside the app; downloadable statement files; MT940 remains the long-standing corporate-grade format integrators ask for | Posted txn, value date, narrative, FX rate where applicable | Reconciliation into Xero/Zoho/SAP, audit pulls |
| Transaction queue | Transactions awaiting approval inside the app | Per pending instruction: initiator, amount, beneficiary, approver state | Approval bots, slack-style notifiers, dual-control compliance |
| Money transfers | Send Money flow — intra-Mashreq, domestic UAE, international with special FX | Counterparty, currency pair, rate, fee, channel | Payment automation, FX-rate capture for accounting |
| Bill payments | Bill Pay surface for Etisalat, Du, DEWA, SEWA, ADDC, Salik and Naqodi Wallet, plus credit card bills | Biller, reference, amount, status | AP automation for UAE utility/telecom spend |
| Cardless cash | Cardless Cash flow that lets a user pull cash from any Mashreq ATM without a debit card | One-time code, amount, expiry, ATM | Field cash disbursement, petty cash workflows |
| Debit card lifecycle | Activate / block debit card from inside the app | Per card: state, last change | Card-ops tooling for finance teams managing many issued cards |
| Service requests | Cheque book apply; statement download; profile updates | Request, status, ETA | Status mirroring into customer portals |

These are the surfaces. The integration shape depends on which ones your platform actually needs — that scoping is the first conversation, not a side-effect of the build.

Three authorized routes, picked in this order

1. The CBUAE-licensed TPP path through AlTareq / Nebras

The intended long-run home for read-only account information on a Mashreq Biz business customer. We work with a CBUAE-licensed TPP, the customer consents through the AlTareq journey, and the data Nebras's API hub standardises lands in your system on a refreshable consent. Strongest durability, regulator-supervised, and the consent UX a business owner expects to see.

Trade-off: scope and coverage of business-segment data over AlTareq is still expanding through 2026. We confirm what is live for Mashreq Biz at engagement kick-off rather than promising a fixed catalogue up front.

2. Authorized interface integration against the Biz session

Reverse engineering / data extraction for interoperability, run against accounts the client owns or has the account holder's written authorization for. We map the auth handshake (registered-device push to Security PIN / biometric), the session token, the statement endpoints, the transaction queue endpoints and the bill-pay flows, and wrap them as a stable interface. This is how we cover everything that the AlTareq scope does not yet reach, in particular the multi-signatory queue, FX-deal-rate transfer initiation and UAE biller flows.

Trade-off: vulnerable to in-app revisions; that is what the scheduled drift check on the support contract is for (more under engineering notes).

3. User-consented credential access with native exports as fallback

Where a single account, single signatory, and a low-cadence pull is all that is needed, the cleanest delivery is sometimes a consent-driven session that downloads MT940 / PDF statements and parses them. We use this for short engagements and for migration backfills.

For most Mashreq Biz scopes we end up combining route 1 (where it is live) with route 2 (for everything else), wrapped behind one schema your platform calls. That recommendation is not a fixed rule — it falls out of the specific data your project needs.

What lands in your repo at the end

  • Runnable source for the endpoints you scoped — Python and/or Node — covering authentication, the account/statement pulls, the transfer or queue calls, error handling and retry.
  • OpenAPI 3.1 spec describing the normalised interface we expose to your platform (independent of which underlying route is serving each call).
  • Protocol & auth-flow report for the Mashreq Biz session: the Security-PIN / push handshake, token refresh window, device-registration constraints, and the MT940 statement parser quirks we hit.
  • Automated tests against captured fixtures plus a smoke suite that runs against a consenting account on a schedule.
  • Compliance package — the consent records, the data-retention defaults, the log/redaction setup, and the data-minimisation notes for your own legal review.
  • Interface documentation good enough for a back-end engineer who has never seen Mashreq Biz to pick the work up cold.

A small sketch of how a session call looks

Illustrative only — the field names and the token shape get confirmed during the build against a consenting account; do not treat this as the production contract.

```http
POST /v1/mashreqbiz/session/start
Content-Type: application/json
{
  "device_binding": "<registered_device_token>",
  "auth_assertion": "<push_to_pin_assertion_jwt>",
  "client_ref": "openbankingstudio.com / acme-erp"
}

200 OK
{
  "session_id": "sx_8f24...",
  "issued_at": "2026-05-30T07:14:11Z",
  "expires_at": "2026-05-30T07:29:11Z",
  "refresh_window_s": 900,
  "scope": ["accounts.read","statements.read","queue.read"]
}

GET /v1/mashreqbiz/accounts/<account_ref>/statement
       ?from=2026-04-01&to=2026-04-30&format=normalised
Authorization: Session sx_8f24...

200 OK
{
  "account_ref": "AE07033...",
  "currency": "AED",
  "opening_balance": 184250.12,
  "closing_balance": 192871.05,
  "lines": [
    {"posted":"2026-04-02","value":"2026-04-02","amount":-1450.00,
     "currency":"AED","narrative":"DEWA bill 2026-04","ref":"BIL-882134",
     "channel":"bill_pay"},
    {"posted":"2026-04-03","value":"2026-04-03","amount":-12300.00,
     "currency":"USD","fx_rate":3.673,"narrative":"Intl transfer to Acme HK",
     "ref":"FT-7711","channel":"intl_transfer"}
  ],
  "source_route":"authorized_interface",
  "fallback_used":false
}
```

The `source_route` field exists on purpose: your platform should never need to know whether a given call was served by the AlTareq channel or the authorized interface. We hide that switch behind the same response shape.

Consent scope, AlTareq, and where compliance lives

Two regimes apply at the same time. The CBUAE Open Finance Regulation governs the licensed TPP route — consent is obtained through the AlTareq journey, the data hub is Nebras Open Finance LLC, and there is a regulator-defined Trust Framework on top of identity, authentication and data security. The UAE's Federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and CBUAE consumer-protection standards govern the customer-data handling on top.

Practically that means: a Mashreq Biz integration we deliver only ever runs against an account the client owns, the legal entity that owns it, or an explicitly consenting account holder. Consents are scoped to what the integration needs — a balance widget does not get transfer-initiation scope. Refresh and revocation are stored with the consent record. The build runs on logged sessions; payloads are redacted before any sample leaves the build environment; NDAs sit on top where the client wants them.
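A minimal gate for the scoping rule above, as an added example rather than the studio's delivered code: before any call it checks revocation, session expiry, and that the session's scopes stay within the consent. The consent record layout, the operation names and the `transfers.initiate` scope are assumptions; the read scopes and timestamp format follow the sketch earlier on the page.

```python
from datetime import datetime, timezone

# Scope each normalised operation needs. The three read scopes come from the
# page's sketch; "transfers.initiate" and the operation names are hypothetical.
REQUIRED_SCOPE = {
    "get_balances": "accounts.read",
    "get_statement": "statements.read",
    "list_queue": "queue.read",
    "initiate_transfer": "transfers.initiate",
}
# Constructed sample data mirroring the sketch (not captured traffic).
SESSION = {"session_id": "sx_example", "expires_at": "2026-05-30T07:29:11Z",
           "scope": ["accounts.read", "statements.read", "queue.read"]}
# Assumed consent record layout; the page does not define one.
CONSENT = {"scopes": ["accounts.read", "statements.read", "queue.read"],
           "revoked_at": None}


class AccessDenied(Exception):
    """The call is outside what the consent and the session allow."""


def parse_ts(value):
    """Parse the sketch's 'YYYY-MM-DDTHH:MM:SSZ' timestamps as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authorize(operation, session, consent, now):
    """Return the scope that permits `operation`, or raise AccessDenied."""
    needed = REQUIRED_SCOPE.get(operation)
    if needed is None:
        raise AccessDenied(f"unknown operation {operation!r}")  # default deny
    if consent["revoked_at"] and parse_ts(consent["revoked_at"]) <= now:
        raise AccessDenied("consent revoked")
    if now >= parse_ts(session["expires_at"]):
        raise AccessDenied("session expired")
    # A session must never carry more than the consent granted.
    excess = set(session["scope"]) - set(consent["scopes"])
    if excess:
        raise AccessDenied(f"session scope exceeds consent: {sorted(excess)}")
    if needed not in session["scope"]:
        raise AccessDenied(f"{operation} needs scope {needed}")
    return needed
```

Checking consent before session means a revoked consent blocks the call even while a previously issued session is still inside its validity window.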

Where the regulated channel does not yet cover a piece of data your integration needs, we say so plainly and the authorized interface path carries that piece, with the consent recorded against the same business entity so the compliance posture stays consistent.
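One way to implement the redaction step mentioned above (an added example, not the studio's tooling): an allowlist redactor that masks every value whose key is not explicitly cleared, plus an export gate that confirms no original value survived. The payload is constructed in the shape of the statement sketch, and `beneficiary_iban` is a hypothetical field standing in for one the allowlist has never seen.

```python
import json
import re

# Keys whose values may leave the build environment verbatim. Anything not
# listed is masked, so a field added by a later app revision is redacted by default.
KEEP = {"currency", "channel", "source_route", "fallback_used"}
DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
# Constructed payload in the shape of the page's statement sketch;
# "beneficiary_iban" is a hypothetical field the allowlist has never seen.
SAMPLE = {
    "account_ref": "AE00-EXAMPLE-ACCOUNT", "currency": "AED",
    "opening_balance": 184250.12,
    "lines": [{"posted": "2026-04-02", "amount": -1450.00, "currency": "AED",
               "narrative": "DEWA bill 2026-04", "ref": "BIL-882134",
               "channel": "bill_pay", "beneficiary_iban": "AE00-EXAMPLE-IBAN"}],
    "source_route": "authorized_interface", "fallback_used": False,
}


def mask(value):
    """Swap a scalar for a same-typed placeholder so parsers and tests still run."""
    if value is None:
        return None
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return type(value)(0)
    return "1970-01-01" if DATE.fullmatch(value) else "<redacted>"


def redact(node, key=None):
    """Mask every scalar in a decoded JSON payload that is not under a KEEP key."""
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, key) for v in node]
    return node if key in KEEP else mask(node)


def leaked(original, redacted, key=None):
    """Export gate: (key, value) pairs from `original` still present in `redacted`."""
    if isinstance(original, dict):
        return [hit for k, v in original.items() for hit in leaked(v, redacted, k)]
    if isinstance(original, list):
        return [hit for v in original for hit in leaked(v, redacted, key)]
    if key in KEEP or mask(original) == original:
        return []
    return [(key, original)] if json.dumps(original) in json.dumps(redacted) else []
```

Run `leaked(original, redact(original))` as the last step before a sample is written anywhere shared and fail the export if it returns anything.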

Engineering notes we work into the Mashreq Biz build

These are the things experience on this app has taught us to design for, all handled inside the engagement, not laid at the customer's feet.

  • Push-to-PIN as part of the flow, not a wall. Mashreq has moved Biz away from SMS OTPs to in-app push notifications backed by a Security PIN or biometric on a registered device. We design read-only pulls to run on a refreshable session bound to a registered device the client provides, and we model write actions (transfer initiate, bill pay) as queued instructions that surface to the human approver — so the integration matches how the app actually behaves rather than fighting it.
  • The Transaction Queue is the truth, not a side-effect. On corporate accounts with two approvers, the in-app Transaction Queue is the canonical place to know whether a payment is initiated, awaiting, approved or rejected. We model the queue as a first-class object in the schema so a finance system can read state mid-flow, not only at terminal status.
  • Drift gets caught on a clock, not on a ticket. The Biz front end ships updates; selectors and field names move. The support contract runs a small recorded session against the live app on a schedule, so shape drift surfaces before any client opens a ticket — that is included, not billed as an extra.
  • FX deal rates are a separate object. Mashreq Biz advertises special FX deal rates on international transfers. We capture the quoted rate as its own field at the time of the transfer so downstream accounting does not have to back-derive it from amount-in / amount-out.
  • UAE biller catalogues evolve. The Bill Pay list (Etisalat, Du, DEWA, SEWA, ADDC, Salik, Naqodi Wallet, credit cards) is per-biller code and changes when a new biller is added. We keep the biller code table versioned so a downstream AP system never silently breaks when Mashreq adds the next utility.
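The scheduled drift check described above can be reduced to a shape comparison between a recorded fixture and a fresh response. This added example (not the studio's own code) uses constructed payloads in the shape of the statement sketch, with a hypothetical revision that renames `narrative` and retypes `amount`; it deliberately stays quiet for optional fields such as `fx_rate` and for empty lists.

```python
# Constructed fixture and "live" payloads in the shape of the page's statement sketch.
FIXTURE = {"account_ref": "AE00-EXAMPLE", "currency": "AED", "lines": [
    {"posted": "2026-04-02", "amount": -1450.00,
     "narrative": "DEWA bill 2026-04", "channel": "bill_pay"},
    {"posted": "2026-04-03", "amount": -12300.00, "fx_rate": 3.673,
     "narrative": "Intl transfer to Acme HK", "channel": "intl_transfer"}]}
# Live copy after a hypothetical app revision: one field renamed, one retyped.
LIVE = {"account_ref": "AE00-EXAMPLE", "currency": "AED", "lines": [
    {"posted": "2026-05-02", "amount": "-1450.00",
     "description": "DEWA bill 2026-05", "channel": "bill_pay"}]}


def kind(node):
    """JSON type name; ints and floats are both 'number' to avoid false alarms."""
    if isinstance(node, bool):
        return "bool"
    return "number" if isinstance(node, (int, float)) else type(node).__name__


def shape(payload):
    """Map each JSON path to the types seen there, a visit count and its parent."""
    info = {}
    def walk(node, path, parent):
        entry = info.setdefault(path, {"types": set(), "count": 0, "parent": parent})
        entry["types"].add(kind(node))
        entry["count"] += 1
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}", path)
        elif isinstance(node, list):
            for item in node:
                walk(item, f"{path}[]", path)
    walk(payload, "$", None)
    return info


def drift(fixture, live):
    """Return sorted (finding, path) pairs; an empty list means no shape drift."""
    old, new = shape(fixture), shape(live)
    findings = []
    for path, e in old.items():
        if path in new:
            if not new[path]["types"] <= e["types"]:
                findings.append(("type_changed", path))
        # Report a missing key only at the level where it vanished, and only if
        # every fixture record had it (fx_rate is optional, an empty list is fine).
        elif (e["parent"] in new and not path.endswith("[]")
              and e["count"] == old[e["parent"]]["count"]):
            findings.append(("removed", path))
    for path, e in new.items():
        if path not in old and e["parent"] in old and not path.endswith("[]"):
            findings.append(("added", path))
    return sorted(findings)
```

A type change on `amount` from number to string is the kind of drift that parses without error and corrupts reconciliation silently, which is why it is reported alongside renames.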

Working with the studio

For a Mashreq Biz scope, a typical first build — auth, balances, statements normalised, queue read, and one transfer flow — fits inside the $300 source-code delivery: you provide the target app name (Mashreq Biz) and what you need from its data, we deliver the runnable source, the OpenAPI spec, the protocol report, tests and the interface docs, and you pay after delivery once you are satisfied. The same scope can also run on a pay-per-call hosted endpoint with no upfront fee, where you simply call our API and pay per request — useful when you would rather not host or maintain the integration in-house. Delivery cycle is 1–2 weeks for a first cut. Access, authorisations and any sponsor or sandbox arrangements are handled with you during onboarding; that is part of the engagement, not a prerequisite list.

To start, send the app name and the data scope you need to /contact.html and we will come back with a written scope.

Concrete projects this brief usually maps to

  • An accounting platform (Xero, Zoho Books, QuickBooks MENA edition) that wants daily Mashreq Biz statements in normalised form, with FX rate captured per intl transfer.
  • A treasury dashboard for a multi-bank SME group that needs Mashreq Biz balances alongside Wio and FAB balances on a single view.
  • An AP automation tool that watches the in-app Transaction Queue and pings the approver in Slack until the dual-control sign-off lands.
  • An audit-prep workflow that pulls 13 months of Mashreq Biz statements on-demand and reconciles them against ERP postings.
  • A field-cash tool that uses Mashreq Biz's Cardless Cash flow to authorise an engineer to draw a fixed amount from a Mashreq ATM, with the disbursement booked into the right cost centre automatically.

What this brief is based on

The Mashreq Biz feature surface above is taken from the app's own Play Store listing and Mashreq's UAE business banking pages. The regulatory framing — CBUAE Open Finance Regulation, AlTareq journey, Nebras Open Finance LLC — is taken from CBUAE's own rulebook and recent confirmed press around the first live customer activation. Public source links below; private capture against any specific consenting account is part of the engagement.

Reviewed 2026-05-30 by the OpenBanking Studio integration desk.

Adjacent UAE business-banking apps an integration job usually touches

If you are integrating Mashreq Biz, you are almost certainly going to be asked about one of these next. Plain text on purpose — the same authorized-route logic applies to each, the specifics differ.

  • Wio Business — the most prominent UAE digital-only business bank, zero-balance accounts with rich in-app categorisation; integrators want balances, transactions and invoicing data.
  • Emirates NBD businessONLINE — the long-running corporate channel from one of the largest UAE banks; statement and payment data dominate integrator demand.
  • ADCB ProCash / ADCB Business — corporate cash management and SME mobile banking; balance and bulk-payment flows are the usual asks.
  • RAKBANK BusinessDirect / RakStarter — strong SME presence, RakStarter for early-stage; integrators care about statements and biller payments.
  • FAB Mobile Business / FABeAccess — First Abu Dhabi Bank's business stack; corporate-grade reporting, MT940 still common.
  • Mashreq NEOBiz — Mashreq's sister proposition for freelancers and startups; same group, different account opening and slightly different in-app surface.
  • Dubai Islamic Bank Business / alislami Business — Sharia-compliant business banking; transaction narratives carry product-specific markers worth modelling.
  • CBD iBusiness — Commercial Bank of Dubai's business stack; relevant because CBD was the first UAE bank to fully activate AlTareq, so the regulatory pattern is most visible there.
  • HSBC UAE Business / HSBCnet — international corporate flows, treasury and trade finance data.
  • Citibank CitiDirect — global cash-management platform with a UAE footprint; common in multi-country group integrations.

Questions integrators raise on this one

Does Mashreq Biz data fall inside the CBUAE Open Finance perimeter?

Yes. Mashreq is a CBUAE-licensed bank and the Open Finance Regulation (Circular 7 of 2023, updated by Circular 3 of 2025, in force from 10 July 2025) makes participation mandatory for all licensed financial institutions. As the AlTareq programme stands up additional account-holder journeys through Nebras, more of the SME banking surface a Biz user sees in-app becomes reachable via a CBUAE-licensed TPP. Until your specific data scope is live there, we run the authorized interface route in parallel.

Can a foreign-incorporated company on a UAE Mashreq Biz account still be the consenting party?

Yes, as long as the legal entity that owns the Mashreq Biz relationship is the one giving consent. We map the signatory rules per company so a single integration handles single-signatory micro-businesses and dual-signatory SMEs that route everything through the Transaction Queue.

Is the Security PIN / push-notification step a blocker for a server-to-server pull?

It is the thing the integration is designed around, not a blocker. Mashreq has moved away from SMS OTPs to in-app push-to-PIN authorisation, so any payment-initiation flow needs a human-in-the-loop tap on the registered device. We design read pulls to run unattended on a refreshable session and surface a clear queue for any transaction the human must approve.

Will you sign an NDA covering the Mashreq Biz traffic capture?

Yes. Capture happens on accounts the client owns or has written authorisation for, logs are kept, sample traffic is redacted before it leaves the build environment, and the working artefacts only leave under an NDA you provide or one of ours.

App profile — Mashreq Biz, neutral recap

Mashreq Biz is Mashreq's mobile business-banking app for SMEs, startups and entrepreneurs in the United Arab Emirates. The app is published by Mashreq, identified as one of the UAE's oldest private banks per its own description. Per the app's Play Store listing the package identifier is com.mashreq.ae.biz; the iOS edition is listed on the App Store as Mashreq Biz (id6566188410). In-app feature areas include the Transaction Queue (initiate from online banking, approve in-app), domestic and international Money Transfers with FX deal rates, Cardless Cash from Mashreq ATMs, Bill Payments to UAE billers (Etisalat, Du, DEWA, SEWA, ADDC, Salik, Naqodi Wallet) and credit cards, statement viewing, cheque-book requests, and debit card activate/block. Authentication has moved from SMS OTP to in-app Security PIN with push notification on a registered device, per Mashreq's published Biz Security PIN page. The recap is for context — verifiable specifics live in the body above with citations.

Mapping reviewed 2026-05-30 against current CBUAE rulebook entries and Mashreq's published Biz documentation.