In the last month two very important regulatory guidance documents have been released by the EU and US governments respectively:
By adding to these regulations a single constraint - that an individual can own and specify the UMA Authorization Server if they choose to - I think we can derive a complete UMA Legal profile and associated clauses.
Adrian