In the CDS Standards, under request headers, the description of x-cds-client-headers says the header is mandatory for customer-present calls.
How should a Data Holder (DH) validate x-cds-client-headers in a Banking/Common API call?
The statement in the standards is a requirement on the Accredited Data Recipient (ADR). There is no requirement on the DH on how to use this header. The DH would probably be unable to validate the header contents.
The purpose of this header is to support behavioural monitoring processes that may be implemented by a DH. A request should not be rejected based on the syntax of this header. However, the header may be used to identify fraudulent activity that could harm the consumer. If the potential for harm is identified then the DH can reject a transaction based on the associated exception in the rules.
Note that rejections for harm must be reported. It is not recommended to do this arbitrarily.
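As an added example (not code from the CDS standards or from anyone in this thread), here is how a DH could handle the header in line with the answer above: decode it best-effort as a monitoring signal, and never reject the call on its syntax. It assumes, as an assumption not stated on this page, that the value is base64-encoded JSON of the consumer's original HTTP headers; the function and flag names are hypothetical.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ClientHeaderObservation:
    """Monitoring signal derived from x-cds-client-headers; never a rejection."""
    present: bool
    decoded: Optional[Dict[str, str]] = None
    flags: List[str] = field(default_factory=list)


def observe_client_headers(request_headers: Dict[str, str],
                           customer_present: bool) -> ClientHeaderObservation:
    """Best-effort decode of x-cds-client-headers for behavioural monitoring.

    Assumption (not stated on the page): the value is base64-encoded JSON of
    the consumer's original headers. Every syntax problem is recorded as a
    flag for the monitoring pipeline; the function never raises, so the API
    call itself is not rejected because of this header's syntax.
    """
    raw = next((v for k, v in request_headers.items()
                if k.lower() == "x-cds-client-headers"), None)
    if raw is None:
        obs = ClientHeaderObservation(present=False)
        if customer_present:  # ADR obligation not met; worth a signal, not a 4xx
            obs.flags.append("missing-on-customer-present-call")
        return obs
    obs = ClientHeaderObservation(present=True)
    try:
        # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass ValueError
        decoded = json.loads(base64.b64decode(raw, validate=True))
        if not isinstance(decoded, dict):
            obs.flags.append("not-a-json-object")
        else:
            obs.decoded = {k.lower(): v for k, v in decoded.items()}
            if "user-agent" not in obs.decoded:
                obs.flags.append("no-user-agent")
    except ValueError:
        obs.flags.append("undecodable")
    return obs


# Constructed sample value: a well-formed header as an ADR might send it.
SAMPLE_HEADER = base64.b64encode(json.dumps(
    {"User-Agent": "Mozilla/5.0 (constructed sample)", "Accept": "application/json"}
).encode()).decode()
```

The returned flags feed behavioural monitoring; any decision to reject a transaction on harm grounds is taken separately and reported as the rules require.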