Introduction

Jack Jackson has been a customer of two reputable Nigerian banks for over four years. He had intended to secure loan financing from one of them to fund a project of his. However, neither could meet him in his financial comfort zone with their proposed interest rates and repayment plans. Jack was at his wits end.

While scrolling through his social media feed, he saw an advert by "AD Lenders"; a reputable fintech company, according to some financially savvy members of his network. AD Lenders held themselves out to be in the business of loans and credit facilities. Skeptical, but seeing this as an opportunity to secure a more pocket-friendly loan, he downloaded their application, inserted details about himself, and created an account with them. After signing up, he examined the loan terms and found he was much more comfortable with their repayment plan. After a further due diligence on the company, he then proceeded to apply for the loan sum. Jack worried whether his lack of a history with AD Lenders would work against him securing the loan. Within two hours of his application, he received a notification informing him that his loan application has been approved.

In this fictional yet common scenario, AD Lenders' ability to approve the loan in less than two hours, was facilitated by "Open Banking". Open banking describes the integration of the banks' Application Programming Interfaces (APIs), with those of Financial Technology (FinTech) companies. Its effect is to provide FinTechs with authorized access to the financial information and data of the banks' customers. AD Lenders was able to access Jack's financial histories in real time, and this helped it to ascertain his credit worthiness. This article will consider the risks, opportunities, and prospects of the Open Banking Framework in Nigeria.

Highlights of the Framework

Open Banking (OB) creates a standardized interface that aggregates users' banking and financial information in a central location, and provides stakeholders the ability to access all this information on a single platform. The platform also enables FinTechs and other financial industry players to provide their products and services to users online. OB could operate, for instance, in the form of a mobile application, from which customers can access the details of their various accounts operated with different banks.

The Framework for regulating OB applies to providers of financial services, such as: payments and remittance services, collection and disbursement services, deposit-taking, credit services, personal finance advisory and management, treasury management, credit ratings/scoring, mortgage services, and leasing/hire purchase.

The Framework categorizes data and services based on the level of personalization to the individual. Information on products provided to customers e.g., ATM locations and service codes are categorized as Product Information and Service Touchpoints (PIST), while statistical data not associated with an individual but used at an organizational or industry level are categorized as Market Insight Transactions (MIT). Presumably, monthly statistics relating to the percentage of card transactions conducted by the public would fit into MIT. Know-Your-Customer (KYC) data, or data on customers' transactions (e.g., balances, bills payments, etc.) are categorized as Personal Information and Financial Transaction (PIFT). The final category is Profile, Analytics and Scoring Transaction (PAST), which includes customer information that analyses, scores, or gives an opinion on the customer e.g., credit score and income ratings.

Each of the 4 categories within the Framework is rated based on the associated risk level, and specifies the financial industry stakeholders who are eligible to gain access to protected data. PAST and PIFT information/services are rated "High" and "High & Sensitive" respectively on the risk ladder. As such they are the exclusive preserve of CBN licensed or regulated participants, including licensed Payment Service Providers, Other Financial Institutions (OFIs), Deposit Money Banks and, (with the exclusion of services categorized as PAST) participants of the CBN Regulatory Sandbox.

The Framework further provides operational requirements for each participant, prescribes guiding principles relating to API, technical designs, data, information security etc. It also provides for customer rights, responsibilities, and redress mechanisms.

Opportunities

The Framework states its primary objective to be promoting competition in the FinTech space. To the extent that it provides Fintechs with the previously elusive access to data via connection to the database of the financial institutions, it would seem that success is within reach. The Framework now also provides the banks with some level of comfort as to the safekeeping of their data when shared with these companies. With this regulated access, FinTechs can now leverage information to provide better products and services, thereby increasing competition, and providing customers with more choice of financial products and services without compromising the safety of their data. 

OB is tailored to the financial industry, but this writer can think of no reason why its principles cannot be adopted elsewhere. Access to open data can do the same thing for the financial industry, as other key sectors like healthcare, education, the justice system, insurance, and agriculture, to name a few. For instance, if an individual's medical history can be accessed from any health facility irrespective of the location of his/her primary provider, medical officers can access necessary information to make informed, spot decisions in emergency situations. Rapid expansion into developing innovative "Meditech" products are much more likely when the innovators have regulated and authorized access to patients' data. While each industry sector will have its peculiar traits, they can and should create equivalent conditions for accessing data as in OB.

Drawbacks and Risks

The most evident risks of OB are data theft, loss, privacy breaches, and cyber-threats, amongst others. There is thus a strong need to consider and mitigate the likelihood of occurrence of any of these risk events – however remote. Ironically, these risk possibilities provide another opportunity in the financial sector. For several decades, insurance has acted as a cushion for risk, but regrettably traditional insurance is limited to fire and flood. The gates should be opened to loss from various cyber risks. The OB system creates a viable market for companies that provide cybersecurity and data related insurance products. Such products can cushion the impact of data breaches to OB Framework participants. Additionally, best practices for mitigating data risks should always be put in play, including:

  • Establishment of clearly defined technical standards and security protocols;
  • Prioritizing API security and implementing an API cybersecurity strategy;
  • Utilizing security certificates/key for app authentication and restricting access for Apps to their allowed resources;
  • Investment in modern infrastructure to better protect confidential information;
  • Continuous awareness and education to customers on giving consent to third party providers.

While OB may attempt to foster competition by providing participants with access to data, this access may still not be as open as is required to stimulate start-up innovators. Some of the access requirements are not easy to meet. These include licensing fees or minimum capital requirements which are set at relatively higher rates than may be affordable for some many start-ups. Furthermore, extending OB principles to other industries can only be achieved when databases exist in those industries in the first instance. While many companies, across industries, are actively embracing technology and migrating to electronic databases, for purposes of regulation their industries as a whole still operate paper-based systems. Until the broader systems are digitized, the possibility of open data will remain illusory.

Conclusion

The OB Framework has potential to move the financial industry towards growth and innovations that are tailor-made to end-users. Other non-financial sector industries can adopt and apply the Framework's innovations to their respective activities to enhance service delivery to the public. Cyber security insurance companies should also take advantage of the opportunity presented by free exchange of data to create innovative products suited to cushioning the effects of risk occasioned by data breaches. With these in place, the Framework will no doubt move the delivery of financial and other services in Nigeria one step closer to global standards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.