With the arrival of fintechs and other innovators on the banking scene, the way we bank and carry out financial transactions is constantly changing. Some of these developments led to considerations for the creation of a seamless system that would lead to the sharing of financial data through an open banking system.
These developments, facilitated by the European Union's Payment Services Directive (PSD 2), led to the creation of open banking on the global scene.
What is open banking?
Open banking forms part of the emerging areas within the fintech ecosystem and is presently in use in Europe, the United Kingdom, China, Japan and Singapore.
It grants third-party providers (TPPs) open access to consumer banking, transactions, and other financial data from banks and non-bank financial institutions (NBFIs) through the use of Application Programming Interface (API).
With open banking, customers can share their financial data with different financial institutions. In order for this to be effected, the institution require the express consent of the customers. Open banking represents a shift from a closed model, where financial institutions operated in silos, to one in which data is shared between different members of the banking ecosystem with authorisation from the customer.
Thus, with open banking, fintechs and banks are able to communicate seamlessly through the networking of accounts and data across institutions for use by consumers, financial institutions, and TPPs.
Open banking will lead to a situation where regardless of how many accounts and financial products a customer has with multiple institutions, he can manage them from a centralised location without having to check out from one system to another.
For example, a consumer could have a bank account with Zenith Bank PLC, have a mutual fund account with ARM Investments and operate an account with a fintech like Piggyvest. When the customer wants to check his inflows and outflows from his different accounts, he will have to log into the separate platforms.
However, with open banking, the customer can seamlessly operate his investments and track his transactions on the three platforms from a centralised location through the use of APIs. The APIs can also look at the transaction data of the customer and identify the best financial products he can invest in that would yield better interest rates.
Importance of APIs to Open Banking
API is a software intermediary that enables technology platforms or applications communicate with each other. Some popular platforms that use APIs to accelerate the delivery of their services to consumers include Facebook, Google, Twitter and PayPal.
A banking API is an interface through which a financial institution provides data about customers, accounts and transactions. With a banking API, users of payment services will not be solely dependent on the direct services offered by their own bank. They can make use of third-party financial services, which, in turn, access the data required by the original bank via the banking API.
Some of the stakeholders that APIs in open banking are beneficial to include the following:
- Bank customers - APIs improve the customer experience, since customers can conveniently complete all transactions in the respective context and under one user interface. Also, the paperwork that would typically apply when running multiple transactions on different accounts would be minimised.
- TPPs in the e-commerce sector - With APIs, online providers can offer customers better services that include product selection and real-time arrangement of consumer credits.
- TPPs in the technology sector - technology providers whose solutions create interfaces to financial institutions and thereby create the technological infrastructure.
- Financial institutions - fintechs and banks will be able to expand their payment services ecosystem and onboard new customers through third party platforms.
- Fraud detection companies - APIs enable fraud detection companies effectively monitor customer accounts and identify problems as soon as they arise.
The Regulatory Framework for Open Banking in Nigeria
On February 17th, 2021, the Central Bank of Nigeria (CBN) issued the Regulatory Framework for Open Banking in Nigeria ("the framework").
The framework establishes principles for data sharing across the banking and payment ecosystem. It is aimed at promoting innovation, broadening the range of financial services and products, and deepening financial inclusion.
The framework applies to the following financial services1:
- Payments and remittance services
- Collection and Disbursement services
- Personal finance advisory and management
- Treasury Management
- Credit ratings/scoring
- Leasing/Hire purchase
- Other services as may be determined by the CBN
The framework provides for several issues including data and API access requirements, principles for API, data, technical design, and information security specifications.
We will examine the provisions of the framework and its impact on the operations of banks and fintechs in Nigeria.
Guiding Principles for API Specifications
The framework sets out the guiding principles for API specifications2 and provides that they shall adhere to the following principles or they will not be accepted:
- Openness: accessible to all interested and permissioned parties
- Reusability: premised on existing standards and taxonomy of technology
- Interoperability: supports exchange of objects across technologies, platforms, and organisations
- Modularity: loose coupling with provision for flexible integration
- Robustness: scalable, improvable, evolvable and transparent
- User-Centric: enhances user experience for consumers
- Security: ensures data privacy and safe exchanges and transactions
The framework classifies participants in open banking into 4 categories3 and each have their roles and responsibilities. It is noteworthy that participants are required to:
- maintain a customer service/complaint desk on 24 hours/7 days a week basis to resolve complaints of end-users;
- comply with data privacy laws and regulations; and
- comply with the provisions of the framework
Some of the responsibilities are captured here with the description of the participants:
|1)||Provider||A participant that uses API to avail data or service to another participant||
|2)||Consumer||A participant that uses API released by the providers to access data or service||
|3)||Fintechs||Companies that provide innovative financial solutions, products and services||
|4)||Developer Community||Individuals and entities that develop APIs for
participants based on requirements.
Categories of financial data
Data and services that can be shared through APIs are categorised with their risk levels as follows4:
|1||Product Information and Service
||includes information on products provided by participants to their customers and access points available for customers to access services e.g. ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc.||Low|
|2||Market Insight Transactions (MIT):||Includes statistical data aggregated on basis of
products, service, segments, etc. It shall not be associated to any
individual customer or account. These data could be exchanged at an
organisational level or at an industry level.
|3||Personal Information and Financial Transaction (PIFT):||Includes data at individual customer level either
on general information on the customer (e.g. KYC data, total number
or types of account held, etc) or data on the customer's
transaction (e.g. balances, bills payments, loans, repayments,
recurring transactions on customer's accounts, etc)
|4||Profile, Analytics and Scoring Transaction (PAST):||Includes information on a customer which analyses,
scores or give an opinion on a customer e.g. credit score, income
||High and sensitive|
Other relevant provisions:
- Risk management5 - the framework provides that this is the responsibility of all participants. They are therefore expected to have (information technology, information security policies and a risk management framework that address APIs and also have a Designate a Chief Risk Officer who shall be responsible for implementing effective internal control and risk management practices.
- Customer Rights - the agreement that onboards the client must be presented in the customer's preferred language and his consent must be revalidated annually.
- Liability for loss - Participant and its partner shall be jointly responsible and bear liability for any loss to the customer, except where the participant can prove wilful negligence or fraudulent act against the customer.
- Guidance on Operational Rules6 - Dispute resolution protocols among participants are to be codified for basic operational issues. Operational rules are to also discourage dominant party and anti-competition practices.
The CBN framework is quite comprehensive and if effectively implemented, could lead to remarkable changes in the banking sector. The key points to note from the comprehensive framework is that the CBN has sought to provide standards for the safe utilisation and exchange of data and services and has defined data access levels (i.e. what bank data can be shared and who can get it).
However, the successful implementation of open banking is dependent on collaboration between fintechs, banks and NBFIs and the CBN.
Some of the changes that could be introduced by the implementation of the framework include the following:
Competition and innovation
There could be fiercer competition with larger banks competing for the market with fintechs and smaller banks. This could also see financial institutions trying to outdo themselves by deploying better technology, better customer service, higher interest rates and lower costs.
Conversely, financial institutions can use APIs to create a new experience with their customers by assisting customers in ways that were previously not possible in the market. For instance, they could help customers who are illiterates better understand financial issues around opening a bank account with voice commands in local languages or pidgin English. For the sophisticated customer, an open banking app could also assist them in determining the most affordable loan facility they can obtain from institutions, taking into consideration the state of their finances.
It will also generate additional revenue for financial institutions in the form of commission or access fees. Open banking conducted via APIs could also consolidate the position of forward-looking fintechs who, via data aggregation, can create detailed customer profiles and offer relevant products to clients for greater engagement.
Ease of banking
Conducting banking activities with traditional financial institutions is sometimes considered stressful. However, with open banking, customers will have consolidated information about all their financial products in a centralised location.
This would reduce time spent in carrying out transactions and minimise the paperwork for onboarding new users to the institutions' platforms.
Cybersecurity and data protection issues
There are some challenges that exist with open banking, particularly around cybersecurity, data privacy and the resulting liabilities to financial institutions. Issues around data breaches, hacking, phishing scams and malware are issues that would have to be taken into consideration when any institution is considering open banking and the use of APIs.
Also, with the Nigeria Data Protection Regulation (NDPR), which bears close resemblance to the European Union GDPR, the legal basis for processing data has to be taken into consideration before the financial records of customers are shared. Direct consent must be obtained from the customer in line with the provisions of the framework as the failure to do this could lead to dire consequences for the financial institution that shares the data.
The introduction of the CBN framework is a good development which could potentially lead to the improvement in the delivery of financial services in Nigeria.
However, although open banking offers a number of advantages, there are also concerns over the security risks occasioned by the sharing of data. Data protection laws, such as the NDPR, must also be countenanced by service providers when they are processing the data of consumers.
It is however our view that with the engagement of cybersecurity experts, financial service providers and lawyers with experience in data protection and technology, some of the risks can be managed and open banking can thrive in Nigeria.
1. Section 3.0 of the framework
2. Section 6.0 of the framework
3. Sections 7.1 and 7.2 of the framework
4. Sections 4.0, 4.1 and 4.2 of the framework
5. Section 9 of the framework
6. Section 6.4 of the framework
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.