In our previous article, we provided a summary of the key provisions in the Framework for Open Banking (the “Framework”) released by the Central Bank of Nigeria (CBN) on February 17, 2021. In the Framework, the CBN had indicated that a set of operational guidelines would subsequently be issued to guide participants on implementing and operating within the ambit of the Framework.
In view of the above, the CBN, in May 2022, published the draft Operational Guidelines for Open Banking in Nigeria (the “Proposed Guidelines”).
In this newsletter, we highlight our understanding of the applicability of the Proposed Guidelines and key points in the Proposed Guidelines, which regulate participation in Open Banking.
1. What is Open Banking?
Open Banking is the practice of sharing financial information electronically, securely, and only under conditions which customers approve of, by using Application Programming Interfaces (APIs)¹. This permits the networking of accounts and data across institutions for use by consumers, financial institutions, and third-party service providers.
2. What is the Scope of the Proposed Guidelines?
The Proposed Guidelines apply to banking and other related financial services, including (i) payments and remittance services; (ii) collection and disbursement services; (iii) deposit-taking; (iv) credit; (v) personal finance advisory and management; (vi) credit ratings/scoring; (vii) leasing/hire purchase; and (viii) mortgages.
3. Who can participate in Open Banking?
Any organization in possession of customers' data, which may be exchanged with other entities to provide innovative financial services within Nigeria, may participate in the Open Banking ecosystem.
The Proposed Guidelines categorise participants as: (i) the API Provider (“APP”), i.e. a participant that uses an API to provide data or a service to another participant, e.g. a licensed financial institution/service provider, a Fast-Moving Consumer Goods (FMCG) company, or a payroll service bureau; (ii) the API Consumer (“AC”), i.e. a participant that uses an API released by the APP to access data or a service. An AC can be a licensed financial institution/service provider, an FMCG company or a payroll service bureau; and (iii) the Customer, i.e. the data owner and end-user that may be required to provide consent for the release of data for the purpose of accessing financial services.
4. What are the objectives of the Proposed Guidelines?
Some of the key objectives of the Proposed Guidelines include:
(i) to provide clear responsibilities and expectations for the various participant categories;
(ii) to ensure consistency and security across the Open Banking system;
(iii) to stipulate safeguards for financial system stability; and
(iv) to promote competition and enhance access to banking and other financial services.
5. How is Open Banking regulated?
The CBN, under the Proposed Guidelines, commits to establishing an Open Banking Registry (OBR) to perform the following functions: (i) provide regulatory oversight on participants; (ii) enhance transparency in the operations of open banking; and (iii) ensure that only registered institutions operate within the open banking ecosystem.
The OBR is envisaged to serve as a public source for details of registered participants, and each participant will be identified by its corporate registration number.
6. What are the responsibilities of an APP?
An APP is required to: (i) maintain a configuration management policy approved by its executive team; (ii) execute a service level agreement (to include accounting and settlement, fee structure, registration and sponsorship responsibilities, etc.) with the AC, which will govern their relationship; and (iii) maintain a problem register which should indicate the date and time a problem was discovered and the timelines within which it was resolved, amongst others.
7. What are the responsibilities of an AC?
An AC is required to: (i) maintain a data governance policy approved by its executive management committee; (ii) ensure it possesses a data ethics framework to ensure data security; and (iii) comply with all relevant data protection regulations in Nigeria to protect the customer's data.
8. Data Protection
A recurring theme in the Proposed Guidelines is the protection of customers' data. The Proposed Guidelines generally require that participants develop and implement a data breach policy to ensure that the procedures for managing data breaches are set out. The Proposed Guidelines also provide that consent is required from customers whose data may be required by service providers to supply them with financial products and services.
The regulation on Open Banking operations provides a channel for financial inclusion and paves the way for access to financial services for millions of Nigerians. It is anticipated that upon the release of the final Guidelines, and proper implementation by participants, there will be a noticeable improvement in access to banking and payments services, as well as respect for data privacy.
¹ An API is a set of programming code that enables data transformation between one software product and another.