INTRODUCTION

On 7 March 2023, the Central Bank of Nigeria (the "CBN") issued the Operational Guidelines for Open Banking in Nigeria (the "Guidelines"), setting out detailed provisions on the responsibilities and expectations for participants in the Open Banking ecosystem and the framework for sharing information and customer experience standards, among others.1 Before the issuance of the Guidelines, the CBN released the Regulatory Framework for Open Banking in Nigeria (the "Open Banking Framework") in February 2021 and the Exposure Draft of the Operational Guidelines for Open Banking in Nigeria (the "Draft Operational Guidelines") in May 2022. The Open Banking Framework was issued at the time to provide an enabling regulatory environment for innovative and customer-centric financial services by safely utilizing shared data. Read more on the Open Banking Framework here.2

This article examines the salient provisions of the Operational Guidelines and their implications for Open Banking in Nigeria.

WHAT IS OPEN BANKING?

Open Banking is a system that allows third-party providers (TPPs) access to consumer financial data from banks and non-bank financial institutions (NBFIs) through the use of Application Programming Interfaces (APIs). With Open Banking, banks are essentially putting in place infrastructure that will allow their consenting Customer's data to be easily shared with TPPs. Access to customer financial information will enable TPPs to provide services directly to customers.3 It represents a shift from a closed banking model, where financial institutions operate in silos, to one where they can share data amongst themselves, with authorization from the Customer.

For example, a consumer who has a traditional bank account and operates an account with a fintech providing investment services would ordinarily process his information and transactions from both institutions separately. For the Customer to check his inflows and outflows from his different accounts, he must log into the separate platforms and get the information separately. However, with Open Banking, the Customer can seamlessly operate his investments and track his transactions on different platforms from a centralized location using APIs. The APIs can also look at the Customer's transaction data and identify the best financial products he can invest in that would yield better interest rates.

KEY PROVISIONS

We have highlighted below some of the main provisions of the Guidelines related to the Open Banking ecosystem, including the extent of its application, responsibilities of participants, ownership of data and data governance, etc.

Participants

Under the Guidelines, any organization with customer data that may be shared with other entities to provide innovative financial services within Nigeria can participate in the Open Banking ecosystem. Therefore, even organizations that are non-financial service providers are eligible to participate, subject to compliance with the relevant laws and regulations.4

Participants are categorized according to their roles within the ecosystem, though they may assume more than one role depending on their offerings. Participants include:

  1. API Provider – This participant uses APIs to provide data or services to another participant. Notably, the CBN has adopted a broad eligibility approach; an API Provider can be a licensed financial institution/service provider, a Fast-Moving Consumer Goods (FMCG) company, a retailer, Payroll Service Bureau etc.
  1. API Consumer – This is a participant on the receiving end that uses API that API Providers release to access data or service. Like an API Provider, an API Consumer can be a licenced financial institution/service provider, an FMCG company, a retailer, Payroll Service Bureau etc.
  1. Customer – this refers to the data owner and end-user whose consent is required to release their data to access financial services.

Responsibilities of Participants

API Providers and Consumers

The Guidelines places enormous responsibilities on API Providers and Consumers to ensure adequate planning, monitoring, security and efficiency of their operations. Some of the notable responsibilities of API Providers and Consumers are:

a. The Guidelines require API Providers and Consumers to execute Service Level Agreements ("SLA"), which will govern their relationships. The SLA must provide for accounting and settlement, fee structure, reconciliation of bills, registration and sponsorship responsibilities, etc.5

b. API Providers and Consumers must devise an incident management plan which provides for incidents and incident management procedures classification. The incident management procedure must include provisions on determining the scope and impact of an incident, notification of the relevant party, investigation of root cause and resolution of the incident.6

c. Provision or prescription of secure real-time communication platforms for first-level incident responders within their organizations for incident notification, investigation and resolution. Specifically, the communication platform shall accommodate text, voice and video conferencing modes to support various scenarios. The Guidelines have designated emails as an insufficient method of incident management communication.7

d. Reporting obligations to the counterparty (API Provider/Consumer) on performance levels, statistics of incidents/problems, SLA compliance, number and category of fraud and disputes, etc.8 Similar reporting obligations are also owed to customers, primarily when an API Consumer accesses the Customer's account(s)/wallet(s).9

e. The Guidelines prohibit API Providers and Consumers from engaging in unethical and unprofessional anti-competition practices such as de-marketing.10

f. Maintenance of a Data Governance Policy approved by a committee of the Board of Directors or, at least, an API Provider/Consumer's executive management committee.11

g. API Providers and Consumers are required to develop and maintain an effective Information Security Policy while conducting regular threat assessments.12

h. Compliance with the Nigeria Data Protection Regulation or any other CBN-issued data protection regulation for financial institutions while ensuring constant protection against data breaches.13

i. Rendering of returns to the CBN monthly, detailing volume of transactions, value of transactions, number of users, success rates, security and fraud incidents, etc.14

Intellectual Property Preservation and Ownership of Open Data

All ownership rights in any open data or other information shall always remain with the party or the participant from which such data originated, whether the data is in human or machine-readable form.15 The Guidelines also provides that participants may protect their proprietary and protectable software source and object codes, aggregate data and aggregate services under the applicable laws in Nigeria.16

Open Banking Registry

The Guidelines require the CBN to provide and maintain an Open Banking Registry (the "OBR") to provide regulatory oversight on participants, enhance transparency in the operations of Open Banking, and ensure that only registered institutions operate within the Open Banking ecosystem.17

The OBR shall serve as a public repository for details of registered participants, who shall be identified by their respective business registration numbers issued by the Corporate Affairs Commission (the "CAC").

Shared Information Framework

The Guidelines provides for a shared information framework, making Customer consent the sole basis for sharing Customer information. Accordingly, an API Provider is only permitted to share information of a Customer with an API Consumer upon presentation of valid proof that the Customer has consented to the sharing. The Customer's consent must be authenticated to confirm it emanates from its Customer.18 The verification of the validity of consent exercise by the API Provider shall ascertain that:

a. The consent emanated from its Customer;

b. The request for Customer's data contains the purpose of the request;

c. The request includes the credentials of the requesting end-user;

d. The request has a valid date and was made through appropriate channels.

Data Governance

In addition to the obligation on participants to comply with extant laws on data protection, consumer rights and fair practices, the CBN shall provide data oversight and governance for open banking information assets to ensure compliance with relevant legal and regulatory provisions.19

Customer Experience Standards

The Guidelines prioritizes Customer's safety and convenience. Accordingly, it mandates that participants prioritize customer experience in operating and implementing Open Banking.

Further to this, it stipulates the following customer experience principles which participants must implement:20

  1. Control – Participants must provide Customers with the right tools and clarity of information at the right time. Furthermore, Customers must be aware that they can view and cancel any consent given whenever they deem fit.
  1. Speed – Participants must ensure that each interaction has appropriate speed, clarity and efficiency without compromising security and control.
  1. Transparency – participants must provide progressive levels of information to Customers in plain language. For example, where a participant requires information from Customers, the participant must clearly disclose the reason and purpose of the requirement, and the consequences of supplying the information.
  1. Security – Finally, participants must give assurances concerning Customer data definition, use, security and protection.

Redress Mechanism/Dispute Resolution

The Guidelines also prescribes a procedure for resolving disputes emanating from Open Banking. At the onboarding stage, Customers are to be provided adequate information on how to lodge complaints and the available dispute resolution mechanisms.

Additionally, the SLAs between Participants are to incorporate comprehensive dispute resolution mechanisms. However, where disputes are unresolved after exhausting laid down procedures, an aggrieved party can approach the CBN's Consumer Protection Department to resolve such lingering disputes.21

CONCLUSION

The benefits of Open Banking, such as the enablement of innovative products and services, competition and better customer experience, are undeniable. However, a significant risk with its adoption and implementation is data/security breaches and abuse. Indeed, this observation prompted the release of our publication titled "The Effect of Nigeria's Data Protection Regime on Open Banking" in May 2021, shortly after the CBN indicated its intention to facilitate the implementation of Open Banking in Nigeria.

Evidently, with the issuance of the Guidelines, the CBN is aware of the risks associated with Open Banking and has consequently made comprehensive provisions to mitigate these risks. Accordingly, if properly implemented, the Guidelines would operate to ensure the safe operation of Open Banking in Nigeria.

Footnotes

1. Operational Guidelines for Open Banking in Nigeria.pdf (cbn.gov.ng)

2. Regulatory framework for Open Banking in Nigeria

3.Ana Badour & Domenic Presta, "Open Banking: Canadian and International Developments" (2018) 34:1 Banking and Finance Law Review 41.

4. Paragraph 4.1 of the Operational Guidelines

5. Paragraph 8.1.2 of the Operational Guidelines

6. Paragraph 8.2.2 of the Operational Guidelines

7. Paragraph 8.6.1 of the Operational Guidelines

8. Paragraph 8.8 of the Operational Guidelines

9. Paragraph 8.8.2 of the Operational Guidelines

10. Paragraph 8.8 of the Operational Guidelines

11. Paragraph 9.1 of the Operational Guidelines

12. Paragraph 9.3.1 of the Operational Guidelines

13. Paragraph 9.2 of the Operational Guidelines

14. Paragraph 9.4 of the Operational Guidelines

15. Paragraph 11.12.3 of the Operational Guidelines

16. Paragraph 11.12 of the Operational Guidelines

17. Paragraph 6.0 of the Operational Guidelines

18. Paragraph 11.2 of the Operational Guidelines

19. Paragraph 6.2 of the Operational Guidelines

20. Appendix IV to the Operational Guidelines

21. Paragraph 4.4.3, Appendix IV of the Operational Guidelines

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.