Introduction

There has been demand for open banking practices in Nigeria by stakeholders in the Nigerian financial system. The aims include enabling financial institutions to provide third-party financial service providers access to financial data and other information through the use of application programming interfaces ("APIs") and to allow the linking of accounts and other data among financial institutions to be used by financial institutions, customers, and third-party service providers. It is in response to this that the Central Bank of Nigeria (the "CBN") released the Regulatory Framework for Open Banking in Nigeria in 2021 (the "Framework") to, among other things, facilitate access to financial information by third-party service providers and enhance competition and innovation in the banking system. The Framework established principles for data sharing across the banking and payments system to promote innovations and broaden the range of financial products and services available to bank customers. In line with the provisions of the Framework and in recognition of the various efforts channelled towards developing acceptable standards among stakeholders, the CBN issued the Operational Guidelines for Open Banking in Nigeria in March 2023 (the "Guidelines"). The CBN expressed its commitment, through the Guidelines, to stabilise and deepen the Nigerian financial system by fostering the adoption of open banking practices, enabling the sharing of customer-permissioned personal data between banks and third-party financial service providers, and the building of customer-focused products and services.

In this article, we analyse the key requirements of the Guidelines and their expected impact in facilitating financial transactions, and highlight the key points that participants should be aware of.

What is open banking?

As the name suggests, open banking is a banking practice that enables other financial service providers to have open access to data relating to consumer banking, transactions, and other financial information from banks and non-bank financial institutions through the use of APIs. As a result, open banking recognises the ownership and control of data by customers of financial and non-financial services and their right to grant authorisations to service providers for the purpose of accessing innovative financial products and services. Open banking applicability includes agency banking, financial inclusion, know your customer ("KYC"), credit scoring/rating, etc.

Objectives and services covered

The key objectives of the Guidelines include providing clear responsibilities and expectations for participants, ensuring that there is consistency and security across the open banking system, providing safeguards for financial system stability under the open banking regime, promoting competition that enhances access to banking and other financial services and outlining minimum requirements for the participants.

The Framework is specifically for banking and other related financial services that include payments and remittance services, collection and disbursement services, deposit-taking, credit, personal finance advisory and management, treasury management, credit ratings/scoring, mortgage, leasing/hire purchase and other services as may be determined by the CBN from time to time.

Eligible participants

All organisations that have possession of customers' data, which may be exchanged with other entities for the purpose of providing innovative financial services within Nigeria, are eligible to participate in the open banking ecosystem pursuant to the Guidelines. In this regard, the participants in the open banking ecosystem are categorised into API Providers, API Consumers and customers based on the roles that they perform in the open banking ecosystem. API Consumer or API Provider refers to a participant that uses an API to make data or a service available to another participant, such as a licensed financial institution/service provider, a fast-moving consumer goods company, other retailers, etc. Customers refer to the data owners required to provide consent for the release of data for the purpose of accessing financial services.

Eligible data

Data that may be exchanged and corresponding API services that may be implemented by and used by participants include (a) information on products provided by participants to their customers and access points available for customers to access services; (b) statistical data aggregated on the basis of products, service, segments, etc. not associated with any individual customer or account; (c) data at individual customer level either on general information on the customer (such as KYC data, total number or types of account held) or data on the customer's transaction (such as balances, bills payments, loans, repayments, recurring transactions on customer's accounts, etc.); and (d) information on a customer which analyses, scores or gives an opinion on a customer such as credit score, income ratings, etc. Item (a) is classified as low risk, item (b) is moderate risk, item (c) is high risk and item (d) is high risk and sensitive.

Registry

The Guidelines require the CBN to establish and maintain an Open Banking Registry ("Registry"). The Registry is meant to provide regulatory oversight on participants and to enhance transparency in the operations of Open Banking. The Registry will contain the details of registered participants and ensure that only registered institutions operate within the open banking ecosystem.

Responsibilities

The Guidelines set out the responsibilities of the participants towards ensuring the overall protection and security of the open banking architecture. Participants are required to establish a configuration management policy and conduct quarterly or more frequent audits of all changes within the configuration management system. Notably, the Guidelines require the recording of fund movements within the API Provider domain at the account level of the API Consumer. This reaffirms the CBN's commitment to ensure transparency and risk mitigation within the open banking system's operational model. In addition, the Guidelines provide a standardised procedure for API Providers and API Consumers to follow in the event of incidents, thereby streamlining the objectives of implementing open banking in Nigeria.

Use of intellectual property

The Guidelines require that the intellectual property, including proprietary and protectable software source and object codes, aggregate data, aggregate services, and other protectable information, will be protected under the applicable laws in Nigeria. This means that participants must ensure that their use of intellectual property to operate in the open banking system is in accordance with Nigerian intellectual property laws and regulations.

Use and safeguard of personal data

In an effort to safeguard end users' personal data and to counter potential cybersecurity and data privacy risks linked to the processing and exchange of customer data on the API platform, the Guidelines mandate API Consumers to provide the following reports to subscribed customers: (a) real-time or near-time notifications via email, SMS, or in-app prompts when an API Consumer accesses the customer's account wallets; and (b) transcripts of an API Consumer's activities involving customer-permissioned data and associated financial transactions on the API platform. API Providers and API Consumers that require access to customers' data are required to obtain consent from the customers whose data are required to avail them of open banking products and services. Without that consent, a customer's personal data should not be used. The CBN will carry out an oversight function regarding data usage and exchanges and general governance for open banking to prevent abuse and ensure compliance with relevant legal and regulatory provisions.

The Guidelines introduce a comprehensive data protection framework that aligns with the data protection laws and regulations in Nigeria. Participants in the open banking ecosystem are obliged to adhere to data privacy and protection regulations, including any data protection regulations issued by the CBN. The Guidelines mandate API Providers and API Consumers to establish a data governance policy, a data ethics framework, and a data breach policy. These measures are to safeguard the integrity of the open banking landscape and ensure the effective management and protection of all customer data.

Moreover, the Guidelines contain strict standards that participants are required to meet regarding the sharing of end-user data. API Providers are only permitted to share customer information with API Consumers upon presentation of valid proof of consent from the customer. The disclosure of customer data to outsourced service providers or non-Nigerian participants is, in addition to requiring the customer's consent, subject to CBN approval.

Combating money laundering

Underlying the Guidelines is the CBN's commitment to combating money laundering and terrorism financing and to mitigating the risk of the open banking ecosystem being used for unlawful activities. In this regard, the Guidelines obligate API Providers and API Consumers to adhere to existing anti-money laundering and combating the financing of terrorism laws and regulations that apply to banks and other financial institutions in Nigeria. The implications of this include that participants must file relevant returns in respect of reportable transactions carried out through the open banking ecosystem. This underscores the CBN's dedication to maintaining the highest standards of integrity and security within the open banking ecosystem.

Prescribed standards

The Guidelines contain five appendixes which set out the details of required API standards, risk management measures, security standards, customer experience standards, and an operational readiness checklist. Potential participants are required to familiarise themselves with the standards and adopt them in their operations in order to be eligible to participate in the open banking ecosystem.

Conclusion

The Guidelines are no doubt a welcome development in the Nigerian financial services sector. They have put in place specific mechanisms and protocols that will guarantee seamless interactions between participants in the open banking ecosystem. With more impetus given to data privacy and security and minimum security measures that must be adopted by participants, the CBN has reaffirmed its commitment to ensuring that the open banking framework of the country is in line with the best global practices. The reporting obligations of the API Providers and API Consumers with respect to end users' data are a welcome development. The Guidelines bring an expansive framework that will protect the integrity of the open banking landscape.

Their implementation will help deepen financial inclusion in the country, reduce the cost and increase the ease of transactions, and enhance collaboration among players in the financial sector and their customers. Effective and efficient implementation will also help to deepen the credit scoring/rating of Nigerians, thereby making it easier for eligible persons to have access to credit. However, its success is heavily dependent on the implementation strategy that will be adopted by the CBN in the coming months.
