ARTICLE
8 August 2025

CBN's Open Banking Guidelines: Implications For Non-Bank Entities

BH
Balogun Harold

Contributor

Balogun Harold is a specialist law firm for investment and financing transactions focused on Africa. We routinely undertake debt finance, private equity, project finance, venture capital, market entry and technology transactions on behalf of clients. We deliver proven, guaranteed and exceptional outcomes by always aiming for the best level of legal and transactional support necessary to achieve our clients' strategic goals.

It is often assumed that the Central Bank of Nigeria's (the "CBN") Open Banking Framework and related guidelines ( the "Open Banking Guidelines") are relevant only to banks...
Nigeria Finance and Banking

It is often assumed that the Central Bank of Nigeria's (the "CBN") Open Banking Framework and related guidelines ( the "Open Banking Guidelines") are relevant only to banks and licensed fintech companies. However, a closer reading of the Open Banking Guidelines suggests that its application is significantly broader, extending to any company that shares or consumes financial data through APIs, regardless of sector.

The Legal Basis for Broad Applicability

First, section 6.1 of the CBN Operational Guidelines for Open Banking (2023) states unambiguously that only entities that are registered on the Open Banking Registry are eligible to participate in the open banking ecosystem, either as API Providers or API Consumers.

Secondly, the Open Banking Guidelines define API Providers and API Consumers based not on sector, but on function, that is, whether an entity holds financial data and exposes it via APIs (i.e. an API Provider), or whether it accesses financial data through APIs (i.e. an API Consumer). We find no provisions that limitats or restricts these roles to licensed banks or fintechs. This suggests that any company, regardless of sector, that shares or accesses customer financial data via APIs must register with the Open Banking Registry (the "OBR") and comply with the Guidelines.

Read Also:Turnover and Control Considerations for Merger Clearance in Nigeria

Although the Open Banking Guidelines do not define financial data in specific terms, it appears that the Open Banking Guidelines recognize that financial data may not be the exclusive domain of banks. The category of financial data which may trigger application under the Guidelines appears to include:

  • Product and service information (PIST)
  • Market insights (MIT)
  • Personal information and transaction data (PIFT)
  • Profiling and scoring data (PAST).

This structure reflects a deliberate move by the CBN towards a truly open banking system, and anticipates participation by non-traditional financial entities such as telecom companies, payment processors, retailers, ride-hailing platforms, payroll providers, insurance firms, and investment platforms.

Regulatory Risk of Non-Compliance

The implications for non-bank and non-fintech entities can be material. We discuss some considerations as follows:

  1. Unregistered participation in Open Banking
    Companies that exchange financial data through APIs without registering on OBR expose themselves to CBN enforcement, and potentially to liability under Nigeria's data protection laws for unauthorized data processing.
  2. Companies may inadvertently fall within scope
    To illustrate this concern, a ride-hailing company that exposes driver earnings data to a lending platform, or an HR tech company offering payroll APIs to salary advance providers, may be caught within the scope of the Guidelines and may therefore need to comply, even if they do not hold a financial services licence.
  3. Liability and reputational exposure
    In the event of a data breach or dispute involving shared financial data, a non-registered entity may be viewed as operating unlawfully, limiting its ability to enforce agreements or benefit from legal protections afforded to compliant participants.
Read Also:What is a Permanent Establishment? Do you Have One?

Conclusion

It may be prudent for legal and compliance teams within non-bank organizations to conduct a regulatory impact assessment of their API-driven data flows to determine whether financial or transactional data processed, falls within the scope of the Open Banking Guidelines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More