It is often assumed that the Central Bank of Nigeria's (the "CBN") Open Banking Framework and related guidelines ( the "Open Banking Guidelines") are relevant only to banks and licensed fintech companies. However, a closer reading of the Open Banking Guidelines suggests that its application is significantly broader, extending to any company that shares or consumes financial data through APIs, regardless of sector.
The Legal Basis for Broad Applicability
First, section 6.1 of the CBN Operational Guidelines for Open Banking (2023) states unambiguously that only entities that are registered on the Open Banking Registry are eligible to participate in the open banking ecosystem, either as API Providers or API Consumers.
Secondly, the Open Banking Guidelines define API Providers and API Consumers based not on sector, but on function, that is, whether an entity holds financial data and exposes it via APIs (i.e. an API Provider), or whether it accesses financial data through APIs (i.e. an API Consumer). We find no provisions that limitats or restricts these roles to licensed banks or fintechs. This suggests that any company, regardless of sector, that shares or accesses customer financial data via APIs must register with the Open Banking Registry (the "OBR") and comply with the Guidelines.
Although the Open Banking Guidelines do not define financial data in specific terms, it appears that the Open Banking Guidelines recognize that financial data may not be the exclusive domain of banks. The category of financial data which may trigger application under the Guidelines appears to include:
- Product and service information (PIST)
- Market insights (MIT)
- Personal information and transaction data (PIFT)
- Profiling and scoring data (PAST).
This structure reflects a deliberate move by the CBN towards a truly open banking system, and anticipates participation by non-traditional financial entities such as telecom companies, payment processors, retailers, ride-hailing platforms, payroll providers, insurance firms, and investment platforms.
Regulatory Risk of Non-Compliance
The implications for non-bank and non-fintech entities can be material. We discuss some considerations as follows:
- Unregistered participation in Open
Banking
Companies that exchange financial data through APIs without registering on OBR expose themselves to CBN enforcement, and potentially to liability under Nigeria's data protection laws for unauthorized data processing. - Companies may inadvertently fall within
scope
To illustrate this concern, a ride-hailing company that exposes driver earnings data to a lending platform, or an HR tech company offering payroll APIs to salary advance providers, may be caught within the scope of the Guidelines and may therefore need to comply, even if they do not hold a financial services licence. - Liability and reputational exposure
In the event of a data breach or dispute involving shared financial data, a non-registered entity may be viewed as operating unlawfully, limiting its ability to enforce agreements or benefit from legal protections afforded to compliant participants.
Conclusion
It may be prudent for legal and compliance teams within non-bank organizations to conduct a regulatory impact assessment of their API-driven data flows to determine whether financial or transactional data processed, falls within the scope of the Open Banking Guidelines.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
