ARTICLE
27 August 2025

Open Banking In Nigeria: Privacy Concerns & Compliance Obligations

The Trusted Advisors

Contributor

Trusted Advisors is a full-service law firm founded to provide cutting-edge and tailor-made legal solutions to clients. Its strategic position, as well as an enviable network of alliances, has given undoubted benefits to our clients. We stand as a single-window service provider dealing with all kinds of matters across the country under one umbrella.

Open Banking is transforming financial services in Nigeria by enabling the secure sharing of consumer financial data among banks, fintechs, and other regulated third-party service providers through APIs (Application Programming Interfaces). While it promises innovation, efficiency, and financial inclusion, open banking also raises significant data privacy and compliance concerns. In a digital environment where sensitive financial information is exchanged across multiple platforms, protecting consumer data and ensuring legal compliance becomes paramount.

It is against this background that this article aims to provide an overview of the privacy risks associated with open banking in Nigeria and explore the compliance obligations imposed on financial institutions and third-party providers under the relevant legal and regulatory framework in Nigeria.

WHAT IS OPEN BANKING?

Open banking is a banking practice that allows banks and other financial institutions to share customers' banking and other financial data and transactions with third-party service providers with the consent of the customers, through the use of APIs.

In other words, it refers to a financial system that enables customers to authorize third-party providers (TPPs) to access their financial data held by banks and other financial institutions with the aim of fostering innovation, competition, and personalized financial services such as budgeting tools, alternative credit scoring, and seamless payments.

LEGAL & REGULATORY FRAMEWORK

Open banking is generally regulated by the Central Bank of Nigeria (CBN), which, in line with its mandate under the CBN Act[1] to promote a stable financial system in Nigeria[2], issued the Regulatory Framework for Open Banking in Nigeria (The Framework) in February 2021 to, among other things, provide an enabling regulatory environment for the provision of innovative and customer-centric financial services through the safe utilisation and exchange of data and services between banks and third-party service providers. The Framework was aimed at promoting competition and innovation in banking as well as enhancing access to financial services.

Given the recognition by CBN of the existence of an ecosystem for Application Programming Interface (API) in the financial and payments system, and being fully aware of various efforts in the industry to develop acceptable standards among stakeholders, the CBN thought it necessary to issue Guidelines to regulate open banking in Nigeria. Therefore, in March 2023, the CBN, in line with its mandate under the CBN Act for the stability of the financial system and pursuant to its role in deepening the financial ecosystem, again issued the Operational Guidelines for Open Banking in Nigeria (The Guidelines).

The Guidelines aim to, among other things, provide clear responsibilities and expectations for the various participant categories, ensure consistency and security across the open banking system, stipulate safeguards for financial system stability under an open banking regime, promote competition and enhance access to banking and other financial services, as well as outline minimum requirements for participants.[3]

PRIVACY CONCERNS

The benefits of open banking to the financial ecosystem cannot be overemphasised. However, despite its numerous benefits to the financial economy, there are attendant privacy risks that, if not meticulously handled, pose huge financial risks to the customers.

Generally, data privacy and protection in Nigeria are governed by the Nigeria Data Protection Act (NDPA), 2023, and the NDPA GAID, 2025[4], which regulate the handling and processing of personal data in Nigeria. By virtue of the nature of open banking transactions, customers' banking data are shared between banks and other third-party service providers who act in the capacity of a data controller or data processor to the customers (the data subjects).

Highlighted below are some of the privacy concerns associated with the use of open banking in Nigeria:

  • Unauthorized Data Access and Data Breaches

The use of APIs exposes financial data to a greater risk of unauthorized access, especially if the third-party providers who are granted access to customers' data lack robust security systems. Ultimately, a breach can lead to identity theft, fraud, or misuse of customers' sensitive information.

  • Inadequate Consent Management

The cornerstone of Open Banking is user consent. However, there are concerns that customers may not fully understand the scope or implications of the consent they grant to third parties, especially when consent is bundled or not properly documented.

  • Third-Party Data Handling Risks

Not all third-party providers are subject to the same rigorous oversight as traditional financial institutions. There's a risk that these providers may store or process personal data in ways that violate privacy principles or consumer expectations.

  • Lack of Consumer Awareness

Many Nigerian users are unaware of their data rights or how to exercise them, making them vulnerable to exploitative data-sharing practices or misinformation.

  • Cross-border Data Transfer

APIs and cloud infrastructure often facilitate the transfer of personal data across borders. Without clear safeguards, Nigerian users' data may be transferred to jurisdictions with weaker data protection laws.

COMPLIANCE OBLIGATIONS

In addition to the compliance obligations imposed on the banks and the third-party providers under the Framework and the Guidelines, there are data compliance obligations imposed on them under the NDPA and NDPA GAID. Highlighted briefly below are some of the compliance obligations under the Framework, Guidelines, NDPA, NDPA GAID, and other extant privacy laws in Nigeria:

A. FINANCIAL INSTITUTIONS (DATA PROVIDERS/DATA CONTROLLERS/DATA PROCESSORS)

  1. Implementation of API security standards to prevent unauthorized access to data.
  2. Obtaining and documenting verifiable customer consent before sharing data.
  3. Conducting due diligence on third-party providers before integration.
  4. Ensure continuous monitoring of data-sharing activities.
  5. Cooperate with the NDPC and CBN in the event of data breaches or audits.
  6. Prompt notification of the CBN and NDPC in the event of data breaches
  7. Filing of annual data privacy audits
  8. Preparation of Data Privacy Impact Assessments (DPIA) and registration with the NDPC
  9. Registration as a Data Controller and Processor of Major Importance (DCPMI) with the NDPC
  10. Provision of privacy policies on their website, etc
  11. Ensuring the provision of technical and organizational measures to safeguard customers' data
  12. Periodic capacity building for staff on data handling, data ethics, and data management
  13. Entering into data sharing or data processing agreements with third-party providers.
  14. Ensuring third-party providers afford an adequate level of data security and safeguards for the protection of customers' data

B. THIRD-PARTY PROVIDERS (TPPS)

  1. Registering with the appropriate regulatory body (CBN) or other licensed body.
  2. Developing data protection policies in line with the NDPA.
  3. Implementing secure data storage and processing protocols.
  4. Providing privacy notices that are clear and accessible to consumers.
  5. Ensuring they can withdraw access to customer data upon request or revocation of consent.
  6. Ensuring the provision of technical and organizational measures to safeguard customers' data
  7. Periodic capacity building for staff on data handling, data ethics, and data management
  8. Filing of annual data privacy audits
  9. Preparation of Data Privacy Impact Assessments (DPIA) and registration with the NDPC
  10. Registration as a Data Controller and Processor of Major Importance (DCPMI) with the NDPC
  11. Entering into data sharing or data processing agreements with third-party providers.

C. REGULATORS

  1. CBN and NDPC must coordinate to ensure unified compliance monitoring of all players within the open banking ecosystem
  2. Facilitation of robust mechanisms to ensure the enforcement, investigations, and penalties for data protection breaches by the CBN and NDPC.
  3. Constant enforcement by CBN of API technical standards, risk management protocols, and consumer protection measures.

CONCLUSION

Open Banking in Nigeria holds great promise for democratizing financial services and enabling innovation. However, without a strong commitment to privacy and data protection, its potential could be undermined by breaches, abuse, and loss of public trust. The combined provisions of the NDPA, NDPA GAID, CBN Open Banking Guidelines, and other extant legislation and regulations provide a solid foundation. Nevertheless, consistent enforcement, public awareness, and ethical data practices are essential in ensuring that Open Banking serves Nigerians securely and equitably.

Footnotes

1. Central Bank of Nigeria Act, 2007

2. See Section 2(d) of the CBN Act, 2007

3. See Paragraph 5.0 of the Operational Guidelines for Open Banking in Nigeria, 2023

4. The GAID, which was released in 2013, repealed the Nigeria Data Protection Regulation (NDPR) and aims to complement and address the grey areas in the NDPA

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
