The Compliance Alert An Overview Of The Operational Guidelines For Open Banking In Nigeria Compliance

1.0. INTRODUCTION

The traditional banking system was defined by structural inefficiencies which included high cost of transactions, limited financial access, lack of transparency, and most of all dawdling service delivery. Customers' financial data was held exclusively by banks, thereby limiting innovation and customer choice.

The emergence of financial technology (fintech) exposed these systemic gaps and highlighted significant legal and regulatory deficiencies and imbalance particularly in data ownership, market access and consumer rights. Hence, regulators across the globe introduced open banking frameworks, designed to legally recognize customer rights over financial data, promote competition, and create a secure environment for innovation in the financial sector. Nigeria became the first African country to establish a framework for Open Banking,¹ reflecting its commitment to strengthening financial inclusion and promoting a modernized regulatory landscape.

Open banking system is a regulated system that allows bank customers to securely share their financial data with authorized third-party providers via a well-designed and purpose-driven Application Programming Interfaces (APIs). Open banking is applicable in credit scoring and rating, agent banking, financial inclusion, and know your customer (KYC).² It also aids to maintain budget, access credit facilities, and conveniently manage money.

2.0. The Operational Guidelines for Open Banking in Nigeria 2023³

The Central Bank of Nigeria ("the CBN") is the principal regulator of the open banking fintech model. As part of its powers provided in the Central Bank of Nigeria Act 2007 and the Banks and Other Financial Institutions Act 2020, the CBN in an effort to promote competition and innovation in the banking sector issued the Operational Guidelines for Open Banking in Nigeria 2023 ("the guidelines"). The 2023 Guidelines were issued as a follow-up to the 'Regulatory Framework for Open Banking in Nigeria'⁴, published in 2021. While the 2021 framework set out the foundational principles for open banking, the 2023 Guidelines provides comprehensive rules for implementation, including the categorization of participants as well as detailed provisions on data sharing and API access.

The Guidelines apply to banking and other related financial services providing; payments and remittance services, collection and disbursement services, deposit-taking, credit, personal finance advisory and management, treasury management, credit ratings/scoring, mortgage, leasing/hire purchase, and other services as may be determined by CBN.

3.0. Participants in Open Banking

Entities participating in open banking are classified according to defined roles, which corresponds to the nature and scope of the services it provides. Players are categorised into:

3.1. API Providers: These participants provide data and services to third parties. They include Banks, a Fast-Moving Consumer Goods (FMCGs) Company, or Payroll Service Bureaus.

3.2. API Consumers: API consumers are authorized third parties who utilise APIs released by API providers to access data and service. They include Startups, Financial Institutions or other service providers consuming data released.

3.3. Customers: They are the ultimate data owners who must provide consent for the release of data to the third-party entities providing financial services.

4.0. Compliance Provisions

Participants in the open banking ecosystem are subject to mandatory compliance requirements outlined in the Guidelines, especially concerning security protocols for data access and storage, minimum requirements for risk management, operations, privacy, and customer experience.⁵ Some compliance watch list include:

4.1. The Registry

The Open Banking Registry (OBR) is a centralized repository maintained by the CBN to provide regulatory oversight on participants and ensure accuracy and transparency in open banking open banking operations. Financial institutions, third-party service providers, and other stakeholders planning to use or offer services through open banking channels are required to register with the OBR⁶ upon incorporation to participate in Nigeria's open banking process. All authorized participants in the open banking ecosystem are officially listed in the OBR.

4.2. Consent Management Compliance

The Guidelines⁷ require that consent must be obtained from customers before their data may be accessed for the provision of open banking products and services. Such consent must be provided in the same form as the agreement presented to the customer by the API providing bank. In addition, the customer's consent must be revalidated on an annual basis and/or where an API Consumer has not utilized the service for 180 days.

The Guidelines further recognises the key purpose of the Nigerian Data Protection Act 2023 ("NDPA") and the Nigerian Data Protection Regulation⁸ in giving customers control over their financial data. Any breach arising from failure to adhere to the Guidelines on the customer's consent will also lead to a breach in the data privacy rights of the customer.⁹

4.3. Service Level Agreement

A Service Level Agreement must be executed between the API Providers and the API Consumers to govern their relationship.¹⁰ The Agreement shall include: fee structure, account settlement, reconciliation of bills and registration & sponsorship responsibilities of the parties.

4.4. Reporting Compliance

4.4.1. Report by API Providers & API Consumers: A mandatory monthly report must be submitted between the API Providers and the API Consumers.¹¹ The report should state the API performance levels for the current month and previous fiscal months, quarters and year. It should state statistics of new and existing incidents, and changes made. It should also detail the number and category of fraud and disputes encountered, along with related service-level agreement performance.

4.4.2. Report to Customers: Customers must receive a transcript of the API Consumer's operations involving their data at least once a month,¹² or as requested by the customer. This transcript should include all transactions completed, the interface or channel used, the time and status of each transaction, the matching request and response pairs, and any related financial movements. It should cover all API Consumers' activities conducted within the preceding 30 days.¹³

4.5. Anti-Competition Practices

API Providers and Consumers are prohibited from participating in any unethical or unprofessional activity, such as de-marketing. Therefore, participants are mandated to comply with must follow Section 2.0 of the Nigerian Banking Industry Code of Conduct.¹⁴

Where one participant intends to terminate the relationship, a 20-business-day (twenty) notice must be provided to the other participants. In an event where a disconnection occurs immediately, as a result of fraud, service abuse, or a directive from the CBN¹⁵, API providers must ensure that API Consumers receive a report explaining the reason for the disconnection within two business days.

5.0. Combating Money Laundering and Financing Terrorism

API Providers Consumers are obligated to comply with established AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) protocols. This compliance is mandated by the CBN and the Nigerian Financial Intelligence Unit ("NFIU"), in addition to legislative instruments like the Money Laundering (Prevention and Prohibition) Act and the CBN AML/CFT Regulations.¹⁶

6.0. Rendition of Returns

API Consumers and Providers shall render the following periodic returns to CBN using existing channels as specified by the Bank: Volume of transactions, Value of transactions, Number of users, Success rates, Failure rates, Security incidents, Fraud incidents, Downtime reports, and any other requirements as the CBN shall require.

7.0. Conclusion

The introduction of open banking in Nigeria represents a significant milestone in the evolution of the country's financial services sector. By establishing a clear legal and regulatory framework, the CBN has created an enabling environment that balances innovation with consumer protection, thereby promoting financial inclusion, market competition, and operational transparency.

The 2023 guidelines not only operationalize the foundational principles set out in the 2021 framework but also strengthen oversight, enhance operational integrity, and foster public confidence in the open banking ecosystem. By ensuring secure data exchange and safeguarding service quality, the guidelines not only protect consumers but also encourages sustained innovation within Nigeria's financial services industry. All participants are required to register with the Open Banking Registry, implement robust consent controls, provide transparent reporting, and adopt standardized procedures for service termination. Participants are also advised to familiarize themselves with these guidelines and adopt them to effectively participate in the system.

Footnotes

1. Chinwe Micheal, 'Five African Countries with Open Banking Guidelines' (Business day, 3rd April 2025) ( https://businessday.ng/technology/article/here-are-five-african-countries-with-open-banking-guidelines/) Accessed 15th July 2025

2. The Operational Guidelines for Open Banking in Nigeria 2023 (Guidelines)

3. ibid

4. The Regulatory Framework for Open Banking in Nigeria, 2021 (Framework)

5. Guidelines, section 2.4

6. Guidelines, section 6.0

7. Guidelines, section 7.0, 11.0 & Appendix IV

8. Guideline, section 9.2

9. Guidelines. Section 9.2

10. Guidelines, section 8.1.2

11. Guidelines, section 8.7

12. Guidelines, section 8.8.1

13. Guidelines, section 8.8.2

14. Section 2.0 of the Nigerian Banking Industry Code of Conduct highlights the prohibited unethical conducts in the banking profession.

15. Guidelines, section 8.8

16. Guidelines, section 9.5

17. Guidelines, section 9.4

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.