Data Privacy at the Core of Open Banking in Nigeria1
1. Introduction
The emergence of open banking has transformed the financial landscape, offering customers opportunities to access innovative financial services. However, as the open banking ecosystem continues to evolve, the need to navigate the intersection of data privacy regulations and open banking becomes paramount. This article explores the recently passed Nigeria Data Protection Act 2023 (the "NDPA" or the "Act") in light of open banking, and what data privacy laws mean for open banking in Nigeria.
2. What is Open Banking?
Open banking (also known as "open bank data") is a banking practice that provides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions through the use of application programming interfaces ("APIs").2 It entails banks granting third-party service providers (often tech startups and online financial vendors) access to and control over customers' personal and financial data. An example of the implementation of open banking is the ability of consumers to initiate payments directly from their bank accounts through authorised third-party providers.3
3. Benefits of Open Banking4
3.1 Enhanced Financial Services: Open banking helps create new and better financial tools and services through unique digital access to individual banking information of customers and consumers. It encourages creativity and competition, and brings more choices for customers like personalised budget apps and faster payment methods.
3.2 Access to a Wide Range of Services: Open banking allows customers to benefit from a wider range of financial services and products beyond what a single institution offers. They can leverage the expertise and capabilities of multiple providers, finding the best solutions to meet their specific needs. This can include borrowing, investments, insurance, and more. Customers can easily compare products and services from different institutions, switch providers more easily, and access tailored financial advice.
3.3 Faster and Secure Payments: Open banking facilitates faster and more convenient payment options. It enables customers to initiate payments directly from their bank accounts without relying solely on traditional payment methods, such as walking into physical banks and filling forms to initiate financial transactions. This can lead to quicker transactions, real-time payments, and improved cash flow management for businesses.
3.4 Seamless Account Integration: Open banking facilitates the integration of various financial accounts and services. This means you can link your bank accounts, credit cards, and other financial platforms to access a comprehensive overview of your finances in one place.
4. Data Privacy Regulations and Open Banking in Nigeria
The sharing of financial information is also seen as a potential drawback with open banking. It raises concerns around data privacy because when data is distributed across various platforms and providers, it becomes more susceptible to theft and unauthorised access. This increases the risk of data breaches that will compromise the security of sensitive financial information.
On 7th March 2023, the Central Bank of Nigeria ("CBN") announced the issuance of the Operational Guidelines for Open Banking in Nigeria (the "CBN Guidelines"),5 making Nigeria the first African country with guidelines on open banking. The operational guidelines provide rules for how banks and third-party financial institutions interact with customer data. The entire guideline is a laudable step for open banking in Nigeria, as it recognises the importance of data privacy, covering a data ethics framework for API Providers and API Consumers (APs/ACs), information security, effective information security management, and the duties of APs/ACs6 in preventing data breaches, among others.
Particularly under Guideline 9.2, the CBN Guidelines provide as follows:
"APs/ACs shall comply with the Nigerian Data Protection Regulation or any CBN issued data protection regulation for FIs, to protect customer data."
The Nigeria Data Protection Act (NDPA) retained and did not repeal the existing Nigerian Data Protection Regulation (NDPR) and its Implementation Framework. The NDPR will be read in conjunction with the NDPA, and where there is any conflict in their provisions, the provisions of the NDPA shall prevail.7
A few specific provisions of the newly enacted NDPA that have a direct impact on open banking are as follows:
- Provision of Relevant Information to the Data Subject: The NDPA provides that before a data controller collects personal data from a data subject, the data controller is to inform the data subject of certain information as provided under the Act, some of which include identity, residence and place of business of the data controller, retention period for personal data, right of complaint to the Commission amongst others.8
This is important in open banking, because in the relationship between customers and the banks, the banks often have the upper hand because they have within their reach the financial information and background of the customer. It is therefore important that customers clearly understand the implications of a third party being involved in their financial information, as this is very much the core of open banking.
- Data Security: The NDPA requires data controllers and data processors to implement appropriate technical and organisational measures to ensure security, integrity and confidentiality of personal data in their possession, and sets out what to take into account in implementing them.9
The Act also provides that where there are personal data breaches on the information stored by a data processor, the data processor is to inform the data controller that engaged it as well as provide all the information which the data controller that engaged it needs to resolve the breach in accordance with the Act.10 For instance, if a fintech startup (being the API user in open banking) discovers a breach of the financial information of customers on its app, it is to inform the bank or financial institution that granted it access to the financial information of its customers, to provide the service(s).
- Rights of Data Subject: Section 34 of the NDPA lists the rights of a data subject. The data subject in this case is the bank customer, while the data processor and controllers are the banks and third-party service providers. Some of the rights of a data subject include the right to object to the processing of his data, as well as the withdrawal of consent by the data subject.11
This becomes pertinent in the context of open banking since certain individuals might feel hesitant and uncertain about the idea of their private data being shared with third parties, leading to reservations and a lack of confidence in the process. This class of persons shall have the right to object to such processing and will be provided with a mechanism for objection at no cost to them. If they have also given consent, it can be withdrawn and the data processor must not make it hard for consent to be withdrawn.
- Consent: Consent is a foundational principle of open banking. Guideline 7.0 of the CBN Guidelines provides that consent shall be required from customers whose data is necessary to avail them of open banking products and services. Relating this to the NDPA,12 the Act defines what amounts to consent and how consent must be in the affirmative. It also provides that data controllers are to bear the burden of proof in establishing a data subject's consent. This is important because consent plays a crucial role in ensuring the privacy, security, and control of a customer's financial information.
- Penalties: Any person subject to the NDPA who is found to be in breach of the data privacy rights of any Data Subject shall be liable to various penalties for such offence under the Act.13 Given the heightened risk of potential breaches associated with the implementation of open banking, it is crucial for participants to proactively ensure full compliance with the provisions of the Act to avoid penalties.
5. Conclusion
Open banking has ushered in a new era of financial innovation and convenience by enabling seamless data sharing among financial institutions and third-party providers. While the benefits are undeniable, data privacy remains a paramount concern. The potential for increased data breaches and unauthorised access to sensitive financial information demands a vigilant approach from all stakeholders.
Therefore, preserving data privacy is not a mere obligation, but an opportunity to set higher standards of trust, security, and ethical conduct in the financial ecosystem. By embracing privacy-centric principles and ensuring compliance with regulatory mandates, open banking can truly fulfill its promise of empowering consumers while redefining the landscape of financial services.
Footnotes
1. Niniola Ayantoye, Associate, Corporate Finance and Capital Market, S. P. A. Ajibade & Co., Lagos, Nigeria.
2. An API, or application programming interface, is a set of defined rules that enable different applications to communicate with each other. It acts as an intermediary layer that processes data transfers between systems, letting companies open their application data and functionality to external third-party developers etc., which in the case of Open banking is between the bank and tech startups that create financial services apps.
3. 'Open Banking: Definition, How It Works, and Risks', available at https://www.investopedia.com/terms/o/open-banking.asp accessed on 13/07/23.
4. Benefits of Open Finance for Individuals, available at https://belvo.com/blog/5-benefits-of-open-banking-for-consumers/ accessed on 13/07/23.
5. Operational Guidelines for Open Banking in Nigeria, available at https://www.cbn.gov.ng/Out/2023/CCD/Operational%20Guidelines%20for%20Open%20Banking%20in%20Nigeria.pdf accessed on 17/07/2023.
6. API Providers and API Consumers (API: Application Programming Interface).
7. Section 63 of the Nigeria Data Protection Act, available at https://placng.org/i/wp-content/uploads/2023/06/Nigeria-Data-Protection-Act-2023.pdf accessed on 14/09/23
8. Section 27.
9. Section 39.
10. Section 40 of the NDPA.
11. The NDPA grants specific rights to individuals, including the right to confirm with data controllers or processors when their personal information is being used. It also allows individuals to have their data erased promptly and corrected if it's inaccurate, outdated, incomplete, or misleading. Additionally, individuals can obtain an electronic copy of their data unless it incurs unreasonable costs for the controller. They can withdraw their consent at any time, with the process being as straightforward as giving consent. Individuals also have the right to object to their data being processed, with immediate cessation unless there are overriding public interests or legitimate reasons. Moreover, the NDPA ensures that decisions significantly affecting individuals cannot be based solely on automated processing.
12. Section 26 of the NDPA.
13. Section 47 of the NDPA.
Originally published by 29 September, 2022