AN ANALYSIS OF THE RECENTLY RELEASED OPERATIONAL GUIDELINES FOR OPEN BANKING IN NIGERIA
On the 7th of March 2023, the Central Bank of Nigeria (CBN), in collaboration with industry stakeholders, developed and released the Operational Guidelines for Open Banking in Nigeria (“Operational Guidelines”). This was preceded by an exposure draft of the Guidelines published in May 2022.
The Operational Guidelines keep in line with the provisions of the Open Banking Framework issued on the 17th of February 2021 by the apex banking regulator and set out the responsibilities and expectations for the participants in the open banking ecosystem and the framework for sharing information, amongst others.
WHAT IS OPEN BANKING?
Open Banking is a system that enables the sharing of customer-permissioned data between banks and third-party firms. This system allows banks to securely share their customers’ data with third-party companies, such as fintech and other financial service providers, with the consent of their customers through the use of an Application Programming Interface (API), which acts as a bridge between a bank’s systems and those of the third-party firms.
Once a customer gives consent for their data to be shared, the third-party firm can access their data through the bank’s API. This data includes information about the customer’s transactions, account balances and other relevant information. The third-party firm can then use this data to develop innovative products and services that are tailored to the customer’s needs.
Thus, with Open Banking, fintechs and banks are able to communicate seamlessly through the networking of accounts and data across institutions for use by consumers, financial institutions, and third-party firms. This means that regardless of how many accounts and financial products a customer has with multiple institutions, they can be managed from a centralised location without having to switch from one system to another.
THE SCOPE OF THE OPERATIONAL GUIDELINES
The Operational Guidelines apply to banking and other related financial services as categorised and determined by the CBN in the Open Banking Framework and these services include:
- payment and remittance
- collection and disbursement
- credit rating/scoring
- personal finance advisory and management
- treasury management
- leasing/hire purchase
- mortgages; and
- other services as may be determined by the CBN.
The Operational Guidelines provide that any organisation that has the data of customers which may be exchanged with other entities for the purpose of providing innovative financial services within Nigeria is eligible to participate in the Open Banking ecosystem.
Participants in open banking are categorised based on the roles they perform, and the Operational Guidelines acknowledge that participants may assume more than one role. These participants are:
- API Provider (AP): This refers to a participant that uses APIs to provide data or service to another participant. An API Provider can be a licensed financial institution/service provider, Fast-Moving Consumer Goods (FMCG) companies, retailers, Payroll Service Bureau etc.
- API Consumer (AC): This refers, on the other hand, to a participant that uses APIs released by API Providers to access data or service. An API Consumer can also be a licensed financial institution/service provider, an FMCG or other retailers, Payroll Service Bureau etc.
- Customer: This refers to the data owner who shall be required to provide consent for release of data for the purpose of accessing financial services.
The Operational Guidelines also provide for the responsibilities of API Providers and API Consumers, especially as they relate to protection against data breaches, monitoring, information security, efficiency of their operations, data ethics, amongst others.
OPEN BANKING REGISTRY
Again, the Operational Guidelines mandate the CBN to establish and manage an Open Banking Registry that will serve as a regulatory oversight tool for participants in the open banking ecosystem. This registry is also designed to enhance transparency in the operations of Open Banking and ensure that only registered institutions operate within the ecosystem.
The Open Banking Registry shall also be a public repository for details of registered participants, each of whom shall be identified by its Corporate Affairs Commission (CAC) business registration number, which shall be the unique key across the system.
INTELLECTUAL PROPERTY PRESERVATION
The Operational Guidelines provide that participants’ intellectual property in proprietary and protectable software source and object codes, aggregate data and aggregate services among other protectable information shall be protected under the applicable laws in Nigeria and as such, no party shall acquire these rights belonging to another participant pursuant to the participation in Open Banking in Nigeria.
Furthermore, all ownership rights in any open data or other information shall at all times remain with the party or the participant from which such data or other information originated, whether the open data or other information is in human or machine-readable form.
SHARED INFORMATION FRAMEWORK
The Operational Guidelines provide that customer consent is the sole basis for sharing customer information in a shared information framework. Thus, an API Provider can only share information of a customer with an API Consumer upon presentation of a valid proof of consent by the customer and such consent shall be authenticated to ensure it emanates from its customer.
When the API Provider receives the customer’s consent to provide the customer’s data to an API Consumer, it shall verify that:
- the consent emanated from its customer. This requires 2-Factor Authentication (2FA) of the customer to verify the consent.
- the request for the customer’s data contains the purpose of the request.
- the request contains the credentials of the requesting end-user.
- the request contains a valid date and was made through appropriate channels.
It is commendable that Open Banking in Nigeria will enable innovative financial products and services that are customer-centered. However, a major risk that accompanies the adoption of Open Banking remains data breaches and abuse of processing. The Nigeria Data Protection Regulation, 2019 (NDPR) is the foundational pillar for data privacy and protection for the processing of personal data in Nigeria, and it is hoped that API Providers and API Consumers ensure strict compliance with the NDPR in conjunction with the Operational Guidelines released by the CBN.
It follows that if the Operational Guidelines are efficiently implemented, they have the potential of revolutionising the provision of financial and ancillary services in Nigeria.
Open Banking is currently practised in the United Kingdom, Singapore, China and Japan, and is gaining momentum in several other countries of the world.
The NDPR was issued to address data privacy and protection concerns by the National Information Technology Development Agency (‘NITDA’), the federal agency under the Communications Ministry for IT-related matters.
Author: Esther Aderomi – Associate, Lexworth Legal Partners
DISCLAIMER: LEXWORTH LEGAL PARTNERS
This document is intended only as a general discussion on the subject of this article. Please do not regard it as legal advice. We would be delighted to provide additional details or advice about specific queries, if required.