Open banking and emerging opportunities for Fintechs in Nigeria
On 17 February 2021, the Central Bank of Nigeria (CBN) issued the Regulatory Framework for Open Banking in Nigeria (the ‘Framework’).
The Framework establishes principles for data sharing across the banking and payment ecosystem. It aims to promote innovation, broaden the range of financial services and products available, and expand financial inclusion.
The Framework applies to the following financial services:1
- payments and remittance services;
- collection and disbursement services;
- personal finance advice and management;
- treasury management;
- credit ratings/scoring;
- leasing/hire purchase; and
- other services as may be determined by the CBN.
The Framework provides for several issues, including data and application programming interface (API) access requirements, principles for API, data, technical design and information security specifications.
But what precisely is ‘open banking’?
With the growth of Fintechs and alternative financial service providers on the banking scene, the way we conduct financial transactions is constantly changing. This has led to conversations around the creation of a seamless system to enable the sharing of financial data and the subsequent development of open banking on a global scale, facilitated by the European Union’s Payment Services Directive (PSD2).
Open banking grants third-party providers (TPPs) open access to consumer banking, transactions and other financial data from banks and non-bank financial institutions (NBFIs) through an application programming interface (API).
With open banking, customers can share their financial data with different financial institutions. To put this into effect, the institutions require the express consent of the customer. Open banking represents a shift from a closed model, where financial institutions operated in silos, to one in which data is shared between different members of the banking ecosystem.
Thus, with open banking, Fintechs can communicate seamlessly through the networking of accounts and data across institutions for use by consumers, financial institutions and TPPs.
Open banking will lead to a situation where, regardless of how many accounts and financial products a customer has, they will be able to operate their investments and track transactions on three platforms from a centralised location, through APIs. APIs can also look at the customer’s transaction data and identify financial products with better interest rates to advertise to the customer.
Importance of APIs to open banking
API is a software intermediary that enables technology platforms or applications to communicate with one another. Some popular platforms that use APIs to accelerate the delivery of their services to consumers include Facebook, Google, Twitter and PayPal.
A banking API is an interface through which a financial institution provides data about customers, accounts and transactions. With a banking API, users of payment services are not dependent solely on the services offered by their own bank. They can make use of third-party financial services, which, in turn, access the data required by the original bank via the banking API.
Guiding principles for API specifications
The Framework sets out the guiding principles for API specifications and provides that they must adhere to the following principles or they will not be accepted:
- Openness: accessible to all interested and permissioned parties.
- Reusability: premised on existing standards and taxonomy of technology.
- Interoperability: supports exchange of objects across technologies, platforms, and organisations.
- Modularity: loose coupling with provision for flexible integration.
- Robustness: scalable, improvable, evolvable and transparent.
- User-centric: enhances user experience for consumers.
- Security: ensures data privacy and safe exchanges and transactions.
The Framework classifies participants in open banking under four categories and each has its own roles and responsibilities. It is of note that participants are required to: (i) maintain a customer service/complaint desk 24/7 to resolve complaints of end-users; (ii) comply with data privacy laws and regulations; and (iii) comply with the provisions of the Framework.
Categories of financial data
Data and services that can be shared through APIs are categorised alongside their risk levels as follows:4
Product information and service touchpoints (PIST)
Includes product information provided by participants to their customers and access points available for customers to access services (eg, ATM/POS/agents’ locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc).
Market insight transactions (MIT)
Includes statistical data aggregated on the basis of products, service, segments, etc. It shall not be associated with any individual customer or account. This data may be exchanged at an organisational or industry level.
Personal information and financial transaction (PIFT)
Includes data at the individual customer level (eg, know-your-customer data, total number or types of account held, etc) or data on the customer’s transaction (eg, balances, bills payments, loans, repayments, recurring transactions, etc).
Profile, analytics and scoring transaction (PAST)
Includes information on the customer which analyses, scores or gives an opinion (eg, credit score, income ratings etc).
High and sensitive
Other relevant provisions
Risk management:5 the Framework provides that this is the responsibility of all participants. They are therefore expected to have information technology, information security policies and a risk management framework that address APIs. They must also have a designated chief risk officer responsible for implementing effective internal control and risk management practices.
Customer rights: the agreement that contracts the client must be presented in the customer’s preferred language and their consent must be revalidated annually.
Liability for loss: the participant and its partner shall be jointly responsible and bear liability for any loss to the customer, except where the participant can prove wilful negligence or fraudulent act against the customer.
Guidance on operational rules:6 dispute resolution protocols among participants are to be codified for basic operational issues. Operational rules are also to discourage dominant party and anti-competition practices.
The key points to note from the comprehensive Framework are that the CBN has sought to provide standards for the safe utilisation and exchange of data and services, and has defined data access levels (ie, what bank data can be shared and who can obtain it).
However, the successful implementation of open banking is dependent on collaboration between Fintechs, banks and NBFIs and the CBN.
Some of the changes that could be introduced by the implementation of the Framework are outlined below.
Competition and innovation
There could be fiercer competition with larger banks competing with Fintechs and smaller banks for market hold. This could also see financial institutions trying to outdo one another by deploying better technology, better customer service, higher interest rates and lower costs.
Conversely, financial institutions can use APIs to create a new experience with their customers by assisting them in ways not previously possible. For instance, they could help illiterate customers better understand financial issues around opening a bank account, with voice commands in local languages or pidgin English. For the sophisticated customer, an open banking app could also assist in determining the most affordable loan facility available to them.
The Framework will also generate additional revenue for financial institutions in the form of commission or access fees. Open banking conducted via APIs could also consolidate the position of forward-looking Fintechs which, via data aggregation, can create detailed customer profiles and offer relevant products to clients for greater engagement.
Ease of banking
Conducting banking activities with traditional financial institutions is sometimes considered stressful. However, with open banking, customers will have consolidated information about all their financial products in a centralised location. This would reduce time spent in carrying out transactions and minimise the paperwork for onboarding new users to the institutions’ platforms.
Cybersecurity and data protection issues
There are some challenges with open banking, particularly around cybersecurity, data privacy and the resulting liabilities to financial institutions. Issues around data breaches, hacking, phishing scams and malware should be taken into consideration by any institution considering open banking and the use of APIs.
Also, with the Nigeria Data Protection Regulation (NDPR), which bears close resemblance to the European Union General Data Protection Regulation (GDPR), the legal basis for processing data must be taken into consideration before the financial records of customers are shared. Direct consent must be obtained from the customer in line with the provisions of the Framework as the failure to do this could lead to dire consequences for the financial institution that shares the data.
The introduction of the CBN Framework is a good development which could potentially lead to the improvement of financial services delivery in Nigeria.
However, although open banking offers a number of advantages, there are also concerns over the security risks occasioned by data sharing. Data protection laws must also be countenanced by service providers when they are processing consumer data.
It is the author's view that, with the engagement of cybersecurity experts, financial service providers and lawyers with experience in data protection and technology, some of the risks can be managed and open banking can thrive in Nigeria.
 Section 3.0 of the Framework.
 Section 6.0 of the Framework.
 Sections 7.1 and 7.2 of the Framework.
 Sections 4.0, 4.1 and 4.2 of the Framework.
 Section 9 of the Framework.
 Section 6.4 of the Framework.