INTRODUCTION:
The Central Bank of Nigeria is empowered under the Central Bank of Nigeria (CBN) Act 2007 and the Banks and Other Financial Institutions Act (BOFIA) 2020 to issue legal tender, promote a sound financial system[1] and promote the development of electronic payments system in Nigeria. In February 2021, the CBN announced a regulatory framework for open banking in Nigeria as part of its efforts to foster the sharing and leveraging of customer-permissioned data by banks with third-party firms to build solutions and services that provide efficiency, greater financial transparency, and options for account holders and to enhance access to financial services in Nigeria.
The Bank acknowledged the emergence of an ecosystem for Application Programming Interface (API) in the banking and payments system and is aware of various industry attempts to set acceptable standards among stakeholders. An API is what permits applications to communicate with one another. In the case of fintech and banking, an API is what enables a fintech program to interact with a bank’s server.[2] As a result, in May 2022 the Bank created operational guidelines for Open Banking in accordance with the rules of the Regulatory Framework, in consultation with industry stakeholders.
It is noteworthy that Nigeria appears to be one of the first African countries to formally adopt an Open Banking standard. Canada, Australia, and New Zealand are notable countries that have implemented open banking standards following in the footsteps of the United Kingdom by defining and adopting a single API standard for their respective financial ecosystems.[3]
Against the backdrop of the foregoing, this article highlights some features of Open Banking and its operations in Nigeria per the provisions of the operational Guidelines for Open Banking in Nigeria (Exposure draft).
MEANING OF OPEN BANKING
Open Banking is a banking practice in which third-party financial service providers are granted access to customers’ banking transactions and financial data via Application Programming Interfaces (APIs). Such access must be only to the extent approved by customers.[4]
Open Banking capitalizes on the usage of data owned by customers but stored and controlled by banks to produce value for customers without reversing or jeopardizing individual customers’ privacy rights. Open Banking enables authorized third-party developers to gain secure access to a bank’s customer data, often using Application Programming Interfaces (APIs) rather than screen scraping (the process of collecting screen display from one application and translating it so another application can display it).[5] It can facilitate more useful data analysis and presentation for individual customers (about their own data) and financial services providers (in relation to groups of customers).[6]
The categories of data that can be transmitted via APIs have been specified in the Central Bank of Nigeria’s Regulatory Framework for Open Banking. It allows for four data categories and assigns a risk category to each of them. The four categories are as follows:[7]
- Product Information and Service Touchpoints (PIST): These include information provided by participants to customers and information on access points available for customers to access service for example ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc. This category is rated low risk.[8]
- Market Insight Transactions (MIT): These include statistical data aggregated on the basis of products, services, and segments, which is not associated with any individual customer or account. These data could be exchanged at an organisational level or an industry level. The MIT is rated as a moderate-risk category.
- Personal Information and Financial Transaction (PIFT): includes data at the individual customer level either on general information on the customer (e.g., KYC data, total number or types of account held, etc) or data on the customer’s transaction (e.g., balances, bills payments, loans, repayments, recurring transactions on customer’s accounts, etc). The PIFT is rated as a high-risk category.
- Profile, Analytics, and Scoring Transaction (PAST): includes information on a customer which analyses, scores or gives an opinion on a customer, e.g., credit score, income ratings, etc. It is rated as a high and sensitive risk.
REGULATION OF OPEN BANKING
The Central Bank of Nigeria is the regulatory body for banks and financial institutions in Nigeria. The CBN is responsible for the following with respect to Open Banking in Nigeria:
- Issuance of the Regulatory Framework for Open Banking in Nigeria and its review as it may deem necessary;
- Overseeing the implementation and operations of Open Banking in Nigeria;
- Enforcement of the framework put in place;
- Arbitration of disputes among participants before any litigation or commencement of Judicial process;
- Application of the Consumer Protection Framework to Open Banking Disputes with end-users;
- Facilitation of enablers such as the Development of Common Banking Industry API Standards within 12 months of the issuance of this framework and;
- Maintenance of Open Banking Registry (OBR).[9]
The OBR is to perform the role of providing regulatory oversight on participants, enhancing transparency in the operations of open banking, and ensuring that only registered institutions operate within the open banking ecosystem.[10]
The OBR is required to be a public repository for details of registered participants. Also, each participant is to be identified by its CAC business registration number, which must be the unique key across the OBR system. The OBR is also to maintain an API interface, defined within the Open Banking API guidelines, which will serve as the primary means by which Tier 3 participants can manage the registration of their API consumers.
The requirement for onboarding into the OBR is to be based on the provisions of the Regulatory Framework for Open Banking.[11]
PARTICIPANTS IN THE OPEN BANKING ECOSYSTEM
Any organisation that has data of customers which may be exchanged with other entities to provide innovative financial services within Nigeria, is eligible to participate in the Open Banking ecosystem.[12]
Entities in the Open banking ecosystem are classified based on the following roles that they may play. Participants may take on several roles depending on their services and offerings:
1. API Provider (AP): This refers to a participant that uses API to avail data or service to another participant. An API Provider can be a licensed financial institution/service provider, a Fast-Moving Consumer Goods (FMCG) Company or other retailers, Payroll Service Bureau, etc.
As a requirement for participating in the open banking ecosystem, API Providers are to have: a Configuration Management (CM) policy approved by their Executive or Board Level IT Steering Committee or an equivalent governing body not less than Executive level; an automated CM process; a log of all changes within the CM system, audited quarterly, or more frequently, and defined in the approved CM; and a configuration database.[13]
API providers are also required to monitor infrastructure-level and API-level performance: internally monitor hardware, hypervisor, operating system, and application environment metrics at the functional level; collect performance metrics for all APIs; and implement monitoring processes that alert (visually or otherwise) first-level support personnel to identify suspicious and critical level occurrences.[14]
2. API Consumer (AC): This refers to a participant that uses API released by the (API) providers to access data or service. An API Consumer can be a licensed financial institution/service provider, an FMCG or other retailers, Payroll Service Bureau, etc.
An AC is required to maintain a data governance policy approved by its executive management committee;[15] ensure it has a data ethics framework to ensure data security;[16] and comply with all relevant data protection regulations in Nigeria to protect the customer’s data.[17] ACs are also to have effective information security management in place.[18] Furthermore, ACs have a duty to render monthly returns to the CBN, such as volume of transactions, the value of transactions, the number of users, success rates, failure rates, security incidents, fraud incidents, downtime reports and any other requirement as the CBN shall determine from time to time.[19] ACs are mandated to comply with the extant Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) in Banks and Other Financial Institutions in Nigeria.[20]
It is apposite to note that a Service Level Agreement (SLA) must be executed between API providers and API consumers to govern the relationships between the parties.[21] Also, agreed fees must be stated by the participants in the SLA and publicly disclosed on their websites.[22]
3. Customer: This refers to the data owner and end-user that may be required to provide consent for the release of data to access financial services. Customers must consent for their data to be used by service providers in order for them to receive financial products and services.
Since the customer is critical to the successful implementation of open banking, the protection of the customer is the responsibility of all participants. Participants are thus expected to follow the provisions of the Bank’s Consumer Protection Framework in their dealings with customers.
Additionally, the following are applicable in the operation of open banking:[23]
- The agreements presented to the customer by the participant must be simple, explicit and in the customer’s preferred language;
- The agreement must be presented in the customer’s preferred form including written, electronic, video or audio;
- Customer’s consent must be obtained in the same form the agreement was presented and a copy of the consent of the customer must be made available to the customer and preserved by the participant;
- The specific rights which the customer will be granting to the participant and the implication of granting those rights to the participant must be listed for the customer to consent to separately for each right to be given to the participant;
- The consent of the customer must be re-validated annually and where the customer has not used the service of the partner for 180 days;
- The responsibility of the customer for his/her protection must be clearly communicated to the customer at the on-boarding stage;
- The participant is mandated to avail the customer with security updates regularly in his/her preferred form and language to help him or her conduct transactions safely;
- The customer shall adhere to procedures for authenticating transactions and ensure that login and authentication details are not compromised through negligence;
- The customer is required to comply with preventive protocols and security advice provided by the participant and report any observed discrepancy in his/her accounts or assets.
It should be highlighted that if a consumer suffers a loss, the participant and its partner will be jointly responsible and liable, unless the participant can establish willful negligence or fraudulent conduct against the customer.[24]
INTELLECTUAL PROPERTY
It should be noted that participants’ intellectual property (in proprietary and protectable software source and object codes, aggregate data, and aggregate services among other protectable information) is protected under the applicable laws in Nigeria.[25]
In that light, a party is prohibited from unlawfully acquiring any proprietary rights, title, or interest in or to any Intellectual Property Rights of another Party or any other Participant according to the participation in Open Banking in Nigeria.[26]
Furthermore, ownership rights in any open data or other information at all times remain with the Party or Participant from which such open data or other information originated whether the open data or other information is in human or machine-readable form.[27] However, participants are permitted to grant a royalty-free license for their intellectual property in aggregated data, subject to the satisfaction of the consent requirement for use by other participants to such extent as may be required for Open Banking in Nigeria.[28]
ANTI-COMPETITION PRACTICES
The guidelines provide that APs are prohibited from engaging in unethical and unprofessional practices such as de-marketing. Participants are therefore mandated to adhere to the relevant provisions of the Code of Conduct in the Nigerian Banking Industry. It also provides that where a participant needs to terminate a relationship, 20 business days’ notice must be given to the other participant(s), and where disconnection is instant, due to fraud, abuse of services, or an instruction from the CBN, APs must ensure that the AC is provided with a report justifying the disconnection within 2 business days.[29]
CONCLUSION
Open Banking is anticipated to provide customers with a number of advantages, including the ability to view and manage all of their bank accounts from a single location, grant creditors quick access to account data when requesting a loan, simplify accounting procedures, offer competitive banking rates, and more.[30]
In Nigeria, where a major portion of the population is unbanked or underbanked, Open Banking has the potential to improve financial inclusion, particularly in terms of access and affordability. By providing mobile payment and transfer solutions, emerging fintech and mobile banking businesses have already enhanced financial inclusion in Nigeria. Banks, telecommunications companies, and other fintech players may further improve and widen African financial markets by fully utilizing the potential of Open Banking. If properly implemented, open banking improves financial service providers’ ability to meet the needs of customers. As long as security and privacy are not jeopardized, this should boost trust in financial service providers.[31]
We, therefore, believe that the operational guidelines have provided all financial institutions and users with a better understanding of the operation of open banking in Nigeria.
FOOTNOTES:
[1] Section 2 of the Central Bank of Nigeria (CBN) Act 2007
[2] https://www.hydrogenplatform.com/blog/apis-in-fintech accessed on the 18th of June 2022
[3] https://guardian.ng/business-services/nigeria-pioneers-opening-banking-in-africa/ accessed on the 12th of June 2022
[4] https://pavestoneslegal.com/the-regulation-of-open-banking-in-nigeria/ accessed on the 18th of June 2022
[5] https://www.techopedia.com/definition/16597/screen-scraping accessed on the 15th of June 2022
[6] https://www.hoganlovells.com/en/publications/open-banking-in-africa accessed on the 18th of June 2022
[7] Section 4.1 of the Regulatory Framework for Open Banking in Nigeria
[8] Section 4.2 of the Regulatory Framework for Open Banking in Nigeria
[9] Section 8.0 of the Regulatory Framework for Open Banking in Nigeria
[10] Paragraph 6.0 of the Operational Guidelines for Open Banking in Nigeria
[11] Paragraph 6.1 of the Operational Guidelines for Open Banking in Nigeria
[12] Paragraph 4.1 of the Operational Guidelines for Open Banking in Nigeria
[13] Paragraph 8.1.1 of the Operational Guidelines for Open Banking in Nigeria
[14] Paragraph 8.2.1 of the Operational Guidelines for Open Banking in Nigeria
[15] Paragraph 9.1 of the Operational Guidelines for Open Banking in Nigeria
[16] Paragraph 9.1.1 of the Operational Guidelines for Open Banking in Nigeria
[17] Paragraph 9.2 of the Operational Guidelines for Open Banking in Nigeria
[18] Paragraph 9.3.1 of the Operational Guidelines for Open Banking in Nigeria
[19] Paragraph 9.4 of the Operational Guidelines for Open Banking in Nigeria
[20] Paragraph 9.5 of the Operational Guidelines for Open Banking in Nigeria
[21] Paragraph 8.1.2 of the Operational Guidelines for Open Banking in Nigeria accessible at https://www.cbn.gov.ng/out/2022/ccd/operational%20guidelines%20for%20open%20banking%20in%20nigeria_approved%20exposure%20draft.pdf
[22] Paragraph 8.1.2.2 of the Operational Guidelines for Open Banking in Nigeria
[23] Section 10.0 of the Regulatory Framework for Open Banking in Nigeria
[24] Section 10.0 of the Regulatory Framework for Open Banking in Nigeria
[25] Paragraph 11.12.1 of the Operational Guidelines for Open Banking in Nigeria
[26] Paragraph 11.12.2 of the Operational Guidelines for Open Banking in Nigeria
[27] Paragraph 11.12.3 of the Operational Guidelines for Open Banking in Nigeria
[28] Paragraph 11.12.4 of the Operational Guidelines for Open Banking in Nigeria
[29] Paragraph 8.9 of the Operational Guidelines for Open Banking in Nigeria
[30] https://pavestoneslegal.com/the-regulation-of-open-banking-in-nigeria/ accessed on the 18th of June 2022
[31] https://www.hoganlovells.com/en/publications/open-banking-in-africa accessed on the 18th of June 2022