On the 7th day of March 2023, the Central Bank of Nigeria (“CBN”) set a record in Africa by releasing the Operational Guidelines for Open Banking in Nigeria (“Guidelines”), making Nigeria the first African country to adopt open banking regulations, particularly in view of the regulatory framework earlier issued by the CBN (please see our article on this).
In this article, we set out the salient provisions of the Guidelines.
A. WHAT IS OPEN BANKING?
As explained in our earlier article, Open Banking is the banking practice that grants third-party financial service providers access (to the extent approved by the customers) to consumer banking transactions and financial data through the use of Application Programming Interfaces (APIs).
With Open Banking, Fintechs will be able to provide more innovative and seamless services to customers. For instance, it will: (i) allow customers to view and manage their various bank accounts from one centralized location; and (ii) allow credit facilities to be granted to customers more quickly, by using APIs to access the information required for KYC, amongst other innovations.
B. WHO ARE THE PARTICIPANTS IN OPEN BANKING?
As previously explained here, the Guidelines categorises participants as:
(i) the API Provider (“AP”) i.e. a participant that uses API to provide data or service to another participant, e.g. a licensed financial institution/service provider, a Fast-Moving Consumer Goods (FMCG) company, or a payroll service bureau;
(ii) API Consumer (“AC”) i.e. a participant that uses API released by the AP to access data or service. An AC can be a licensed financial institution/service provider, an FMCG company, a payroll service bureau, etc.; and
(iii) Customer: the data owner and end-user that may be required to provide consent for the release of data for the purpose of accessing financial services.
C. WHAT ARE THE KEY PROVISIONS IN THE GUIDELINES?
The following are key provisions to note in the Guidelines:
1. Establishment Of an Open Banking Registry (“OBR”): The CBN will maintain an Open Banking Registry to provide regulatory oversight on participants, enhance transparency and ensure that only registered institutions operate within the open banking system. Each participant shall be identified by its CAC registration number which will be used as its unique key across the OBR ecosystem.
2. Execution Of a Service Level Agreement: API providers and API consumers who intend to share financial data are expected to execute a Service Level Agreement (“SLA”) which meets the minimum requirements set out in the Guidelines. SLAs should, at a minimum, include: (i) details of the accounting and settlement processes; (ii) the fees for the service (which should also be set out on their website); (iii) a system for easy reconciliation of bills; (iv) service monitoring provisions; (v) incident management procedures; (vi) performance monitoring procedures; and (vii) key performance indicators.
3. Reporting Requirements: The Guidelines also sets out reports that should be shared amongst APs and ACs. Some of them include the number and category of fraud and disputes on their platform; changes scheduled for the next month and potential impact; and excerpts of its problem register indicating new, existing, and resolved problems.
4. Submission Of Returns to the CBN: ACs and APs are to render periodic returns to the CBN setting out the volume of transactions; value of transactions; number of users; success rates; failure rates; security incidents; fraud incidents; and downtime reports.
5. Data Management: All APs and ACs are expected to have a Data Governance Policy which is to be approved by their Board of Directors. The policy is expected to ensure that data is well managed and fulfils all legal and regulatory requirements.
In addition, a Data Ethics Framework is to be put in place setting out the principles for the acquisition, collection, collation, analysis, use, and sharing of personal data.
APs and ACs are at all times subject to the Nigerian Data Protection Regulation and any CBN-issued data protection regulation for Financial Institutions.
6. Anti-Money Laundering (“AML”) And Combating The Financing Of Terrorism (“CFT”): According to the Guidelines, APs and ACs are mandated to comply with the extant Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) in Banks and Other Financial Institutions in Nigeria Regulation.
7. Information Security: APs and ACs are expected to comply with security principles set out in the Guidelines so as to protect the confidentiality, integrity and availability of information and data in the open banking system.
With the Guidelines, we expect that Fintechs will be empowered to innovate and improve financial services in Nigeria. Nonetheless, it is important that customers understand that their consent must be obtained prior to ACs and APs accessing their data and also understand their rights under the Guidelines.