by Chiamaka N. Anyanwu
On March 7, 2023, the Central Bank of Nigeria (CBN), in furtherance of its mandate for the stability and deepening of the financial system, issued operational guidelines on open banking in Nigeria. According to the CBN, these guidelines are expected to foster the sharing of customer-permissioned data between banks and third-party firms to enable the building of customer-focused products and services. Earlier, in February 2021, the CBN had issued the Regulatory Framework for Open Banking in Nigeria in its efforts to enhance competition and innovation in the banking system. The introduction of these regulations has made Nigeria the first country in Africa to adopt open banking regulations. In reviewing these guidelines, we shall discuss their scope, objectives, and some of their highlights.
WHAT IS OPEN BANKING?
Open Banking is a system that provides third-party access to financial data through the use of application programming interfaces (APIs). In clearer terms, it is a system that allows banks and other financial institutions to open up data for regulated providers to access, use and share. In essence, it is the sharing of financial data.
The objectives of these guidelines are:
- To provide clear responsibilities and expectations for the various participant categories
- To ensure consistency and security across the open banking system
- To stipulate safeguards for financial system stability under an open banking regime
- To promote competition and enhance access to banking and other financial services
- To outline minimum requirements for participants.
SCOPE OF THE OPEN BANKING GUIDELINES
These guidelines apply to all banks and other related financial service providers. Typically, this means any organization holding customer data that may be exchanged with other entities for the purpose of providing innovative financial services within Nigeria. We shall now highlight some of the notable provisions in these guidelines.
1. Categories of Data
The guidelines have carefully listed the categories of data that can be shared and also the risk rating applicable to each category. These categories include Product Information and Service Touchpoints (PIST) which is rated Low Risk, Market Insight Transactions (MIT) which is rated Moderate Risk, Personal Information and Financial Transaction (PIFT) which is rated High Risk, and Profile, Analytics and Scoring Transaction (PAST) which is rated High Risk and Sensitive.
2. Participants
The entities participating in this open banking system have been categorized based on the services being rendered. API Providers are responsible for using APIs to make data or services available to another participant. An example of an API Provider is Stears Data. API Consumers make use of the released APIs to access data or services. Lastly, the consumers are the data owners, who are required to grant consent for the use of their data for accessing financial services. The responsibilities of each category are also set out in the guidelines.
3. Open Banking Registry
The guidelines have introduced the use of an Open Banking Registry (OBR) which is expected to serve as an inventory of APIs in the open banking ecosystem. The OBR will be responsible for maintaining an API interface that will aid API providers in handling the registration of their API consumers. Basically, it will help in enhancing transparency in the operations of open banking and also provide regulatory oversight on participants. In addition, the OBR will be a public inventory for registered participants in the ecosystem as each participant will be identified by its business registration number issued by the Corporate Affairs Commission (CAC).
4. Consent Management
Due to the CBN’s concern with consumer privacy, it has mandated that consent be obtained from all customers whose data are required to use the open banking products and services. The guidelines emphasize each participant’s duty to ensure that their customers are always informed of requests to access data or funds from their account, the data to be shared and with whom, and the duration for which these parties will maintain access to the information. In addition, the guidelines stress that users must retain the right to grant consent, revoke previous consent, or decline data-sharing requests. They also cover important requirements for the consent, authentication, and authorization stages in the Open Banking user journey.
5. Legal Agreements
The guidelines require participants to execute Master Agreements which consist of a Data Access Agreement and a Service Level Agreement. The components of these agreements are provided in these guidelines and participants are expected to comply with them. These agreements are mandatory and must be executed before the commencement of any open banking activity between participants.
6. Data Privacy and Security
The guidelines place a high priority on ensuring that all participants have the most stringent data security procedures. They make provision for a data governance policy, data ethics framework, data privacy, information security, and data breach policy, as well as some consumer protection regulations that must be adhered to.
The above are some of the highlights of the operational guidelines on open banking. For all parties involved in innovation, regulation is a crucial component. We believe that these guidelines are the first step in a significant journey that will have a positive impact on our financial sector.