On the 7th day of March 2023, the Central Bank of Nigeria
(“CBN”) set a record in Africa by releasing the Operational
Guidelines for Open Banking in Nigeria (“Guidelines”), thereby
making Nigeria the first African country to adopt open banking
regulations, particularly in view of the regulatory framework
earlier issued by the CBN (please see our article on this).
We have set out in this article salient provisions in the
Guidelines.
A. WHAT IS OPEN BANKING?
As explained in our earlier article, Open Banking is the banking
practice that grants third-party financial service providers access
(to the extent approved by the customers) to consumer banking
transactions and financial data through the use of Application
Programming Interfaces (APIs).
With Open Banking, Fintechs will be able to provide more
innovative and seamless services to customers. For instance, it
will: (i) allow customers to view and manage their various bank
accounts from one centralized location; and (ii) allow credit
facilities to be granted to customers more quickly, by utilizing
APIs to access information required for the purpose of KYC;
amongst other innovations.
B. WHO ARE THE PARTICIPANTS IN OPEN BANKING?
As previously explained here, the Guidelines categorise
participants as:
- the API Provider (“AP”) i.e. a participant that uses API to
  provide data or service to another participant, e.g. a licensed
  financial institution/service provider, a Fast-Moving Consumer
  Goods (FMCG) company, or a payroll service bureau;
- API Consumer (“AC”) i.e. a participant that uses API released by
  the AP to access data or service. An AC can be a licensed
  financial institution/service provider, an FMCG or a payroll
  service bureau etc.; and
- Customer: the data owner and end-user that may be required to
  provide consent for the release of data for the purpose of
  accessing financial services.
C. WHAT ARE THE KEY PROVISIONS IN THE GUIDELINES?
The following are key provisions to note in the Guidelines:
- Establishment Of an Open Banking Registry (“OBR”): The CBN will
  maintain an Open Banking Registry to provide regulatory oversight
  on participants, enhance transparency and ensure that only
  registered institutions operate within the open banking system.
  Each participant shall be identified by its CAC registration
  number, which will be used as its unique key across the OBR
  ecosystem.
- Execution Of a Service Level Agreement: API providers and API
  consumers who intend to share financial data are expected to
  execute a Service Level Agreement (“SLA”) which meets minimum
  requirements as set out in the Guidelines. SLAs at a minimum
  should include: (i) details of the Accounting and Settlement
  processes; (ii) the fees for the service, which should also be
  set out on their website; (iii) a system for easy reconciliation
  of bills; (iv) service monitoring provisions; (v) incident
  management procedures; (vi) performance monitoring procedures;
  and (vii) key performance indicators.
- Reporting Requirements: The Guidelines also set out reports that
  should be shared amongst APs and ACs. Some of them include the
  number and category of fraud and disputes on their platform;
  changes scheduled for the next month and potential impact; and
  excerpts of its problem register indicating new, existing, and
  resolved problems.
- Submission Of Returns to the CBN: ACs and APs are to render
  periodic returns to the CBN setting out the volume of
  transactions; value of transactions; number of users; success
  rates; failure rates; security incidents; fraud incidents; and
  downtime reports.
- Data Management: All APs and ACs are expected to have a Data
  Governance Policy which is to be approved by their Board of
  Directors. The policy is expected to ensure that data is well
  managed and fulfils all legal and regulatory requirements.
  In addition, a Data Ethics Framework is to be put in place
  setting out the principles for the acquisition, collection,
  collation, analysis, use, and sharing of personal data.
  APs and ACs are at all times subject to the Nigerian Data
  Protection Regulation and any CBN-issued data protection
  regulation for Financial Institutions.
- Anti-Money Laundering (“AML”) And Combating The Financing Of
  Terrorism (“CFT”): According to the Guidelines, APs and ACs are
  mandated to comply with the extant Anti-Money Laundering (AML)
  and Combating the Financing of Terrorism (CFT) in Banks and Other
  Financial Institutions in Nigeria Regulation.
- Information Security: APs and ACs are expected to comply with
  security principles set out in the Guidelines so as to protect
  the confidentiality, integrity and availability of information
  and data in the open banking system.
CONCLUSION
With the Guidelines, we expect that Fintechs will be empowered
to innovate and improve financial services in Nigeria. Nonetheless,
it is important that customers understand that their consent must
be obtained prior to ACs and APs accessing their data and also
understand their rights under the Guidelines.