One Week, One Circular: Examining the CBN's Latest Guidelines on Open Banking.
It would seem that players in Nigeria's financial sector are inundated with one regulation after another from the apex regulator, the Central Bank of Nigeria. Much like Wilson Tagbo, the protagonist in Anezi Okoro's novel One Week One Trouble, banks and other financial institutions in Nigeria cannot escape the many regulations of the apex authority, which often come in the form of circulars. In recent times, Nigeria's apex bank has issued circulars on issues ranging from the Naira re-design policy, to the review of the tenure of senior management and non-executive directors of deposit money banks, to the guidelines for open banking in Nigeria. While some of these circulars (the naira redesign policy, for instance) have brought untold hardship on both players in the financial sector and ordinary citizens, others, like the guidelines for open banking, are genuinely innovative and, if properly implemented, can foster growth in the financial services sector. The many regulations of the Central Bank of Nigeria aside, the focus of today's newsletter is the Central Bank of Nigeria's Guidelines for Open Banking.
In February 2021, the Central Bank of Nigeria (CBN) issued the regulatory framework for open banking in Nigeria. The framework set out principles on the data and service categories for the exchange of customer data, guiding principles for API specifications, and risk management. More recently, the CBN also issued the Guidelines for Open Banking in Nigeria. Before examining the contents of the Guidelines, what is open banking? Open banking is a practice that allows third-party financial service providers to access financial data held by banks and other financial institutions through Application Programming Interfaces (APIs). In open banking, service providers employ technology to build applications through which they can access and use customer data to provide a wider array of banking services. Open banking, as opposed to the closed model, allows data to be shared between different players in the banking and finance ecosystem, with the consent and authorization of the customer.
A key component of the open banking system is the Application Programming Interface (API). An API is simply a software intermediary that allows two or more applications or computer programs to communicate with each other. It is one of the most popular ways of integrating computer systems and is employed in many systems and processes that make our lives easier. For example, many debit cards rely on APIs that are universally accepted, so that cardholders can make withdrawals at different cash points. In the Nigerian market, the banking and financial services space has seen an increase in the number of financial technology firms offering innovative financial services. However, these fintechs have increasingly faced challenges in integrating with traditional banks. Given the trends in the financial services industry, there is clearly a need to foster cooperation between fintechs and traditional banking institutions by linking financial networks. Countries like Singapore, for example, have launched an API exchange and taken advantage of APIs to create platforms that promote financial inclusion and innovation.
Prior to the issuance of the Open Banking Guidelines, many fintechs in Nigeria had to integrate with each bank individually, a long and complicated process with no guarantee of success. Thus, there was an obvious need for a standard framework to enable financial service providers to integrate and communicate seamlessly across the board. The Guidelines, in addition to the earlier released framework for open banking in Nigeria, establish the principles and security standards that participants in the industry must adhere to when sharing customer data. Under the Guidelines, every organization that has access to customer data which may be exchanged with other entities for the purpose of providing financial services in Nigeria is eligible to participate in the open banking ecosystem. Participants can be either API providers, meaning that they provide data to other parties, or API consumers, meaning that they make use of the APIs released by API providers to access data.
The Guidelines, in addition to the framework, provide different access levels depending on the type of institution in question. Participants without a regulatory licence are assigned a tier zero maturity level and can only access data categorized as Product Information and Service Touchpoints (PIST) (e.g. service codes, fees, charges, website addresses, etc.) and Market Insights Transactions (MIT), such as statistical data. Tier 1 participants are participants in the CBN's regulatory sandbox program. They can access data categorized as PIST and MIT, and can also access Personal Information and Financial Transaction (PIFT) data, such as data on a customer's transactions, recurring transactions, type of account held, etc. Tier 2 participants are licensed Payment Service Providers and other financial institutions. They can access data categorized as PIST, MIT and PIFT, and can also access Profile Analytics and Scoring Transaction (PAST) data, which includes information and analysis on a customer's account, such as the customer's credit score and income ratings. Tier 3 participants are deposit money banks, and they can access data categorized as PIST, MIT, PIFT and PAST. Tier 2 and Tier 3 participants shall hold a valid licence from the Central Bank of Nigeria, and they must also complete a Satisfactory Risk Assessment Report by at least two partner participants, addressing their risk management practices and financial strength analysis. All participants shall be listed on the open banking registry.
Section 6.0 of the Guidelines mandates the Central Bank of Nigeria to provide and maintain an open banking registry for the industry, in order to provide regulatory oversight of all participants. Each participant is identified by its CAC business registration number, and the registry shall maintain an API interface through which API providers manage the registration of API consumers. Section 8.1.2 of the Guidelines mandates API providers (APs) and API consumers (ACs) to execute a Service Level Agreement (SLA) which will govern the relationship between the parties. The SLA shall specify accounting and settlement issues between the parties, the fee structure, and the reconciliation of bills. The Guidelines also provide for the implementation of monitoring processes to monitor the performance of the APIs and collect performance metrics for all API transactions.
It must be mentioned that among the biggest risks of an open banking system are privacy breaches, data security failures, cybercrime, and fraud. Beyond the bank or financial institution itself, there is also the risk that an authorized third party may suffer a breach and inadvertently expose customer data to attack. Thus, the Guidelines specifically address incident management. Incidents are classified as functional, performance, or systemic. The ACs and APs are required to maintain a problem register, which shall be made available to regulators, auditors, and the risk and control teams within the organization, and which shall record the date and time a problem was discovered, the characteristics of the problem, the interim measures applied to manage the problem while keeping the system operational, and documented plans for a resolution or a description of the intended solution. The Guidelines also mandate the APs and ACs to provide secure, real-time communication platforms to be used for incident reporting and management.
Another key provision of the Guidelines is the consent management provision. Firstly, customers whose data is to be processed must grant consent. Seeing as the entire concept of open banking is centered around the exchange of data, data protection is a key issue that should be addressed in any open banking regulation. Section 9 of the Guidelines sets out the principles for data information and treatment in the open banking ecosystem. Participants in the ecosystem are required to have a data ethics framework that provides principles for the acquisition, collection, collation, analysis, use, and sharing of personal data, and a data breach policy to monitor and prevent risks and to prepare for incidents of breach. The APs and ACs are also required to comply with the provisions of the Nigerian Data Protection Regulation (NDPR) as they relate to the protection of the rights of data subjects and the use and collection of data.
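The tiered access model and the consent requirement described above amount to a policy that an API provider must enforce on every data request. The following is an added illustration, not code from the newsletter or from the CBN, of a deny-by-default decision function that encodes the four tiers, the licence and risk-assessment conditions for Tier 2 and Tier 3, the registry listing requirement, and a per-customer consent check. The participant fields (`tier`, `cbn_licensed`, `risk_assessments`, `in_registry`), the consent store, and the assumption that only PIFT and PAST data concern an identifiable customer are modelling choices made here; the sample participants and consents are constructed.

```python
"""Added example: deny-by-default authorization for open banking data
requests, modelled on the tiers and consent rule described in the text.
Field names and sample data are assumptions made for this illustration."""

from dataclasses import dataclass, field

# Data categories named in the Guidelines.
PIST = "PIST"  # Product Information and Service Touchpoints
MIT = "MIT"    # Market Insights Transactions
PIFT = "PIFT"  # Personal Information and Financial Transaction
PAST = "PAST"  # Profile Analytics and Scoring Transaction

# Categories each maturity tier may access, as described in the text.
TIER_CATEGORIES = {
    0: frozenset({PIST, MIT}),
    1: frozenset({PIST, MIT, PIFT}),
    2: frozenset({PIST, MIT, PIFT, PAST}),
    3: frozenset({PIST, MIT, PIFT, PAST}),
}

# Assumption: these categories concern an identifiable customer and so need consent.
CUSTOMER_DATA = frozenset({PIFT, PAST})


@dataclass(frozen=True)
class Participant:
    cac_number: str            # CAC business registration number (registry identifier)
    tier: int                  # maturity tier 0..3
    cbn_licensed: bool = False # holds a valid CBN licence
    risk_assessments: int = 0  # satisfactory risk assessment reports by partner participants
    in_registry: bool = False  # listed on the open banking registry


@dataclass
class ConsentStore:
    """customer id -> set of (consumer CAC number, category) the customer authorised."""
    grants: dict = field(default_factory=dict)

    def has_consent(self, customer, consumer_cac, category):
        return (consumer_cac, category) in self.grants.get(customer, set())


def eligibility_problems(p):
    """Return the reasons a participant is not eligible to operate at its tier."""
    problems = []
    if p.tier not in TIER_CATEGORIES:
        problems.append("unknown tier")
    if not p.in_registry:
        problems.append("not listed on the open banking registry")
    if p.tier in (2, 3):
        if not p.cbn_licensed:
            problems.append("tier 2/3 requires a valid CBN licence")
        if p.risk_assessments < 2:
            problems.append("tier 2/3 requires satisfactory risk assessment "
                            "by at least two partner participants")
    return problems


def authorize(consumer, category, customer=None, consents=None):
    """Decide whether an API consumer may receive `category` data.

    Returns (allowed, reason). Every check must pass; anything unknown is denied.
    """
    problems = eligibility_problems(consumer)
    if problems:
        return False, "; ".join(problems)
    if category not in TIER_CATEGORIES[consumer.tier]:
        return False, f"tier {consumer.tier} may not access {category}"
    if category in CUSTOMER_DATA:
        if customer is None or consents is None or \
                not consents.has_consent(customer, consumer.cac_number, category):
            return False, f"no customer consent for {category}"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample participants and a constructed consent record.
    unlicensed_fintech = Participant("RC-000001", tier=0, in_registry=True)
    sandbox_fintech = Participant("RC-000002", tier=1, in_registry=True)
    psp_without_licence = Participant("RC-000003", tier=2, risk_assessments=2, in_registry=True)
    bank = Participant("RC-000004", tier=3, cbn_licensed=True, risk_assessments=2, in_registry=True)
    consents = ConsentStore({"cust-1": {("RC-000002", PIFT), ("RC-000004", PAST)}})

    for who, cat, cust in [(unlicensed_fintech, PIST, None),
                           (unlicensed_fintech, PIFT, "cust-1"),
                           (sandbox_fintech, PIFT, "cust-1"),
                           (sandbox_fintech, PAST, "cust-1"),
                           (psp_without_licence, PIST, None),
                           (bank, PAST, "cust-1")]:
        print(who.cac_number, cat, authorize(who, cat, cust, consents))
```

The order of checks matters: eligibility (registry, licence, risk assessments) is evaluated before the category, and consent is evaluated last, so a rejected request never reveals whether a particular customer has granted consent to a participant that should not be asking in the first place.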
The issuance of the Guidelines is a laudable feat, as it positions Nigeria to become the first African country to do so; however, the adoption of an open banking regime is not without its own peculiar issues. It is expected that most financial institutions (particularly traditional institutions) will be skeptical about any framework which involves sharing data, a valuable organizational asset. Sharing confidential customer information could potentially expose a company to competitors, and it also raises concerns about the acceptable standards for the use of data obtained from customers. These challenges aside, companies and businesses which provide financial services need to explore consumer data, particularly with respect to commercial parties and third-party products offered to bank customers. Finally, it is important to state that by making data and systems available to third parties, financial institutions can expand their market, achieve product diversity, and commercialize core systems.
P.S.: At the time of publishing this newsletter, the CBN has released a regulatory framework for agent banking in Nigeria.