The Central Bank of Nigeria (the “CBN”), in an attempt to provide an enabling regulatory environment for the provision of innovative and customer-centric financial services, issued the Regulatory Framework for Open Banking in Nigeria (the “Framework”) on February 17, 2021. Prior to the issuance of the Framework, banks operated in a closed ecosystem with exclusive access to customer information, locking out innovators and forcing customers to rely solely on the digital channel offerings of their respective banks. With the issuance of the Framework, the financial services space in Nigeria will experience the simplification and integration of multiple and complicated financial services.
In light of the growing need for the integration of banks and other financial institutions with innovators and customers in the financial services space, and the increasing adoption of Application Programming Interface (“API”) based integrations in the industry, the Framework has become fundamental to filling this gap and driving innovation in the financial services sector. Hence, the purpose of the Framework is to enhance financial inclusion and foster the sharing and leveraging of data with third-party financial services firms to build solutions and services that provide efficiency, greater financial transparency, synchronization and options for account holders across Nigeria to interoperate within the Nigerian financial system.
Given that the Framework seeks to achieve ease of access to data for third parties and innovators, financial institutions can expand their addressable market, achieve product diversity, commercialize core systems and encourage flexible financial options that will be beneficial to customers and in line with international best practices adopted in other jurisdictions in relation to open banking.
We note that the Framework covers banking and other related financial services such as:
- Payments and remittance services;
- Collection and Disbursement services;
- Personal finance advisory and management;
- Treasury Management;
- Credit ratings/scoring;
- Leasing/Hire purchase; and
- Other services as may be determined by the Bank.
A. CATEGORIZATION OF PARTICIPANTS AND DATA EXCHANGE
It is important to note that under the Framework, not every participant has access to all the categories of information made available. Participants in the Framework are categorized based on their Risk Management (“RM”) Maturity Level and the data that may be exchanged. The corresponding API services that may be implemented and used by participants are dependent on the RM Maturity Level. The data categories are set out below:
- Product Information and Service Touchpoints (“PIST”): Information shared under this category has a low-risk rating and can be accessed by participants across all the Tiers. It includes information on products provided by participants to their customers and access points available for customers to access services e.g. ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc.
- Market Insight Transactions (“MIT”): Information shared under this category has a Moderate-risk rating and can be accessed by participants across all Tiers excluding Tier 0 participants. It includes statistical data aggregated on the basis of products, services, segments, etc., and is not associated with any individual customer or account. This data may be exchanged at an organisational level or at an industry level.
- Personal Information and Financial Transaction (“PIFT”): Information shared under this category has a High-risk rating and can be accessed by participants across all Tiers excluding Tier 0 participants. It includes data at the individual customer level, either general information on the customer (e.g. KYC data, total number or types of accounts held, etc.) or data on the customer’s transactions (e.g. balances, bill payments, loans, repayments, recurring transactions on the customer’s accounts, etc.).
- Profile, Analytics and Scoring Transaction (“PAST”): Information shared under this category has a High and Sensitive-risk rating and is only available to Tiers 1 & 2. It includes information on a customer which analyses, scores or gives an opinion on the customer, e.g. credit score, income ratings, etc.
B. GUIDING PRINCIPLES FOR API SPECIFICATIONS
Under the Framework, the CBN commits to regulating the development of a common Banking Industry API standard with a technical design standard, data standard, information security standard and operational rules, and also states that the development of a common API standard by the industry and/or by participants shall adhere to the following principles:
i. Openness: accessible to all interested and permissioned parties
ii. Reusability: premised on existing standards and taxonomy of technology
iii. Interoperability: supports exchange of objects across technologies, platforms, and organisations
iv. Modularity: loose coupling with provision for flexible integration
v. Robustness: scalable, improvable, evolvable and transparent
vi. User-Centric: enhances user experience for consumers
vii. Security: ensures data privacy and safe exchanges and transactions
Under the Framework, the CBN also provides for Technical Design, Data and Information Security specifications, outlined in Appendix 1 of the Framework as well as Guidelines for the Operational Rules of the API.
C. ROLES AND RESPONSIBILITIES OF PARTICIPANTS
Participants may assume any of the following roles under the Framework:
- Provider: A provider is a participant that uses API to avail data or service to another participant. The role of the Provider is to publish the APIs and define the requirements and technical guidelines as well as the data and services accessible through the APIs. The Provider establishes the Data Access Agreement and Service Level Agreements (to be revalidated annually) with other participants and carries out Know Your Partner (KYP) due diligence on partner participants which shall include a comprehensive risk assessment on the partner. The Provider shares responsibility with the partner participant for any loss to the end-user which did not arise from the wilful negligence or fraudulent act of the end-user and ensures that the partner participant that owns the customer interface obtains consent of the end-user based on agreed protocols, complying with data privacy laws and regulations. The Provider is required to maintain a customer service/complaint desk on twenty-four (24) hours/ seven (7) days a week basis for financial institutions to resolve complaints of end-users.
- Consumer: A consumer is a participant that uses API released by the providers to access data or service. In compliance with data privacy laws and regulations including the Nigerian Data Protection Regulations (“NDPR”), the Consumer must obtain the consent of the end-user on each action that may be performed on the account of the end user as specified by the provider; specifying to the end-user, the implications of the consent to be given and the actions to be performed. The consumer is required to cooperate with the Provider for the regular monitoring of its control environment; implement any remedial actions as may be indicated by the Provider based on vulnerabilities discovered through the monitoring of its control environment; and collaborate effectively with the Provider to investigate any breach or fraud. The requirement to maintain a customer service/complaint desk on twenty-four (24) hours/ seven (7) days a week basis for financial institutions to resolve complaints of end-users also extends to consumers.
- FinTechs: These include companies that provide innovative financial solutions, products and services. The Framework recognises that FinTechs may be either Consumers or Providers of APIs and are required to assume the responsibilities of either consumer or provider depending on the role played at the relevant time. In addition, FinTechs are required to leverage APIs to innovate products and solutions that are interoperable; avoid alteration of APIs published by a provider without the consent of the provider; comply with data privacy laws and regulations; and maintain a customer service/complaint desk on a twenty-four (24) hours/seven (7) days a week basis for financial institutions to resolve complaints of end-users. Any modification of published APIs should be based on the provisions of the Data Access Agreement or an addendum to the agreement, as applicable.
- Developer Community: This includes individuals and entities that develop APIs or provide programming services for other participants. The Developer Community is required to execute service agreements with the partner participant outlining the participant’s business requirement and technical guidelines; employ secure coding and development standards and practices; and maintain strict avoidance of interaction with the production server of the partner participant.
- Central Bank of Nigeria: The CBN has the oversight of the implementation and operations of Open Banking in Nigeria as well as the responsibility for the review and enforcement of the Framework. It also arbitrates disputes among participants before any litigation or commencement of Judicial process. The CBN is required to develop Common Banking Industry API Standards within twelve (12) months of the issuance of the Framework and maintain an Open Banking Registry.
In addition, the Participants are required to adhere to the Risk Management principles under the Framework, including but not limited to having information technology and information security policies; and a risk management framework that address APIs; a designated Chief Risk Officer who shall be responsible for implementing effective internal control and risk management practices; updated API Risk catalogues and API Process Control Mapping and Risk Control Matrix.
D. CUSTOMER RIGHTS, RESPONSIBILITIES AND REDRESS MECHANISM
The full implementation of open banking in Nigeria will, however, push customer confidentiality further down the order of business. In light of this, the CBN has to ensure the thorough implementation of end-to-end regulations and guidelines on how open banking will be operated, by ensuring that participants have adequate security measures in their infrastructure, ready to address technical or systemic challenges as they arise.
Therefore, under the Framework, the protection of the customer is the responsibility of all the participants. Participants are therefore required to adhere to the provisions of the Consumer Protection Framework of the CBN in their dealings with customers, as well as data privacy laws and regulations, particularly the NDPR. Amongst the additional requirements imposed by the Framework, agreements presented to the customer by the participant must be simple, explicit and in the customer’s preferred language, and in the customer’s preferred form, including written, electronic, video or audio form. The customer’s consent is required to be obtained in the same form in which the agreement was presented, and a copy of the customer’s consent must be made available to the customer and preserved by the participant. The specific rights which the customer will be granting to the participant, as well as the implications of granting those rights, should be listed for the customer to consent to separately. Under the Framework, the consent of the customer must be re-validated annually, and also where the customer has not used the service of the partner for One Hundred and Eighty (180) days.
With the rapidly evolving banking sector, open banking, which seeks to achieve greater bank data availability and help drive innovation, is set to positively transform the mode of business operations in Nigeria. Aside from the potential benefits of this innovative approach by the CBN to financial institutions (including but not limited to data sharing, financial accessibility and product innovation), the implementation of the Framework will significantly improve the ease of operating businesses in Nigeria and ultimately attract foreign investment. Given that ease of access to data raises confidentiality and privacy concerns, it is commendable that the Framework requires participants to comply with all data privacy laws and regulations, including the NDPR. It is hoped that the CBN will ensure that mechanisms are put in place to ensure compliance by the participants.
This update is for general information purposes only and does not constitute legal advice. If you have any questions or require any assistance or clarification on how these measures could apply to you or your business, please contact the persons listed below.