Regulatory Framework for Open Banking in Nigeria – Emerging opportunities for fintechs and financial institutions (Part II)
In the first part of the article, we considered open banking and the effect of Application Programming Interface (API) on banks and fintechs. We also analysed some of the provisions of the Regulatory Framework for Open Banking in Nigeria (“the framework”).
In the concluding part of the article, we examine the categories of financial data as well as data protection and cybersecurity issues that can arise in the use of open banking and APIs.
Categories of financial data
Data and services that can be shared through APIs are categorised with their risk levels as follows:
| No. | Category | Description | Risk level |
|---|---|---|---|
| 1 | Product Information and Service Touchpoints (PIST) | Includes information on products provided by participants to their customers and access points available for customers to access services e.g. ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc. | Low |
| 2 | Market Insight Transactions (MIT) | Includes statistical data aggregated on the basis of products, service, segments, etc. It shall not be associated with any individual customer or account. These data could be exchanged at an organisational level or at an industry level. | |
| 3 | Personal Information and Financial Transaction (PIFT) | Includes data at individual customer level either on general information on the customer (e.g. KYC data, total number or types of account held, etc.) or data on the customer’s transaction (e.g. balances, bills payments, loans, repayments, recurring transactions on customer’s accounts, etc.) | |
| 4 | Profile, Analytics and Scoring Transaction (PAST) | Includes information on a customer which analyses, scores or gives an opinion on a customer e.g., credit score, income ratings etc. | High and sensitive |
Other relevant provisions:
- Risk management – the framework provides that this is the responsibility of all participants. They are therefore expected to have information technology and information security policies and a risk management framework that address APIs, and to designate a Chief Risk Officer who shall be responsible for implementing effective internal control and risk management practices.
- Customer Rights – the agreement that onboards the client must be presented in the customer’s preferred language and his consent must be revalidated annually.
- Liability for loss – Participant and its partner shall be jointly responsible and bear liability for any loss to the customer, except where the participant can prove willful negligence or fraudulent act against the customer.
- Guidance on Operational Rules – Dispute resolution protocols among participants are to be codified for basic operational issues. Operational rules are to also discourage dominant party and anti-competition practices.
The CBN framework is quite comprehensive and, if effectively implemented, could lead to remarkable changes in the banking sector. The key point to note from the framework is that the CBN has sought to provide standards for the safe utilisation and exchange of data and services and has defined data access levels (i.e., what bank data can be shared and who can get it).
However, the successful implementation of open banking is dependent on collaboration between fintechs, banks, NBFIs and the CBN.
Some of the changes that could be introduced by the implementation of the framework include the following:
Competition and innovation
There could be fiercer competition, with larger banks competing for the market with fintechs and smaller banks. This could also see financial institutions trying to outdo one another by deploying better technology, better customer service, higher interest rates and lower costs.
Conversely, financial institutions can use APIs to create a new experience for their customers by assisting them in ways that were previously not possible in the market. For instance, they could help customers who are illiterate better understand financial issues around opening a bank account with voice commands in local languages or pidgin English. For the sophisticated customer, an open banking app could also assist them in determining the most affordable loan facility they can obtain from institutions, taking into consideration the state of their finances.
It will also generate additional revenue for financial institutions in the form of commission or access fees. Open banking conducted via APIs could also consolidate the position of forward-looking fintechs who, via data aggregation, can create detailed customer profiles and offer relevant products to clients for greater engagement.
Ease of banking
Conducting banking activities with traditional financial institutions is sometimes considered stressful. However, with open banking, customers will have consolidated information about all their financial products in a centralised location.
This would reduce time spent in carrying out transactions and minimise the paperwork for onboarding new users to the institutions’ platforms.
Cybersecurity and data protection issues
There are some challenges with open banking, particularly around cybersecurity, data privacy and the resulting liabilities to financial institutions. Data breaches, hacking, phishing scams and malware would have to be taken into consideration when any institution is considering open banking and the use of APIs.
Also, with the Nigeria Data Protection Regulation (NDPR), which bears close resemblance to the European Union GDPR, the legal basis for processing data has to be taken into consideration before the financial records of customers are shared. Direct consent must be obtained from the customer in line with the provisions of the framework, as the failure to do this could lead to dire consequences for the financial institution that shares the data.
The introduction of the CBN framework is a good development which could potentially lead to the improvement in the delivery of financial services in Nigeria.
However, although open banking offers a number of advantages, there are also concerns over the security risks occasioned by the sharing of data. Data protection laws, such as the NDPR, must also be considered by service providers when they are processing the data of consumers.
It is, however, our view that with the engagement of cybersecurity experts, financial service providers and lawyers with experience in data protection and technology, some of the risks can be managed and open banking can thrive in Nigeria.
Davidson Oturu is a Partner of the firm