Open Banking has emerged in the financial services ecosystem as a transformative concept, empowering individuals to share their financial data with authorized third-party providers (TPPs) for enhanced financial management and innovation. Recognizing the potential of Open Banking to revolutionize the Nigerian financial landscape, the Central Bank of Nigeria (CBN) issued the “Regulatory Framework for Open Banking in Nigeria” in 2021, followed by the “Operational Guidelines for Open Banking in Nigeria” in 2023 to guide the operations and implementation of the Open Banking financial regime.
These guidelines lay the foundation for a secure and regulated Open Banking ecosystem, fostering collaboration between banks, TPPs, and customers. However, as with any transformative technology, Open Banking presents a unique set of legal implications and risks that require careful consideration and mitigation strategies.
This article will discuss the legal implications of Open Banking in Nigeria, exploring the opportunities it unlocks while addressing the potential risks. Specifically, the focus will be on the CBN’s 2023 Operational Guidelines for Open Banking (the “Guidelines’’), examining their role in shaping the legal landscape and ensuring responsible Open Banking practices.
What is Open Banking?
Open Banking is the arrangement that enables the customer to grant permission to their bank or financial service provider to share their financial details with other entities in the financial services system, such as other banks and third-party financial service providers (TPPs). This sharing of information aims to facilitate the creation of customer-centric services and financial products. The technology driving open banking is known as the Application Programming Interface (API). APIs are a set of protocols and tools that allow the smooth transfer of data. Through APIs, participating banks and financial institutions can access information about financial products, services, personal details, transaction history, credit score, income ratings, and more customers from other participants.
2023 CBN Operational Guidelines for Open Banking
In March 2023, the CBN introduced the Operational Guidelines for Open Banking, which is a framework that regulates customer financial data transfer between banks and Third-Party Providers (TPPs) in Nigeria. These guidelines rest on key principles, which emphasize the significance of explicit and revocable customer consent for sharing financial data. A central focus is on data security, requiring banks to implement robust measures to protect customer information and imposing stringent security requirements on TPPs. Customer privacy is also prioritized, with both banks and TPPs obligated to comply with applicable data privacy laws and regulations. Furthermore, the Guidelines aims to protect consumers by mandating clear, transparent information about Open Banking services and ensuring prompt and fair handling of customer complaints. Lastly, the framework promotes fair competition by granting equal access to customer financial data for all TPPs, contingent upon customer consent. This comprehensive approach is aimed at creating a secure, private, and consumer-friendly environment within the Nigerian financial sector.
Opportunities in Nigeria
The CBN’s Operational Guidelines for Open Banking is expected to be a pathway to opportunities that revolutionizes the Nigerian financial sector. The Guidelines are expected to:
1. Enhance Financial Inclusion: Open Banking empowers individuals to access financial products and services tailored to their specific needs, regardless of their financial background or location. This promotes financial inclusion and facilitates broader participation in the financial ecosystem.
2. Promotion of Competition and Innovation in the Financial Sector: Open Banking breaks down barriers to entry for new players in the sector, fostering competition and driving innovation. TPPs can leverage customer-permissioned data to develop novel financial products and services, challenging traditional banking models and enhancing customer choice.
3. Development of Customer-Centric Financial Products and Services: By enabling TPPs to access customer-permissioned data, Open Banking facilitates the development of personalized and data-driven financial products and services that caters to individual needs and preferences.
4. Improved Efficiency and Reduced Costs in Financial Services Delivery: Open Banking streamlines financial processes, reduces transaction costs and enhances operational efficiency. This optimization benefits both customers and financial institutions, leading to improved and efficient delivery of financial services.
Key legal implications of Open Banking in Nigeria
1. Data Ownership and Control
a. Customer Consent: Open banking is based on the principle of customer consent. Customers must explicitly agree to share their financial data with TPPs. This consent must be informed, freely given and revocable at any time.
b. Data Ownership: Customers retain ownership of their financial data, even when they share it with TPPs. TPPs are not allowed to sell or monetize customer data without the customer’s explicit consent.
c. Data Sharing Limits: Customers can control the scope of data they share with TPPs. They can choose to share only specific types of data, such as transaction data or account balances, or they can share all their financial data.
2. Data Security and Privacy
a. Data Protection Laws: TPPs must comply with all applicable data protection laws, including the Nigeria Data Protection Act (NDPA),2023 and the Nigerian Data Protection Regulation (NDPR),2019. This means that they must implement appropriate security measures to protect customer data, minimize data collection, and ensure that data is processed only for purposes for which it was collected.
b. Security Standards: TPPs must adhere to strict security standards when accessing and storing customer data. This includes using strong encryption, implementing access controls, and regularly monitoring their systems for vulnerabilities.
c. Data Breach Notifications: TPPs must promptly notify the CBN and affected customers of any data breaches. They must also take steps to mitigate the impact of data breaches and prevent future breaches.
3. Fair Competition
a. Open Access to Data: Open banking promotes fair competition by giving TPPs access to customer data that would otherwise be held exclusively by banks. This allows TPPs to develop innovative products and services that compete with traditional banks.
b. Interoperability: Open banking promotes interoperability by requiring banks to provide TPPs with access to customer data through standardized APIs. This makes it easier for TPPs to connect with banks and develop new products and services.
c. Non-Discriminatory Pricing: Banks are prohibited from discriminating against TPPs in terms of pricing or access to data. This promotes fair competition.
4. Consumer Protection
a. Transparency: TPPs must provide clear and transparent information to customers about their data practices. This includes information about what data is collected, how it is used, and how it is shared.
b. Accountability: TPPs are accountable to the CBN for their compliance with the Operational Guidelines for Open Banking in Nigeria. The CBN has the power to take enforcement actions against TPPs that violate the Guidelines.
c. Dispute Resolution: The CBN has established a complaint handling process and a mediation mechanism for resolving disputes between customers and TPPs. This helps to ensure that customers have a fair and efficient way to resolve complaints.
5. Intellectual Property
a. Intellectual Property Protection: All intellectual properties of participants in open banking are protected under Nigerian law. These include trademarks, copyrights, patents, etc.
b. Data Rights: TPPs must not acquire any proprietary rights, title or interest in customer data without the customer’s explicit consent.
Mitigating risks associated with Open Banking
Despite the comprehensive Guidelines issued by the CBN, there are still potential risks associated with open banking in Nigeria. These risks include data privacy and security issues (eg. Data breach), cybersecurity threats, operational risk like technical glitches, fraud and unauthorized transactions, etc.
To mitigate these risks, we recommend the implementation of the following measures:
1. Strengthen Data Security and Privacy
a. Implement Robust Security Measures: Banks and TPPs should implement robust security measures to protect customer data, including encryption, access controls, and regular security audits.
b. Educate Consumers on Data Sharing: Raise awareness among consumers about data sharing practices in open banking, emphasizing their right to control their data.
2. Foster Transparent and Accountable Practices
a. Clear and Transparent Communication: Banks and TPPs should provide clear and transparent information to customers about how their data is collected, used, and shared.
b. Establish Data Governance Frameworks: Implement data governance frameworks to ensure responsible data management and accountability throughout the open banking ecosystem.
c. Regular Risk Assessments: Conduct regular risk assessments to identify and address potential vulnerabilities in data security and privacy practices.
3. Continuous Regulatory Oversight and Adaptability
a. Regular Review of Guidelines: Regularly review and update the Operational Guidelines for Open Banking in response to evolving technologies, risks, and consumer needs.
b. Regulatory Collaboration: Collaborate with international regulators to share best practices and address emerging risks in open banking.
c. Promote Open Dialogue: Foster open dialogue among stakeholders, including banks, TPPs, consumer groups, and regulators, to identify and address emerging challenges.
4. Data Protection Implementation
a. Compliance Annual Returns (CAR): Bank and TPPs should ensure to file their CAR yearly in compliance with the NDPA. This way the Banks and TPPs must carry out yearly audits on their data processing measures.
b. Data Protection Implementation Framework (DPIA): Banks and TPPs should compulsorily conduct DPIAs for every new product and service. This is to minimize and predict risk to data privacy associated with such products.
c. NDPA and data privacy principles: Banks and TPPs are to strictly implement data protection principles and the provisions of the NDPA. They are to implement and periodically review data policies and processes within the organizations.
By implementing these risk mitigation strategies, Nigeria can foster a more secure, transparent and consumer-centric open banking ecosystem, harnessing the benefits of innovation while minimizing potential risks.
Conclusion
Open Banking is an innovative and emerging product in the finance ecosystem that utilises data mining and personal financial information transfer between authorized parties. The CBN Guidelines is an adaptive framework that regulates the Opening Banking landscape, manages risks, and ensures that data transfers are done within a regulatory safe space. Open Banking operations within properly regulated means will change the financial market for Nigeria and place Nigeria as a top business environment.
Ozioma Agu is a Partner and the Team Lead of the Energy, Finance, & Infrastructure Practice Group at Stren and Blan Partners; Chizitereihe Oti is an Associate in the Corporate Services and Energy, Finance & Infrastructure Practice Groups; and Kolajo Onasoga is an Associate in the firm’s Energy, Finance, & Infrastructure Practice Group.
Stren & Blan Partners is a full-service commercial Law Firm that provides legal services to diverse local and multinational corporations. We have developed a clear vision for anticipating our clients’ business needs and surpassing their expectations, and we do this with an uncompromising commitment to Client service and legal excellence.
