The financial services and financial technology sectors in Africa have witnessed unprecedented growth in recent years. This growth is driven by the peaking of innovation and deployment of new technology, the rapid emergence of start-up fintech companies and the flow of global capital into Africa’s emerging financial technology market. This growth has created a natural demand for democratized access to customer/financial data, which is critical to the development of products and financial solutions tailored to closing Africa’s financial inclusion gap by lowering the barrier to entry and cost of product development through digital integration with existing market infrastructure.
OPEN BANKING IN SIMPLE TERMS
Open Banking is the free sharing of customer-approved financial data through Application Programming Interfaces (APIs), within the boundaries of applicable data privacy rules and restrictions, and specifically for the purpose of enabling the development of more personalized products/solutions by financial service providers.
This represents a significant shift from the hitherto closed model, where traditional banks controlled and dominated access to financial data generated from their historical relationships with their customers, to a more open model characterized by seamless sharing of data amongst stakeholders in the banking ecosystem, with the intention of allowing non-traditional service providers to create technology-driven solutions that address key problems such as access to credit, money transfer, payments solutions, savings, investment, and other forms of personal finance needs.
An API is a simple and standardized interface which enables technology platforms to be integrated and to seamlessly request and transfer data in a controlled manner. The open banking system recognizes that while customer data may be in the possession of a service provider, the ownership and control of such data should remain with the customer. As such, usage ought not to be at the whims of the service provider but completely within the control of the data subject, who is at liberty to authorize the free sharing of such data with any third party. The forms of financial data available for sharing within the open banking framework include basic KYC information, product preference/usage data, credit history and transaction history, amongst others.
A CASE FOR OPEN BANKING REGULATION IN AFRICA
With financial inclusion on the Continent remaining significantly below the global average (more than 50% of Africa’s adult population are either unbanked or underbanked), there is no question that the adoption of Open Banking will enable financial innovation at a scale and speed that gives wings to Africa’s Financial Marketplace to truly take off.
Sitting right at the epicenter of the Open Banking innovation is access to financial data (specifically personal financial data). This therefore heightens data privacy concerns, as it remains difficult to leave data access decisions solely in the hands of data subjects who may not be educated or adequately aware of the privacy implications of this permissive flow of data, making them easily susceptible to data breaches and manipulation. On the other hand, with the underlying financial market integration which Open Banking enables, the safety and integrity of the APIs also carry significant security exposure at a magnitude that could be systemic. Hence, active regulation remains not just desirable but very critical to preserving and protecting the integrity of our burgeoning digital financial market and the over 300 million unbanked/underbanked population in Africa which it seeks to attract.
NIGERIA ADOPTS A POSTURE OF MANDATORY REGULATION OF OPEN BANKING
Nigeria is the first country to adopt a holistic regulatory framework for open banking following the exposure of the Central Bank of Nigeria’s (“CBN”) Open Banking Regulation in March 2023, which primarily seeks to establish a framework for collaboration and information sharing within the Financial Services ecosystem. Many other countries in Africa have adopted a supportive regulatory approach instead, which principally provides operational frameworks that serve as mere practice standards which are either not codified or not mandatory to comply with. Some others have adopted a neutral approach where data sharing is fully democratized in the hands of market participants and stakeholders who freely determine the terms that will govern the sharing of data, albeit within the safeguards of existing data privacy regulations.
Nigeria’s open banking regulation establishes standards for Application Programming Interface design, security, functionality, data collection, storage, and sharing requirements across integrated banking and financial services channels, information categorization, risk rating and security specification whilst preserving financial system stability through systems safety, data integrity and data privacy assurance.
Whilst the Regulation remains the primary legal framework for Open Banking, the existing data privacy regulations remain safely at the epicenter of the deepening financial technology marketplace as they seek to protect the interest of data subjects whilst penalizing abusive use of personal data.
KEY PROVISIONS IN THE CBN OPEN BANKING REGULATION
- Prescription of the Regulatory Requirements for Operators
The Guidelines prescribe the requirements for participants to operate within the Open Banking ecosystem. Generally, banks are required to provide necessary data oversight and governance functions that ensure compliance by participants with relevant legal and regulatory provisions. The Guidelines further provide that, notwithstanding the responsibilities given to banks, all participants shall be guided by all extant laws relating to data protection, consumer rights and fair practices.
- Establishment of the Open Banking Registry
The Guidelines mandate the establishment of the Open Banking Registry (the “OBR“) by the Central Bank of Nigeria. The Registry will also exercise regulatory oversight over market participants in a manner that enhances transparency by ensuring that only registered institutions operate within the Open Banking ecosystem. The OBR will operate as the singular public repository with market data on registered participants, who shall be identified by their RC numbers as prescribed by the Corporate Affairs Commission (“CAC“).
- Qualification of Eligible Participants
The Guidelines direct that all organizations which possess customer financial data capable of being shared with other entities to provide innovative and more effective financial services within the country are eligible to be participants within the Open Banking ecosystem. The implication is that this broadly admits banks and non-traditional financial institutions within the scope of eligible participants. The Guidelines further divide market participants into the following categories:
- API Providers: Participants that use an API to provide data or service to another Participant;
- API Consumers: Participants that use the API released by the Provider to access data or service;
- Customers: this refers to a data subject whose data is required to be shared or transmitted via an API and who is required to give consent to the exchange and use of his data.
- Data Governance Requirements
The Guideline empowers the CBN to provide data governance oversight and to prescribe regulations and guidelines for dealing with information assets within the ecosystem, whilst mandating all Participants to ensure that all customer-permissioned data to be shared via authorized data exchanges are accurate, up-to-date and complete.
- Consent Management Framework
The Guideline prescribes an entire framework for consent management and customer experience, making it mandatory for participants to procure the prior consent of customers before sharing their data or offering them any form of open banking product or service. The Guidelines provide for three stages of consent management, (1) consent, (2) authentication, and (3) authorization, detailing how consent should be derived, the rights that the data subject has in giving consent, authentication mechanisms, and the guidelines for the authorization to access customer data by API Customers.
- Data Security Requirements
The Guideline sets out the minimum security requirements with which participants must comply. These include layered security, separation of duties, least privilege, zero trust, dual control, need to know and privacy. It also mandates API Providers and their Users to develop, maintain and implement an information security policy, which will ensure efficient allocation of resources, processes, technology, people, and budget towards securing data. It also prescribes the creation of a data breach policy to guide the handling of any data breach through prevention, preparation, assessment, containment, communication, review, recovery, and testing of any incident regarding a data breach.
THE NIGERIAN DATA PROTECTION REGULATION AND OPEN BANKING REGULATION
Nigeria’s first data protection regulation was issued in 2019 by the National Information Technology Development Agency (NITDA). The Guideline clearly emphasizes the need for Participants to comply with extant laws relating to data protection, specifically the NDPR, which represents the primary regulation relating to the protection of data subjects and the exchange of personal data in whatever form.
Whilst the Open Banking regulation deals with the exchange of personal financial data amongst participants within the ecosystem, their operation must comply with the provisions of the NDPR. One such provision is the requirement to obtain consent from a data subject before sharing or processing their data. The NDPR imposes an obligation on the data controller to obtain the consent of the customer whose data is to be collected, and such consent must be obtained without fraud, coercion, or undue influence. Beyond making adequate provision for consent as required under the NDPR, the Guidelines further categorize consent management into three stages (consent, authentication, and authorization) whilst providing guidelines on how consent should be derived, the rights of the data subject to give or withhold consent, permissible authentication mechanisms, and guidelines for the authorization to access customer data by API Customers.
The open banking ecosystem in Africa has certainly taken flight, with countries such as South Africa, Kenya, Nigeria and Ghana recording an unprecedented rate of product development, innovation and adoption across the region’s digital financial services market. That said, strengthening financial systems regulation, risk management and financial data governance remains critical to achieving continuous and sustainable growth in the sector. The introduction of Nigeria’s open banking regulations is bold, audacious and enviable. It is expected that its implementation will be strategic and impactful.