No financial consumers’ information will be shared on Open Banking in Nigeria without documented consent. The Central Bank of Nigeria (CBN) requires all participants in open banking to strictly comply with security standards for accessing and storing financial consumers’ data.
The Background:
Further to the CBN’s February 2021 Regulatory Framework in Open Banking in Nigeria, the CBN issued Africa’s first Operational Guidelines for Open Banking in Nigeria in March 2023.
The Operational Guidelines for Open Banking in Nigeria and the Regulatory Framework for Open Banking in Nigeria are the twin functional documents for Open Banking in Africa’s most populous nation.
The financial consumers’ consent to Open Banking in Nigeria is a financial technology service – an API-based system that requires an OTP (one-time-token) for verification.
The CBN acknowledges that financial consumers’ information or data was being shared before March 2023. Our Fintech law team recently advised and guided an Other Financial Institution through NIBSS’ (Nigerian Inter-Bank Settlement System) IGREE Services Form.
Following the CBN’s Operational Guidelines for Open Banking in Nigeria, NIBSS has required its partners to execute an IGREE Services Form. NIBSS’ IGREE Services form an API consumer’s doorway to shared information on Open Banking in Nigeria.
The Operational Guidelines on Open Banking describe an API Consumer as a participant that uses API released by the API providers to access financial consumers’ data or services[1].
The Operational Guidelines for Open Banking in Nigeria define an API Provider[2] as a participant that uses API to provide financial consumers’ data or services to the API Consumer.
An API Consumer or API Provider as a key stakeholder in Open Banking in Nigeria may be a licensed financial institution or service provider, an FMCG (fast-moving consumer goods) or other retailers, or Payroll Service Bureau.
We submit that conflicts between the Nigerian Data Protection Regulation 2019 and the Regulatory regimes for Open Banking in Nigeria are resolved in favour of the Open Banking Regulatory Regimes.
Our submission is premised on the provisions of BOFIA (Banking and Other Financial Institutions Act) 2020 that constitutes the CBN as the sole and exclusive regulator of Nigeria’s financial services sectors.
Otherwise, the requirement in the Operational Guidelines for Open Banking that an API Provider or API Consumer may export or share a financial consumer’s data with a non-Nigerian only with the CBN’s consent conflicts with the Federal Attorney-General’s similar rights under the extant provisions of the NDPR 2019.
Financial Consumer’s Consent to Shared Information
Armed with the IGREE Services form as implemented by NIBSS, the API Consumer will receive an embedded link (API) to the API Provider’s platform.
Typically, if a PayCentre Africa’s prospective user wants to sign on as a shared agent under the agency banking framework (POS agent), PayCentre Africa will display a consent form to the user – we assume that PayCentre signed the NIBSS IGREE services form.
The API operator’s consent process for financial consumers’ Open Banking consent requires sending an OTP (one-time-token) to the email or mobile number the financial consumers registered or logged with its financial services provider or bank.
We note that in the event of fraud, a fraudster who has accessed a financial consumer’s SIM or email may complete an Open Banking consent process. Liabilities will depend on a careful loss apportionment.
Once the User consents to PayCentre Africa to access the User’s BVN and specified banking data, PayCentre Africa or other operators would be able to access the data on the API Provider’s platform.
A documented financial consumer’s consent to shared information on Open Banking in Nigeria is the API Consumer’s access card to Open Banking in Nigeria.
Validity of Financial Consumers’ Consent
The validity of a financial consumer’s consent depends on the following:
- identity of the operator that requests the financial consumer’s consent must be displayed at the time of the request;
- the operator’s accreditation/registration number or other valid means of identification in the open banking registry;
- Compliance with an access level to data by service category;
- Specific nature of the request, which shall be explicit and describe (i) the type of access the operator shall have on the customer account in line with access level by data and service category; (ii) the tenor of the consent or the date when the access shall be invalidated; (iii) the frequency of access to the customer information; and (iv) whether the request includes consent to collect data for anonymous/de-identified data analysis;
- Information regarding the process for withdrawal of consent by the customer;
- Information about redundant data including the following touchpoints (a) the operator’s general policy concerning decision-making on the deletion or deidentification of redundant data per extant laws and regulations; and (b) an outline of the customer’s rights to elect for deletion of their redundant data and information on how to exercise such rights.
The process of withdrawing consent must include:
- a statement that the customers can withdraw their consent at any time
- a detailed process for withdrawal of consent by the customer and
- consequences of consent withdrawal.
Layers of Shareable Information in Open Banking in Nigeria
The Regulatory Framework in Open Banking in Nigeria 2021 categorized financial consumers’ shareable information under Open Banking in Nigeria as follows:
- Product Information and Service Touchpoints (PIST): data on products provided by participants to their customers and access points available for customers to access services such as ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc.
- Market Insight Transactions (MIT): statistical data aggregated on basis of products, services and It shall not be associated with any individual customer or account. These data could be exchanged at an organisational level or an industry level.
- Personal Information and Financial Transaction (PIFT): data at the individual customer level, either general information on the customer (namely KYC data, total number or types of accounts held) or data on the customer’s transactions (e.g. balances, bills payments, loans, repayments, recurring transactions on the customer’s accounts).
- Profile, Analytics and Scoring Transaction (PAST): information on a customer that analyses, scores or gives an opinion on a customer such as credit score, or income ratings.
Data and Service Risk Ratings are graded as low, moderate, high, and high & sensitive.
Dispute Resolution and Remedies
The Operational Guidelines for Open Banking in Nigeria 2023 subject every data breach to arbitration provided that the financial consumer may petition the CBN’s CPD (Central Bank of Nigeria’s Consumer Protection Department) under the Consumer Protection Framework 2018.
Opt-out options and graduated information sharing are the financial consumer’s immediate preference should it suffer a change of mind on the sought-for services.
Conclusion
Low financial literacy and regulators’ trust deficit may deal a heavy blow to the adoption of Open Banking among financial consumers in Africa’s most populous country, Nigeria.
Open Banking in Nigeria is a well-conceived policy. Regulatory and compliance failover and failback should be heavily expected. The effects and extents of compliance failback and failover may determine the financial consumers’ response to consent to Open Banking in Nigeria.
The CBN does not incentivize adoption in Nigeria’s banking services. It prefers a take-it-or-leave-it attitude. Financial institutions and fintech operators fail to incentivize and prioritize customers’ patronage – they merely cash out on low financial literacy.
Prioritizing financial consumers’ experience strategy is an effective board’s main business – perhaps the (overburdened) boards of financial institutions and fintech are waiting on the CBN to include customer experience in the checklist.
Open Banking in Nigeria is capable of deepening the gains of Fintech services in Nigeria with the challenges that include data breaches.
[1] Reg. 4.1 (ii), Operational Guidelines for Open Banking in Nigeria, 2022, page 8 <https://www.cbn.gov.ng/Out/2022/CCD/OPERATIONAL%20GUIDELINES%20FOR%20OPEN%20BANKING%20IN%20NIGERIA_APPROVED%20EXPOSURE%20DRAFT.pdf>
[2] Reg. 4.1(i), Op. Cit.