With the arrival of fintechs and other innovators on the banking scene, the way we bank and carry out financial transactions is constantly changing. Some of these developments led to considerations for the creation of a seamless system that would lead to the sharing of financial data through an open banking system.
These developments, facilitated by the European Union’sPayment Services Directive(PSD 2), led to the creation of open banking on the global scene.
WHAT IS OPEN BANKING?
Open banking forms part of the emerging areas within the fintech ecosystem and is presently in use in Europe, the United Kingdom, China, Japan and Singapore.
It grants third-party providers (TPPs) open access to consumer banking, transactions, and other financial data from banks and non-bankfinancial institutions(NBFIs) through the use ofApplication Programming Interface (API).
With open banking, customers can share their financial data with different financial institutions. In order for this to be effected, the institution require the express consent of the customers. Open banking represents a shift from a closed model, where financial institutions operated in silos, to one in which data is shared between different members of the banking ecosystem with authorisation from the customer.
Thus, with open banking, fintechs and banks are able to communicate seamlessly through the networking of accounts and data across institutions for use by consumers, financial institutions, and TPPs.
Open banking will lead to a situation where regardless of how many accounts and financial products a customer has with multiple institutions, he can manage them from a centralised location without having to check out from one system to another.
For example, a consumer could have a bank account with Zenith Bank PLC, have a mutual fund account with ARM Investments and operate an account with a fintech like Piggyvest. When the customer wants to check his inflows and outflows from his different accounts, he will have to log into the separate platforms.
However, with open banking, the customer can seamlessly operate his investments and track his transactions on the three platforms from a centralised location through the use of APIs. The APIs can also look at the transaction data of the customer and identify the best financial products he can invest in that would yield better interest rates.
IMPORTANCE OF APIS TO OPEN BANKING
API is a software intermediary that enables technology platforms or applications communicate with each other. Some popular platforms that use APIs to accelerate the delivery of their services to consumers include Facebook, Google, Twitter and PayPal.
Abanking APIis an interface through which a financial institution provides data about customers, accounts and transactions. With a banking API, users of payment services will not be solely dependent on the direct services offered by their own bank. They can make use of third-party financial services, which, in turn, access the data required by the original bank via the banking API.
Some of the stakeholders that APIs in open banking are beneficial to include the following:
- Bank customers– APIs improve the customer experience, since customers can conveniently complete all transactions in the respective context and under one user interface. Also, the paperwork that would typically apply when running multiple transactions on different accounts would be minimised.
- TPPsin the e-commerce sector– With APIs, online providers can offer customers better services that include product selection and real-time arrangement of consumer credits.
- TPPsin the technology sector– technology providers whose solutions create interfaces to financial institutions and thereby create the technological infrastructure.
- Financial institutions– fintechs and banks will be able to expand their payment services ecosystem and onboard new customers through third party platforms.
- Fraud detection companies– APIs enable fraud detection companies effectively monitor customer accounts and identify problems as soon as they arise.
THE REGULATORY FRAMEWORK FOR OPEN BANKING IN NIGERIA
On February 17th, 2021, the Central Bank of Nigeria (CBN) issued the Regulatory Framework for Open Banking in Nigeria (“the framework”).
The framework establishes principles for data sharing across the banking and payment ecosystem. It is aimed at promoting innovation, broadening the range of financial services and products, and deepening financial inclusion.
The framework applies to the following financial services[1]:
- Payments and remittance services
- Collection and Disbursement services
- Deposit-taking
- Credit
- Personal finance advisory and management
- Treasury Management
- Credit ratings/scoring
- Mortgage
- Leasing/Hire purchase
- Other services as may be determined by the CBN
The framework provides for several issues including data and API access requirements, principles for API, data, technical design, and information security specifications.
We will examine the provisions of the framework and its impact on the operations of banks and fintechs in Nigeria.
GUIDING PRINCIPLES FOR API SPECIFICATIONS
The framework sets out the guiding principles for API specifications[2]and provides that they shall adhere to the following principles or they will not be accepted:
- Openness: accessible to all interested and permissioned parties
- Reusability: premised on existing standards and taxonomy of technology
- Interoperability: supports exchange of objects across technologies, platforms, and organisations
- Modularity: loose coupling with provision for flexible integration
- Robustness: scalable, improvable, evolvable and transparent
- User-Centric: enhances user experience for consumers
- Security: ensures data privacy and safe exchanges and transactions
PARTICIPANTS
The framework classifies participants in open banking into 4 categories[3]and each have their roles and responsibilities. It is noteworthy that participants are required to:
- maintain a customer service/complaint desk on 24 hours/7 days a week basis to resolve complaints of end-users;
- comply with data privacy laws and regulations; and
- comply with the provisions of the framework
Some of the responsibilities are captured here with the description of the participants:
S/N |
Participant |
Description |
Responsibilities |
1) |
Provider |
A participant that uses API to avail data or service to another participant |
a) Publish the APIs and define requirements and technical guidelines.
b) Define the data and services accessible through the APIs.
c) Carry out Know Your Partner (KYP) due diligence on partner participants which shall include a comprehensive risk assessment on the partner participant duly singed off by the Chief Risk Officer before executing agreements.
d) Ensure that the partner participant that owns the customer interface obtains consent of the end-user based on agreed protocols.
e) Notify the partner participant of intention to terminate relationship within 48hours of breaching the risk thresholds.
f) Notify the Bank of any terminated relationships with partner participants within 3 business days to update information in the Open Banking Registry where necessary.
|
2) |
Consumer |
A participant that uses API released by the providers to access data or service |
a) Execute a Data Access Agreement and Service Level Agreement with the Provider.
b) Adhere to the requirements and guidelines set by the Provider.
c) Obtain consent of the end-user on each action that may be performed on the account of the end user as specified by the provider.
d) Cooperate with the Provider for the regular monitoring of its control environment.
|
3) |
Fintechs |
Companies that provide innovative financial solutions, products and services |
a) Ensure that it leverages API to innovate products and solutions that are interoperable.
b) Avoid alteration of APIs published by provider without consent of the providers.
c) Any Modification of published APIs shall be based on the provisions of Data Access Agreement.
|
4) |
Developer Community |
Individuals and entities that develop APIs for participants based on requirements. |
a) Execute service agreements with the partner participant outlining the participant’s business requirement and technical guidelines.
b) Employ secure coding and development standards and practices.
c) Maintain strict avoidance of interaction with the production server of the partner participant.
|
CATEGORIESOF FINANCIAL DATA
Data and services that can be shared through APIs are categorised with their risk levels as follows[4]:
S/N |
Category |
Description |
Risk rating |
1 |
Product Information and Service Touchpoints (PIST): |
includes information on products provided by participants to their customers and access points available for customers to access services e.g. ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc. |
Low |
2 |
Market Insight Transactions (MIT): |
Includes statistical data aggregated on basis of products, service, segments, etc. It shall not be associated to any individual customer or account. These data could be exchanged at an organisational level or at an industry level. |
Moderate |
3 |
Personal Information and Financial Transaction (PIFT): |
Includes data at individual customer level either on general information on the customer (e.g. KYC data, total number or types of account held, etc) or data on the customer’s transaction (e.g. balances, bills payments, loans, repayments, recurring transactions on customer’s accounts, etc) |
High |
4 |
Profile, Analytics and Scoring Transaction (PAST): |
Includes information on a customer which analyses, scores or give an opinion on a customer e.g. credit score, income ratings etc. |
High and sensitive |
Other relevant provisions:
- Risk management[5]– the framework provides that this is the responsibility of all participants. They are therefore expected to have (information technology, information security policies and a risk management framework that address APIs and also have a Designate a Chief Risk Officer who shall be responsible for implementing effective internal control and risk management practices.
- Customer Rights– the agreement that onboards the client must be presented in the customer’s preferred language and his consent must be revalidated annually.
- Liability for loss– Participant and its partner shall be jointly responsible and bear liability for any loss to the customer, except where the participant can prove wilful negligence or fraudulent act against the customer.
- Guidance on Operational Rules[6]–Dispute resolution protocols among participants are to be codified for basic operational issues. Operational rules are to also discourage dominant party and anti-competition practices.
OUR TAKEAWAY
The CBN framework is quite comprehensive and if effectively implemented, could lead to remarkable changes in the banking sector. The key points to note from the comprehensive framework is that the CBN has sought to provide standards for the safe utilisation and exchange of data and services and has defined data access levels (i.e. what bank data can be shared and who can get it).
However, the successful implementation of open banking is dependent on collaboration between fintechs, banks and NBFIs and the CBN.
Some of the changes that could be introduced by the implementation of the framework include the following:
Competition and innovation
There could be fiercer competition with larger banks competing for the market with fintechs and smaller banks. This could also see financial institutions trying to outdo themselves by deploying better technology, better customer service, higher interest rates and lower costs.
Conversely, financial institutions can use APIs to create a new experience with their customers by assisting customers in ways that were previously not possible in the market. For instance, they could help customers who are illiterates better understand financial issues around opening a bank account with voice commands in local languages or pidgin English. For the sophisticated customer, an open banking app could also assist them in determining the most affordable loan facility they can obtain from institutions, taking into consideration the state of their finances.
It will also generate additional revenue for financial institutions in the form of commission or access fees. Open banking conducted via APIs could also consolidate the position of forward-looking fintechs who, via data aggregation,can create detailed customer profiles and offer relevant products to clients for greater engagement.
EASE OF BANKING
Conducting banking activities with traditional financial institutions is sometimes considered stressful. However, with open banking, customers will have consolidated information about all their financial products in a centralised location.
This would reduce time spent in carrying out transactions and minimise the paperwork for onboarding new users to the institutions’ platforms.
CYBERSECURITY AND DATA PROTECTION ISSUES
There are some challenges that exist with open banking, particularly around cybersecurity, data privacy and the resulting liabilities to financial institutions. Issues around data breaches, hacking, phishing scams and malware are issues that would have to be taken into consideration when any institution is considering open banking and the use of APIs.
Also, with the Nigeria Data Protection Regulation (NDPR), which bears close resemblance to the European Union GDPR, the legal basis for processing data has to be taken into consideration before the financial records of customers are shared. Direct consent must be obtained from the customer in line with the provisions of the framework as the failure to do this could lead to dire consequences for the financial institution that shares the data.
CONCLUSION
The introduction of the CBN framework is a good development which could potentially lead to the improvement in the delivery of financial services in Nigeria.
However, although open banking offers a number of advantages, there are also concerns over the security risks occasioned by the sharing of data. Data protection laws, such as the NDPR, must also be countenanced by service providers when they are processing the data of consumers.
It is however our view that with the engagement of cybersecurity experts, financial service providers and lawyers with experience in data protection and technology, some of the risks can be managed and open banking can thrive in Nigeria.
[