In March 2018, the Central Bank of Nigeria talked about its interest in an Open Banking system, which will open up the financial system and allow the transaction data that banks sit on to be accessible to other industry players. All of this data sharing will happen through Application Programming Interfaces (APIs).
At the time, the apex bank’s Deputy Director, Banking and Payment System, Mr Musa Itopa Jimoh, made a statement that has now become key to Open Banking conversations: “banks are sitting on a huge amount of data but they are not doing anything about it… CBN is looking at how to raise the standard for all banks and fintechs to plug in,” he said in 2018.
It has taken three years, but the CBN has finally released draft regulations that will guide Open Banking operations in Nigeria.
CBN’s Regulatory Framework
In February 2021, the CBN issued the “Regulatory Framework for Open Banking in Nigeria”, which sets out the rules under which the sharing of financial data will happen. While sharing financial data is important in changing the face of banking, it comes with its own risks.
Regulation mitigates these risks and provides guardrails for everyone involved. This is why the draft regulation creates four categories of data that can be exchanged using APIs. It also assigns a risk rating to each category.
Product Information and Service Touchpoints (“PIST”) is a low-risk category that includes information provided by participants to customers and information on access points available for customers to access service, for example ATM locations, website addresses, charges, and rates.
Market Insight Transactions (“MIT”) is judged as moderate risk. This is statistical information on products, services, and segments. MIT data is not associated with an individual customer and is shared on an aggregate basis.
Personal Information and Financial Transaction (“PIFT”) is high-risk. This is individual customer data providing general information on the customer including personal data such as the total number of accounts and transaction data.
The last category is Profile, Analytics, and Scoring Transaction (“PAST”). It is rated as high and sensitive risk. This is personalized customer scoring data such as income ratings and credit score.
Who can access what?
Creating categories is only half of it: the CBN goes further and sets out tiers/levels that determine who can access what. Participants can be providers, who use APIs to provide data or services to another participant; consumers, who use the APIs released by providers to access the data or service; fintechs; or developer communities.
All these participants have different access levels. Tier 0 participants have access to only PIST and MIT data while Tier 1 (applicable to those operating through the newly created sandbox) participants can access PIST, MIT and PIFT data.
Tier 2 and 3 participants can access all the categories of data. The difference between the two is that Tier 2 is for licensed payment service providers while Tier 3 is for deposit money banks.
The creation of categories and tiers points to the fact that there will be requirements for each tier. The most stringent requirements are for Tier 0 participants, who can only operate when sponsored by a Tier 2 or Tier 3 participant. They will also need to complete a risk assessment report.
Since Tier 1 participants are already in CBN’s sandbox, they don’t need anything more than a listing on the Open Banking Registry. Tier 2 and 3 participants are required to hold a valid license from the CBN, provide a satisfactory risk assessment report by at least 2 partner participants (from Tier 2 and 3 each) and list on the Open Banking Registry.
Away from access, the CBN’s regulations also speak to common standards for APIs. According to the draft regulation, the CBN will develop a common Banking Industry API standard within 12 months of issuing the Framework.
The common Banking Industry API standards will outline specifications for technical design, data and information security standards taking into account principles such as openness, reusability, interoperability and security of data.
The CBN’s draft framework is an important first step to drive Open Banking in Nigeria and make the country Africa’s Open Banking pioneer. But the draft regulations need to be more expansive on some issues around data.
For instance, there aren’t any clear processes for when a data breach happens. There’s also silence on the consequences for any infractions by participants on the different tiers created. With the number of unreported data breaches in Africa, these are necessary additions to the regulation.
Regardless, because these are draft regulations, there is the possibility that the final approved regulations will be more robust. The CBN disclosed that operational guidelines related to the framework will be communicated in due course as it continues to monitor industry developments.
While the timeline for that is unclear, what we know for certain is that the CBN has set an ambitious plan of getting the common Banking Industry API standards ready by February 2022.
To achieve this, the apex bank set up an industry committee that has Open Banking Nigeria as a member. The industry committee is expected to design a world-class standard on behalf of the Nigerian ecosystem, after which the CBN will review and then approve it for the industry.
The Committee is also expected to propose designs for technology, risk, operations, privacy, consent, and cybersecurity.