Banks are right to be worried about open banking but here’s how to manage the risks

January 16 2026

Nigerians have been sharing financial data for years, informally and at scale. So why do some banking experts think banks are nervous when this informality is formalized and standardized?

Bilateral data-sharing agreements exist between banks and fintechs, each negotiated separately, each governed by different rules, each creating its own liability maze. POS agents can see customers’ account balances, with their authorization. Loan applicants share bank statements with loan providers, trusting assurances about how that data will be used without any real visibility into what happens next. The infrastructure already exists: fragmented, opaque, and built on separate agreements, no two of which are alike. Open banking is not an attempt to introduce chaos to an already chaotic ecosystem. It’s an effort to structure what already happens, reduce fragmentation, and make consent explicit rather than implied. The anxiety banks feel is not about whether data will move, because it already does. The anxiety is about who carries the cost when it moves badly.

Banks are not resisting open banking because they’re stuck in the past. They’re cautious because they have spent years managing fraud, navigating unclear liabilities, and absorbing losses when things break. Open banking asks them to share customer data through standardized APIs in an ecosystem where enforcement consistency has historically been uneven. 

The fraud problem is as old as time

Fraud already exists at industrial scale. What worries banks is that open banking could make it faster, harder to trace, and more expensive to fix. Nigeria does not lack fraud rules. Know Your Customer requirements have existed for years. Customer Due Diligence obligations are clear. Nigeria’s Open Banking regulation itself embeds consent management and authentication requirements into every data flow. But banks have watched bad actors refine their methods based on one simple insight: consequences were optional. Fraudsters understood the system extremely well. They knew which banks would delay investigations, which fintechs lacked proper reconciliation processes, which enforcement actions would fade after initial noise. They optimized for the gaps between regulation and accountability. 

The fraud risk banks fear is not about open banking creating new attack vectors but about exposing long-standing weaknesses in how the ecosystem punishes misconduct.

When data moves across multiple institutions through APIs, and one party in the chain operates carelessly, who absorbs the loss? The bank usually does, because the customer relationship sits there and regulatory pressure follows. 

But something has shifted. The CBN is winning the battle against fraud. The regulator’s enforcement posture over the past two years suggests that permissiveness is no longer the default. There have been increasing consequences for players involved in fraud chains. Fraud monitoring has intensified, and investigation timelines have tightened. The regulatory environment open banking enters is different from the one that allowed earlier fraud to flourish. Real-time fraud monitoring systems are becoming standard in the ecosystem. Coordinated liability frameworks that specify who is held responsible when data is misused have been built by the industry and will be embedded into API provider and consumer relationships. The question now is not whether fraud can happen, but whether the system can respond fast enough to make it unprofitable.

Who pays when data leaks across the chain?

The second cluster of concerns revolves around data governance, compliance burden, and liability ambiguity, all of which intensify when data moves across institutional boundaries. The Nigeria Data Protection Act establishes clear obligations for data controllers and processors. But enforcement is a work in progress, and banks know it. They have seen breaches happen at partner institutions with minimal regulatory follow-through. They have watched compliance become a paperwork exercise rather than an operational discipline. Open banking fragments accountability by design. When customer data flows from a bank to an API consumer to a third-party service, who is liable if it leaks? Contractually, the answer should be clear. In reality, it often isn’t.

Banks must now demonstrate NDPA adherence, meet open banking security standards, pass audits, report incidents, and maintain documentation across every API relationship. Smaller banks, already stretched thin on compliance resources, see this as a prohibitive cost. Larger banks see it as manageable but resent absorbing risk for ecosystem participants with weaker controls. The anxiety here is not about regulation itself but about whether liability will follow actual fault or default to the institution with the deepest pockets and most visible customer relationship. The CBN-led workstreams have built structures to address this. Incident response and breach management plans have been developed to ensure transparent protocols when things go wrong. Third-party risk management frameworks are being embedded into the Nigerian open banking architecture. Shared security standards across ecosystem participants are emerging, though adoption remains uneven. Whether these frameworks translate into enforceable outcomes across all participants will determine how much confidence banks ultimately place in the system.

The cost of uneven infrastructure

Infrastructure and operational readiness gaps create another layer of risk, one less visible but equally consequential. Open banking assumes baseline technical maturity: modern core banking systems, skilled API development teams, real-time monitoring capabilities, and secure data environments. That assumption does not hold evenly across Nigerian banks. Legacy core banking systems still run at some Tier-2 institutions. Monitoring infrastructure to detect anomalies in real-time data flows requires investment many smaller banks have not made. This unevenness creates competitive risk. Banks with strong infrastructure can onboard API consumers quickly, respond to technical challenges fast, and offer richer data products. Players running older systems face delays, integration costs, and reputational exposure if their APIs underperform. Customers will migrate toward banks whose data flows work smoothly, and that migration could accelerate faster than weaker institutions can modernize.

The CBN has anticipated this and co-developed infrastructure blueprints for participants, establishing minimum technical standards across the industry. Additionally, Open Banking Nigeria has built an open-source API Gateway specifically to ease adoption by reducing the burden on individual banks to build and maintain their own infrastructure from scratch. For some institutions, this provides a practical on-ramp. The challenge is ensuring their use becomes mandatory and that smaller banks receive the technical support and regulatory forbearance needed during transition.

The cultural shift from closed to open banking

Perhaps the deepest source of anxiety is cultural. Banks are institutionally wired to own customer relationships and guard data as a competitive advantage. Open banking, however, inverts that model. It requires sharing data with customer consent, trusting third parties to handle it responsibly, and accepting that customer relationships will increasingly be mediated through platforms and aggregators rather than direct bank channels. This feels like a loss of control because, in some ways, it is. Partnership models with fintechs require new trust dynamics. Banks that spent years competing with fintechs are now expected to provide them with structured data access. The instinct is defensive. ‘If we give them data, what stops them from disintermediating us entirely?’ The answer, though not always reassuring, is that open banking does not create disintermediation risk. That risk already exists. Fintechs already build around banks, creating innovative products that meet user needs in ways traditional banking often hasn’t. Open banking simply makes the relationship transparent and structured, and allows banks to participate in the value created on top of their infrastructure.

Some banks are reframing this shift as a competitive advantage rather than a threat, likely because they are looking through the right lens. Structured data-sharing means better credit decisioning, more opportunities for innovation, fewer bilateral negotiations, and clearer liability boundaries. Open banking, if implemented with end-users in view, will build trust rather than erode it. The opportunity cost of delay is higher than many institutions realize. Our article, “Nigerian innovations that could get better with open banking”, shows exactly what’s at stake.

Delay is only another risk

Open banking does not create the risks banks worry about. It removes the comfort of informality that allowed those risks to persist without accountability. Fraud thrived when enforcement was weak, but coordinated liability frameworks and tighter accountability are changing that dynamic. Data governance failed when liability was ambiguous and consequences were slow, but incident response plans will embed clearer responsibility chains. Infrastructure gaps existed long before open APIs, but our API Gateway infrastructure is creating a pathway for technical catch-up.

Formalisation forces these issues into the open and replaces ambiguity with regulation and shared consequences. The instinct to delay is understandable, but delay preserves the very conditions banks say they fear. Delay does not reduce fraud risk but allows bad actors more time to optimize for loopholes. Delay does not clarify liability; rather, it postpones hard decisions about who pays when systems fail. Delay does not close infrastructure gaps, but widens the distance between innovators and those falling behind. What reduces risk is disciplined enforcement, shared accountability, and intentional design that anticipates failure rather than assuming perfect execution.