Open Vector report for Open Banking Nigeria

Open Vector

Abstract

This study, commissioned by Open Banking Nigeria (OBN), analyses the current situation in Nigeria with respect to open banking and what might be learned from other open banking initiatives, notably in the UK and Europe. The key finding is that while OBN's 'bottom up' practical approach is yielding benefits, if it is not to lose momentum there needs to be clear policy support, particularly from the Central Bank of Nigeria (CBN). This applies most particularly to data sharing, since it is becoming clear that this is the main area of benefit from open banking, even more than payments.

Introduction

In order to support Open Banking Nigeria (OBN) in progressing with its initiative, and as part of the recently announced partnership between OBN and Open Vector, Open Vector has undertaken this report to help provide insights, especially from the UK and Europe as the frontrunners in open banking, that might help OBN's development. This will also be updated for other open banking initiatives, such as Australia, as more details become available. The approach taken in preparing this report has been to review OBN's plans and to suggest a way forwards, informed by Open Vector's experience from the UK, Europe and elsewhere.

Executive Summary

Bottom-up, practical approach

Currently, OBN is moving ahead and taking practical steps to clearly demonstrate that open banking in Nigeria:

  • Will be beneficial for consumers and the economy overall, by increasing the flexibility and functionality of the financial system;
  • Will help increase financial inclusion. See for example FT article: http://www.businessdayonline.com/banks-telcos-fintechs-achieve-financial-inclusiontarget-collaboration-2/;
  • Is feasible to undertake in a way that does not increase risks and/or issues, and that any risks/issues can be managed and mitigated; and
  • Will be able to build on, and interface with, the global and regional trend towards open banking in a way that will help drive Nigeria’s economic growth forwards.

OBN is doing this in a ‘bottom up’ way by progressing with the development of APIs, sandboxes etc providing demonstrable value in a practical way. There is an 18-month roadmap later in this paper laying out how OBN plans to keep the momentum up on this process.

Open Vector is helping to work with OBN to review this work and provide advice based on its experience elsewhere, notably in the UK and Europe.

Top-down, policy-driven approach

Additionally, even in reviewing these practical plans it is clear that, while extremely valuable and necessary, this alone is not sufficient and needs to be supplemented by a top-down policy-driven approach.

For example:

  • In establishing secure authentication between Third Parties and banks, the limits of bilateral arrangements are very quickly exhausted and there is a need for an agreed standard solution or at least model agreements;
  • There is a need for standard and reliable customer protections and redresses, which in turn require clarity regarding the legal relationships between the Third Parties and the banks and redress processes between them as well as with end customers;
  • Data Privacy and Protection: In the UK the initial attempt to facilitate data sharing, midata, floundered on the lack of a clear legal basis for data sharing. Even now, there is an on-going debate how the data sharing regulations (GDPR) and the PSD2 work together.

Therefore, there is a clear necessity for a coordinated policy thrust, most notably from the Central Bank and the data privacy and protection regulators, to support this initiative, notably to:

  • Set the policy vision and scope, as well as the over-arching regulatory regime, so that all parties have clarity;
  • Push the banks to work in a positive way to support it. In the UK and Australia, the continuing need to ensure this incentivization is maintained is clear;
  • Establish a governance model to coordinate activities as they move forward, and to report back to the policy bodies and stakeholders, so they can oversee progress and rule on challenges as they arise.

It is suggested that, rather than waiting until a fully developed law like GDPR is consulted on and implemented, which may take several years, CBN seeks to implement some regulations just covering open banking. That way rapid progress can be made and practical learning points gleaned, in parallel with planning for a more all-encompassing law.

Open Banking Nigeria

Background

OBN has been established by a group of top industry professionals and Fintech companies in Nigeria to promote, develop and implement a common standard for Application Programming Interfaces (APIs) across the financial and payment space in Nigeria.

History

The idea for Open Banking has been brewing for years within the Nigeria banking and Fintech community seeking innovation to deal with some intractable problems. However, on June 1, 2017, an email driving a call to action went out to a select group of Fintech and banking veterans arguing for a single API standard for banks in Nigeria. This subsequently drove the formation of Open Banking Nigeria as a group to bring this to fruition.

Working with about 9 banks and other industry stakeholders, the group developed a common standard that has been publicly hosted. This standard was also launched within the banking industry. There are ongoing discussions with the Central Bank of Nigeria, Nigerian Information Technology Development Agency, Bankers Committee and others to transform the Open Banking Nigeria API standard into a banking regulation.

Who is involved

Open Banking Nigeria is composed of individual and technology members committed to the development, advocacy, and delivery of the Open Banking standard in Nigeria. For more information about participants and members, please visit https://openbanking.ng.

Achievements to date

Development of the API standard which involved a collaborative development and review with nine commercial banks and other industry stakeholders.

The standard has also been launched publicly to the stakeholders.

18-month programme

Q3 2018 (July – Sept)

  1. Focus on Open Banking (Breakfast series, April 24) – Done
  2. Sign MOU with Open Vector, UK (OV) – Done
  3. The announcement of a partnership with OV – Done
  4. Go live of Sandbox (version 1 API)
  5. Technical review of API with OV
  6. Draft of API version 2
  7. Advocacy with Central Bank of Nigeria
  8. Advocacy with Bankers Committee
  9. Advocacy with CeBIH (Committee of eBanking Industry Heads, Nigeria)
  10. Sign on 3 banks (KPI)
  11. Sign on 10 Fintechs (KPI)
  12. Agree on the amount required as grants and other funding (KPI)
  13. Release on the impact of Open Banking on Nigeria payment industry (KPI)

Q3 2018 (October – December)

  1. Go live of Sandbox (version 2 API)
  2. Fintech Hackathon
  3. ng go live with API (version 2 API)
  4. Go live of 2 banks for read-only APIs (version 2 API)
  5. Sign on additional 5 banks (KPI)
  6. Sign on additional 20 Fintechs (KPI)
  7. Grants and other funding agreed and flowing (KPI)
  8. 2 regional conference presentation of Open Banking Nigeria (KPI)
  9. The release of a report on bank preparedness for Open Banking in Nigeria (KPI)

Q1 2019 (January – March)

  1. Q3 Fintech Hackathon in partnership with large stakeholder
  2. Go live of 2 banks for read-only APIs (version 2 API)
  3. Sign on additional 5 banks (KPI)
  4. Sign on additional 10 Fintechs (KPI)
  5. Grants and other funding: tracking versus plan and continued funding (KPI)
  6. Presentation at KPMG Fintech Conference (KPI)
  7. The release of a report on bank preparedness for Open Banking in Nigeria (KPI)

How Customers Will Grant Access to their Data and Accounts

With Open Banking Nigeria, customers will be able to grant Fintech apps and services access to their accounts to read their balances, extract their transaction history, initiate payments, and update static data, e.g. credit card limits.

Before any Fintech can connect to a bank:

  1. The Fintech must be registered with the bank and have signed a commercial and integration agreement.
  2. The bank and Fintech must exchange integration credentials to be used to validate its connectivity.
  3. Each Fintech, within the bank API management interface, would have been pre-authorized for the specific transaction type.

For customer-driven interactions, the Fintech would call the bank's endpoint, get authenticated, and then call the customer transaction endpoint. At this point, the bank would offer an OAuth2-enabled interface for the customer to authenticate.

It is also possible to establish long-lived tokens for the Fintech to be used to instruct subsequent interactions between the bank and the Fintech for the customer.

Throughout the authentication process, the Fintech must not be able to read any of the data passing between the bank and the customer. This will need to be enforced by a combination of legal mechanisms (law and contract) and technical mechanisms.
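The three onboarding preconditions and the hand-off to the bank's OAuth2 interface can be expressed as bank-side checks. The following is an added example, not part of the OBN standard or of this report's source material; the registry schema, client name, scope strings and URLs are assumptions invented for illustration.

```python
"""Bank-side checks made before a customer is shown the OAuth2 login page."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Fintech:
    """One entry in the bank's API-management registry (hypothetical schema)."""
    client_id: str
    secret_sha256: str         # hash of the exchanged integration credential
    redirect_uris: frozenset   # exact callback URIs agreed at onboarding
    allowed_scopes: frozenset  # transaction types the bank has pre-authorized


def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample registry: every value here is invented for the example.
REGISTRY = {
    "fintech-demo": Fintech(
        client_id="fintech-demo",
        secret_sha256=_h("constructed-sample-secret"),
        redirect_uris=frozenset({"https://app.fintech.example/callback"}),
        allowed_scopes=frozenset({"balance:read", "transactions:read"}),
    )
}


def authenticate_fintech(client_id: str, secret: str):
    """Preconditions 1 and 2: registered Fintech presenting its credential."""
    entry = REGISTRY.get(client_id)
    # Hash and compare even for unknown clients so both paths do the same work.
    expected = entry.secret_sha256 if entry else _h("")
    ok = hmac.compare_digest(_h(secret), expected)
    return entry if (entry is not None and ok) else None


def validate_authorization_request(url: str):
    """Return (ok, reason) for the request that redirects a customer to the bank."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name):
        vals = q.get(name, [])
        return vals[0] if len(vals) == 1 else None  # duplicated parameters are rejected

    entry = REGISTRY.get(one("client_id") or "")
    if entry is None:
        return False, "unregistered client"
    # Exact string match only: no prefix, wildcard or sub-path matching.
    if one("redirect_uri") not in entry.redirect_uris:
        return False, "redirect_uri not registered"
    if one("response_type") != "code":
        return False, "only the authorization-code flow is accepted"
    # Precondition 3: every requested scope must already be pre-authorized.
    scopes = set((one("scope") or "").split())
    if not scopes or not scopes <= entry.allowed_scopes:
        return False, "scope not pre-authorized"
    if not one("state"):
        return False, "missing state"
    return True, "ok"
```

Because the customer authenticates on the bank's own page after these checks pass, the Fintech only ever receives an authorization code at its registered callback, never the customer's credentials.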

Learning points from UK / Europe

Technical

  • Access methodology: In the UK, open banking has started in a pragmatic way, seeking to establish a methodology that helps move things forward. The Open Banking Implementation Entity (OBIE) has devised a solution based on redirection, starting with website-to-website redirection. That is, the consumer, having initiated the transaction in the domain of the third party / the merchant, is redirected to the domain of the bank to authenticate and authorize. This is not a perfect solution for all use cases, but it is the most secure of the account access models and gets the consumer used to the concept in a safe way. Within Europe there is a desire to investigate multiple additional access methods before deciding how to move forwards: decoupled, direct / embedded, federated etc. This is leading to further delay without any clarity as to whether it will give rise to an improved solution. We would recommend that Nigeria seeks to move ahead with a single pragmatic model, which can be used for payments and account information, to establish progress, and then on that basis moves ahead to additional solutions. While there are clear merits in having the flexibility to cover other methods (notably using apps on mobile phones), it is best to start rapidly with a minimum viable product (MVP) and expand rapidly thereafter.
  • Security arrangements: In an open banking solution, banks need to be clear, in real time, who they are dealing with, which implies a machine-readable directory of participants, with digital certificates, tied together with clear SLAs and liability rules in the event of errors. The UK OBIE has been more pragmatic in its solution, but even so, it is not as easy to use, or to onboard participants with, as might have been hoped. The European solution of commencing with account access before robust security arrangements are implemented is definitely not recommended, because it creates confusion for consumers, risks giving rise to frauds in the 'transitional period' that will scare consumers away from the concept, and creates uncertainty so that the banks fail to implement practical solutions. In Nigeria, it is recommended that the specific requirements are understood clearly, and that a solution is defined and implemented that addresses the local requirements pragmatically and effectively.
  • Screen scraping: It is understood that screen scraping is illegal in Nigeria, or at least heavily frowned upon. It is important to maintain this stance and not let a desire to move ahead with open banking lead to a loosening of the stance on screen scraping because, as has been seen in the UK and Europe, once loosened it is hard to rein in. Before PSD2, a number of third parties used screen scraping in 'impersonation' mode, that is, using the consumer's own credentials as if they were the consumer. Similarly, account access services have been expanding, under the radar, using screen scraping without transparency within parts of Africa. This also happened in the UK.

Policy and Vision

  • Need for policy imperative: There is a clear need for a policy direction to give focus, direction, and move the industry together at the same time. This does not necessarily need to be in the nature of a law like the UK CMA Order or the EU PSD2. But it does need to provide a clear call to action. In Nigeria, this would probably be most usefully given by the Central Bank since the banks are the parties that most need to be motivated to move decisively at the same time and grant access to their accounts.
  • Data sharing: In Europe, it is becoming clear that, while data sharing was an after-thought for PSD2, it has in practice become the major area of innovation, with more data sharing than payment initiation licenses being sought. But this is not without challenges, as has been seen very clearly with the Facebook / Data Analytica affair. It is suggested that this is the tip of the iceberg and that there are some 30 investigations taking place of inappropriate data sharing. In Nigeria, OBN is already working to lobby the National Information Technology Development Agency (NITDA) to fine-tune new data protection guidelines to create an appropriate regime for modern data sharing. Further lobbying of the CBN to support clear pragmatic regulations related to open banking should be pursued as well, to enable pragmatic progress while a fundamental new law is being considered, consulted on, and enacted.
  • Implementation entity: It is useful to have an entity to act as the focus of the implementation work and to coordinate standards development, implementation, testing, certification etc. The practical effort and coordination required for testing and certification should not be under-estimated. The more rapid progress made by the UK compared to the rest of Europe is based partly on the decision to have an implementation entity coordinating and driving the process. This gives rise to governance and funding issues that need to be addressed. Obviously, any entity established within Nigeria would have to be tailored to Nigeria's requirements. But this should be informed by some of the findings elsewhere, some of which are listed below:
    • Any implementation entity should be supervised by the regulators but not run by the regulators. This might ultimately be based on the Principles for Financial Markets Infrastructure (PFMI) model;
    • The widest possible participation of stakeholders should be created, e.g. including banks, Fintechs, consumers, regulators;
    • Financing will initially have to fall primarily on the largest banks, but should include some level of charging on TPPs and even consumers to ensure initiatives that yield tangible value are prioritised over those with only theoretical benefits.
  • Legal framework for parties to work together: The ruling that banks cannot require any form of legal arrangement in order to gain access to accounts at banks has been a major obstacle to PSD2 and open banking achieving its objectives, in relation both to payments initiation and account information:
    • Payments initiation: PSD2 was designed as part of a payments policy initiative with the European Interchange Fee Regulation with the objective of giving more competition for card-based payments, probably along the lines of the IDEAL scheme in Holland. This reduces the merchant service charge by not giving card style protections. However realistically this can only be achieved with some sort of contractual structure between the parties.
    • Account information: Account information requires even more structuring around the relationships, so that the banks have clarity on their obligations to share data, Service Level Agreements (SLAs), including response times, and consumers have clarity on their recourse in the event of data breaches etc.

In Nigeria, it would be worthwhile evaluating whether some sort of contractual legal structure should be envisaged to provide for terms of engagement, SLAs, standardized dispute resolution etc. Although the implications of payments initiation and account information access are very different, they are so inter-linked that it is probable that the structure should cater for both types of access.

  • Funding and governance: Once the need for a central entity is acknowledged the issue arises how to fund the entity so that:
    • There is certainty that the funding will suffice for the work to be done; and
    • Governance arrangements are established so that, even though the banks will almost certainly be the largest funders of the project, this doesn’t mean that they get to dictate the direction of the entity against the interests of Fintechs, and most crucially consumers.

Although this sounds a relatively easy problem to articulate, it is a difficult issue to address.

  • Marketing and communication: Marketing and communication have proved difficult in the UK and Europe, partly due to the nature of the service. It has been compared to selling infrastructure like plumbing or electricity. That is,
    • It is something that you rarely consume in and of itself (rather than as a means of obtaining something else), and
    • Something that you only really notice when it goes wrong.

Furthermore, partly due to the lack of any contractual terms of engagement, it is not possible to be clear to consumers exactly what methods are being adopted and what the risks are and what the consumer’s recourse is if things go wrong. Hence it was judged too difficult and too expensive to have some central marketing and communication campaign.

In Nigeria, it is recommended that an attempt is made to provide clear messaging to consumers of the benefits of the service to facilitate its adoption.

More details on some of the learning points from UK and Europe

This section explores some of these topics in some more detail.

Data sharing

In the UK and Europe, both the CMA Order and PSD2 were mostly focussed on payments. Data sharing, and therefore data security, was an after-thought. Hence, for example, in Holland the transposition of PSD2 into Dutch national law has been delayed due to a data privacy regulator objection, and in the UK it is recognized that PSD2 and the data privacy laws do not wholly align.

However, in practice, it has quickly been noticed that the impetus for innovation is falling more in the field of account information access rather than payments. This is because, as is becoming common parlance, data is the new gold.

However, not all the movements on data sharing have been totally benign. Notably, affairs such as Equifax and now the Facebook / Data Analytica affair have generated concern about what, once data has been shared and then misused or leaked, the consumer can really achieve that will rectify the situation. The situation is not capable of easy remedy, such as reimbursing the amount taken, and the bank cannot be expected to underwrite the negligence or malice of a third party that the consumer required the bank to share the data with.

If data sharing is to be a long-term success there are a series of recommendations that are worth considering based on the examples of the UK and Europe:

  • Legal clarity through legislation: While the legislation in the UK and Europe is all tending the same way, in the details there are conflicts. It would be useful to ensure that any legislation or policy statements are high-level purposive remarks that leave the details to the market participants.
  • Legal clarity through contracts: It is useful if the parties are bound to reimburse consumers for losses they cause on clear predictable bases.
  • Clear enforceable redress: Over and above legal rules there need to be practical enforceable processes, collateral to enforce payments of liabilities, and/or the ability to suspend a participant that has failed to reimburse customers for attributed losses. This is crucial since banks cannot reasonably be required to underwrite TPP data breaches.
  • Clear security rules are the absolute priority from the outset: In Europe, due to the delay in agreeing to the security regulatory technical standards confusion has been created by PSD2 going live before the security rules are in force. It is recommended that this is not allowed to occur in Nigeria since it risks adverse events occurring that mean consumers incur losses that deter them from using open banking in the future. This is discussed more fully below.

It is recommended that the European GDPR law is used as the starting point for the study for several reasons:

  • It is a well-regarded model for a solution that works not just in one country but across geographies.
  • If a law based on GDPR is implemented it will also help businesses in Africa work with businesses in Europe, and even be able to outsource work to Africa from Europe.

However, having discussed this with OBN, there is a concern that if a Nigerian, or even an African GDPR, is made a pre-condition of moving ahead there is a risk that this will stall progress. Therefore, while using GDPR as a baseline and policy guide, Nigeria needs to make immediate practical progress. The best way to do this is probably by the CBN establishing pragmatic practical regulations focussed on banking and finance.

Implementation entity

In the UK it was identified that to make some practical progress it was necessary to have an entity as a focus and coordinator of the implementation. While many have criticised the progress this has made, at least all parties have clarity what is being done and why. In Europe, in contrast, there is little clarity what has been done.

One thing that does need to be addressed once an implementation entity is set up, is how the governance and funding will work. Within OBIE this was not truly well established and has meant that there has been a continuing debate around governance and funding whenever a particularly thorny issue comes up.

In Nigeria, it is recommended that an approach needs to be implemented from the outset that:

  • Provides governance arrangements so that, even though the banks will almost certainly be the largest funders of the project, this doesn’t mean that they get to dictate the direction of the entity against the interests of Fintechs, and most crucially consumers.
  • Provides a funding structure which will suffice for the work to be done, but does not scare off the smaller participants.

While establishing these parameters is reasonably easy, the particular solution will depend very much on local issues and can only really be agreed with the effective and active participation of the key local participants.

Legal framework

In Europe, the legislation has been very prescriptive in ruling that banks cannot require TPPs to agree to any form of contract as a precondition to gaining access to payment accounts. While the background to this is understandable, it has actually proved a major obstacle to progress in both payments initiation and account information, though for slightly different reasons.

  • Payments initiation: PSD2 was designed as part of a payments policy initiative with the European Interchange Fee Regulation with the objective of giving more competition for card-based payments, probably along the lines of the IDEAL scheme in Holland. This reduces the merchant service charge by not giving card style protections. However realistically this can only be achieved with some sort of contractual structure between the parties. Furthermore, it is becoming increasingly clear that the payment initiation model defined in PSD2 of ‘fire and forget’ is not well-suited to the two main use cases that payment initiation might be used for:
    • Point of sale: Here there needs to be some sort of structure so that the beneficiary merchant can be sufficiently confident of the funds (this does not necessarily mean that they actually have to be received).
    • E-commerce: Here there is the question mark whether cards are still more appropriate due to the card protections over the delivery and fitness for purpose of the goods and/or services purchased. In any event, merchants often need the functionality to delay payment initiation until the goods and/or services are actually despatched.
    • In both cases, the prohibition on the payments initiation service being able to take possession of the funds has created obstacles to devising a genuinely functional competitor to cards.

Overall, in order to compete with card schemes, it is most plausible that a scheme-like structure is necessary, such as for IDEAL in Holland or Zapp / PaybyBank in the UK.

It is acknowledged that, because of the way the payments market in Nigeria works, there may be less necessity to target merchant acquiring or point of sale, and that the real focus, initially at least, will probably be on person to person (P2P), to business (P2B), and to government (P2G). Even so, the solution should avoid being overly prescriptive in the detailed solutions and leave that to the industry, while establishing robust oversight mechanisms to ensure solid progress is made.

  • Account information: Account information requires even more structuring around the relationships, so that the banks have clarity on their obligations to share data, Service Level Agreements (SLAs), including response times, and consumers have clarity on their recourse in the event of data breaches etc.

For example, when an account information service is seeking to obtain information from a bank, it is useful to be clear what the parameters are, e.g.:

– Is speed of the essence, in which case is there some limitation on the number of such calls that can be made without charge?

– Or is it more important to have a response that gives as comprehensive and accurate a view of availability of funds, taking into account all recent and known pending transactions?

If confidence and trust in data sharing are to be developed, there needs to be just as much clarity about remedies, because trust and confidence will quickly evaporate if there are breaches that cause loss for which consumers cannot receive an appropriate remedy.

As noted above, although the implications of payments initiation and account information access are very different, they are so inter-linked that it is probable that the structure should cater for both types of access, especially since providers of payments initiation and account information access will be the same firms offering inter-linked services.

Next steps

OBN is committed to continuing its work to progress open banking for the benefit of Nigeria. In order for this progress not to stall there is a need for policy support particularly from the central bank, particularly as regards data privacy regulations.

Open Vector is very pleased to have been able to assist in collating this analysis and adding its observations and experience, and thanks OBN staff for its time and assistance.

Contacts

Anyone wishing to know more about Open Banking Nigeria generally or the partnership between OBN and Open Vector should contact in the first instance:

Ope Adeoye
Spokesperson for OBN
Telephone: +234 802 222 1412
E-mail: [email protected]

Carlos Figueredo
CEO Open Vector
Telephone: +44 7823 324 900
E-mail: [email protected]
