Standard

Getting Started with Open Banking Nigeria future forward APIs.

API Specifications

Standard is open and non-proprietary.

APIs should be simple and useful.

Risk-based approach to implementation.

Only a few functions are compulsory for implementation.

Driven by the specific needs of the industry and stakeholders.

Security Profiles

Security has been designed into the system from the ground up. There is a strong consideration to use FAPI.

Should be secure, simple, and adaptable.

Privacy is sacrosanct.

Implementation Architecture

Open Banking complements existing infrastructure and does not replace it.

Operational Guidelines

Banks to determine who should connect.

Banks would determine what they would charge.

Stakeholders are required to implement metrics that can be interrogated.

Customer Experience

Should be easy for customers to understand.

Customers would know exactly what each access to their accounts or information can do.

Seamless enough to be invisible to end-users.

Segment        Function                                                    Compulsory  Customer Authorization
Authorization  Authentication of SP to FS                                  Yes         No
Meta           Information about FS, functions implemented, etc.           Yes         No
Branch         Branch information, all, specific, find by location         No          No
ATM            ATM information, all, specific, find by location            No          No
Agency         Agent information, all, specific, find by location          No          No
POS            POS terminal information, all, specific, find by location   No          No
Customer       Get customer details                                        No          Yes
Accounts       Get account details, balances                               No          Yes
Transactions   Get statement, do transfers                                 No          Yes
Direct Debit   Set up direct debit, activate, modify, cancel               No          Yes
Bill Payments  Do bill payments, get billers                               No          Yes
Fraud          Report fraud information                                    No          No

API Specifications

  • Implement OAuth2 in combination with other 2FA variants
  • Log the digital footprint of customers and applications

Encryption and other Security Measures

  • API connections and data in transit should be encrypted using TLS 1.2 at the minimum
  • Use cipher suites with Perfect Forward Secrecy, e.g. ECDHE_RSA_WITH_AES_256_GCM_SHA256
  • Use Extended Validation (EV) Certificates
  • Use an HMAC signature-based authentication model for API key exchange
  • Use RESTful APIs instead of SOAP APIs
  • Use JSON Web Tokens (JWT) as the format for security tokens
  • Whitelist and allow only valid entities
  • Use security headers
  • Avoid sensitive information in HTTP requests
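The HMAC signature-based model listed above, shown as an added example that is not part of the Open Banking Nigeria standard or any bank's implementation: the client binds method, path, timestamp and body hash under a per-client secret, and the server recomputes the MAC, compares it in constant time and rejects stale timestamps. The header names, the demo key/secret and the freshness window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo credential (assumption); a real deployment issues one secret per
# client and the server looks it up by the X-API-Key value rather than using a constant.
API_KEY = "fintech-demo-key"
API_SECRET = b"constructed-demo-secret-not-for-production"
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body hash so none can be swapped without breaking the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(method, path, body, secret=API_SECRET, timestamp=None):
    """Client side: return the headers that accompany the request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-API-Key": API_KEY, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(method, path, body, headers, secret=API_SECRET, now=None):
    """Server side: recompute the MAC, compare in constant time, enforce a freshness window."""
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated: a replayed or badly clock-skewed request
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    body = json.dumps({"amount": "5000.00", "to": "0123456789"}).encode()  # constructed sample
    hdrs = sign_request("POST", "/transactions/transfer", body)
    print("genuine request accepted:", verify_request("POST", "/transactions/transfer", body, hdrs))
    tampered = json.dumps({"amount": "50000.00", "to": "0123456789"}).encode()
    print("tampered body accepted:", verify_request("POST", "/transactions/transfer", tampered, hdrs))
```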

General Secure Development Principles

  • Develop using secure coding principles

Parameter Validation

  • Validate content types
  • Validate lengths, structures and schemas
  • Perform input validation to sanitize all inputs

Threat Detection

  • Apply threat detection using WAF

Open Banking enables fintechs to connect directly to banks via standard APIs. This provides integrations that are not possible from a switch point of view, for example showing customers their accounts, branches, ATM locations, etc.

While the API standard may be the same, banks will be able to control how fintechs connect, how much they charge, etc.
