Will Nigeria use FAPI for authentication?

February 28 2025

John needs to sign up for a new budgeting app. Instead of creating yet another password, he sees an option to log in with Google. He clicks it, Google verifies his identity, and within seconds, he has access. No new credentials to manage, and no forms to fill out.

This login experience is powered by a standard called OAuth, a widely used authentication protocol that allows users to grant third-party apps access to their accounts without sharing their passwords. It’s why so many apps let you “Sign in with Google,” “Sign in with Apple,” or even, for the brave few still using it, “Sign in with Yahoo.”

Now, imagine this same process but for banking. Unfortunately, OAuth was designed for general online applications, not financial transactions. It carries extra components that financial services do not need. To address this, experts developed a stricter version called Financial-grade API (FAPI).

What is FAPI?

FAPI, or Financial-grade API, is a security framework designed to enhance authentication and data-sharing standards in financial services. It builds on OAuth 2.0 but introduces stricter security measures, ensuring that financial data is accessed and shared securely.

Unlike OAuth, which is used across various industries, FAPI is tailored for financial applications. It enforces robust authentication mechanisms, limits excessive data exposure, and requires encrypted communication channels. This reduces the risk of unauthorized access and enhances user privacy. In simpler terms, FAPI lets users share only what is necessary.

For instance, when logging into a banking app, FAPI ensures that only the necessary financial data is shared, preventing excessive permissions that could compromise security. This makes it an ideal choice for open banking systems, where multiple institutions must securely interact with customer data.

Use case of FAPI in Open Banking

When open banking began gaining traction, especially in the UK, stakeholders recognized a major flaw. OAuth, the standard protocol for user authentication and authorization, was too broad for financial services. While OAuth worked well for social media logins and general applications, it lacked the stringent security and privacy measures required for banking. Financial transactions demand stronger authentication, precise access controls, and better safeguards against fraud.

To address this, industry experts refined OAuth 2.0 into a more secure and specialized framework for financial services. This became the Financial-grade API (FAPI). FAPI built on OAuth but introduced higher security requirements, such as stronger encryption, stricter consent management, and mechanisms to prevent unauthorized data sharing.

FAPI ensures that financial institutions and third-party providers exchange only necessary data, reducing security risks. Unlike OAuth, which might allow a music streaming app to request full access to a Google account when it only needs an email address, FAPI enforces more restrictive, role-based permissions. This prevents unnecessary data exposure and reduces the risk of breaches.

For example, in an open banking transaction:

  • A fintech app requests access to a customer’s account data to provide budgeting insights.
  • Instead of receiving full account details, the fintech can only access the specific data it needs, such as transaction history or account balance, based on customer consent.
  • Stronger authentication mechanisms, such as biometric verification or multi-factor authentication (MFA), ensure that only authorized users can approve these requests.
  • Data transmission follows strict encryption standards, making it harder for attackers to intercept or manipulate information.

These security enhancements make FAPI an ideal solution for open banking, where customers need to grant multiple financial service providers controlled access to their data without compromising privacy or security.

Will Nigeria adopt FAPI for Open Banking authentication?

Nigeria is still defining authentication standards for open banking. Open Banking Nigeria has recommended FAPI, and while the Central Bank of Nigeria (CBN) has not made an official decision, industry leaders expect it to be adopted.

Unlike OAuth, which relies on major tech providers, Nigeria’s system would be managed by the Nigeria Inter-Bank Settlement System (NIBSS) using the Bank Verification Number (BVN) system.

Here’s how it would work:

  • A fintech requests access to a customer’s banking data.
  • The customer must approve the request before access is granted.
  • Instead of the bank handling authentication, it sends a request to NIBSS.
  • NIBSS prompts the customer to log in.
  • If the customer is not registered, they sign up using BVN, a password, and possibly biometrics.
  • If already registered, they enter their credentials.
  • NIBSS generates a secure token with the customer’s consent and sends it to the bank.
  • The bank then passes the token to the fintech, granting access only to authorized data.
  • If the customer revokes consent, access is immediately disabled.
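The two lists above describe one mechanism from two angles: the fintech receives only the scopes the customer approved, and a central authority (NIBSS, in the Nigerian design) issues the token and can revoke it. The Python below is an added example written for this article; it is not code from Open Banking Nigeria, NIBSS, or any FAPI implementation. The class names, the HMAC-signed token format, the endpoint paths and the sample BVN are all constructed for illustration. It walks the flow end to end: scope minimisation, binding the token to the client it was issued to, rejecting a tampered token, and cutting off access the moment consent is withdrawn. The FAPI profiles additionally require asymmetric signatures and sender-constrained access tokens (for example via mutual TLS), which are deliberately left out to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class ConsentAuthority:
    """Plays the role the article assigns to NIBSS: authenticates the customer,
    records what was actually consented to, and issues tokens carrying only the
    approved scopes. HMAC signing is an assumption of this example, not of FAPI."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._consents = {}  # consent_id -> {"sub": bvn, "scopes": [...], "active": bool}

    def issue_token(self, bvn, requested_scopes, approved_scopes, fintech_id, ttl=300):
        # Grant only the intersection of what was requested and what the customer approved.
        granted = sorted(set(requested_scopes) & set(approved_scopes))
        if not granted:
            raise PermissionError("customer approved none of the requested scopes")
        consent_id = secrets.token_hex(8)
        self._consents[consent_id] = {"sub": bvn, "scopes": granted, "active": True}
        payload = {
            "sub": bvn,         # the customer, identified by BVN as in the article's flow
            "aud": fintech_id,  # the client the token was issued to
            "scope": granted,
            "cid": consent_id,  # ties the token to a revocable consent record
            "exp": int(time.time()) + ttl,
        }
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).rstrip(b"=").decode()
        sig = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

    def revoke(self, consent_id):
        """Customer withdraws consent: every token tied to it stops working at once."""
        self._consents[consent_id]["active"] = False

    def introspect(self, token):
        """Return the claims, or None if signature, expiry or consent status fails."""
        parts = token.split(".")
        if len(parts) != 2:
            return None
        body, sig = parts
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["exp"] < time.time():
            return None
        consent = self._consents.get(claims["cid"])
        if consent is None or not consent["active"]:
            return None
        return claims


class BankResourceServer:
    """The bank's data API: trusts the authority's verdict, then enforces scope per endpoint."""

    SCOPE_FOR = {"/accounts/balance": "balance", "/accounts/transactions": "transactions"}

    def __init__(self, authority, records):
        self.authority = authority
        self.records = records  # bvn -> {"balance": ..., "transactions": [...]}

    def handle(self, path, token, presenting_client):
        claims = self.authority.introspect(token)
        if claims is None:
            return 401, {"error": "invalid_token"}
        if claims["aud"] != presenting_client:
            return 401, {"error": "token was not issued to this client"}
        needed = self.SCOPE_FOR.get(path)
        if needed is None:
            return 404, {"error": "unknown resource"}
        if needed not in claims["scope"]:
            return 403, {"error": "insufficient_scope", "required": needed}
        return 200, self.records[claims["sub"]][needed]


def run_scenario():
    """Walk the article's flow with constructed data and return each outcome."""
    authority = ConsentAuthority()
    bvn = "22212345678"  # constructed sample BVN, not a real one
    bank = BankResourceServer(authority, {bvn: {"balance": 150000, "transactions": [-2500, 40000]}})
    # The fintech asks for balance and transactions; the customer approves balance only.
    token = authority.issue_token(bvn, ["balance", "transactions"], ["balance"], "budget-app")
    out = {}
    out["balance"] = bank.handle("/accounts/balance", token, "budget-app")
    out["transactions"] = bank.handle("/accounts/transactions", token, "budget-app")
    out["other_client"] = bank.handle("/accounts/balance", token, "other-app")
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")  # alter one signature character
    out["tampered"] = bank.handle("/accounts/balance", tampered, "budget-app")
    authority.revoke(authority.introspect(token)["cid"])
    out["after_revoke"] = bank.handle("/accounts/balance", token, "budget-app")
    return out


if __name__ == "__main__":
    for step, (status, body) in run_scenario().items():
        print(f"{step:12s} -> {status} {body}")
```

The design point worth noticing is that the bank never sees the customer's credentials and never decides what was consented to; it only asks the authority whether the presented token is still valid and then checks the scope against the endpoint. That separation is what lets a single revocation at the authority disable access everywhere, as the last step of the article's flow requires.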

Why Nigeria should use FAPI

There are several reasons why Nigeria should adopt FAPI:

  • Global standards compliance – Many countries with open banking systems use FAPI for secure data exchange.
  • Stronger security and consent framework – FAPI ensures authentication is controlled by users, reducing unauthorized access risks.
  • Centralized authentication – With NIBSS handling authentication, users will not need separate credentials for every financial app.
  • Regulatory alignment – A unified authentication system would meet CBN’s security requirements better than fragmented approaches.
  • Familiarity in function – While FAPI is unfamiliar in name, the experience would be similar to logging in with Google, making adoption easier.

The biggest hurdle to FAPI adoption is not its technical capability but how it is communicated. People are familiar with OAuth because they use it regularly, even if they do not know the term itself. However, FAPI is not widely understood outside of specialized technical circles.

This presents a challenge: financial institutions and regulators must ensure that the benefits of FAPI are clearly explained to banks, fintech companies, and end users. If the messaging is unclear, it could slow adoption, just as unclear terminology has made open banking difficult to implement in other countries.

So, will Nigeria use FAPI for authentication? Most signs point to yes. Should Nigeria use FAPI? Absolutely. If implemented correctly, users will log in, approve access, and continue with their activities without needing to understand the technical details.