By Oyetola Muyiwa Atoyebi, SAN

Introduction

There is currently a rush of countries to adopt open banking standards, having experienced the benefits of FinTech innovation to varying degrees across different sub-domains. The importance of FinTech companies and startups cannot be over-emphasized, as their products have made dealing with financial matters easier and more affordable. However, it is not enough merely to issue open banking regulations; a regulator also needs to draw up an implementation model suited to its own distinct environment.

The apex regulator of Nigeria’s banking and financial system, the Central Bank of Nigeria (CBN), recently issued a circular titled ‘Operational Guidelines for Open Banking in Nigeria’. This was part of its effort to improve the sharing of data across banks, other financial institutions and payment systems, in order to stimulate and expand the innovations and financial products available to bank customers.

Open banking is a banking practice in which third-party financial service providers are given open access to customer banking, transaction and other financial data from banks and non-bank financial institutions via application programming interfaces (APIs)[1]. Open Banking is a blanket financial services (FS) term used to describe the use of open technologies by third-party providers (TPPs), to build services and applications around financial institutions. It provides guidance on how TPPs can access and utilize customer bank data in a standard format to provide more open, transparent and competitive banking services.

To put it in straightforward terms, open banking means that no matter how many accounts and financial products a customer has, he or she can view and manage them from a centralized location. Data is power, and open banking has the potential to revolutionize the FS landscape for all stakeholders, from customers to traditional banks and even the regulators. It is a fundamental shift from a closed model to one in which data is shared between different members of the banking ecosystem with authorization from the customer.[2]

It is also pertinent to note that open banking, by its already stated definition, recognizes the ownership and control of data by customers of financial and non-financial services, and their right to grant authorizations to service providers to access innovative financial products and services.

The objectives of the guideline are to:

  • Provides clear responsibilities and expectations for the various participant categories;
  • Ensures consistency and security across the open banking system;
  • Stipulates safeguards for financial system stability under an open banking regime;
  • Promotes competition and enhances access to banking and other financial services; and
  • Outlines minimum requirements for participants.

Notable Provisions in the Guideline

Creation of Open Bank Registry[3]

The Open Bank Registry (OBR) is a public repository of details of registered participants. Each participant shall be identified by its business registration number issued by the Corporate Affairs Commission (CAC), which shall be the unique key across the OBR system.

The Central Bank of Nigeria (CBN) shall provide and maintain an Open Banking Registry (OBR) for the industry. The OBR shall be maintained for the following purposes:

  1. To provide regulatory oversight on participants.
  2. To enhance transparency in the operations of Open Banking.
  3. To ensure that only registered institutions operate within the open banking ecosystem.

Service Level Agreement[4]

It is also provided that a Service Level Agreement shall be executed between the Application Programming Interface (API) providers and API consumers to govern the relationships between the parties (i.e. API providers and API consumers). The Service Level Agreement for Open Banking shall include the following: Accounting Settlements, Fee Structures, Reconciliation of Bills, Registration and Sponsorship Activities.

Data Ethics and Data Privacy[5]

The Board of Directors or at a minimum an Executive Management Committee of the API Consumer shall approve a Data Governance policy.

The policy shall ensure that all aspects of the data are well managed and fulfil legal and regulatory requirements.

The API Consumer (AC) shall incorporate the following into its Data Governance policy, procedures and mechanisms:

  1. A clear approach to the collection, collation, analysis, sharing, storage and retrieval of customer data in line with extant laws and regulations;
  2. How the data interplays with the algorithmic system and models, regarding how data is weighted or attributed in the algorithmic system to produce the outcomes;
  3. The impact the combination of the data and the algorithmic system has on results;
  4. The intended outcomes of the data-driven service on customers and society; and
  5. The unintended consequences of the service on customers and society.

It is also provided that ACs shall comply with the Nigerian Data Protection Regulation or any CBN-issued data protection regulation for FIs, to protect customer data.

Data Breach Policy[6]

The ACs are obligated to create a data breach policy and operate as follows:

  1. Operate regular risk assessment and risk monitoring in order to anticipate potential data threats, hazards and impacts.
  2. Ensure that the procedures for managing data incidents are clearly set out, in addition to clear roles and responsibilities, lines of escalation and communication for all parties involved in risk management procedures.
  3. Assess each data incident according to its impact in order to determine a proportionate response and trigger the most appropriate command and control arrangements.
  4. Activate the relevant processes and procedures to limit the impact of the incident.
  5. Ensure that all relevant parties receive efficient, regular and timely communication in the event of a data incident.
  6. Conduct a robust analysis of the underlying cause of the data breach incident, the efficacy of the incident response, the lessons learned, and the actions required to prevent future similar incidents.
  7. Start the recovery process to ensure minimal disruption to service delivery.
  8. Regularly test adherence to the Incident Management Policy and associated Incident Management Procedures to ensure their adequacy and effectiveness.

In the same vein, participants shall develop and implement a data breach policy and procedure as part of their information security management system, to:

  1. Carry out regular risk assessment and monitoring;
  2. Ensure that the procedures for managing data incidents are clearly set out;
  3. Assess the impact of each data incident;
  4. Activate the relevant processes and procedures to limit the impact of the incident;
  5. Adopt a three-line defense model into its business standard policies and procedure for risk management and compliance;
  6. Ensure that all relevant parties receive efficient, regular, and timely communication in the event of a data incident;
  7. Start the recovery process promptly to ensure minimal disruption to service delivery;
  8. Conduct a robust analysis of the underlying cause of a data breach incident, the efficacy of the incident response, the lessons learned, and the actions required to prevent future similar incidents; and
  9. Regularly test adherence to the incident management policy and associated incident management procedures to ensure their adequacy and effectiveness.

Cybersecurity[7]

ACs shall ensure the following:

  1. Entrench an appropriate risk management regime;
  2. Have a secure configuration management system;
  3. Ensure network security for all connections;
  4. Ensure appropriate management of access rights and user privileges;
  5. Conduct user education and awareness;
  6. Deploy malware prevention and detection tools;
  7. Implement system monitoring to detect actual or attempted attacks on systems and business services; and
  8. Restrict use of removable/portable storage media.

Information Sharing[8]

API Providers (APs) shall only share a customer’s information with an AC upon presentation of a valid proof of consent from the customer, and shall authenticate such consent to ensure that it emanates from the AP’s own customer.

For consent obtained from a customer to be valid, the following information shall be presented to the customer by the AC:

  i. Full and legal name of the AC;
  ii. Shortened or brand name of the AC in situations where the AC operates under a different name from its legal registered name;
  iii. The accreditation/registration number or other valid means of identification in the open banking registry;
  iv. The business registration number of the AC with the Corporate Affairs Commission (CAC);
  v. Compliance with access level to data by service category;
  vi. Nature of request, which shall be explicit and describe the following:
     • The type of access the AC shall have on the customer account in line with access level by data and service category;
     • Duration/tenor of the consent or the date when the access shall be invalidated;
     • Frequency of access to the customer information by the AC or whether such access shall be one-off;
     • Whether the request includes the customer’s consent to collect data for anonymous/de-identified data analysis;

  vii. Information regarding the process for withdrawal of consent by the customer, including the following:

  • A statement that the end-user can withdraw their consent at any point in time if so desired;
  • Detailed process for withdrawal of consent by the customer;
  • Information on the consequences of withdrawal of such consent to the customer, if any.

  viii. Information about redundant data, including the following touchpoints:

  • The AC’s general policy in relation to decision making on the deletion or de-identification of redundant data in accordance with extant laws and regulations;
  • An outline of the customer’s rights to elect for deletion of their redundant data and information on how to exercise such rights.

If the customer’s data will be disclosed to an outsourced service provider, including non-Nigerian participants, the approval of the Bank (the CBN) shall be obtained, and the following additional information shall be required:

  • A statement indicating that the data would be used or disclosed in such manner;
  • Sufficient information about the data handling/privacy policy of the service provider; and
  • A guarantee that the customer can obtain further information about such disclosures from the policy or on request to the participant, if they so wish.

Intellectual Property Preservation[9]

Participants’ intellectual property in proprietary and protectable software source and object codes, aggregate data, and aggregate services among other protectable information shall be protected under the applicable laws in Nigeria.

No Party shall unlawfully acquire any proprietary rights, title, or interest in or to any Intellectual Property Rights of another Party, or any other Participant pursuant to the participation in Open Banking in Nigeria.

All ownership rights in any open data or other information shall at all times remain with the Party, or Participant from which such open data or other information originated, whether the open data or other information is in human or machine-readable form.

Participants shall be allowed to grant royalty-free license for their intellectual property in aggregated data, subject to the satisfaction of the consent requirement, for use by other participants to such extent as may be required for Open Banking in Nigeria.

Conclusion

Innovations are good; however, unregulated innovations may be injurious to the economy and the growth of a nation. The CBN, in conjunction with the relevant stakeholders, should be applauded for anchoring this guideline to further shape and systematically guide the operationalization of open banking in Nigeria. It will serve as a workable model that other African countries with similar economic and financial setups can emulate in growing their FinTech industries.

AUTHOR: Oyetola Muyiwa Atoyebi, SAN.

Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.

Mr Atoyebi’s vast knowledge and expertise in Corporate and Commercial Law has enabled him to advise and represent a vast clientele in a variety of high-level transactions involving apex regulatory bodies in Nigeria. He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.

He can be reached at atoyebi@omaplex.com.ng

CONTRIBUTOR: John Oladipo.

John is a member of the Dispute Resolution Group at OMAPLEX Law Firm. He also holds commendable expertise in Banking Law.

He can be reached at john.oladipo@omaplex.com.ng

[1] Ubah Jeremiah Ifeanyi, ‘CBN issues guidelines for Open Banking in Nigeria to enhance financial services’, https://nairametrics.com/2022/05/19/cbn-issues-guidelines-for-open-banking-in-nigeria-to-enhance-financial-services/, date accessed: 22/05/2022

[2] Demola Yusuf and Adedeji Olowe, ‘The case for open banking in Nigeria’, https://www.pwc.com/ng/en/assets/pdf/case-open-banking-nigeria.pdf, date accessed: 22/05/2022

[3] Article 6.0

[4] Art. 8.1.2

[5] Art. 9.1 and 9.2

[6] Art. 9.3.3 and Art. 11.9

[7] Art. 9.3.3.3 and Art. 11.9

[8] Art. 11.1

[9] Art. 11.12
