By Oladapo John A.

Introduction

The Central Bank of Nigeria (CBN) has been working tirelessly towards establishing an Open Banking framework. Over the last seven years, the CBN has worked relentlessly on implementing Open Banking and has published various regulations on open banking, which are targeted at regulating the activities in the financial industry vis-a-vis open banking. This is understandable, as the Central Bank has a critical role to play in maintaining financial stability in the country, and open banking helps it meet that obligation: it promotes financial inclusion, increases the trust existing in banker-customer relations, improves accessibility to relevant data in the financial industry, places a premium on the customer’s convenience and satisfaction, and by implication eliminates certain bottlenecks in the financial services sector.

The Central Bank of Nigeria made a major, groundbreaking regulatory achievement when it issued the Open Banking Operational Guidelines on Tuesday, 7th of March, 2023, thus making Nigeria the first African country to institute open banking guidelines. This is a step in the right direction, as its implementation positions financial institutions, fintech start-ups and industry stakeholders to perform better.

The introduction of Open Banking also raises concerns as to the safety of the data of citizens of the country. However, before delving into these concerns, it is pertinent to define the concept of open banking.

Understanding Open Banking

Open Banking is a system that allows third-party providers (TPPs) access to consumer financial data from banks and non-bank financial institutions (NBFIs) through the use of Application Programming Interfaces (APIs). With Open Banking, banks are essentially putting in place infrastructure that will allow their consenting customers’ data to be easily shared with TPPs. Access to customer financial information will enable TPPs to provide services directly to customers.[1]

For instance, a customer of a traditional bank can have his data shared with other financial and non-financial institutions such as fintech companies, restaurants, supermarkets, insurance companies, mortgage institutions and many others, as long as he consents. As the customer, you do not have to submit fresh data when dealing with other institutions; you can simply let them access your data from a central platform using APIs, which reveals your transactional history, from which your financial behaviour can be studied and understood. This builds trust and better understanding between consumers and these institutions, and it comes with great prospects. Imagine a country wherein the health sector can assess your financial history from a centralized platform.

The Guidelines state that any organization that holds customer data which may be exchanged with other entities for the purpose of providing innovative financial services within Nigeria will be eligible to participate in the open banking system.

The major entities with key roles to play in the Nigerian Open Banking Regime, as can be gleaned from the provisions of the Operational Guidelines issued by the CBN, are the API Providers, the API Consumers and the Customers.

A Brief Overview of the Roles of Key Players[2]

Understanding the role of the key participants helps to identify the parties who deal with the customer’s data directly or indirectly, and the standards required of them.

  1. API Provider (AP): This refers to a participant that uses an API to avail data or a service to another participant. An API Provider can be a licensed financial institution/service provider, a Fast-Moving Consumer Goods (FMCG) company or other retailer, a Payroll Service Bureau, etc.
  2. API Consumer (AC): This refers to a participant that uses an API released by the API Provider to access data or a service. An API Consumer can be a licensed financial institution/service provider, an FMCG company or other retailer, a Payroll Service Bureau, etc.
  3. Customer: This refers to the data owner, who shall be required to provide consent for the release of data for the purpose of accessing financial services.

Data Privacy Concerns in the Nigerian Open Banking Industry

I have been able to emphasize the upsides of the Open Banking Industry; however, open banking does come with its downsides. The handling of customers’ data illustrates some of the biggest concerns with open banking: privacy breaches, data security, cybercrime and fraud. A breach of a customer’s data can create instances of online bullying, avail such data to criminal organizations and fraudsters, and so much more. You can imagine sensitive data such as your bank balance and purchase history falling into the hands of robbers.

Nigerian financial services companies lost ₦5.2 billion to fraud between January and September 2020. The Nigeria Inter-Bank Settlement System (NIBSS) industry fraud report[3] reveals how much of a target our financial institutions are for criminals and fraudsters, and thus emphasizes the sensitivity around the need to secure users’ data.[4] Open banking has the potential to magnify the impact of breaches and cybersecurity incidents when they happen, which could mean reputational risk and erosion of customer trust for the banks.[5]

Generally, the transfer of personal and financial information through digital channels raises an important question: How much of your personal data is protected and kept private? According to a 2020 study published by KPMG, 87% of consumers say data privacy is a basic human right. Yet 68% say they don’t trust companies to ethically sell their personal data.[6]

The Open Banking Operational Guidelines reflect the fact that the Central Bank of Nigeria fully understands the data privacy and protection issues which are bound to arise with the growth of the open banking industry, as they make extensive provisions aimed at securing the consumer’s data and information. This article attempts an overview of the relevant provisions and seeks to determine whether or not the provisions contained in the Operational Guidelines are sufficient to ensure the protection and safety of sensitive data.

An Overview of the CBN’s Operational Guidelines for Open Banking on Data Privacy and Protection

The CBN shall, through its newly created organ, the Open Banking Registry (OBR), oversee the activities of the key players mentioned above. The major roles of the OBR are to provide regulatory oversight of participants, enhance transparency in the operations of Open Banking, and ensure that only registered institutions operate within the open banking ecosystem.[7]

In defining the roles of the CBN in data governance, it is positioned to provide data oversight and governance for open banking information assets for participants in the open banking arrangement to ensure compliance with relevant legal and regulatory provisions. Notwithstanding this role, all participants shall be guided by all extant laws relating to data protection, consumer rights and fair practices.[8]

A premium is placed on the need to obtain the customer’s consent in the Open Banking industry, which is very essential. This aligns with the rights the provisions of the NDPR seek to secure: a situation where data owners have a substantial level of control over their personal data and information.

The Regulations stipulate that all APs/ACs must maintain a Data Governance policy, which shall be approved by a committee of their Board of Directors or, at a minimum, their Executive Management Committee. The policy is to ensure that all aspects of the data are well managed and fulfil legal and regulatory requirements. The following are to be incorporated in their Data Governance policy, procedures and mechanisms:

  1. A clear approach to collection, collation, analysis, sharing, storage and retrieval of customer data in line with extant Laws and Regulations;
  2. How the data interplays with the algorithmic system and models, regarding how data is weighted or attributed in the algorithmic system to produce the outcomes;
  3. Impact the combination of the data and the algorithmic system has on results;
  4. Intended outcomes of the data-driven service on customers and society;
  5. Unintended consequences of the service on customers and society.[9]

The CBN via its regulation equally requires that the APs/ACs have a data ethics framework in place, which shall:

  1. provide principles for the acquisition, collection, collation, analysis, use, and sharing of personal data;
  2. provide for a consistent process and documented procedures to guide documentation, verification and decision making, to ensure that data processing activities:
    1. comply with extant laws and regulations; and
    2. generate fair and accurate reports for both the customers and society.[10]

The APs/ACs are bound to operate in compliance with the provisions of the Nigerian Data Protection Regulation (NDPR) or any CBN-issued data protection regulation for FIs, in order to protect customer data. To protect the confidentiality, integrity and availability of information and data in the open banking system, all participants shall implement Information Security controls. To ensure effective Information Security management, APs/ACs are required to:

  1. Develop, maintain, and implement an Information Security Policy, ensuring adequate resources, processes, technology, people and budget are allocated;
  2. Complete regular threat assessments;
  3. Allocate accountability to a nominated board member to oversee risks;
  4. Implement strong passwords and access management controls, applying multi-factor authentication;
  5. Routinely vet all staff, suppliers and service providers thoroughly;
  6. Establish a strong security awareness culture;
  7. Implement and run a dedicated security operations centre;
  8. Ensure strong IT systems controls;
  9. Ensure information security requirements are clearly stated in all contracts with suppliers;
  10. Regularly undertake assurance of third-party providers; and
  11. Create and regularly test an incident response plan.

APs/ACs are required to create a data breach policy geared at preventing potential data breaches. The policy must ensure clarity in roles and procedures for managing data incidents, assess data incidents, limit and contain their impact, ensure effective communication among relevant parties in the event of a data incident, provide for review of data incidents, expedite the recovery process to ensure minimal disruption to service delivery, and provide for regular testing of adherence to the Incident Management Policy and associated Incident Management Procedures to ensure their adequacy and effectiveness.[11]

The CBN’s Operational Guidelines for open banking equally highlight the need for ACs/APs to put certain measures in place to ensure the security of their cyberspace. The APs/ACs are to ensure the following:[12]

  1. Entrench an appropriate risk management regime;
  2. Have a secure configuration management system;
  3. Ensure network security for all connections;
  4. Ensure appropriate management of access rights and user privileges;
  5. Conduct user education and awareness;
  6. Deploy malware prevention and detection tools.

As earlier stated, the Open Banking Guidelines place much importance on the consent of the customers whose information is to be shared, and the regulators were careful to make regulations around this to ensure that there is a reasonable standard expected of the key participants.

Paragraph eleven of the Guidelines[13] sets requirements to ensure that valid consent of the customer is obtained. It stipulates the information to be provided to the customers by the ACs:

  1. Full and legal name of the AC;
  2. Shortened or brand name of the AC, in situations where the AC operates under a different name from its legal registered name;
  3. The accreditation/registration number or other valid means of identification in the Open Banking Registry;
  4. The business registration number of the AC with the Corporate Affairs Commission (CAC);
  5. Compliance with access level to data by service category;
  6. Nature of the request, which shall be explicit and describe the following:
    1. The type of access the AC shall have on the customer account, in line with access level by data and service category;
    2. Duration/tenor of the consent, or the date when the access shall be invalidated;
    3. Frequency of access to the customer information by the AC, or whether such access shall be one-off; and
    4. Whether the request includes the customer’s consent to collect data for anonymous/de-identified data analysis;
  7. Information regarding the process for withdrawal of consent by the customer, including the following:
    1. A statement that the customer can withdraw consent at any point in time if so desired;
    2. The detailed process for withdrawal of consent by the customer;
    3. Information on the consequences of withdrawal of such consent to the customer, if any.
  8. Information about redundant data, including the following touchpoints:
    1. The AC’s general policy on decision making regarding the deletion or de-identification of redundant data, in accordance with extant laws and regulations;
    2. An outline of the customer’s right to elect for deletion of their redundant data, and information on how to exercise such right.

In the event that customers’ information is to be shared with an outsourced service provider, the approval of the CBN must be obtained, and the APs/ACs are required to furnish the CBN with the following:

  1. A statement indicating that the data would be used or disclosed in such manner;
  2. Sufficient information about the data handling/privacy policy of the service provider; and
  3. A guarantee that the customer can obtain further information about such disclosures from the policy or on request to the participant, if they so wish.

Upon receiving a customer’s consent to provide the customer’s data to an AC, it is mandatory for the AP to verify that:[14]

  1. the consent emanated from its customer. This shall require Two Factor Authentication (2FA) of the customer to verify the consent;
  2. the request for the customer’s data contains the purpose of the request;
  3. the request contains the credentials of the requesting AC; and
  4. the request contains a valid date and was made through appropriate channels.
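The consent terms that Paragraph 11.1 requires the AC to capture (the AC’s registry identification, the explicit purpose, access level, tenor, frequency and the right of withdrawal) and the four verifications Paragraph 11.2 imposes on the AP fit together as a single gate the AP runs before releasing any data. The following is an added illustration written for this article; it is not code from the CBN, the Guidelines or any participant, and the registry identifier format, the channel name, the field names and the refusal messages are all assumptions of the example. It shows the checks carried through as executable logic, including the cases a practitioner most needs to get right: a one-off consent that is used twice, an AC absent from the registry, a withdrawn consent, and an expired tenor.

```python
from dataclasses import dataclass
from datetime import date

# Constructed stand-in for the CBN's Open Banking Registry (OBR): accreditation
# number -> full legal name of the AC. The identifier format is an assumption.
OBR_REGISTRY = {
    "OBR-AC-0001": "Example Payments Limited",
}

# Channels through which this AP accepts data requests (assumed name).
APPROVED_CHANNELS = {"open-banking-api"}


@dataclass
class Consent:
    """What the customer agreed to, as captured under para 11.1 (field names assumed)."""
    customer_id: str
    ac_registry_id: str        # AC's accreditation number in the OBR
    purpose: str               # nature of the request, stated explicitly
    access_level: str          # access level by data/service category
    valid_until: date          # tenor: the date on which access is invalidated
    one_off: bool              # frequency: a single access, or recurring
    two_factor_verified: bool  # AP confirmed the consent via 2FA of the customer
    withdrawn: bool = False    # the customer may withdraw at any time
    uses: int = 0              # number of times data has been released under it


@dataclass
class DataRequest:
    """A request from an AC to the AP for a customer's data (field names assumed)."""
    customer_id: str
    ac_registry_id: str
    purpose: str
    access_level: str
    request_date: date
    channel: str


def verify_request(consent: Consent, request: DataRequest, today: date) -> list[str]:
    """Return every reason the request must be refused; an empty list means release is allowed."""
    reasons = []
    # (1) the consent emanated from the AP's own customer, confirmed by 2FA
    if request.customer_id != consent.customer_id:
        reasons.append("request is not covered by a consent from this customer")
    if not consent.two_factor_verified:
        reasons.append("customer consent has not been confirmed via 2FA")
    if consent.withdrawn:
        reasons.append("customer has withdrawn consent")
    # (2) the request states its purpose, and the purpose is the one consented to
    if not request.purpose:
        reasons.append("request does not state a purpose")
    elif request.purpose != consent.purpose:
        reasons.append("purpose differs from the consented purpose")
    # (3) the request carries the credentials of a registered AC, the same AC the customer consented to
    if request.ac_registry_id not in OBR_REGISTRY:
        reasons.append("requesting AC is not in the Open Banking Registry")
    elif request.ac_registry_id != consent.ac_registry_id:
        reasons.append("requesting AC differs from the AC named in the consent")
    # access must stay within the consented data/service category
    if request.access_level != consent.access_level:
        reasons.append("requested access level exceeds the consented access level")
    # (4) a valid date, inside the consent's tenor, arriving through an appropriate channel
    if request.request_date > today:
        reasons.append("request date lies in the future")
    if request.request_date > consent.valid_until or today > consent.valid_until:
        reasons.append("consent tenor has expired")
    if request.channel not in APPROVED_CHANNELS:
        reasons.append("request did not arrive through an approved channel")
    # frequency: a one-off consent permits exactly one release
    if consent.one_off and consent.uses >= 1:
        reasons.append("one-off consent has already been used")
    return reasons


def release_data(consent: Consent, request: DataRequest, today: date) -> bool:
    """Run the checks and, only if every one passes, record the release against the consent."""
    if verify_request(consent, request, today):
        return False
    consent.uses += 1
    return True


def withdraw_consent(consent: Consent) -> None:
    """The customer exercises the right to withdraw consent at any point in time."""
    consent.withdrawn = True


if __name__ == "__main__":
    today = date(2023, 6, 1)  # constructed date for the demonstration
    consent = Consent("CUST-42", "OBR-AC-0001", "credit scoring", "read-transactions",
                      date(2023, 12, 31), one_off=True, two_factor_verified=True)
    request = DataRequest("CUST-42", "OBR-AC-0001", "credit scoring", "read-transactions",
                          today, "open-banking-api")
    print(release_data(consent, request, today))    # first release of a one-off consent succeeds
    print(verify_request(consent, request, today))  # a second attempt is refused
```

The gate accumulates every failing check rather than stopping at the first, which is what an AP wants for its own incident and audit records; what is returned to the AC should be the bare refusal, so that an unregistered or mismatched requester learns nothing about the customer’s consents. Withdrawal is modelled as a flag on the consent rather than deletion, so the AP retains evidence of what was consented to and when it was withdrawn.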

Amidst other major provisions geared at ensuring the safety of customers’ data, the provision on Cybersecurity Breach Incident Reporting and the introduction of an Incident Reporting Portal by the CBN are major steps in the right direction. The incidents envisaged in the Guidelines for reporting are those that affect participants, operations and systems, and such others as may be determined by the CBN through relevant regulations and guidelines. APs/ACs are required to develop and implement a data breach policy and procedure, and a data Incident Management Procedure.

Regulatory Loopholes on the subject of Data Privacy in the Open Banking Industry

Although the CBN Operational Guidelines on open banking provide a strong foundation for data protection, there may still be some potential loopholes or areas that require further attention and refinement to ensure that data protection is effectively implemented across the Nigerian Open Banking Industry. Some of these areas include:

  1. Lack of standardization: The guidelines do not specify a uniform set of technical standards for data protection, which could lead to inconsistencies in implementation across different banks and TPPs.
  2. Third-Party Risk: The guidelines focus primarily on data protection by banks and TPPs, but do not exhaustively address the risks associated with third-party service providers that may be used by banks or TPPs.
  3. Scope of consent: The guidelines require explicit customer consent before sharing data, but the scope of consent may not always be clear or transparent to customers.
  4. Enforcement: While the guidelines establish penalties for non-compliance, the effectiveness of enforcement mechanisms is yet to be seen.
  5. Data ownership: The guidelines do not fully address the issue of data ownership, which could cause disputes between banks, TPPs, and customers over who has control over the customer data.
  6. Cybersecurity threats: The guidelines do not sufficiently address the growing cybersecurity threats facing the banking industry, which could lead to data breaches and compromise customer data.

Conclusion

Regardless of the loopholes pointed out, it is still very clear that the CBN has put in place solid mechanisms to protect the data of Nigerian citizens. In ensuring financial sustainability, we must not be distracted by innovation without factoring in the implications of that innovation. It is my humble opinion that we have regulation sufficient enough to ensure safe practice of the Open Banking innovation.

The industry is in its formative stage and perfection is not required as long as it promises considerable safety to all key participants, most especially the customers whose data and information are the crux of this innovation. The best approach to attending to these data concerns is optimism over pessimism as there is much to be learnt by all players, including the regulators.

[1] Overview Of The Operational Guidelines For Open Banking In Nigeria – Financial Services – Nigeria (mondaq.com)

[2] Paragraph 4.0 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[3] NIBSS Insights Fraud.pdf (nibss-plc.com.ng)

[4] In 2020, Nigeria lost ₦5b to fraud in 9 months: What you need to watch out for (techpoint.africa)

[5] Putting security and privacy at the heart of open banking | PwC Canada

[6] Increase In Digital Banking Raises Consumer Data Privacy Concerns: How To Protect Yourself – Forbes Advisor

[7] Paragraph 6.0 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[8] Ibid.

[9] Paragraph 9.0 – 9.1 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[10] Paragraph 9.1.1 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[11] Paragraph 9.3.3 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[12] Paragraph 9.3.3.3 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[13] Paragraph 11.1 of the CBN’s Operational Guidelines for Open Banking in Nigeria.

[14] Paragraph 11.2 of the CBN’s Operational Guidelines for Open Banking in Nigeria.
