THE CBN REGULATORY FRAMEWORK FOR OPEN BANKING IN NIGERIA
The Central Bank of Nigeria (“CBN”) issued the Regulatory Framework for Open Banking in Nigeria (“the Framework”) on 17 February 2021. The Framework aims to promote the sharing and leveraging of customer-permissioned data by banks in order to build solutions and services that provide efficiency, greater financial transparency, the ability to review all customers’ banking and financial information in a central location, and options for account holders, and to enhance access to financial services in Nigeria.
As an introduction to the Framework, the CBN stated “having observed the growing integration of banks and other financial institutions with innovators in the financial services space and the increasing adoption of Application Programming Interface (API) based integrations in the industry, it has become expedient for the Bank to provide appropriate framework to regulate the practice”.
The objectives of the Framework include:
• providing an enabling regulatory environment for the provision of innovative financial services through the safe use and exchange of data;
• defining risk-based data access levels (what Bank data can be shared and who can access it) for effective risk management;
• defining baseline requirements and standards for the exchange of data; and
• providing risk management guidance.
The scope of the Framework, clearly outlined in Paragraph 3.0, includes:
• Payments and remittance services;
• Collection and Disbursement services;
• Personal Finance Advisory and Management;
• Other services as may be determined by the Bank.
DATA AND SERVICE CATEGORIES
Under the Framework, there are four (4) categories of data and services that can be openly exchanged and/or shared through APIs. Each category of data and service is allocated a risk rating on a scale of Low to High and Sensitive.
The categories and risk ratings are as follows:
Product Information and Service Touchpoints (PIST): This includes information on products provided to customers and access points for customers to access those services e.g. ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc. The risk in this category is Low.
Market Insight Transactions (MIT): This includes any statistical data aggregated on the basis of products, services, segments, etc., which are not associated with any individual customer or account, either at an organizational or industry level. The risk in this category is Moderate.
Personal Information and Financial Transaction (PIFT): This includes data at individual customer level either on general information on the customer (e.g. KYC data, total number or types of account held, etc.) or data on the customer’s transaction (e.g. balances, bills payments, loans, repayments, recurring transactions on customer’s accounts, etc.). The risk in this category is High.
Profile, Analytics and Scoring Transaction (PAST): This includes information on a customer which analyses, scores or gives an opinion on a customer e.g. credit score, income ratings etc. The risk in this category is High and Sensitive.
CATEGORIES OF PARTICIPATING INSTITUTIONS
The Framework categorized participating institutions and used a Tier system to determine which category of data and risk can be accessed by participants based on their risk management maturity level:
• Participants without regulatory licence – Tier 0 – can access PIST and MIT data;
• Participants through CBN Regulatory Sandbox – Tier 1 – can access PIST, MIT & PIFT;
• Licensed Payments Service Providers & OFI – Tier 2 – can access PIST, MIT, PIFT & PAST;
• Deposit Money Banks – Tier 3 – can access PIST, MIT, PIFT and PAST.
DATA AND API ACCESS REQUIREMENTS
The Framework prescribes the requirements which must be fulfilled by participants to be admitted into any Tier described above:
Tier 0 participant
• can only gain access to the data sharing framework on the sponsorship of either a Tier 2 or 3 participant;
• the Sponsoring Participant (SP) determines the onboarding requirements;
• the SP conducts a comprehensive risk assessment of the Tier 0 participant, with the assessment report to be duly signed by the Chief Risk Officer of the SP;
• upon onboarding, the SP registers the Tier 0 participant on the Open Banking Registry of the CBN within 3 working days.
Tier 1 participant
• Admission into the CBN regulatory sandbox cohort shall be the primary requirement for Tier 1 participants.
• The CBN may, as it deems fit and on a case-by-case basis, stipulate further requirements.
• Tier 1 participants shall also be listed on the Open Banking Registry.
Tier 2 and 3 participants
• Tier 2 and 3 participants are required to submit a Satisfactory Risk Assessment Report by at least two (2) partner participants.
• The report should address the Know Your Partner (KYP) assessment in respect of business & governance, financial strength analysis, control environment assessment and risk management practices.
• Tier 2 and 3 participants shall hold a valid Licence from the CBN and be listed on the Open Banking Registry.
ROLES AND RESPONSIBILITIES OF PARTICIPANTS
The Framework also provides for the roles and responsibilities of the Provider, API Users/Consumer, Development Community, Fintechs, and the CBN in the regulation and smooth running of the open banking system in Nigeria’s financial space:
Provider
• A provider is a participant that uses an API to make data or a service available to another participant.
• Required to define the data and services accessible through the APIs.
• Establish Data Access Agreements and Service Level Agreements with other participants.
• Carry out Know Your Partner (KYP) due diligence on partner participants before executing said agreements; among others.
API Users/Consumer
• A consumer is a participant that uses an API released by the providers to access data or a service.
• API Users are required to execute a Data Access Agreement and Service Level Agreement with the Provider.
• Ensure an annual re-validation of the Data Access Agreement and Service Level Agreement.
• Comply with data privacy laws and all consumer protection regulations; among others.
Fintechs
• Companies that provide innovative financial solutions, products and services.
• Required to ensure that they leverage APIs to innovate products and solutions that are interoperable.
• Avoid alteration of APIs published by a provider without the consent of the provider.
• Comply with data privacy laws and regulations; among others.
Development Community
• Individuals and entities that develop APIs for participants based on requirements.
• Required to execute service agreements with the partner participant outlining the participant’s business requirements and technical guidelines.
• Employ secure coding and development standards and practices, among others.
CBN
• Facilitation of the Development of Common Banking Industry API Standards within 12 months of the issuance of this Framework.
• Maintenance of the Open Banking Registry.
• Enforcement of this Framework, among others.
RIGHTS OF CUSTOMERS AND REDRESS MECHANISMS
A noteworthy innovation of the Framework is the inclusion of Paragraph 10.0, which clearly outlines the customer’s rights, responsibilities and redress mechanisms. It provides that the full spectrum of the CBN’s Consumer Protection Framework is available to customers in the open banking system, and makes specific pronouncements aimed at protecting the customer’s rights and data and at ensuring that proper consent in respect of the customer’s data is obtained while conducting open banking operations.