BY CHUMA AKANA
Open banking is simply defined as a system where data is shared among banks, investment companies, fintechs, or other third-party apps, through the use of application programme interface (APIs). It is widely accepted that traditional banking models can be harnessed to provide more tailored services and options to the customers, and one of such innovative means is through the proper use of open banking. In February of 2021, the Central Bank of Nigeria issued a regulatory framework for the operation of open banking in Nigeria, and the framework establishes principles for data sharing across the banking and payments ecosystem, which will promote innovation, broaden the range of financial products and services, and most importantly, deepen financial inclusion.
Under an open banking regime, participants will be able to download and share information about account balances, payments, transactions and investments. Open banking further extends to instances where a third party app may be allowed to initiate transactions from a customer’s account, such as sending payments or withdrawing money. Proponents have also argued that financial services could be more personalised to the individual’s behaviours and lifestyle thereby making banking more effective and useful to the consumer. Indeed, a range of financial technological ‘tools’ will make dealing with money more convenient, simpler and quicker.
With such huge potential, there is the need for adequate guidelines to regulate and monitor the open banking space in Nigeria. This is more important as data of customers will be shared by all the players in the ecosystem; therefore, guidelines that promote fairness and security of data are important. In its regulatory framework, CBN categorised the open exchange of data and services through API as product information and service touch points, market insight transactions, personal information and financial transactions, and profile analytics/scoring transactions, and prescribed a risk rating for each of these categories. The regulatory framework also provided the risk management maturity level of participants for the foregoing categories and Data and API access requirements and the roles and responsibilities of participants which include provider, consumer, fintechs and developer community.
One of the key components of the open banking regulatory framework is the operation and maintenance of the Open banking registry. To further boost the open banking system, CBN published its operational guidelines on open banking in May 2022, where the open banking registry is defined as a public repository for details of registered participants. The OBR shall be maintained for the purposes of providing regulatory oversight on participants, enhancing transparency in the operations of open banking and ensuring that only registered institutions operate within the banking system ecosystem.
In comparison, the Indian open banking policy is largely facilitated by Account Aggregators, which has been developed by the Reserve Bank of India through a master direction. Account Aggregators are impartial third party operators, and are merely channels through which data will pass based on consent, as they are not allowed to access, store or utilise the data handled by them. They are impartial third party operators and operate a strict consensus model, wherein there is authorization agreement between the customer, the bank and themselves.
Once a customer grants consent that their specific data may be shared with particular Fintech seeking it for the mentioned purpose for a certain period, the Account Aggregators procure same from the bank holding the data and deliver it to the Fintech Company (FC). Based on that, the FC may offer new financial services to the consumer. The customers also have the option of revoking their consent in respect of the time period, the Fintech and the particular data shared.
The model is very similar to what obtains in the UK where the regime of open banking is government regulated through the Open Banking Standard, which is part of the Open Banking Implementation Entity, wherein a data sharing or API framework is prescribed and enforced by independent parties, to tackle the competitive concerns. On the other hand, the US open banking framework is largely industry-driven, though the country is considering a possible regulatory mechanism.
For Fintech companies, open banking could help lenders get a more accurate picture of a consumer’s financial situation and risk level in order to offer more profitable loan terms. It could also aid consumers get a more accurate picture of their own finances before taking on debt. For instance, a mortgage app for customers who want to buy a property could automatically calculate what customers can afford based on all the information in their accounts. Open banking can also help small businesses save time through online accounting and help fraud detection companies better monitor customer accounts and identify problems sooner.
It will open up a huge market for technology companies involved in embedded finance, as these startups may have to re model their business and work closely with banks to scale the business. It will help these startups in improving customer journeys, gaining access to customer data, increasing customer lifetime value and creating new revenue lines.
However, convenience and simplicity may come at the expense of losing more control of a customer’s money, a reduction in privacy/security and a more complex marketplace. One key challenge of open banking is data policy which is to ensure that access to personal data is handled according to the preferences of the individuals it affects. In Nigeria, the Nigeria Data Protection Regulation (NDPR) establishes the obligations of the data controller and processor to ensure that the rights of the data subject are respected as data is transferred for analysis and value extraction. The CBN operational guideline provides that API consumers shall comply with the Nigeria Data Protection Regulation or any CBN issued data protection regulation for financial institutions to protect customer data.
Under the guideline, consent is required from customers whose data may be required by a service provider to avail them of financial products and services. For consent obtained from a customer to be valid, the guidelines provide that the API consumer must make full and total disclosure of its identity to the customer amongst other requirements.
In addition, API providers shall only share information of a customer with an API consumer upon presentation of a valid proof of consent by the customer, and shall authenticate such consent to ensure it emanates from its customer. Authentication of end-users and the validation of information to be shared with the API consumer shall be done directly by the API provider using prescribed authentication mechanisms. Also, API consumers shall comply with the extant Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) in Banks and Other Financial Institutions in Nigeria Regulation.
In conclusion, the operational guideline aims to ensure that open banking players use security systems to protect consumer data, and that consumers have full control over what information they wish to make available to third-party companies. The onus now lies with the fintech companies to leverage on this initiative to deepen financial inclusion and offer better banking services to customers. Globally, the adoption of open banking has led to the deepening of API banking platforms by financial institutions, thereby leading some banks to go fully digital, transformation of multiple payment/lending fintechs into neobanks, verticalization of finance, as traditional financial activities will get customised to the needs of each industry vertically, launch and entry of international neobanks focused on SMEs/unbanked, and enlarged funding round for fintechs.
Chuma Akana, managing partner of Chestter Law LP, has his practice area in Fintech and Intellectual Property law. He can be reached via email@example.com, and is on Linkedin at www.linkedin.com/in/chuma-akana