Breaking Down the Operational Guidelines for Open Banking in Nigeria

The Central Bank of Nigeria (CBN),  as parts of its efforts to stabilize and deepen the financial system, issued the Operational Guidelines for Open Banking in Nigeria (the “Guidelines“), on the 7^th of March 2023 to all Deposit Money Banks, Mobile Money Operators and Payment Service Providers.

The Guidelines set out detailed provisions on the duties and expectations for participants in the open banking ecosystem. It will enable the building of customer-focused financial products and services and also  enhance efficiency, healthy competition, and access to drive financial inclusion of millions of unserved and underserved people in Nigeria.

What is Open Banking?

Open banking is a financial services innovation that allows Third-Party Providers (TPPs) to access customers’ financial information and build services based on it, to create competition and promote innovation in the financial industry. Through open banking, the financial data of consenting customers can be shared between banks and TPPs, allowing TPPs to directly provide products and services to the customers.

For example,  as a small business owner looking to access a loan facility, open banking allows the business to aggregate your banking data across multiple financial institutions, and securely prove your creditworthiness to Lending TPPs. 

Nigeria is one of the African countries that have shown keen interest in open banking and has expressed that interest through the issuance of the Guidelines to regulate the ecosystem. The Guidelines outline the rules and procedures that all parties involved in open banking must follow, including ensuring the safety and security of the customers’ financial data. It also provides a framework for how TPPs can access and use bank data to provide their services. 

By the Guidelines, financial institutions are also required to develop and publish open API (Application Programming Interfaces) specifications that conform to the international standards for open banking. The API specifications must enable secure and efficient access to customer data and must be tested and certified by the CBN before they can be made available to TPPs.

Who are Third-Party Providers?

Third-Party Providers (TPPs) are organizations that provide services to bank customers using open banking APIs (Application Programming Interfaces). These organizations are not banks themselves but may offer a range of services including account aggregation, payment initiation, and financial advisory. TPPs can be categorized into three types:

1. Account Information Service Providers (AISPs): These are TPPs that provide services that allow customers to access and aggregate information from their bank accounts and other financial institutions in one place. This information can be used to help customers better understand their finances and make informed financial decisions.

2. Payment Initiation Service Providers (PISPs): These are TPPs that provide services that allow customers to initiate payments directly from their bank accounts. This can include making payments to merchants, paying bills, and transferring money between accounts.

3. Card-Based Payment Instrument Issuers (CBPIIs): These are TPPs that issue payment cards, such as credit or debit cards, that are linked to a customer’s bank account. These cards can be used to make payments to merchants or withdraw cash from ATMs.

As a leading payment technology company that enables individuals, governments, and businesses across Africa and the rest of the world to perform cross-border transactions seamlessly and globally, Flutterwave operates as a Payment Initiation Service Provider (PISP) and Card-Based Payment Instrument Issuer (CBPII). As a PISP, Flutterwave Store allows businesses to create online stores and accept payments directly from customers’ bank accounts or cards. As a CBPII, Flutterwave offers a virtual card service that enables customers to own virtual cards for making online purchases and enables businesses to create and manage virtual cards for their customers or employees

In addition to our payment capacities and comprehensive reach, Flutterwave’s Fintech as a Service (FaaS) provides APIs that allow developers to build custom payment solutions and integrate them with other financial services. This ensures other startups are able to start and take their fintech product to market in a record time. Our APIs support a range of programming languages and provide access to features such as payment processing, refunds, and fraud management.

Overall, Flutterwave is a key player in the African fintech ecosystem committed to providing payment infrastructure and services that enable businesses and individuals to transact more easily and securely across borders. Our recent partnership with Token.io–a leading open-banking-powered payment infrastructure provider in Europe, further reiterates that commitment.  

Key Provisions of the Guidelines

• Licensing/Authorization Requirements: The CBN requires all TPPs to obtain a license before they can offer open banking services in Nigeria. The licensing process is aimed at ensuring that only credible and qualified TPPs are allowed to access customers’ financial information. The TPPs must be registered with the CBN and meet certain requirements, including having a minimum capital base of NGN250,000,000.00(Two Hundred and Fifty Million Naira Only) and adhering to CBN’s risk management guidelines. The CBN will also carry out a fit and proper test on the directors and senior management of the TPPs.

• Customer Consent: Before any TPP can access a customer’s financial information, they must obtain the customer’s consent. The customer must be fully informed of the data that will be accessed, how it will be used, and who will have access to it.

• Data Privacy, Data Security and Data Protection: Players in the open banking ecosystem are also required to comply with the Nigerian Data Protection Regulation (NDPR) and any other CBN-issued data protection regulation for financial institutions, while ensuring constant protection against data breaches. TPPs are required to comply with these measures, and failure to do so can result in the revocation of their license.

• Liability: The liability incurred as a result of any fraudulent activity or data breach is borne by the TPP. The TPP is required to have adequate insurance coverage to cover any losses that may arise from such incidents.

• Dispute Resolution: Dispute resolution is an important aspect of open banking. The Guidelines require TPPs to have a dispute resolution mechanism in place to resolve disputes with customers or other financial institutions. It also empowers the CBN to intervene in disputes between TPPs and financial institutions.

• Consumer Protection: The Guidelines contain measures to ensure that customers are protected from unfair practices by TPPs. These include providing customers with the right to dispute any unauthorized transactions and the right to have their financial information deleted from the TPP’s system.

• Interoperability and Standardization: Interoperability and standardization are critical components of open banking. To promote competition and innovation, the CBN requires all TPPs to use a common set of standards and protocols that will enable them to share information with each other. This is done using APIs that are interoperable with the APIs of other TPPs and financial institutions.

• Transaction Limits: The Guidelines set transaction limits for open banking transactions and the TPPs are required to comply with them. These limits are designed to prevent fraud and protect customer funds, and are based on the level of KYC (know your customer) carried out by the TPPs.

• Reporting Requirements: TPPs are required to render regular reports to the CBN on their activities in open banking. The reports are designed to provide the CBN with an overview of the state of open banking in Nigeria and to enable the CBN to monitor compliance with the operational guideline.

Conclusion

The adoption of open banking practices promises benefits to the customers, TPPs and other players in the ecosystem. These benefits include more opportunities for collaboration between financial institutions, access to better customer experience, and improved customer-focused products and services. 

However, the accompanying security risks are significant as abuse of customer data or incidents of security breaches could increase.  Be that as it may, proper implementation of the Guidelines as issued by the CBN would enable customers to have better control over their financial data and generally ensure the safe operation of open banking in Nigeria. 

Flutterwave is committed to ensuring that safety is front, center, and back of open banking in Nigeria and believes that synergy with regulators, active collaboration among all stakeholders, and raising customers’ awareness about the Guidelines are fundamental strategies to achieving that.

Written by Chinemerem Henry Akanwa with contribution from the Flutterwave Legal Team.