Open banking – revolution or risk?


29 May 2020

Banking & Financial Services Nigeria

Open banking (ie, the authorised provision of consumer banking data to third parties through application programming interfaces) looks set to drive innovation and competition in the banking sector to the benefit of customers. However, the financial services industry should be aware of the potential risks associated with open banking, including market concentration, data compliance concerns, hacking and data breaches, risks to financial privacy and the resulting liability of banks.

 




General overview

Can you provide a general overview of open banking in your jurisdiction?
Open banking is in its infancy in Nigeria. Typically, parties to an open banking arrangement in Nigeria are the consumer (payer or payee), the consumer's bank and third-party financial providers (TPPs). TPPs licensed by the Central Bank of Nigeria (CBN) include:

  • payment services solution providers;
  • mobile money operators;
  • other financial institutions, for example:
    • micro finance banks;
    • primary mortgage institutions;
    • finance houses;
    • development finance banks;
    • super agents;
    • payment terminal services providers;
    • web portals; and
    • payment service banks.

Open banking in Nigeria may also involve new players such as electricity distribution companies, accounting firms and a myriad of other utility service providers, which aim to enhance their service delivery to the public through data analytics available by virtue of open banking.(1)

While open banking has the potential to revolutionise the Nigerian banking industry, some of the essential infrastructure needed for it to thrive is still lacking. For instance, the industry is yet to agree common application programming interface (API) standards. Thus, licensed third-party providers may have to separately connect to individual banks given the disparate interface specifications in the industry. Such a process imposes significant costs, time and effort compared with a truly open API framework.

With respect to regulation, there is currently no comprehensive regulatory framework for open banking operations in Nigeria. However, some CBN, Nigerian Communication Commission and National Information Technology Development Agency regulations apply. Relevant CBN regulations include:

  • the CBN Guidelines on Mobile Money Services in Nigeria 2015;
  • the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria 2016;
  • the CBN Guidelines on International Money Transfer Services in Nigeria; and
  • the CBN Guidelines for Licensing and Regulation of Payment Service Banks in Nigeria 2018.

However, in 2018 the Open Technology Foundation launched Open Banking Nigeria to work with other stakeholders to develop and advocate for open API standards in Nigeria. In addition to these private efforts, the CBN released a request for information (RFI) document on 14 May 2019 on Formulations of a Payment Systems Vision 2030 (PSV 2030). In its RFI, the CBN prioritised open banking in the development of PSV 2030. The CBN is currently working on an exposure draft on open banking guidelines in Nigeria, which is expected to give much-needed direction to the industry.

How does open banking benefit banks, as it is performed by third-party service providers?
In Nigeria, open banking is currently performed by third-party providers as well as digital banking arms of some traditional banks. There are some banks that believe open banking could lead to the weakening of customer relationships as customers could deal directly with TPPs. As a result, some banks are developing competing platforms of their own (eg, Wema Bank Plc's ALAT).

While open banking comes with risks, it has the potential to provide considerable benefits to all players in the financial services sector. The benefits of open banking to banks in Nigeria include the following:

  • As customers' needs become more diverse and traditional banks cannot provide the solutions craved by customers, open banking can help to develop better financial products through data gathered from third-party providers. For example, banks can use data gathered from various TPPs to assess a borrower's likelihood of repaying loans, their financial position and goals and purchasing preferences. Banks will be better placed to understand consumer financial behaviour and trends and can offer more valuable financial products.
  • Open banking APIs give banks a new method of increasing digital revenue. One such new revenue stream includes bank charges on TPPs for customer data access per transaction. Whereas banks could previously offer only additional financial products and services contingent on banking data to their own customers, they can now serve customers of other banks, with the potential of significantly more revenue.(2)
  • Banks may actively assist such TPPs by offering additional functionality, dedicated support or even developmental collaboration. In exchange, third parties can return the favour with various non-monetary offerings (eg, additional product functionality for the bank in question or cross branding).
  • Open banking forces banks to improve their digital infrastructure, which enables data to be used better internally to improve customer experience, thereby increasing customer lifetime value.
  • Banks already have strong brands and are better placed to provide the additional role as a centralised repository of personal data that can be accessed by approved TPPs (eg, electricity distribution companies) through open data agreements.

AML concerns

What should the banking industry do to address the anti-money laundering (AML) concerns associated with open banking (eg, if a service is wholly online and there is no way to provide or verify original documents, how will such concerns be addressed)?
Such concerns can be adequately addressed by appropriate processes. According to the relevant CBN regulations on money laundering and know-your-customer (KYC) requirements, TPPs must obtain appropriate documentary proof of identification and other required information, all of which can be submitted electronically, as provided for under the relevant KYC requirements and regulations.

The regulations further provide that in instances of non-face-to-face identification, an additional measure or check should be undertaken as a supplement to the documentary or electronic evidence in order to ensure that the applicant is who they claim to be. No specific additional measures are provided for in the regulations; however, the measures used must ensure that sufficient documentary or electronic evidence to confirm the address and personal identity of the customer is provided. These additional measures or checks should be applied to all applicants regardless of where they reside and should be particularly thorough where the applicant requests a bank account or other product or service that provides a financial transmission or third-party payment.

The bank verification number (BVN) system, which provides each enrolled customer with a traceable unique customer identification number, may be used for the deterrence, prevention, detection and mitigation of AML concerns in the banking industry. Biometric and demographic data is captured in the BVN central database system during the enrolment process and a unique identification number is generated for each customer. Collected biometric data is then compared against the biometric data of all enrolled customers for confirmation purposes prior to the issuance of the number. The BVN is then linked to all of the customer's bank accounts to ensure that enrolment is not duplicated and that information regarding the customer's activity, specifically in the instance of suspicious activity, may be made easily available.

Blockchain technology may additionally be implemented as a form of KYC verification. Blockchain is a data structure that captures transactional records and stores the information within 'blocks' which may be accessed only by authorised persons. Customer identification data may be stored in such blocks and banks and other financial institutions that wish to access such information will be required to send a request to the blockchain platform to gain access thereto. This system allows for users to maintain ownership of the data while providing access to third parties. This blockchain-based KYC system is already being implemented by companies such as IBM.

How can banks or other providers build a know-your-customer (KYC) environment where open banking services are provided online, considering that banks or providers might be unable to assess customer feasibility directly?
As stated above, online KYC is permitted in the regulations governing TPPs. Banks and other providers can enable an online KYC environment by collaborating with TPPs and ensuring that they implement adequate technology required for an effective eKYC system, including technology for the purposes of obtaining, verifying, processing, maintaining and updating identification information obtained from customers. Technology which may be employed by banks and other providers in the implementation of an effective eKYC system includes the following:(3)

  • Photos and scans of identification documents may be provided, the details of which can then be digitised using optical character recognition (OCR). OCR can extract textual data for the purposes of determining the authenticity of the documents. The collected and digitised data may then be compared with internal bank databases and external databases (eg, AML and combating the financing of terrorism databases).
  • Video calls enable comparison between customer and identification documents (eg, passports, driver's licences and national ID cards) and additionally enable a semblance of face-to-face interaction with prospective customers. Facial recognition software may be implemented during a video call to determine the authenticity of identity.
  • Digital signatures, text messages and recorded verbal agreement may be used for authorisation purposes.
  • Blockchain technology may be used to store necessary customer information in a secure, decentralised platform.

Apps

App providers rarely have local offices and end users will most likely not have the resources to prosecute abroad, making the relationship and recourse to justice unequal. What can be done to safeguard consumers in this respect?
Unfortunately, a consumer who is unable or does not have the necessary resources to prosecute an app provider that has no local office or local assets against which a judgment may be enforced faces an uphill battle to obtain justice or remedy against that app provider.

Under Nigerian law, the options available to such a consumer are limited. The consumer may seek the assistance of the Federal Competition and Consumer Protection Commission (FCCPC) and other regulatory bodies, which may use their offices to protect or provide a remedy to the consumer.

As most apps have an international user base, with whose regulatory requirements must app providers comply?
All app providers registered in Nigeria and licensed by the CBN will be required to comply with the regulatory requirements stipulated by the CBN and other relevant regulatory authorities in Nigeria whether or not they have an international user base.

However, an app provider that provides services to Nigerian users on an offshore basis will not ordinarily be subject to Nigerian regulatory requirements unless it is deemed to be carrying on business in Nigeria, in which case it will be required to register as a Nigerian company and be licensed by the CBN.

However, an app provider providing products to Nigerian users on an offshore basis will at a minimum be required to comply with data protection or privacy law in Nigeria. The processing of personal data including app services is regulated by the Nigeria Data Protection Regulation (NDPR).

All app providers are advised to have a simple and conspicuous privacy policy in place. The policy must contain:

  • the data subject's consent;
  • a description of collectable personal information;
  • the purpose of the private data collection;
  • details of the technical methods used to collect and store personal information (eg, cookies and web tokens);
  • details of third-party access;
  • available remedies in the event of violation;
  • details of a remedy timeframe; and
  • details of a limitation clause, if any.

The NDPR provides that data processors, including app providers, must ensure that data processing complies with the purpose consented to by the data subject and that any data obtained is stored for only the period for which it is needed and is secured against all foreseeable hazards and attacks.

Consumer protection

How can banking customers be sure that their financial data will not be used by unauthorised open banking providers or shared among other unauthorised parties? What kind of data protection can banks provide customers?
In addition to the data protection rights outlined in the NDPR, banks are bound by the CBN Consumer Protection Regulations (CPR), which place a responsibility on banks to protect customer information and assets entrusted to them from theft, unauthorised access and unauthorised disclosure. Further, the CPR holds banks accountable for acts or omissions which arise in respect of the CPR. The CPR stipulates that in order to ensure data protection and privacy, banks must:

  • obtain written consent from consumers authorising the collection and processing of their personal data for specific purposes and provide the option of withdrawal of consent at any time;
  • not transfer consumers' personal data to a third party without obtaining their express consent, except in instances of compliance with a legal obligation;
  • inform consumers whenever their data is exchanged with an authorised third party and supply details of the exchange;
  • review data processing and privacy procedures in order to ensure the continued validity of the purpose for which the initial consent was granted; and
  • maintain accurate and updated customer data at all times.

Will customers be updated by their banks (where they have provided their consent to share their financial data) about which open banking providers have been authorised?
Customers will be updated in line with the CPR. See the first consumer protection answer above.

Will banks or third-party providers be liable to consumers for data breaches, unauthorised payments or defective payments?
The CPR requires that banks obtain the express consent of customers before transferring their personal data to a third party. However, the CPR provides no penalties for data privacy breaches, but instead incorporates penalties provided under enabling laws and regulations such as the NDPR.

In addition to potential civil liabilities, the penalties for a breach of the NDPR are:

  • in the case of a data controller dealing with more than 10,000 data subjects, a fine of 2% of its annual gross revenue in the preceding year or N10 million, whichever is greater; or
  • in the case of a data controller dealing with fewer than 10,000 data subjects, a fine of 1% of its annual gross revenue in the preceding year or N2 million, whichever is greater.

Market concentration

What can financial regulators do to prevent market concentration and the emergence of a dominant player in the open banking market?
One of the drivers of open banking is the desire to foster competition between traditional or incumbent banks and TPPs. Thus, the emergence of a dominant player in the open banking market stifles competition and defeats the primary objective of promoting a fairer, more efficient and competitive financial services market.

The prime regulator of competition in Nigeria is the FCCPC. The FCCPC can prevent market concentration and the emergence of a dominant player in the open banking market by enforcing the FCCP Act 2018.

The FCCP Act contains provisions that prohibit the abuse of a dominant position and cartel arrangements between companies or TPPs, and that confer the power to break up companies that are deemed to be monopolistic in nature or that abuse their market dominance.

Revolution or risk?

Do the benefits of open banking outweigh the potential pitfalls?
Open banking could lead to unintended consequences with potentially harmful implications unless the potential pitfalls are effectively managed from the outset. The risks associated with open banking include privacy breaches, cybercrime and fraud. As stated above, the CBN has prioritised open banking in its PSV 2030. It is believed that comprehensive open banking guidelines (in addition to Nigerian privacy and anti-cybercrime laws) will help to mitigate the risks associated with open banking in Nigeria.

A potential pitfall of open banking in Nigeria is the likelihood that banks and TPPs will technically exclude customers with low credit quality. It is recommended that dynamic products which cater for all customers with varying credit scores should be developed to manage the risk of financial exclusion.

Traditional Nigerian banks (like their counterparts in the European Union when the EU Payment Services Directive (2015/2366/EC) (PSD2) was being formulated) are concerned that open banking will weaken the relationship between banks and their customers or lead to the loss of customers to fintechs or TPPs. The operation of the PSD2 has shown that TPPs are a new customer base for banks that can develop and innovate in consumer-facing areas that banks might not be resourced enough to tackle. Further, the authentication and identity management part of this new evolving ecosystem still rests solely with the account-holding banks.(4)

Open banking is a relatively new concept in Nigeria, and this means that a lot of trial and error situations are yet to come. However, the following benefits far outweigh the risks posed by open banking in Nigeria:

  • In its Financial Inclusion Newsletter of July 2019, the CBN disclosed that adult financial inclusion targets will reach 95% in Nigeria by 2024. Open banking can help Nigeria to reduce its approximately 60.1 million unbanked population (which is the highest worldwide).
  • Open banking also has the potential to extend the services of traditional banks. With better customer insights (eg, customers' spending patterns), new products more suited to customers' needs will typically emerge.
  • Open banking has already begun to change the landscape. It affords customers greater control across all their bank accounts and greater choice. As such, customers will enjoy competitive pricing and value for their money having been given a larger number of financial products or service providers from which to choose.
  • New business channels and opportunities are likely to start strongly in Nigeria as a result of open banking (eg, business offerings such as comparison sites and centralised KYC management). While these businesses are not prevalent in Nigeria due to a lack of public information such as loan rates, current account returns and fixed deposit rates, open banking provides the opportunity for this type of business to take off in Nigeria.

In conclusion, open banking can help to unlock the potential of the payment services industry in Nigeria. According to CBN data, mobile money transaction volume rose by 333% between 2018 and 2019, while the volume of internet transactions rose by 104% from 50.82 million in 2018 to 103.5 million in 2019. This upward trend is poised to continue. With a comprehensive open banking guideline, some of the biggest concerns listed above can be mitigated.

For further information on this topic please contact Oludare Senbore, Ebube Akabueze or Oluwaseun Ayansola at Aluko & Oyebode by telephone (+234 1 462 8360 71) or email (oludare.senbore@aluko-oyebode.com, ebube.akabueze@aluko-oyebode.com or oluwaseun.ayansola@aluko-oyebode.com). The Aluko & Oyebode website can be accessed at www.aluko-oyebode.com.

Endnotes

(1) NIBSS Position Paper on Open Banking (December 2018).

(2) Thomas Bush, "6 Reasons for Banks to Embrace Open Banking", 6 February 2020.

(3) Deloitte, "Digital Onboarding for Financial Services: A must have for digital natives".

(4) The Bank as Universal Digital Trusted ID Provider, a white paper produced by Finextra in association with HID Global, October 2018.
