29 May 2020
Open banking (ie, the authorised provision of consumer banking data to third parties through application programming interfaces) looks set to drive innovation and competition in the banking sector to the benefit of customers. However, the financial services industry should be aware of the potential risks associated with open banking, including market concentration, data compliance concerns, hacking and data breaches, risks to financial privacy and the resulting liability of banks.
Can you provide a general overview of open banking in your jurisdiction?
Open banking is in its infancy in Nigeria. Typically, parties to an open banking arrangement in Nigeria are the consumer (payer or payee), the consumer's bank and third-party financial providers (TPPs). TPPs licensed by the Central Bank of Nigeria (CBN) include:
Open banking in Nigeria may also involve new players such as electricity distribution companies, accounting firms and a myriad of other utility service providers, which aim to enhance their service delivery to the public through data analytics available by virtue of open banking.(1)
While open banking has the potential to revolutionise the Nigerian banking industry, some of the essential infrastructure needed for it to thrive is still lacking. For instance, the industry is yet to agree common application programming interface (API) standards. Thus, licensed third-party providers may have to separately connect to individual banks given the disparate interface specifications in the industry. Such a process imposes significant costs, time and effort compared with a truly open API framework.
With respect to regulation, there is currently no comprehensive regulatory framework for open banking operations in Nigeria. However, some CBN, Nigerian Communication Commission and National Information Technology Development Agency regulations apply. Relevant CBN regulations include:
However, in 2018 the Open Technology Foundation launched Open Banking Nigeria to work with other stakeholders to develop and advocate for open API standards in Nigeria. In addition to these private efforts, the CBN released a request for information (RFI) document on 14 May 2019 on Formulations of a Payment Systems Vision 2030 (PSV 2030). In its RFI, the CBN prioritised open banking in the development of PSV 2030. The CBN is currently working on an exposure draft on open banking guidelines in Nigeria, which is expected to give much-needed direction to the industry.
How does open banking benefit banks, as it is performed by third-party service providers?
In Nigeria, open banking is currently performed by third-party providers as well as the digital banking arms of some traditional banks. Some banks believe that open banking could weaken customer relationships, as customers could deal directly with TPPs. As a result, some banks are developing competing platforms of their own (eg, Wema Bank Plc's ALAT).
While open banking comes with risks, it has the potential to provide considerable benefits to all players in the financial services sector. The benefits of open banking to banks in Nigeria include the following:
What should the banking industry do to address the anti-money laundering (AML) concerns associated with open banking (eg, if a service is wholly online and there is no way to provide or verify original documents, how will such concerns be addressed)?
Such concerns can be adequately addressed by appropriate processes. According to the relevant CBN regulations on money laundering and know-your-customer (KYC) requirements, TPPs must obtain appropriate documentary proof of identification and other required information, all of which can be submitted electronically, as provided for under the relevant KYC requirements and regulations.
The regulations further provide that in instances of non-face-to-face identification, an additional measure or check should be undertaken as a supplement to the documentary or electronic evidence in order to ensure that the applicant is who they claim to be. No specific additional measures are provided for in the regulations; however, the measures used must ensure that sufficient documentary or electronic evidence to confirm the address and personal identity of the customer is provided. These additional measures or checks should be applied to all applicants regardless of where they reside and should be particularly thorough where the applicant requests a bank account or other product or service that provides a financial transmission or third-party payment.
The bank verification number (BVN) system, which provides each enrolled customer with a traceable unique customer identification number, may be used for the deterrence, prevention, detection and mitigation of AML concerns in the banking industry. Biometric and demographic data is captured in the BVN central database system during the enrolment process and a unique identification number is generated for each customer. Collected biometric data is then compared against the biometric data of all enrolled customers for confirmation purposes prior to the issuance of the number. The BVN is then linked to all of the customer's bank accounts to ensure that enrolment is not duplicated and that information regarding the customer's activity, specifically in the instance of suspicious activity, may be made easily available.
Blockchain technology may additionally be implemented as a form of KYC verification. Blockchain is a data structure that captures transactional records and stores the information within 'blocks' which may be accessed only by authorised persons. Customer identification data may be stored in such blocks and banks and other financial institutions that wish to access such information will be required to send a request to the blockchain platform to gain access thereto. This system allows for users to maintain ownership of the data while providing access to third parties. This blockchain-based KYC system is already being implemented by companies such as IBM.
How can banks or other providers build a know-your-customer (KYC) environment where open banking services are provided online, considering that banks or providers might be unable to assess customer feasibility directly?
As stated above, online KYC is permitted in the regulations governing TPPs. Banks and other providers can enable an online KYC environment by collaborating with TPPs and ensuring that they implement adequate technology required for an effective eKYC system, including technology for the purposes of obtaining, verifying, processing, maintaining and updating identification information obtained from customers. Technology which may be employed by banks and other providers in the implementation of an effective eKYC system includes the following:(3)
App providers rarely have local offices and end users will most likely not have the resources to prosecute abroad, making the relationship and recourse to justice unequal. What can be done to safeguard consumers in this respect?
Unfortunately, a consumer who is unable, or does not have the necessary resources, to prosecute an app provider that has no local office or local assets against which a judgment may be enforced faces an uphill battle to obtain justice or a remedy against that app provider.
Under Nigerian law, the options available to such a consumer are limited and such a consumer may seek the assistance of the Federal Competition and Consumer Protection Commission (FCCPC) and other regulatory bodies which may use their offices to protect or provide a remedy to such a consumer.
As most apps have an international user base, with whose regulatory requirements must app providers comply?
All app providers registered in Nigeria and licensed by the CBN will be required to comply with the regulatory requirements stipulated by the CBN and other relevant regulatory authorities in Nigeria whether or not they have an international user base.
However, an app provider that provides services to Nigerian users on an offshore basis will not ordinarily be subject to Nigerian regulatory requirements unless it is deemed to be carrying on business in Nigeria, in which case it will be required to register as a Nigerian company and be licensed by the CBN.
However, an app provider providing products to Nigerian users on an offshore basis will at a minimum be required to comply with data protection or privacy law in Nigeria. The processing of personal data including app services is regulated by the Nigeria Data Protection Regulation (NDPR).
The NDPR provides that data processors, including app providers, must ensure that data processing complies with the purpose consented to by the data subject and that any data obtained is stored for only the period for which it is needed and is secured against all foreseeable hazards and attacks.
How can banking customers be sure that their financial data will not be used by unauthorised open banking providers or shared among other unauthorised parties? What kind of data protection can banks provide customers?
In addition to the data protection rights outlined in the NDPR, banks are bound by the CBN Consumer Protection Regulations (CPR), which place a responsibility on banks to protect customer information and assets entrusted to them from theft, unauthorised access and unauthorised disclosure. Further, the CPR holds banks accountable for acts or omissions which arise in respect of the CPR. The CPR stipulates that in order to ensure data protection and privacy, banks must:
Will customers be updated by their banks (where they have provided their consent to share their financial data) about which open banking providers have been authorised?
Customers will be updated in line with the CPR. See the first consumer protection answer above.
Will banks or third-party providers be liable to consumers for data breaches, unauthorised payments or defective payments?
The CPR requires that banks obtain the express consent of customers before transferring their personal data to a third party. However, the CPR provides no penalties for data privacy breaches, but instead incorporates penalties provided under enabling laws and regulations such as the NDPR.
In addition to potential civil liabilities, the penalties for a breach of the NDPR are:
What can financial regulators do to prevent market concentration and the emergence of a dominant player in the open banking market?
One of the drivers of open banking is the desire to foster competition between traditional or incumbent banks and TPPs. Thus, the emergence of a dominant player in the open banking market stifles competition and defeats the primary objective to promote a fairer, more efficient and competitive financial services market.
The prime regulator of competition in Nigeria is the FCCPC. The FCCPC can prevent market concentration and the emergence of a dominant player in the open banking market by enforcing the FCCP Act 2018.
The FCCP Act contains provisions that prohibit the abuse of dominant position, the ability of companies or TPPs to enter into cartel arrangements and the power to break up companies that are deemed to be monopolistic in nature or that abuse their market dominance.
Do the benefits of open banking outweigh the potential pitfalls?
Open banking could lead to unintended consequences with potentially harmful implications unless the potential pitfalls are effectively managed from the outset. The risks associated with open banking include privacy breaches, cybercrime and fraud. As stated above, the CBN has prioritised open banking in its PSV 2030. It is believed that comprehensive open banking guidelines (in addition to Nigerian privacy and anti-cybercrime laws) will help to mitigate the risks associated with open banking in Nigeria.
A potential pitfall of open banking in Nigeria is the likelihood that banks and TPPs will technically exclude customers of low credit quality. It is recommended that dynamic products which cater for all customers with varying credit scores should be developed to manage the risk of financial exclusion.
Traditional Nigerian banks (like their counterparts in the European Union when the EU Payment Services Directive (2015/2366/EC) (PSD2) was being formulated) are concerned that open banking will weaken the relationship between banks and their customers or lead to the loss of customers to fintechs or TPPs. The operation of the PSD2 has shown that TPPs are a new customer base for banks that can develop and innovate in consumer-facing areas that banks might not be resourced enough to tackle. Further, the authentication and identity management part of this new evolving ecosystem still rests solely with the account-holding banks.(4)
Open banking is a relatively new concept in Nigeria, which means that much trial and error is yet to come. However, the following benefits far outweigh the risks posed by open banking in Nigeria:
In conclusion, open banking can help to unlock the potential of the payment services industry in Nigeria. According to CBN data, mobile money transaction volume rose by 333% between 2018 and 2019, while volume of internet transactions rose by 104% from 50.82 million in 2018 to 103.5 million in 2019. This upward trend is poised to continue. With a comprehensive open banking guideline, some of the biggest concerns listed above can be mitigated.
For further information on this topic please contact Oludare Senbore, Ebube Akabueze or Oluwaseun Ayansola at Aluko & Oyebode by telephone (+234 1 462 8360 71) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Aluko & Oyebode website can be accessed at www.aluko-oyebode.com.