An Overview of CBN’s Operational Guidelines for Open Banking in Nigeria

By a Circular dated 7^th March 2023, the Central Bank of Nigeria (CBN) released the “Operational Guidelines for Open Banking in Nigeria” (‘the Guidelines’). The Guidelines set out rules for sharing the data/information of customers between participants in the open banking system. Although not defined in the Guidelines, open banking system may be defined as the exchange of the data of an entity’s customers with other entities for the purpose of providing innovative financial services. Thus, the Guidelines recognize the right of customers to privacy and data protection and set out the rules for engaging in open banking in Nigeria. It among other things, stipulates technical requirements/considerations for operating in the open banking system, identifies the risks associated with open banking to include cyber security, data privacy and integrity, product management, money laundering and regulatory compliance, and outlines the rules to manage these risks.

In this article, we highlight some salient provisions of the Guidelines such as who the participants in open banking are, the obligations of participants, regulatory oversight functions, policies/frameworks to be formulated by participants, reporting obligations, intellectual property issues and risk management.

Participants in Open Banking Operations

These are the organizations/persons who may engage in the exchange of customers’ data for the purpose of providing/receiving innovative financial services. Participants in open banking are classified based on the roles and the services they provide as follows:

1. API Providers;
2. API Customers; and
3. Customers.

API providers (APs) are those who use Application Programming Interface (API) to avail data or service to another participant. They can be licensed financial institutions, fast-moving consumer goods (FMCG) companies such as cosmetics, beverages, drugs, etc. companies, retailers, payroll service bureau, etc.

API Customers (ACs) are those that use API released by APs to access data or service. They are the recipients of API containing the data or service of other customers.

Customers as participants are the data owners who shall be required to provide consent for the release of their data for the purpose of accessing financial services. They may provide consent whilst filling out a form, etc.

Open Banking Registry

By the Guidelines the CBN is expected to maintain and provide an Open Banking Registry (‘the Registry’). The Registry is charged with regulatory oversight functions for participants in open banking. Participants in open banking are required to be registered with the Registry and their details are to be held by the Registry. The Registry is also to maintain an API interface which would serve as the primary means by which API providers manage the registration of their API customers.

Responsibilities of API Providers and API Consumers

The Guidelines set out several responsibilities which APs and ACs are expected to comply with. These responsibilities provide rules for ensuring accessibility of open banking systems and procedures, transparency, cybersecurity, privacy protection, etc.  Some of these responsibilities are:

1. Configuration management: APs and ACs are required to keep detailed inventory of open banking system configuration items in accordance with current Information Technology Infrastructure Library (ITIL) Standards. They are also to have automated configuration management (CM) processes and a configuration management policy.
2. Execution of a Service Level Agreement (SLA): They are required to execute an SLA which is to contain provisions on accounting and settlement, fee structure, reconciliation of bills, registration, and sponsorship responsibilities. The fee structure is also to be publicly disclosed on their websites and applications.
3. They are to ensure that all systems required for open banking are available, functioning optimally and meet up with the minimum standards on service monitoring, incident management, performance monitoring and event logging.
4. They are to ensure that they meet the minimum performance standards for open banking systems. The Guidelines outlines several key performance indicators (KPIs) to ascertain compliance with the minimum performance standards. One of such KPI is that where the average API total processing time is less than 3 seconds, it would be considered as ‘operational’, where it is less than or equal to 7 seconds, it would be considered as ‘suspect’, and where it is greater than 7 seconds, it would be considered as ‘critical’.
5. APs and ACs are required to maintain Business Continuity Plan (BCP) which are to among other things, indicate the architecture of the Online Transaction Processing (OLTP) and Online Analytical Processing (OLAP) infrastructure, trigger events, processes for failover and fail-back, and includes quarterly failover exercises and review of processes. The Guidelines also sets the threshold for failover and fail-back procedures as ’30 minutes of downtime’. They are also required to implement Disaster Recovery Plans (DRP) which may also be entrenched in the BCP. The plans are to be tested every 6 months. Whilst CBN is to oversee testing procedures, it is the responsibility of ACs and APs to provide the facilities for testing.
6. They are to ensure that they have problem management systems in place. The problem management system is aimed at managing incidents known to be recurring and which are not resolved under the SLAs. APs and ACs are to maintain a Problem Register which is to be made available to regulators, auditors, risk, and control teams within the organization. The problem management system is to be always electronic, or cloud based.
7. They are to ensure compliance with interface requirements. Some of these requirements are ensuring that interfaces between APs and ACs are 100% electronic, the data interchange format must be JavaScript Object Notation (JSON) and ensuring that the data standard for financial transactions are model based on ISO 20022 or any other global applicable minimum standard.
8. ACs and APs are to ensure that they maintain best competition practices. They are to comply with the provisions of section 2 of the Code of Conduct for the Nigerian Banking Industry which guards against unethical practices/unprofessional conducts by persons in the banking industry.
9. They are to ensure that the data in their possession is well protected and are to set up effective information security management systems and are to ensure compliance with technical security standards and minimum-security principles as contained in US NIST CSRC.
10. Change management obligations. They are required to collate change requirements and plan the changes for the next month. Changes to be made, whether pre-emptive or responsive are to be reported with sufficient details and in accordance with the prescribed notifications to be sent to all stakeholders that may be affected by such changes. The notifications are to be made in the following order:
     
    • 24 hours before the intended change
    • 1 hour before the intended change.
    • Immediately the change has been completed and the services have been confirmed restored.
    • 30 minutes after the change should have been completed but has been prolonged or failed.
    • At the point of commencing a change rollback.
    • When the services have been restored.
11. APs and ACs are required to have secure real-time communication platforms for first level incident responders within their organizations and respective ACs/APs for incident notification, investigation, and resolution. Emails are however not sufficient communication channels for incident management in open banking. The communication platforms are to accommodate text voice and video conferencing as effective modes of communication.
    
    

Termination of Agreement between Participants.

Any participant desirous of terminating a relationship is required to give the other party 20 business days’ notice of such termination. Where the relationship is terminated without notice due to fraud, abuse of service, etc. the AP is required to provide the AC with a report justifying the termination within 2 business days.

Policies/Frameworks to be Formulated under the Guidelines

ACs and APs are required to formulate the following policies:

1. Data Governance Policies. These policies are to govern the way APs and ACs handle the data of customers. They are to be approved by a committee of its Board of Directors or at minimum, an executive management committee.
2. Data Ethics Framework. The Data Ethics Framework is to provide the principles for collecting, collating, storing, analyzing, processing, etc. data. The Framework is also to provide consistent procedures for the documentation, verification, etc. of data to ensure compliance with extant laws and regulations.
3. Data Breach Policy. This policy is aimed at preventing, managing, assessing, reviewing, etc. data breach.
4. Configuration Management Policy. This Policy is to be approved by the AP’s or AC’s executive or board level information technology steering committee or an equivalent body not less than executive level.
5. Risk Management Framework. This Framework is to set out guiding principles for the management and mitigation of risks. Participants are to have a risk management committee which is to consist of at least three members of senior management cadre.

Rendition of Returns/Reporting Obligations

One of the ways CBN safeguards the privacy rights of customers and ensure data security under the Guidelines is by mandating ACs and APs to render periodic returns to the CBN. The returns are to state the volume and value of transactions, the number of users, success and failure rates, security and fraud incidents, downtime reports and any other information as CBN may require from time to time.

Participants are also required to introduce an incident reporting portal to enable easy, efficient, and fast reporting of cybersecurity breach incidents.

ACs and Aps are to provide monthly API Consumers Reports to each other indicating among other things, statistics of incidents/problems, SLA compliance and aggregate impact in downtime or loss of service, the number and category of Fraud and Disputes with accompanying SLA performance, and the excerpts of the problem register indicating new, existing, and resolved problems.

ACs and APs are also required to make ‘Customer Reports’ to customers who have subscribed to one or more ACs stating among other things, transcript of ACs activities on the use of customer-permissioned data shall be provided to the customers at the minimum every month or for a period less than a month as may be requested by a customer, a transcript of each AC’s activities against the customer’s account/wallet for at least the last 30 days, etc.

Data Sharing

The Data of individuals is an intangible yet sensitive asset. The Guidelines provide for rules for data sharing with other (outsourced) service providers as well as between APs and ACs. Before APs share the data of a customer with ACs, they are to obtain the consent of the customer and authenticate the consent to ensure it emanates from the customer. This is to be done by putting in place Two Factor Authentication (2FA). The AC on the other hand is also required to furnish the customer with certain information such as its legal name, CAC registration number, means of identification in the open banking registry, access type and duration, means of withdrawal of consent, etc. for the consent obtained to be valid.

Intellectual Property

The Guidelines make provisions on IP issues and stipulates that the IP rights in any data or other information would always remain with the participant/party whom such data emanated from. Thus, parties are to be mindful of this provision while drawing up Agreements to ensure that no clause runs contrary to this stipulation.

Resolution of Complaints

By the Guidelines, participants are to stipulate how customers can lodge their complaints during the customer’s onboarding. Where there is a complaint, participants are required to acknowledge receipt of the complaint within 24 hours and are to resolve the complaint within 48 hours of its receipt.

Conclusion

It is important to emphasize that the Guidelines only applies to the exchange of data for the purpose of providing innovative financial services in Nigeria. Any organization that controls the data of its customers is now allowed to exchange it with other entities for the purpose of providing innovative financial services in Nigeria. However, before the information of customers are shared, their consents must be obtained, authenticated by API provider, and validated by the API customer. The Guidelines provides minimum security measures and risk management systems to be put in place to protect the information of customers. It sets out rules that would guard against the violation of the privacy rights of customers while promoting efficiency, financial inclusion, healthy competition, and customers’ access to services available to them in the financial service industry.

--

Read the original publication at Goldsmiths Solicitors.