Nigeria’s Central Bank deserves some commendation for publishing a well thought-out Open Banking Framework. Here are 6 (six) compliance/operational and time-critical takeaways from CBN’s new Open Banking Regulations, for Nigerian Fintechs and Financial Institutions.

 

  1. The Open Banking Regulations do not specify a cut-off date by which API platforms, Developer Communities, Fintechs, and Banks and Other Financial Institutions (BOFIs) must comply with the Open Banking Regulations. In practice, compliance will typically be driven by the compliance teams within BOFIs, who would usually require Fintechs and API platforms to comply with relevant central banking regulations as a condition precedent for new and continuing partnerships. Regardless, it is advisable for API platforms, Fintechs and BOFIs to take immediate steps to comply with the Open Banking Regulations.

  2. To be able to operate legally in Nigeria, developer communities (like the Open Banking Initiative) will also need to comply with the Open Banking Regulations. Understandably, such developer communities may not have a commercial imperative to secure a CBN License. However, it appears that the intention of the Open Banking Regulations is for such developer communities to obtain Open Banking registration either as an unlicensed entity or as a sandbox entity and to also be officially listed in the Open Banking Registry.

  3. BOFIs now have a mandatory obligation to review the entirety of pre-existing API partnerships with API platforms and other Fintechs to the extent that such engagements require access to any of the categories of consumer financial data provisioned under the Regulations.

  4. The Open Banking Regulations make it mandatory for participants to submit disputes between them to the CBN for arbitration before resorting to any litigation or commencement of judicial process. The CBN is yet to announce or empanel an arbitral panel for this purpose. If one thinks about how swiftly any such disputes need to be resolved, it would be prudent for industry stakeholders or for developer communities like the Open Banking Initiative to assemble a panel of experts, to which participants may first, willingly, submit their disputes for resolution.

  5. API platforms and other Fintechs which have had direct API integrations with BOFIs prior to the issuance of the Open Banking Regulations must now comply with the Open Banking Regulations. This means that such API Platforms and Fintechs will now have to obtain a CBN license to continue to access customer financial data through BOFIs. Where an API Platform/Fintech decides to continue its operations without a CBN license, BOFIs will have to limit their access to customer financial data based on the risk classifications in the Open Banking Regulations. There are generally two paths for entities without a CBN License. The first is to continue without a CBN license, in which case such API platforms and Fintechs would only have access to product and market insight information from BOFIs. The other option is to join the CBN Sandbox, in which case access to consumer financial data will be limited to only product, market insight and personal/financial transaction information of bank customers. In either case, unlicensed entities will require a CBN licensed sponsor and a listing in the Open Banking Registry to be able to operate legally.

  6. With enterprise-facing API platforms, it is mostly in the Fintech interface that bank customers will be provided with the first opportunity to give consent to the use of their financial data. The Open Banking Regulations mandate that customer consent must meet certain UX, security and consent validation protocols. For this reason, Fintech customers of API Platforms will need to rework their consent management structure to comply with the Open Banking Regulations and with CBN’s Consumer Protection Framework. In point of fact, the Open Banking Guidelines require all participants to comply with their consent management provisions. The practical implication of this provision is that BOFIs and API platforms must obtain consent separately from the customer and per transaction.

Some of the consent management requirements stipulated in the Open Banking Regulations are reproduced below:

  1. “The agreements presented to the customer by the participant shall be simple, explicit and in the customer’s preferred language;
  2. The agreement shall be presented to the customer’s preferred form including written, electronic, video or audio;
  3. Customer’s consent shall be obtained in the same form the agreement was presented and a copy of the consent of the customer shall be made available to the customer and preserved by the participant;
  4. The specific rights which the customer will be granting to the participant and the implication of granting those rights to the participant shall be listed for the customer to consent to separately for each right to be given to the participant;
  5. The consent of the customer shall be re-validated annually and where the customer had not used the service of the partner for 180 days;
  6. The responsibility of the customer for his/her protection shall be clearly communicated to the customer at the on-boarding stage;
  7. The participant shall avail the customer with security updates regularly in his/her preferred form and language to help him or her conduct transactions safely”

Please note that the foregoing does not constitute legal advice. For support specific to your situation, kindly reach out to your Balogun Harold contact or via support@balogunharold.com.