Open Banking refers to banks and other financial institutions opening up data for regulated providers to access, use, and share. Ensuring security for a data-sharing project such as open banking is paramount, and banks are effectively putting in place the infrastructure for their customers’ data to be shared more securely with third parties, with customer permission. That data sharing takes place only with customer authorization is important. Open banking wasn’t designed to allow banks to sell their customers’ data more easily.
The intention is quite the opposite — open banking was conceived to improve financial services for customers by opening up access to data that has historically been kept in-house; new companies and new products can enter the market and use this data in helpful, innovative ways.
So what does it all mean?
- For financial service providers — At the top of the chain, open banking will allow financial service providers to significantly innovate their product offerings to businesses.
- For businesses (large and small) — Those innovations made by financial service providers will mean more effective and efficient financial tools in your business — notably payments. This will mean more automation, freeing up more time, doing away with the headaches of manual tasks, and ultimately saving you money.
- For customers — Open banking will mean better ways to spend, borrow, and invest.
Why is it important/relevant?
The promotion of Open Banking holds the promise of bringing about innovation in the banking industry. Fintechs typically take up positions that traditional banks cannot fill. Ensuring a good open banking system will mean greater efficiencies leading to better services and, ultimately, better customer experiences. The banks and the fintechs create a data-sharing network, which could be used to create more robust customer profiles and information, understand spending habits, and aid in better risk modeling, which in turn will help reduce risk, particularly for institutions providing credit facilities.
In addition, open banking will necessitate new technology to bolster existing banking systems and will, in turn, provide efficiencies and profits that will exceed the investment required for these technologies. It’s a WIN-WIN situation.
What was the situation prior to the regulation?
Open banking, particularly in Nigeria, has been largely unregulated. Fintechs have low regulatory barriers to entry and face hardly any oversight compared to traditional banks (no banking licenses required). As such, the fintech industry in Nigeria has been expanding at a significantly high rate over the past five years. Numerous apps are available for consumers; some have become household names: Quickteller, Paga, Carbon, Piggyvest, etc.
However, as with any industry that sees such rapid expansion, the risks posed and faced by this industry become more apparent. When it comes to Open Banking, two prominent issues need to be addressed.
The first issue is privacy. This refers to the privacy of customers’ banking information that the banks share with third-party financial service providers. By regulation, banks are not allowed to share customers’ banking information without their consent. As such, customers making use of third-party financial service providers are required to agree to the providers’ “Terms of Service,” in which the customer will agree to the provider being granted access to certain information about the customer from the banks. Once the customer agrees to these terms, the banks can then grant the provider access to the information through the API. This part is all fine and well and is standard practice. However, once the provider gains that information, no strong regulatory framework dictates what they can and can’t do with that information.
The second issue is security: the security of the customers’ information and the security of the banking systems. Due to the lack of a strong regulatory framework for the providers and fintechs, the requirements for the protection and security of customers’ information are vague at best. While this could be considered an existential threat to the providers, which they would have to address prior to commencing business, there are no guarantees of security, monitoring, or oversight.
Also, with regard to security, the providers and the APIs being employed create extra points of vulnerability to the banking system. Of course, customers’ information is at risk, but the customer account information and access to the accounts could also be compromised. In Nigeria, the recent alleged hacking of Flutterwave is a good case in point. It is alleged that hackers got into Flutterwave’s systems and were able to move NGN 2.9bn to a number of different accounts. Flutterwave is a payment system provider, not a money deposit bank, so where did the NGN 2.9bn come from? From Flutterwave’s customers’ bank accounts. It is important to note that Flutterwave has publicly denied this alleged hacking, but this highlights what is potentially at risk here.
Why is CBN putting out guidance for it?
The CBN initially put out a circular for the regulatory framework for Open Banking in Nigeria in February 2021. This framework covered some critical issues regarding Data and Service Access Governance, Guiding Principles for API specifications, Risk Management guidelines, Customer Rights, Responsibility, and Redress mechanism.
In furtherance of the released framework, the CBN in March 2023 approved the operational guidelines for Open Banking in Nigeria. While the regulatory framework addressed the overarching issues regarding open banking in Nigeria, the operational guidelines seek to tackle the more granular operational issues faced by third-party financial providers.
In conjunction with the regulatory framework, the operational guidelines should alleviate the risk and security concerns surrounding open banking in Nigeria.
What does the guidance mean for Nigerian markets?
These guidelines mean that financial institutions and fintech companies will have stricter requirements to adhere to in order to ensure the security of customers’ information and their systems.
However, there are a few points that are important to note.
The level of monitoring and oversight that the CBN will do on fintech companies is not certain. It is expected that it will not be at the level of oversight provided to the traditional banks, but whether it will be effective enough to fully rein in the fintech industry is yet to be seen.
While the CBN guidelines for open banking are directed more toward the fintechs, the traditional banks have their roles to play in ensuring a viable open banking environment in Nigeria. Banks need to update their third-party risk management frameworks and policies to incorporate Open Banking into their risk management considerations.
H. Pierson Advisory Team