OPEN SESAME #2: DATA ACCESS/SERVICE LEVEL AGREEMENT FOR OPEN BANKING IN NIGERIA
Today we look at the clauses needed in the Data Access/Service Level Agreement required by the Open Banking Guidelines
Last week, we started off with the background knowledge required to understand the Operational Guidelines for Open Banking in Nigeria (OGOB/the Guidelines) as issued by the Central Bank of Nigeria (CBN). Today we dive into the crux of this series, which is the Service Level Agreement required to be entered into by participants in the Open Banking ecosystem.
Section 8.1.2 of the OGOB mandates:
A Service Level Agreement (SLA) shall be executed between API providers and API consumers to govern the relationships between the parties
The Guidelines mention “SLA” about nineteen (19) times, each time stipulating some mandatory matters that must be addressed in the SLA or some minimum service levels that must be achieved in the SLA.
The Data Access Agreement is mentioned just once in Appendix V of the Guidelines, which lists out the “Operational Readiness Checklist”.
What is a Service Level Agreement (SLA)?
Two things make Service Level Agreements different from other agreements:
It provides very specific responsibilities to the parties to the arrangement by setting out a minimum expected level of service to be provided (hence the name being ‘service level’!). Think of it as managing the expectation of the parties to the contract.
To that extent, it cannot be effectively drafted by a lawyer alone; it requires the active involvement of technically competent persons in the field concerned to stipulate the minimum level of service (which is usually very technical).
So the SLA is two things at once:
A legal agreement
A technical specification manual
Forms of a Service Level Agreement (SLA)
As to the form, there are two approaches to drafting an SLA:
The dual agreements approach, which consists of:
A Master Service Agreement containing the general boilerplate legal terms and conditions, e.g. a Machine Support Maintenance Agreement
A Service Level Agreement containing the technical responsibilities of both parties as related to the Master Agreement, e.g. Machine Support Maintenance Service Level Agreement
This seems to be the approach that the CBN has in mind in Appendix V of the Guidelines - Operational Readiness Checklist, where it lists the requirement of “Master Agreements” and two requirements under it as “Data Access Agreement” and “Service Level Agreement”.
The single agreement approach, where there is just one agreement with clauses that handle the technical matters and the legal matters.
This is the approach I am going to take: I am going to make a single document that is an API Licensing/Data Access/Service Level Agreement.
Remember, we said last week that “Open Banking is the sharing of financial data” and that “Application Programming Interfaces (APIs) are how financial data is shared”. This is why the Agreement is not called an “Open Banking Agreement” and is instead called a “Data Access/API Licensing/Service Level Agreement”. You know, because at the core, it is an agreement to get access to Data through a suite of APIs that should meet some specified level of service.
Clauses required in the Data Access/Service Level Agreement
Recital - Summary of the purpose of the Agreement, nature of parties in terms of Tier, etc.
Definitions - Technical terms defined here before subsequent use in the document
Grant of Licence to Use API - Exclusive or Non-Exclusive, sublicensing allowed or restricted, reference to API specification document, etc.
Conditions Precedent to Connection - Reference to required tests, security standards, policy document, disclosure if any third-party vendor (such as Very Good Security) is in use, etc., to be provided before data access can take place
Intellectual Property Rights - The Guidelines take a weird approach by stipulating some base intellectual property arrangement regarding the APIs and source codes; I think this should have been left for parties to decide. Perhaps it is potentially a void provision; the CBN does not own the intellectual property in the APIs of the parties.
Fee Structure, Accounting and Settlement, Reconciliation of Bills - The Guidelines require that these matters be stipulated in the SLA (see Clauses 8.1.2.1, 8.1.2.2 and 8.1.2.3). So we need to take care to ensure ease of amendment too.
Duties of the Sponsoring Participant - Duties of the API Provider. Extremely technical bits, references to technical standards and appendixes
Duties of the Sponsored Participant - Duties of the API User. Extremely technical bits, references to technical standards and appendixes
Data Access - Authentication and Tokens
Incident Response - Steps and timelines to resolve incidents such as unauthorized access, failure of API service, etc.
Compensation for Bank customers - Establish how to navigate monetary compensation for customers where a fault is from the API provider or API user, etc.
Monitoring, Supervision and Reporting - The Guidelines contain strict rules on these matters and the need to report to the CBN; this clause fixes the duty on the parties as may be required.
Limitation of Liability - When each party would not be responsible for damage or the extent to which such liability is capped, etc
Linked Service Providers - Where the API has another service provider it relies on, how to navigate and handle connection and protect user data. The Guidelines say a thing or two as well.
Prohibition - A list of unacceptable acts. Helps to prevent liability as well by being able to rely on a breach of an express provision of the contract.
Suspending Access to API - Terms to allow you to cease access to the API to prevent loss and damages and legal liability
Handling Data - This is a crucial bit and should cover stringent requirements for protecting user data
Change Management - How to handle changes to the API structure or service without causing interruptions that can affect customers, the notice period for changes, etc. Again, the Guidelines provide some timelines and I don't think this is within the purview of the regulator.
Termination - How to finally end the data-sharing arrangement for good
General Terms and Conditions - Some requirements in the Guidelines do not fit into themes that we can group. We dump them here.
Dispute Resolution - The Guidelines again have some weird provisions that make the CBN some sort of adjudicator. I consider it unnecessary, but hey, we have to comply.
Drafting Template Clauses Open Source
I want to embark on a side project to draft up sample template clauses for the Data Access/Service Level Agreement required for the Open Banking endeavour.
I would however need a lot of help, and I think we could have some fun doing this together as a community.
If you are a lawyer, and you are willing to donate time to this endeavour, please reach out to me by email.
If you are a startup operator or a software engineer in the open banking field, I need you for the technical bits of this agreement. Please reach out to me by email.
Finally, if you are willing to donate some financial support to my endeavours to keep this newsletter running, monetary donations would go a long way. This would cover costs such as my internet access, paid research resources, spa dates etc.
I really do not want to create a paid-tier subscription to my newsletter, and I would not have to if goodwill donations can cover the costs. You can make a goodwill donation here. There is no cap on the amount.
If you want to discuss paid sponsorship, you can reach out to me by email.
See you again, soon.
Post-credits: Today’s episode was edited by Feyisekemioluwa Akande and Olugbemilke Olushuyi. Thank you so much.