OPEN SESAME #1: A DISCUSSION ON THE NEW OPERATIONAL GUIDELINES FOR OPEN BANKING IN NIGERIA
This series would slowly build up towards breaking down the Data Access Agreement/Service Level Agreement components of the Master Agreements as required by Appendix V of the Guidelines - Operational
If you spend money, I think you should have a quest for decent financial literacy. If you operate a bank account in Nigeria, you ought to know what’s going on in the industry where your money sleeps. And if you are a business owner or you offer professional services, then the obligation to understand the specifics of the financial industry is even higher.
In Nigeria, many people believe that there is room for a truckload of improvements in the banking and financial sector, and I agree with this argument. However, Nigeria has a pretty advanced arrangement of financial system regulations. I highly regard this, and I express this opinion ever so often.
The Central Bank of Nigeria (CBN) finally issued the Operational Guideline for Open Banking in Nigeria on March 7, 2023. This is coming just a little over two years after it released the Regulatory Framework for Open Banking on February 17, 2021.
STRUCTURE OF THE OPEN BANKING GUIDELINES
After studying the Guideline, I discovered that it can be grouped into 6 major sections:
Legal Agreements
Data and Information Treatment
Monitoring and Reporting
Business Operations
Technical Security Standards
Risk Management
FOCUS OF THIS SERIES
As we walk through this series analysing this fresh banking Guideline, I don’t want to waste time by merely repeating the content of the document. You can as well read it for yourself, since it is written in fairly simple language.
I want to create a different kind of value, so this series will slowly build up towards breaking down the Data Access Agreement/Service Level Agreement components of the Master Agreements as required by Appendix V of the Guidelines - Operational Readiness Checklist. It's a daring challenge, but we can do it. Matters in the other categories can be explained by other experts in those fields.
I am taking this approach so that we can put the Guidelines into a context that we can appreciate: the financial services ecosystem. So as we work through the Agreements, we will make reference to the parts of the Guidelines that guide the terms needed in these Agreements.
Oh, have I mentioned that this is not legal advice? Okay, this is not legal advice, please consult your professional (I am curious to know what Open Banking components are being built, so I'm available to consult).
DISAMBIGUATING THE OPEN BANKING ECOSYSTEM
OPEN BANKING
I really do not want to explain what Open Banking is, as there are quite a number of posts out there that explain it. However, I want to set a background that does not require you to leave this article to read yet another article on Open Banking. I will oversimplify in the following paragraphs, but it will be more than enough to get you started, especially as a lawyer who will soon need to prepare to have your clients in compliance with the Guidelines, or as a startup operator who needs a basic idea of what you need to do.
Open Banking is the sharing of financial data. Yes, it is that simple, and I have framed it that way so that the implications of Open Banking can be immediately appreciated. Too many times, we tend to shroud the meaning of things in too many layers of fancy jargon, which makes it difficult to appreciate the implications because you need to unwrap the layers first. Now that we know that Open Banking is the sharing of financial data, we know that the bulk of the work to be done revolves around data protection. Now we can start to add layers to this base meaning, as opposed to unwrapping layers.
WHAT DOES THE SHARING OF DATA HAVE TO DO WITH BANKING?
Let us look at the current financial system that exists. The only providers of financial services are licensed entities. For banking, you either use a licensed bank such as GTBank, or a fintech that does not have a licence itself, but whose essential services, such as the keeping of your deposits, are hosted by a sponsoring licensed bank.
To oversimplify, licensed activities generally involve:
taking money from the public for safekeeping (think of banking and savings apps)
taking money from the public for investment (think of banking and savings apps)
facilitating payments
other activities that involve trusting the service provider to hold your money
However, there are some other services you use that make up your financial lifestyle, but which do not necessarily attempt to hold or deal with your money. Think about budgeting apps, for instance. They are an essential part of your financial lifestyle, but they do not fall within the activities that require a licence.
If you use a budgeting app, this is what would usually happen. When you get to the grocery shop and make payments, you manually open your budgeting app and input the amount spent as well as the item it was spent on. This can get very, very tedious, and you would probably need a reminder to track your spending.
Let’s look at the same scenario with Open Banking in play. Here is what happens instead. Your budgeting app gains your permission to receive your financial details from your bank. Your bank OPENS up your BANKING data to the budgeting app. Now, when you make a payment, your budgeting app knows the amount you have spent and even what you spent it on. Let me explain: every merchant has a merchant code that identifies what kind of business it is engaged in. So when you pay at a petrol station with your card, your bank shares that the payment happened at a merchant categorized as a petrol station. The same thing happens when you pay at a restaurant: the payment detail is shared. Now, when you open your budgeting app, you do not have to manually fill in spending details; they are already there. Easy, right? TrakkaHQ, a Nigerian budgeting app, relies on Open Banking to provide this exact service.
So you understand now that Open Banking allows related financial services to provide personalized services to users by tailoring them to the users' financial data.
WHAT KIND OF FINANCIAL DATA IS SHARED?
The CBN recognizes four categories of data that can be shared (Section 4.1 Regulatory Framework for Open Banking). Each of these also carries a Risk Rating (Section 4.2 Regulatory Framework for Open Banking).
Understanding these categorizations forms the basis for permissible activities under the Open Banking System in Nigeria.
Product Information and Service Touchpoints (PIST): “include information on products provided by participants to their customers and access points available for customers to access services e.g. ATM/POS/Agents locations, channels (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc.”
Think of it this way, instead of going on Google to manually check the prices and fees of Piggyvest and Cowrywise, a fintech can collate this data as PIST and have a product providing comparative analysis to help you decide between similar products. Instead of going on Google to search for what banks still support international payments with debit cards, a fintech can collate this as PIST and display a comparative table for you.
This kind of information is rated Low Risk.
Market Insight Transactions (MIT): “include statistical data aggregated on basis of products, service, segments, etc. It shall not be associated to any individual customer or account. These data could be exchanged at an organizational level or at an industry level.”
Think of statistics such as total amount of FX sent into Nigeria from people abroad, total volume of transactions in a year. The sort of things that you would usually read from Stears Business.
This kind of information is rated Moderate Risk.
Personal Information and Financial Transaction (PIFT): “include data at individual customer level either on general information on the customer (e.g. KYC data, total number or types of account held, etc) or data on the customer’s transaction (e.g. balances, bills payments, loans, repayments, recurring transactions on customer’s accounts, etc)”
This is getting to the very personal part of open banking. The part that allows others to see your financial information as it relates to you.
This kind of information is rated High Risk.
Profile, Analytics and Scoring Transaction (PAST): “include information on a customer which analyses, scores or give an opinion on a customer e.g. credit score, income ratings etc.”
This takes PIFT further to profile a customer, such as by assigning creditworthiness. This would most likely be used by third-party services that rate a customer's creditworthiness and then recommend to loan services whether the customer should be given a loan.
This kind of information is rated High Risk & Sensitive.
WHO CAN ACCESS WHAT KIND OF DATA?
The CBN recognizes four categories of participants in the Open Banking system in Nigeria, and they are ranked into tiers (Section 5.1 Regulatory Framework for Open Banking).
Each tier has the categories of data it can access:
Participants without regulatory licence are ranked Tier 0 and can access Product Information and Service Touchpoints (PIST) and Market Insight Transactions (MIT).
Participants in CBN Regulatory Sandbox are ranked Tier 1 and can access Product Information and Service Touchpoints (PIST), Market Insight Transactions (MIT) and Personal Information and Financial Transaction (PIFT).
Licensed Payments Service Providers and OFIs are ranked Tier 2 and can access Product Information and Service Touchpoints (PIST), Market Insight Transactions (MIT), Personal Information and Financial Transaction (PIFT) and Profile, Analytics and Scoring Transaction (PAST).
Deposit Money Banks are ranked Tier 3 and can access Product Information and Service Touchpoints (PIST), Market Insight Transactions (MIT), Personal Information and Financial Transaction (PIFT) and Profile, Analytics and Scoring Transaction (PAST).
Of course, an obvious question comes to mind. A lot of the players in the Open Banking system do not have a licence, as their activities do not require one.
Budgeting apps and the like do not necessarily have a licence, so they are Tier 0.
However, they need to access Personal Information and Financial Transaction (PIFT) to be able to view your transactions and record them. Yet Tier 0 cannot access PIFT. So should they have to acquire a financial licence only because they need to access PIFT?
It would seem that the CBN recognizes this and provides for the concept of “Sponsored Participants” and “Sponsoring Participants”. Section 5.2.1 of the Regulatory Framework for Open Banking implies that Tier 0 participants must have a Tier 2 or Tier 3 Participant sponsoring them.
According to Section 5.2.1 of the Regulatory Framework for Open Banking:
i. The on-boarding requirements for Tier 0 Participants shall be determined by respective sponsoring Tier 2 or Tier 3 participants;
ii. Upon on-boarding the Tier 0 Participant, the sponsoring Tier 2 or Tier 3 participants, within 3 working days of on-boarding the Tier 0 participant shall register the Tier 0 participant on the Open Banking Registry to be maintained by the Central Bank of Nigeria;
iii. The sponsoring Tier 2 or Tier 3 participants shall seek the registration of the Tier 0 participants on the Open Banking Registry with a comprehensive risk assessment report, duly signed by the Chief Risk Officer of the sponsoring participant, carried out on the Tier 0 participant.
Section 2.0 of the Operational Guidelines for Open Banking provides the following definitions:
Sponsored Participants - Tier 0 & Tier 1
Sponsoring Participants - Tier 2 & Tier 3
To this extent, Participants without a licence and Participants in the CBN Regulatory Sandbox must have a Sponsor.
Further to this, Section 8.1.2.4 of the Operational Guidelines for Open Banking says that:
The details, roles and responsibilities of sponsored participants and direct third parties shall be included in the contract and the sponsoring participant shall be responsible for the execution and performance of the contract.
This is why apps that allow you to connect your bank details list the banks with which they have entered the required legal arrangements as the only supported banks that can be linked to the app.
HOW IS DATA ACCESSED?
Application Programming Interface (API) is one term you will come across a lot when you start to deal with Open Banking, and as a lawyer or business consultant, you will see it more times than you might be comfortable with.
Fortunately, you do not need to even know exactly how it works on a technical level. I only understand it because I took a gap year and while at it, I learnt how to code because I thought I wanted to be a developer (I am not quite sure that I want to any more, haha).
Let’s look at what you need to know. I am oversimplifying, again, but it is sufficient knowledge. When you open your banking app, it takes a little moment for your account balance to load up, right? When you select transaction history, it takes a few seconds for it to load up as well. This is because those details are not stored on your phone; they are stored in an online database. The storage looks something like this (oversimplified, but useful for you to visualize):
{
"name": "John",
"surname": "Paul",
"age": 30,
"accountType": "Savings",
"accountBalance": 3000
}
When you open your bank app, it sends a request to the database to give it the information it needs, and it then displays it to you. The app was made by your bank, and it has an identifier that allows it to access the database, i.e. your Application Program has an Interface to communicate with the database. No other app outside your bank can access the information.
With Open Banking, the Bank that holds your data is agreeing to throw its Interface open so other Application Programs can access the database and retrieve information that you have permitted them to access.
Now, when your budgeting app tries to connect to the Bank’s database, the ‘conversation’ between the two would go something like this:
Budget App: Hey, bank I need to get John Paul’s account balance, previous transaction history and future transaction history.
Bank Database: Huh, who are you and why do you think I would give you a user’s financial information?
BA: Oh, erm, John Paul asked me to do this. Here is his consent form, signed, and his authorization letter.
BD: Hmm, let me look at this… Okay this looks right, except for one tiny detail. John Paul only agreed to give you his future transaction history. He did not agree to share his account balance or previous transaction history.
BA: Oh, I thought I could use one consent for all data.
BD: Nope, Clause 3.2(iii) in Appendix II of the Operational Guidelines says that you must inform the user of the type and purpose of data requested specifically and the user must authorise each of them individually.
This conversation happens in split seconds, because apps are way faster than humans, and it happens through the API checking codes, permissions and so on.
Oversimplified, but that is the API, for people who know nothing about APIs.
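The conversation above, as an added example that is not part of this article or of the CBN's Guidelines: a small authorisation check such as a bank's API gateway might run on the Budget App's request. The tier-to-category matrix follows the article's summary of Section 5.1 and the per-item consent rule follows its reading of Appendix II clause 3.2(iii); the data type names are constructed, and it assumes (the page does not say this) that a sponsored Tier 0/1 participant's request is evaluated against its sponsor's tier.

```python
# Added example, not from the article or the CBN guidelines: the Budget App /
# Bank exchange as an authorisation decision at a bank's API gateway. Tier
# matrix follows the article's summary of Section 5.1; the per-item consent
# rule follows its reading of Appendix II clause 3.2(iii). Names are constructed.
from dataclasses import dataclass

TIER_ACCESS = {0: {"PIST", "MIT"}, 1: {"PIST", "MIT", "PIFT"},
               2: {"PIST", "MIT", "PIFT", "PAST"}, 3: {"PIST", "MIT", "PIFT", "PAST"}}
# Constructed mapping from concrete data types to the CBN data categories.
DATA_CATEGORY = {"account_balance": "PIFT", "past_transactions": "PIFT",
                 "future_transactions": "PIFT", "credit_score": "PAST"}

@dataclass
class Consent:
    data_types: tuple        # types covered; 3.2(iii) wants exactly one per consent
    purpose: str             # purpose disclosed to the customer for that type
    authorised: bool = True

def effective_tier(tier, sponsor_tier=None):
    """ASSUMED rule (not on the page): a sponsored Tier 0/1 participant's
    request is evaluated against its Tier 2/3 sponsor's tier."""
    if tier in (2, 3):
        return tier
    return sponsor_tier if sponsor_tier in (2, 3) else None

def evaluate_request(tier, sponsor_tier, requested, consents):
    """requested: {data_type: purpose}. Returns {data_type: decision string}."""
    eff = effective_tier(tier, sponsor_tier)
    if eff is None:
        return {d: "denied: no Tier 2/3 sponsor on record" for d in requested}
    decisions = {}
    for dtype, purpose in requested.items():
        category = DATA_CATEGORY.get(dtype)
        if category not in TIER_ACCESS[eff]:
            decisions[dtype] = f"denied: {category} not accessible at Tier {eff}"
            continue
        # Clause 3.2(iii): a consent must name this single type and this purpose.
        ok = any(c.authorised and c.data_types == (dtype,) and c.purpose == purpose
                 for c in consents)
        decisions[dtype] = "granted" if ok else "denied: no individual consent"
    return decisions

if __name__ == "__main__":
    # Only future transactions were authorised individually; the bundled consent
    # is the "one consent for all data" the bank rejects in the conversation.
    consents = [Consent(("future_transactions",), "budget tracking"),
                Consent(("account_balance", "past_transactions"), "budget tracking")]
    req = dict.fromkeys(["account_balance", "past_transactions", "future_transactions"], "budget tracking")
    for d, v in evaluate_request(0, 3, req, consents).items():
        print(d, "->", v)
```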
NEXT STEPS
Now that we have put the technicalities behind us, we shall over the course of this series consider the legal arrangements needed for the Data Access Agreement/Service Level Agreement components of the Master Agreements as required by Appendix V of the Guidelines - Operational Readiness Checklist. See you tomorrow, or next week or something.