Open Banking in Nigeria

Central Bank of Nigeria

Nigeria

An encrypted token shall be made upon verification to reflect the details of the rights granted to the AC by the customer. This token must be validated by the AP for every API call made to read a customer’s information or conduct transactions on a customer’s account. Consent management is divided into a Consent Stage, followed by an Authentication Stage.

The categorisation of APIs includes direct debit, bill payments, virtual accounts and card creation.

Not yet available

v1 / 7 Mar 2023

API Providers shall be required to have:

A Configuration Management (CM) policy approved by its Executive or Board Level IT Steering Committee or equivalent governance body not less than Executive level:

• Automated CM processes

• A log of all changes within the CM system, audited on a quarterly basis, or more frequently, and defined in the approved CM

A configuration database with the following architecture:

• Logical listing of system types

• Definition of configuration items per system type

• Physical listing of systems and specifications of each configuration item per system type

• Diagramming tool that reads off the inventory to typify the architecture of the systems showing connections and dependencies

• A diagnostic assessment tool for the functional status of the configuration items and points of failure in the system

The CBN approach outlines a comprehensive list of Open Banking standards, including direct debits, transactions, payments, virtual accounts and card creation.

The consent management steps outline a consent system which is explicit, fully informing the customer of the data being accessed, time-bound, capable of being opted out, and easily understood. 

Emphasis was outlined in the framework for accessibility for all interested parties, interoperability across technologies, platforms and organisations, robustness, modularity, a good user-experience and ensuring data privacy and safe exchanges.

The CBN will provide an Open Banking Registry (OBR) for regulatory oversight, transparency, and to moderate participants.

A service level agreement between API providers and consumers is required.

Open Banking

• Account information
• Payment initiation (transactions)

Consent must be explicit with the conditions easy to understand. All consent is time-bound with an option to explicitly opt-out.

The overall consent management is structured into stages: 

1. The Consent Stage, where time-bound, explicit consent is provided. 

2. Authentication Stage

3. Authorisation Stage, where a timestamp and permissions scope of consent is recorded.

Throttling/Rate Limiting
Message Signing & Encryption
Token Format and Expiry: JWT
METHOD Access and Control
Global Runtime Policies

• Authentication:
  OAuth 2.0, OpenID Connect, FAPI, Security Assertion Markup Language (SAML) 2.0
• Authorisation:
  OAuth 2.0, oISO 10181-3 – Access Control Framework, FAPI
• Encryption:
  Transport Layer Security (TLS) v 1.2, RSA Public/Private Key, AES, Secure File Transfer Protocol (SFTP)
• Data Integrity:
  JSON Web Token (JWT), WS-Security, Keyed Hash Message Authentication Code (HMAC)
• Secure Hosting:
  ISO 27001, ISO 22301, PCI DSS

The non-profit advocate for Open Banking in the country, Open Banking Nigeria, who represents one of the committees that wrote the draft guidelines, released a developer site based on their own specifications.

In February 2021, the CBN released their framework for Open Banking, outlining the data sharing across the banking and payments ecosystem.

The scope of the framework included payments and remittance services, collection and disbursement services, deposit-taking, credit, personal finance advisory and management, treasury management, credit ratings/scoring, mortgages and leasing/hire purchase.

The operational guidelines were then released in May 2022.

A Data Governance policy shall be approved by a Committee of the Board of Directors or at a minimum an Executive Management Committee of the AC. The policy should cover their approach to data collection, analysis and sharing, the intended outcomes of the data-driven service on customer and society. 

Participants shall abide by the dispute resolution mechanism laid down under “Liability Management, Customer Complaint and Redress Management” of the Customer Experience Standards (Appendix IV) as well as the CBN Consumer Protection Framework.

API providers shall:

• Monitor infrastructural and API levels performance – internally monitor hardware, hypervisor, operating system, and application environment metrics at the functional level.
• Collect performance metrics for all API transactions – these metrics shall be frequently stored.
• Implement monitoring processes that alert (visually or otherwise) first-level support personnel to identify suspicious and critical level occurrences.

Incidence management is outlined, covering functional, performance and systemic operations. The procedures to deal with such incidents are thoroughly outlined.

Key Performance Indicators (KPIs) must be published on the Open Banking portal, which will be fully open to the public, and a monthly report sent to the CBN. These metrics will include times for validation, network processing, logging API calls, the total number of API calls and the percentage success and approval of messages. 

Incidence management is outlined, covering functional, performance and systemic operations. The procedures to deal with such incidents are thoroughly laid out.

Nigerian Data Protection Regulation 2019