With Nigeria’s fintech boom born out of its open banking framework, the Central Bank of Nigeria (CBN) has published a much-awaited draft regulation to govern open banking procedures. At its core is the need to secure customer data through a robust set of requirements.
The regulations streamline how entities that handle customer banking information will secure their systems and share details within protected application programming interfaces. They’ll also seek to standardize policies for all open banking participants, and come at a time when the country is enjoying a boom of fintech and banking services that have attracted international funding in the startup space.
According to the Africa Funding Startup 2021 report, Nigerian fintech has brought in more than half of the US$4.6 billion total for African startups, which underpins the growing need for more financial products and facilitates the greater data sharing across banking and payments systems that open banking provides.
For Emmanuel Morka, CIO at Access Bank Ghana, open banking is the future and enterprises should seize on the opportunity.
“Traditional banking is fading away,” he says. “Open banking is the only way you can set systems like agency banking, mobile banking and use dollars.”
He notes that fintech has been at the forefront of the open banking system in the region and believes it will spread across the continent. But wherever there’s money, there’s insecurity, and the free exchange of application programming interfaces (APIs) across banking platforms has opened up risks as well as opportunities. Unsecured systems and API channels can be a point of vulnerability.
Securing customer data
“One of my headaches as a CIO is no one is fully protected,” Morka said, adding that open banking has to ensure that customer data and assets aren’t compromised, so all endpoints in his organization must be fortified. The Operational Guidelines for Open Banking in Nigeria published by the CBN stress that customer data security is critical for the safety of the open banking model. The preliminary draft will guide the industry discussion before the final guidelines are put in place by the end of the year.
The first step in securing data, according to Morka, is to expose only fit-for-purpose data for consumption. This means that CIOs need to limit data accessibility to what is requested and can be used.
“I see open banking as an exposure of some data over a secured standardized channel to third parties for consumer banking,” he said. “I am the bridge between business and technology.”
He also says that it’s not only the core banking products that need protection but also CRM tools and other software that center on customer data.
The framework provided by the CBN also considers constant monitoring of systems of third-party API users in the open banking system. TeamApt, a Nigeria-based fintech startup, has helped over 300,000 businesses use its digital banking platform and is anchored in open banking.
The company sees legislation such as the Nigeria Data Protection Regulation (NDPR) as a big consideration for companies dealing with personal data.
“Due to the sheer size of personally identifiable information being shared, in the hands of bad actors, this data can be used to pilfer bank accounts, erode credit ratings, and conduct identity theft on a large scale,” said Tosin Eniolorunda, founder and CEO of TeamApt.
Organizations like banks also suffer, using resources to recover stolen data and losing customer trust in the process, he said.
“These regulations ensure that customers have some sort of control over how their data is collected, processed and shared,” he says.
The Central Bank’s regulation has also factored in the NDPR requirements in setting out how financial institutions manage customer data, and it outlines that customers’ consent is needed before their data is used in open banking to provide them with financial products and services.
Six steps to achieve a secure open data platform
There are several steps IT experts can take to make sure the handling of customer data is in line with privacy laws, and that security is in place across all systems to shield these data points from leakage.
1. Technology leaders must have their systems and processes adhere to privacy laws and the final guidelines to be published by the CBN. “It’s important that executive teams work closely with lawyers who have the necessary data experience to advise on the requirements and implications of applicable regulations and guidelines like those released by the CBN on open banking,” says Eniolorunda.
2. Morka suggests that only a customer’s information that’s relevant to a transaction should be used—something he calls fit-for-purpose data. Not all data points need to be exposed during transactions. CIOs need to ascertain what type of data can be enough for transactions to securely take place.
3. Eniolorunda encourages the use of technology in know your customer (KYC) processes. Morka also says that artificial intelligence (AI) should be used to make the KYC process easier on financial institutions while making it accurate and efficient.
4. There needs to be constant evaluation of banking systems and APIs used in transactions, according to Morka. In terms of supply chains, Eniolorunda adds that companies must ensure that third-party vendors they use have the highest possible security standards, and the security programs of these vendors must be routinely audited and validated.
5. Customer education is key. Morka agrees that some technologies like smartphones and internet access have not reached most rural regions in African countries. This hinders the appropriate use of banking technology and slows down its adoption. For those who have embraced digital banking, constant education on how to keep their accounts secure is essential.
6. Collaboration between stakeholders will make the banking ecosystem robust and guide its growth. The CBN, through its Open Banking Guidelines, seeks to ensure that its oversight affords more collaboration for superior digital banking products for customers.