With Nigeria’s fintech boom fueled by an open banking system, the Central Bank of Nigeria (CBN) has released the long-awaited draft regulation governing open banking procedures. And at its core is the need to protect customer data with a robust set of requirements.

The rules govern how organizations that handle customer banking information will protect their systems and share information in secure application program interfaces. They will also seek to standardize policies for all open banking participants and will come at a time when the country is experiencing a fintech and banking boom that has attracted international funding in the startup space.

According to the Africa Funding Startup 2021 report, Nigerian fintech has generated more than half of the US$4.6 billion in total African startup funding, fueling the growing need for complementary financial products and facilitating greater data sharing between banking and payment systems that open banking provides.

For Emmanuel Morki, Chief Information Technology Officer of Access Bank Ghana, open banking is the future and businesses should seize this opportunity.

“Traditional banking is disappearing,” he says. “Open banking is the only way to set up systems like agencies, mobile banking and use dollars.”

He notes that fintech has been at the forefront of open banking in the region and believes it will spread across the continent. But wherever there’s money, there’s uncertainty, and the free exchange of application programming interfaces (APIs) between banking platforms opens up opportunities and risks. Unsecured systems and API channels can be a place of vulnerability.

Storage of customer data

“One of my biggest headaches as an IT director is that no one is completely secure,” Morka said, adding that open banking must ensure that customer data and assets are not compromised, so all endpoints in his organization must be strengthened. Operational guidelines for open banking in Nigeria, published by the CBN, emphasizes that the security of customer data is critical to the security of the open banking model. The preliminary draft will guide industry discussions before final guidelines are adopted by the end of the year.

According to Morka, the key to data protection is to expose usable data. This means that CIOs must limit access to data to what is requested and can be used.

“I see open banking as transferring some data through a secure, standardized channel to third parties for consumer banking,” he said. “I am the bridge between business and technology.”

He also says that not only core banking products need protection, but also CRM tools and other software that centers on customer data.

The framework provided by the CBN also provides for continuous monitoring of third-party API user systems in the open banking system. Nigerian fintech startup TeamApt has helped more than 300,000 businesses use its digital banking platform and is based on open banking.

The company views legislation such as the Nigerian Data Protection Regulation (NDPR) as a major concern for companies that handle personal data.

“Due to the sheer volume of personal information in the hands of criminals, this data can be used to steal bank accounts, lower credit scores and steal identity on a large scale,” said Tosin Eniyolarunda, Founder and CEO of TeamApt.

Organizations such as banks also suffer from having to use resources to recover stolen data, losing customer trust in the process, he said.

“These rules ensure that customers have some control over how their data is collected, processed and shared,” he says.

The Central Bank Regulation has also taken into account the NDPR’s requirements for how financial institutions manage customer data, with the regulations outlining that consent is required for the use of customer data in open banking for the use of financial products and services.

Six steps to building a secure open data platform

IT professionals can take several steps to ensure that customer data complies with privacy laws and that security is in place across all systems to protect these data points from being leaked.

1. Technology leaders must ensure that their systems and processes comply with privacy laws and the final guidelines to be issued by the CBN. “It is important that executive teams work closely with lawyers who have the necessary data expertise to advise on the requirements and implications of current regulations and guidelines such as those issued by the CBN on open banking,” says Eniyolarunda.

2. Morka suggests using only customer information that is relevant to the transaction – what he calls “fit for purpose” data. Not all data points need to be exposed during transactions. CIOs must determine what type of data may be sufficient for secure transactions.

3. Eniolorunda encourages the use of technology in Know Your Customer (KYC) processes. Morka also says that the use of artificial intelligence (AI) should be implemented to ease the KYC process for financial institutions by making it accurate and efficient.

4. According to Morka, there is a need to constantly evaluate the banking systems and APIs used in transactions. On the supply chain side, Eniyolarunda adds that companies should ensure that the third-party vendors they use have the highest security standards possible, and those vendors’ security programs should be regularly reviewed and audited.

5. Customer education is key. Morka agrees that some technologies, such as smartphones and Internet access, have not reached most rural areas in African countries. This hinders the proper use of banking technology and slows its adoption. For those who have mastered digital banking, constant training is required on how to keep their accounts secure.

6. Collaboration between stakeholders will make the banking ecosystem strong and guide its growth. The CBN, through its Open Banking Guidelines, is committed to ensuring that its oversight provides greater collaboration to create the best digital banking products for customers.