Open Banking in Nigeria

Central Bank of Nigeria • Nigeria

The Central Bank of Nigeria (CBN) issued operational guidelines as part of its framework to encourage data sharing throughout the financial system.

Cost: Free

Topic: Open Banking

Approach: Hybrid, Market Driven, Regulated

General Info

Owner

Central Bank of Nigeria

Region

Nigeria

Scope

Banking

Open Banking

  • Account information
  • Payment initiation (transactions)

Principles

Upon verification, an encrypted token shall be generated to represent the rights granted to the API Consumer (AC) by the customer. This token must be validated by the API Provider (AP) for each API call that accesses a customer’s information or performs transactions on their account. Consent management consists of a Consent Stage followed by an Authentication Stage.

APIs are categorised into direct debit, bill payments, virtual accounts, and card creation.

Technical Details

Data Format

ISO 20022 | JSON | REST

Approach

Regulated

Access

API Providers are required to maintain:

  • A Configuration Management (CM) policy approved by an Executive-level or Board-level IT Steering Committee, or an equivalent governance body.
  • Automated CM processes.
  • A log of all changes within the CM system, audited quarterly, or more frequently, as defined in the approved CM policy.
  • A configuration database with the following structure:
      • Logical listing of system types.
      • Definition of configuration items for each system type.
      • Physical listing of systems and specifications for each configuration item per system type.
      • A diagramming tool that reads the inventory to visualize the system architecture, showing connections and dependencies.
  • A diagnostic assessment tool to evaluate the functional status of configuration items and identify potential points of failure within the system.

Mandated Premium

Mandated

Key Features

The CBN’s approach defines a comprehensive set of Open Banking standards, covering direct debits, transactions, payments, virtual accounts, and card creation.

The consent management process specifies a system that is explicit, fully informs customers about the data being accessed, is time-bound, allows opting out, and is easy to understand.

The framework emphasizes accessibility for all stakeholders, interoperability across technologies, platforms, and organizations, robustness, modularity, a seamless user experience, and the protection of data privacy and secure data exchanges.

The CBN will maintain an Open Banking Registry (OBR) to ensure regulatory oversight and transparency and to monitor participants.

Additionally, a service level agreement between API providers and consumers is required.

Security Model

Throttling/Rate Limiting | Message Signing & Encryption | Token Format and Expiry: JWT | METHOD Access and Control | Global Runtime Policies

  • Authentication:
    OAuth 2.0, OpenID Connect, FAPI, Security Assertion Markup Language (SAML) 2.0
  • Authorisation:
    OAuth 2.0, ISO 10181-3 – Access Control Framework, FAPI
  • Encryption:
    Transport Layer Security (TLS) v 1.2, RSA Public/Private Key, AES, Secure File Transfer Protocol (SFTP)
  • Data Integrity:
    JSON Web Token (JWT), WS-Security, Keyed Hash Message Authentication Code (HMAC)
  • Secure Hosting:
    ISO 27001, ISO 22301, PCI DSS

Consent

Consent must be explicit, with conditions that are clear and easy to understand. All consent is time-limited and includes the option to opt out explicitly.

The consent management process is organized into the following stages:

  1. Consent Stage – where explicit, time-bound consent is granted.
  2. Authentication Stage
  3. Authorisation Stage – where the timestamp and scope of consent permissions are recorded.

Developer Resources

Open Banking Nigeria, the non-profit organization promoting Open Banking in the country and representing one of the committees that drafted the guidelines, has launched a developer site based on its own specifications.

Compliance & Governance

History

In February 2021, the CBN introduced its Open Banking framework, detailing the sharing of data across the banking and payments ecosystem.

The framework covers a wide range of services, including payments and remittances, collection and disbursement services, deposit-taking, credit, personal finance advisory and management, treasury management, credit ratings/scoring, mortgages, and leasing/hire purchase.

Nigeria became the first African country to implement Open Banking. Building on the 2021 framework, the CBN issued Operational Guidelines in March 2023, which establish clear rules for customer consent, licensed third-party providers, centralized registries, and API standards.

Compliance

Incident management is defined, addressing functional, performance, and systemic operations, with detailed procedures for handling such incidents.

All affected banks must be capable of sharing customer-authorized financial data through standardized APIs.

Deposit Money Banks (DMBs) in Nigeria are required to adhere to the Central Bank of Nigeria’s (CBN) Open Banking standards, as set out in the Regulatory Framework for Open Banking Nigeria (2021) and the Operational Guidelines for Open Banking (March 2023).

Governance

A Data Governance policy must be approved by the AC’s Board Committee or, at a minimum, by the Executive Management Committee. The policy should outline the approach to data collection, analysis, and sharing, as well as the intended impact of the data-driven services on customers and society.

Participants are required to follow the dispute resolution procedures specified under “Liability Management, Customer Complaint and Redress Management” in the Customer Experience Standards (Appendix IV) and comply with the CBN Consumer Protection Framework.
