CBN's Open Banking Guidelines: Implications for Non-Bank Entities

It is often assumed that the Central Bank of Nigeria’s (the “CBN”) Open Banking Framework and related guidelines ( the “Open Banking Guidelines”) are relevant only to banks and licensed fintech companies. However, a closer reading of the Open Banking Guidelines suggests that its application may be significantly broader, extending to any company that holds or consumes financial data through APIs, regardless of sector.

The Legal Basis for Broad Applicability

First, section 6.1 of the CBN Operational Guidelines for Open Banking (2023) states unambiguously that only entities that are registered on the Open Banking Registry are eligible to participate in the open banking ecosystem, either as API Providers or API Consumers.

Secondly, the Open Banking Guidelines define API Providers and API Consumers based not on sector, but on function, that is, whether an entity holds financial data and exposes it via APIs (i.e., an API Provider), or whether it accesses financial data through APIs (i.e., an API Consumer). We find no provisions that expressly limit or restrict these roles to licensed banks or fintechs. This suggests that any company, regardless of sector, that shares or accesses customer financial data via APIs must register with the Open Banking Registry (the “OBR”) and comply with the Guidelines.

Although the Open Banking Guidelines do not define financial data in specific terms, it appears that  the categories of financial data which may trigger application under the Guidelines are limited to:

(a) Product and service information (PIST)

(b)Market insights (MIT)

(c) Personal information and transaction data (PIFT)

(d) Profiling and scoring data (PAST).

This structure reflects a deliberate move by the CBN towards a truly open banking system, and anticipates participation by non-traditional financial entities such as telecom companies, payment processors, retailers, ride-hailing platforms, payroll providers, insurance firms, and investment platforms.

Regulatory Risk of Non-Compliance

Except the CBN provides some clarification regarding the scope of the Open Banking Regulations, the implications for non-bank and non-fintech entities can be material. We discuss some considerations as follows:

1. Unregistered participation in Open Banking: Companies that exchange financial data through APIs without registering on OBR expose themselves to CBN enforcement, and potentially to liability under Nigeria’s data protection laws for unauthorized data processing.

2. Companies may inadvertently fall within scope: To illustrate this concern, a ride-hailing company that exposes driver earnings data to a lending platform, or an HR tech company offering payroll APIs to salary advance providers, may, subject to clarification from the CBN, be caught within the scope of the Guidelines and may therefore need to comply, even if they do not hold a financial services licence.

3. Liability and reputational exposure: In the event of a data breach or dispute involving shared financial data, a non-registered entity may be viewed as operating unlawfully, thereby limiting its ability to enforce agreements or benefit from legal protections afforded to compliant participants.

Conclusion

It may be prudent for legal and compliance teams within non-bank organizations to conduct a regulatory impact assessment of their API-driven data flows to determine whether financial or transactional data processed falls within the scope of the Open Banking Guidelines.

Balogun Harold's insights are shared for general informational purposes only and do not constitute legal advice. For tailored guidance, please contact our Technology Lawyers at bhlegalsupport@balogunharold.com