Steps CIOs should take to protect customer data in Nigeria’s open banking systems

Due to Nigeria’s fintech boom fueled by its open banking framework, the Central Bank of Nigeria (CBN) has released a much-anticipated draft regulation to govern open banking practices. And at the core is the need to secure customer data through a robust set of requirements.

The regulations streamline how companies that handle customer banking data secure their systems and exchange details within protected application program interfaces. They will also seek to standardize policies for all open banking participants, and come at a time when the country is experiencing a boom in fintech and banking services that have attracted international startup funds.

According to the Africa Funding Startup 2021 report, Nigerian fintech has funded more than half of the $4.6 billion total in African startups, underpinning the growing need for more financial products and enabling greater data sharing between banking and payment systems opening the banking system offers.

For Emmanuel Morka, CIO of Access Bank Ghana, open banking is the future and companies should seize the opportunity.

“Traditional banking is disappearing,” he says. “Open banking is the only way to set up systems like agency banking, mobile banking and use dollars.”

He notes that fintech is at the forefront of the open banking system in the region and believes it will spread across the continent. But where there is money, there is uncertainty, and the free exchange of application programming interfaces (API) across banking platforms has also opened up opportunities and risks. Unsecured systems and API channels can present vulnerabilities.

Back up customer data

“One of my problems as a CIO is that nobody is completely protected,” Morka said, adding that Open Banking needs to ensure that customer data and assets are not compromised, which is why all endpoints in his organization need to be secured. The operational guidelines for Open Banking in Nigeria, published by CBN, emphasize that the security of customer data is critical to the security of the open banking model. The preliminary draft will guide the industry discussion before the final guidelines come into effect by the end of the year.

According to Morka, the most important thing to secure data is to disclose relevant data for consumption. This means CIOs must limit data access to what can be requested and used.

“I see open banking as exposing some data through a secured standardized channel to third parties for consumer banking,” he said. “I am the bridge between business and technology.”

He also says that not only core banking products need to be protected, but also tools for CRM and other software focused on customer data.

The framework provided by the CBN also takes into account the constant monitoring of the systems of third-party API users in the Open Banking system. TeamApt, a Nigeria-based fintech startup, has helped over 300,000 businesses use its digital banking platform and is rooted in open banking.

The Company views laws such as the Nigeria Data Protection Regulation (NDPR) as an important consideration for companies that handle personal data.

“Due to the sheer size of shared personal data in the hands of bad actors, this data can be used to steal bank accounts, undermine credit ratings and conduct large-scale identity theft,” said Tosin Eniolorunda, Founder and CEO of TeamApt.

Organizations like banks also suffer from using resources to recover stolen data, losing customers’ trust in the process in the process, he said.

“These regulations ensure that customers have some kind of control over how their data is collected, processed and shared,” he says.

The central bank’s regulation also incorporated NDPR requirements to specify how financial institutions manage customer data, and the regulations state that consent is required for the use of customer data in open banking to benefit them from financial products and services.

Six steps to a secure open data platform

There are several steps IT pros can take to ensure customer data is compliant with privacy laws and that security is in place in all systems to protect these data points from leakage.

1. Technology leaders must ensure that their systems and processes comply with data protection laws and the final guidelines to be published by the CBN. “It is important that leadership teams work closely with lawyers who have the necessary data expertise to advise on the requirements and implications of applicable regulations and policies such as those published by CBN on open banking,” says Eniolorunda.

2. Morka suggests that only a customer’s information relevant to a transaction should be used – something he calls pertinent data. Not all data points need to be disclosed during transactions. CIOs need to determine what type of data is sufficient for transactions to take place securely.

3. Eniolorunda encourages the use of technology in Know Your Customer (KYC) processes. Morka also says that the use of artificial intelligence (AI) should be implemented to simplify the KYC process for financial institutions while making it accurate and efficient.

4. According to Morka, banking systems and APIs used in transactions must be constantly evaluated. Regarding supply chains, Eniolorunda adds that companies must ensure that the third-party providers they use have the highest possible security standards, and these providers’ security programs must be routinely audited and validated.

5. Customer education is key. Morka agrees that some technologies, such as smartphones and internet access, have not reached most rural areas in African countries. This hinders the appropriate use of banking technology and slows its adoption. For those who have opted for digital banking, constant training on how to protect their accounts is essential.

6. Cooperation between stakeholders will make the banking ecosystem resilient and guide its growth. CBN, through its open banking policies, seeks to ensure its oversight enables more collaboration for superior digital banking products for customers.