The rapid growth of finance and technology (fintech) companies in the last decade has been driven by consumers' needs for faster and more convenient financial services. These needs continue to evolve over time, and traditional financial institutions struggle to keep up. Open banking offers financial institutions that hold customer information (“Providers”) the opportunity to share such information with other financial institutions (“Consumers”), keeping the latter aware of those needs and enabling them to offer optimal services.
In our previous article, we highlighted the provisions of the recent Central Bank of Nigeria (CBN) Regulatory Framework for Open Banking in Nigeria (“Framework”). In today's article, we consider specifically the implications of data sharing under the Framework in light of the Nigeria Data Protection Regulation 2019 (NDPR).
The NDPR was issued by the National Information Technology Development Agency (NITDA) in 2019 to regulate the collection, processing and storage of personal data. Personal data is information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier. It includes a name, address, a photo, an email address, bank details, medical information, IP address, IMEI number, IMSI number, SIM, and others.
Because the harm an individual may suffer from a breach of certain personal data can be greater, data such as ethnic and racial information, religious beliefs, and biometric and health information are categorised as sensitive data. These data must, therefore, be subject to a higher level of protection. Although the NDPR does not classify financial data as sensitive data, financial institutions have access to a number of sensitive data items, such as ethnicity and biometrics.
Applicable Personal Data
Under the Framework, four types of data qualify for the open exchange of data. These are Product Information and Service Touchpoints (PIST), Market Insight Transactions (MIT), Personal Information and Financial Transaction (PIFT), and Profile, Analytics and Scoring Transaction (PAST). Only PIFT and PAST, however, involve the sharing of customers' personal data amongst participants.
PIFT deals with the sharing of the information a customer provides during the Know Your Customer (KYC) process and information on the customer's transactions, such as account balance, payments, loans and recurring transactions. PAST involves the sharing of information on the customer that analyses, scores and gives an opinion on the customer's behaviour (profiling).
Safeguards of the Framework
The Framework stipulates a number of security standards and protocols with respect to sharing of personal information over the Application Programming Interface (API) as it relates to authentication, authorisation, encryption, and secure hosting of data. The Framework also provides for a risk management system for each participant to, among others, track the risk of data sharing with other participants, comply with data privacy laws such as the NDPR, and report such associated risks to the CBN.
Irrespective of the data protection requirements under the Framework, the Framework specifically requires participants to comply with all extant laws on data privacy, such as the NDPR and the NDPR Implementation Framework. Under the NDPR, before a customer's personal data can be used for a purpose different from that for which it was initially given, the data controller (in this case, the financial institution) is required to inform the customer of:
- the purpose for which the data was originally collected;
- if there is any connection between the original purpose and the proposed purpose;
- the possible impact of the new processing on the data subject; and
- the existence of security safeguards to protect the data.
The Framework further requires participants to list the specific rights which customers may grant to the participants and obtain the consent of the customer for each right separately.
Providers are also expected to ensure that customers revalidate their consent annually, or after 180 days in cases where the services of the Provider have not been used.
While the Framework seeks to support innovation in the Nigerian financial sector, participants in the open exchange of data are expected to reassess their data privacy practices to ensure they meet the compliance requirements of both the NDPR and the Framework.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.