Introduction

In a landmark move for Nigeria’s digital financial landscape, the Central Bank of Nigeria (CBN) announced on April 29, 2025, that it will officially launch the open banking system in August 2025.¹ This positions Nigeria as the first African country to adopt this transformative financial framework.

The launch answers the long-standing demand from stakeholders in Nigeria’s financial ecosystem for more transparent and interoperable banking practices. This development is not entirely unexpected, as the CBN has been laying the groundwork since 2021, beginning with a circular outlining the regulatory framework for open banking, followed by the release of operational guidelines in 2023. These efforts aim to align Nigeria’s financial system with global standards and best practices.

Until now, customer financial data has remained siloed within individual banks, each using proprietary and customized APIs that limit interoperability and data sharing. Open Banking seeks to change this by introducing standardized Application Programming Interfaces (APIs) that, with customer consent, enable secure and seamless data access for licensed third-party financial service provider. This secure data-sharing model fosters innovation, healthy competition, and financial inclusion across the financial ecosystem.

As Nigeria joins global pioneers like United Kingdom, Austrailia, India, and Brazil² in embracing Open Banking, key stakeholders including banks, fintechs and consumers must recognize the significance of this shift and prepare for the operational transformation it entails. For instance, Brazil’s Open Finance initiative has enabled faster credit approvals and broader financial access to unbanked populations, while in the UK, challenger banks like Monzo and Revolut have emerged due to access to open APIs. These examples show the transformative potential of Open Banking when properly implemented.

What is Open Banking?

Open Banking also known as “open bank data”³ is a financial system that enables the secure sharing of a customer’s financial information between banks, and licensed third-party service providers through standardized APIs, with a customer explicit consent. At its core, Open Banking is designed to empower the customer. It shifts control of financial data from banks to consumers, enabling consumers to decide how, when and with whom their data is shared. In essence, open banking places the customer at the center of the financial ecosystem, allowing them to grant access to licensed third-parties such as fintech companies, payment platforms and other financial service providers for the delivery of more personalized and innovative financial products and services.

Nigeria is a leading African tech hub with rapidly growing fintech ecosystem and a youthful, digital savvy population, but collaboration between traditional banks and fintechs has been historically slow and quite fragmented. With open banking there will be seamless interoperability between banks, fintechs and other licensed third-party providers via secure APIs.  This will make it easier to form a strategic partnership, launch new products and scale digital financial services more efficiently, leading to a dynamic financial ecosystem.

Highlights of the CBN’s Open Banking Framework and Guidelines

The CBN pursuant to its role in deepening the financial system and promoting the financial stability, through its Payments System Management Department issued the Regulatory Framework for Open Banking in Nigeria (“Framework”) and the accompanying Operational Guidelines (“Guidelines”). Both the Framework⁴ and Guidelines⁵ were issued to formally establish the principles and rules governing the interoperability of customer-permissioned financial data sharing between banks and licensed third-party service providers.  The overarching goal is to foster innovation by enabling the development of customer-centric products and services and deepen financial inclusion. Below are the key highlights:

1. Scope: The framework applies specifically to banking and related financial services, including but not limited to payment and remittance services, collection and disbursement services, deposit-taking, credit, personal finance advisory and management, treasury management, credit ratings/scoring, mortgage, leasing/hire purchase.⁶ The CBN also reserves the rights to expand the scope from time to time to include allied financial services as necessary.

2. Participants: In recognition that open banking extends beyond traditional banks, the Guidelines define an eligible participant as any organization that holds customer data and is capable of exchanging such data with other entities for the purpose of delivering innovative financial services within Nigeria.⁷ This in essence means that a wide range of entities as captured in the aforementioned scope, are eligible to participate in the Open Banking ecosystem.

Participants are categorised based on their roles or services in the open banking ecosystem.  Eligible participants include: API Provider (AP), API Consumer, and Consumer.⁸API Provider refers to a participant that makes data or services available via API to another participant.⁹ It defines the data and services accessible through the APIs. An API Provider include licensed financial institution, fintechs, and non-bank entity like Fast-Moving Consumer Goods (FMCG) company, or Payroll Service Bureau with access to financial data. An API Consumer is a participant that uses API released by the API Providers to access data or Services.¹⁰ It integrate the API provided by API Provider into their platform to build or enhance services for added functionality. An API Consumer can be a licensed financial institution/service provider, an FMCG or other retailers, Payroll Service Bureau etc. Consumer refers to the individual or business that owns the financial data whose consent is required before any data can be shared or accessed.  

It is however important to note that a single entity may act as both API Provider and API Consumer in certain circumstances to enhance its own service offerings or operational capabilities. For example, a commercial bank, as API Provider offers APIs that expose customer account balances, transactions, and KYC data (with consent) to licensed fintechs, while also consuming APIs from other providers such as a credit bureau or payroll processing company to verify customer information before approving a loan. Similarly, a fintech company may operate in the both capacities depending on its business model. This dual role reflects the flexible and interconnected nature of open banking ecosystem.  

Categories of Data

While the Open Banking Framework and its accompanying guidelines promote secure, consent-driven data sharing, not all customer data or services are eligible for exchange via APIs. To manage this, the framework classifies data into four distinct categories based on their associated risk levels:

1. Product Information and Service Touchpoints (PIST) – This includes publicly available data such as ATM/POS/agent locations, digital channel addresses (e.g., websites and apps), institution identifiers, service codes, fees, charges, rates, and tenors¹¹. These are considered low-risk.¹²

2. Market Insight Transactions (MIT) – Comprising aggregated, non-personalized transaction data not linked to individual customers¹³, this category is deemed moderate-risk.¹⁴

3. Personal Information and Financial Transactions (PIFT) – This includes customer-specific data such as KYC details, transaction history, bill payments, and loan information¹⁵. It is classified as high-risk¹⁶.

4. Profile, Analytics, and Scoring Transactions (PAST) – This category involves derived or analytical data such as credit scores and internal ratings¹⁷ and is considered high and sensitive risk¹⁸.

Access to these data categories is determined by a participant’s licensing status, risk management maturity, and regulatory compliance. The framework aligns data access with a tiered risk model: Tier 0 – Low risk; Tier 1 – Moderate risk; Tier 2 – High risk; Tier 3; High and sensitive risk¹⁹

Only participants that meet the stringent licensing, risk management, and regulatory requirements of Tier 2 and Tier 3 are permitted to access and process sensitive personal data (PIFT and PAST). Such access must also be backed by explicit customer consent. Entities without the appropriate licensing or risk maturity such as non-regulated entities or Tier 0 participants are strictly prohibited from accessing or processing high-risk data.

Open Banking Registry

The Guidelines mandate the CBN to establish and maintain an Open Banking Registry (OBR)²⁰, referred to as “the Registry” which serve as the cornerstone of operational governance within the Nigeria’s open banking framework. The Registry function as a centralized repository of APIs across the ecosystem and is empowered to provide regulatory oversight function on participants, enhance transparency and ensure that only registered institutions participate in the open banking ecosystem.  

Beyond its oversight and transparency roles, the Registry enforces structured participation through a risk-based onboarding process. To be onboarded into OBR, an organisation must first be categorized into the appropriate tier (0-3) and must meet both technical and non-technical requirements.²¹  Technical assessment includes evaluation of API security, data encryption standard, and infrastructure capabilities. Non-technical requirements, involve holding a valid CBN licence (for higher tiers), passing Know your Partner (KYP) checks, and submitting formal risk assessment reports signed by their Chief Risk Officer. Only entities that meet the defined criteria for their assigned tier are onboarded into the Registry.

IMPLICATIONS FOR KEY STAKEHOLDERS

Banks

In Nigeria’s evolving financial ecosystem, the Open Banking regulatory framework, marks a fundamental shift in the role of banks from gatekeepers or custodians of customer data to facilitators of secure data sharing. Under this model, banks are now required to share customer-permissioned financial data with authorized third parties via standardized APIs in line with the CBN Guidelines.  

This transformation necessitates a comprehensive overhaul of how banks manage, secure and share customer data. In compliance with the Nigeria Data Protection Act 2023, banks must implement consent management systems. These systems must be capable of obtaining, validating, tracking, and managing customer consent for every API based data exchange.  Consent must be explicit, time-bound, and revocable, and banks must ensure that only services covered by customer’s consent are delivered, avoiding over-collection or over-sharing of personal data.

Open banking is only as strong as the bank sharing the data. As an API Provider, banks must invest significantly in data encryption, access control, and audit mechanisms to safeguard sensitive customer data. In doing this, Banks are required to comply with the CBN’s API standards and conduct regular risk assessment of connected third party partners (Know Your partner (KYP)²². Additionally, banks must establish internal controls, incident response protocols, data breach policies and consumer support system tailored to API-related services.

Participating in the Open Banking Registry (OBR) is mandatory. Banks must register maintain accurate and up-to-date information, monitor API usage and report performance metrics to the Registry.²³ This ensures transparency, accountability, and alignment with the broader goals of financial innovation and consumer protection.

Financial Technology Companies (Fintech)

While the Open Banking system is designed to benefit all participants in the financial ecosystem, it is particularly transformative for fintech companies. As outlined in CBN’s Framework and Guidelines, the core objectives of Open banking are to enable customer-centric products, broaden the range of financial products and services, enhance competition and deepen financial inclusion.  For fintechs, Open Banking reduces historical entry barrier by providing regulated access to financial data that was previously siloed within traditional institutions.  This access empowers fintechs to build innovative solutions such as budgeting tools, saving platforms, and personalized financial planning services, leveraging customer-permissioned data obtained through standardized APIs.  

However with these opportunities come heightened responsibilities. Notably as they gain ability to secure access to customer permissioned data which risk are categorized to be high and sensitive to deliver innovative financial solutions, fintechs operating as API Consumers must comply with strict regulatory, data protection and risk management obligations. In line with the Nigeria Data Protection Act, 2023, fintechs must obtain explicit, time-bound, and revocable²⁴ consent from customers before accessing their data. Customers’ data must only be used for the purpose for which consent was granted and the relevant entity must provide a mechanism for customers to withdraw consent and request data deletion.

To participate in the Open banking ecosystem, fintechs are further required to meet technical standards for API integration, obtain appropriate tier- based licensing or approvals, and implement robust cybersecurity controls. The strength of Open Banking in Nigeria depends not only on the robustness of banks but also on the compliance, accountability, and operational resilience of fintechs. Fintech must demonstrate a commitment to building trust through secure and ethical data practices.

To ensure legal clarity, accountability and risk management, entering into formal agreement is part of the KYP obligations fintechs must fulfil. Fintechs operating as API consumers are mandated to enter into Service Legal Agreement (SLA’s) and Data Access Agreement²⁵ with API Provider (such as Banks) before accessing customer data or initiating services via APIs. This agreement stands as the foundational relationship between API Provider and API Consumer to ensure smooth operational and interoperability.

Seamless user experience is the necessary for the operation of open banking system. Consequently, fintechs are mandated to maintain a 24 hours/7days a week customer service and compliant resolution desk to address API related issues raised by financial institution or end users.²⁶

It is essential that fintechs not only demonstrate technical compliance but also build long-term trust through responsible data stewardship and transparent practices.

Consumer

At the heart of Nigeria’s Open Banking framework, is the consumer, whose consent is the foundation for sharing financial data with third-party providers via APIs. The rights and interest of consumer are highly protected under the Nigeria Data Protection Regulation, Nigeria Data Protection Act, 2023 and the Guidelines and Framework.  

API Providers are required to obtain the explicit, informed, and voluntary consent of a consumer before sharing their data with third parties. This consent must be free from fraud, undue influence or coercion²⁷. Similarly, API Consumers are obligated to use the data strictly for the purpose for which the consumer granted permission.  

The Framework further mandates that the consent of the customer must be re-validated annually where the consumer has not used the service of the third-party provider for which the consent was obtained, in 180 consecutive days.²⁸ Before consent is obtained, consumers must be clearly informed of the specific right they are granting to each participant, the implication of granting those rights, and must be allowed to consent separately to each right. As such, consumers are encouraged to carefully review and understand the terms and conditions of service, the purpose and scope of the data being shared, the duration of the consent, the risks and implications of data sharing, the credibility of the data recipient, their rights and control over their data, and the confidentiality, legal and regulatory protections in place. As the ultimate beneficiaries, consumers should take advantage of Open Banking to access better financial services while being vigilant about their rights and data privacy.

Conclusion

There is no doubt that while Open Banking introduces increased competition for banks, it also unlocks significant opportunities for strategic partnership, co-innovation, and the development of innovative product. As Nigeria’s financial industry transition into this new era, all participants, banks, fintechs and other stakeholders must commit to full compliance with the applicable laws, regulations and the CBN’s Open Banking Guidelines.  

Early movers who invest in robust API architecture, consent systems, and cybersecurity controls will not only ensure successful onboarding but also gain a competitive edge in Nigeria’s future digital economy. With collaboration, compliance, and consumer trust, Open Banking has the potential to reshape Nigeria’s financial landscape for the better.  

Reference

[1] Muktar Oladunmade “Nigeria’s open naming to launch in August after four-year wait” Techcabal  https://techcabal.com/2025/04/29/cbn-launches-open-banking/

[2] HPS Worldwide “Open banking and Open Finance: Global Update 2024” https://www.hps-worldwide.com/blog/open-banking-and-open-finance-global-update-2024

[3] Investopedia “Open Banking: Definition, How it works, and Risks” https://www.investopedia.com/terms/o/open-banking.asp

[4] PSM/DIR/PUB/CIR/02/001 “ISSUANCEOF REGULATORY FRAMEWORK FOR OPEN BANKING IN NIGERIA” February 17, 2021.(hereinafter referred to as Framework).

[5] PSM/DIR/PUB/CIR/001/043“ISSUANCE OF THE OPERATIONAL GUIDELINES FOR OPEN BANKING IN NIGERIA” March 7,2023. (hereinafter referred to as Guidelines).

[6] Framework S. 3

[7] Guidelines 4.1

[8] Guidelines 4.1

[9] Guidelines 4.1

[10] Guidelines 4.1

[11] Framework 4.1

[12] Framework 4.2

[13] Framework 4.1.

[14] Framework 4.2

[15] Framework 4.1

[16] Framework 4.2

[17] Framework 4.1

[18] Framework 4.2

[19] Framework 5.1

[20] Guidelines 6.0

[21] Guidelines 6.1

[22] FrameworkS. 7.2.1

[23] Guidelines 8.2.3

[24] Guidelines APPENDIX 1- 3.2

[25] Guidelines 7.2.2, 8.1.2

[26] Guidelines 7.2.3

[27] Framework S. 10.0

[28] Framework S. 10.0;Guidelines 11.11

‍