Five Data Protection Issues in CBN’s Regulatory Framework for Open Banking
By: Chukwuyere Ebere Izuogu
On 17 February 2021, the Central Bank of Nigeria (CBN) issued the Regulatory Framework for Open Banking in Nigeria (the Open Banking Framework). One of the objectives of the Open Banking Framework is to promote competition in banking and other financial services and to enhance access to financial services. Under the Open Banking Framework, participants are to adopt a common application programming interface (API) standard for sharing customer-permissioned data among themselves, in order to build solutions and services that provide efficiency, greater financial transparency and more options for account holders, and to enhance access to financial services in Nigeria. The Open Banking Framework applies to banking and other types of financial services, and to such other services as the CBN may determine.
In this article, I identify and discuss five key data protection compliance issues in the operational implementation of the Open Banking Framework.
Personal data and data processing in the Open Banking Framework
The Nigerian Data Protection Regulations 2019 (NDPR), issued by the National Information Technology Development Agency (NITDA), is the primary regulatory framework for data protection in Nigeria. The NDPR sets out the rules governing the processing of personal data and defines personal data as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly…”. A person is identified or identifiable when he or she can be distinguished or differentiated from another person.
Under the Open Banking Framework, the categories of data that may be exchanged through the API are:
- Product Information and Service Touchpoints (PIST): information on products provided by participants to their customers and the access points available to customers, e.g. ATM/POS/agent locations, channel (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc.;
- Market Insight Transactions (MIT): statistical data aggregated on the basis of products, services, segments, etc.;
- Personal Information and Financial Transaction (PIFT): data at the individual customer level, either general information on the customer (e.g. KYC data, total number or types of accounts held, etc.) or data on the customer’s transactions (e.g. balances, bill payments, loans, repayments, recurring transactions on the customer’s accounts, etc.); and
- Profile, Analytics and Scoring Transaction (PAST): information on a customer which analyses, scores or gives an opinion on that customer, e.g. credit score, income ratings.
Because PIFT and PAST can identify a particular customer, they constitute personal data within the meaning of the NDPR. The Open Banking Framework assigns a risk rating of “high” to PIFT and “high & sensitive” to PAST, and only Tier 1, Tier 2 and Tier 3 participants (collectively referred to here as participants) are authorised to access PIFT and PAST through the API. For the purpose of this article, I refer to PIFT and PAST collectively as personal data.
Data protection compliance issues
- Lawfulness of processing personal data
Section 2.2 of the NDPR provides five legal grounds for processing personal data, including consent; unless at least one of them applies, the processing operation is unlawful. The Open Banking Framework, on the other hand, requires that the customer’s consent shall be the only legal basis for accessing and using his or her personal data. The implication is that participants may rely on NDPR grounds other than consent only for processing that is done in a manner not prescribed by, and/or for purposes unconnected with, the Open Banking Framework; any access to or use of personal data under the Open Banking Framework itself must rest on consent.
The Open Banking Framework also lays down its own rules on consent:
- consent shall be obtained in the same form in which the agreement was presented, and a copy of the customer’s consent shall be made available to the customer and preserved by the participant;
- the specific rights the customer will be granting to the participant, and the implication of granting each of those rights, shall be listed so that the customer consents separately to each right; and
- the customer’s consent shall be revalidated annually, and where the customer has not used the partner’s service for one hundred and eighty days.
These rules reinforce the consent requirements under the NDPR: a consent that is not specific to each right, not recorded in a preserved copy, or not refreshed when stale will not satisfy the Open Banking Framework even if it would pass as consent under the NDPR alone.
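An API gateway that exposes PIFT or PAST data has to enforce these consent rules on every request, not just collect consent once. The following is an added example, not code from the article or from the CBN’s framework, of how a participant might model a per-right consent record and check it before releasing data. The right names (`read_balances`, `initiate_payments`), the 365-day revalidation window and the rule that the 180-day inactivity clock runs from the later of the grant date and the last use are all assumptions made for illustration; the Framework states the periods but not how a participant must count them.

```python
"""Consent-record model for open banking API access (illustrative, not the CBN's code).

Encodes three rules from the Open Banking Framework:
  1. consent is granted separately for each right, with its implication recorded;
  2. a copy of the consent (a receipt) is made available to the customer and preserved;
  3. consent must be revalidated annually, and whenever the customer has not used
     the partner's service for 180 days.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

REVALIDATION_PERIOD = timedelta(days=365)  # "annually" (assumed: 365 days)
INACTIVITY_LIMIT = timedelta(days=180)     # "not used the service for 180 days"


@dataclass
class ConsentGrant:
    right: str             # e.g. "read_balances" (assumed right name)
    implication: str       # plain-language implication shown to the customer
    granted_on: date       # date of grant or of the latest revalidation
    last_used: Optional[date] = None
    revoked: bool = False


@dataclass
class ConsentRecord:
    customer_id: str
    participant_id: str
    presented_as: str      # the form in which the agreement was presented, e.g. "in-app screen"
    grants: Dict[str, ConsentGrant] = field(default_factory=dict)


def grant_right(rec: ConsentRecord, right: str, implication: str, today: date) -> None:
    """Record consent for ONE right; rights are never granted as a bundle."""
    rec.grants[right] = ConsentGrant(right=right, implication=implication, granted_on=today)


def revoke_right(rec: ConsentRecord, right: str) -> None:
    if right in rec.grants:
        rec.grants[right].revoked = True


def revalidate(rec: ConsentRecord, right: str, today: date) -> None:
    """Customer re-confirms an existing right; restarts both clocks."""
    g = rec.grants[right]
    g.granted_on = today
    g.last_used = today
    g.revoked = False


def record_use(rec: ConsentRecord, right: str, today: date) -> None:
    rec.grants[right].last_used = today


def check_access(rec: ConsentRecord, right: str, today: date) -> Tuple[bool, str]:
    """Decide whether a request exercising `right` may be served today."""
    g = rec.grants.get(right)
    if g is None:
        return False, "no consent recorded for this right"
    if g.revoked:
        return False, "consent revoked by customer"
    if today - g.granted_on > REVALIDATION_PERIOD:
        return False, "consent older than one year; annual revalidation required"
    # Assumption: inactivity is measured from the later of the grant and the last use.
    last_activity = max(g.granted_on, g.last_used or g.granted_on)
    if today - last_activity > INACTIVITY_LIMIT:
        return False, "service unused for more than 180 days; revalidation required"
    return True, "ok"


def consent_receipt(rec: ConsentRecord) -> dict:
    """The copy handed to the customer and preserved by the participant.

    A SHA-256 digest of the canonical JSON lets both sides later confirm that the
    preserved copy and the customer's copy are the same document.
    """
    body = {
        "customer_id": rec.customer_id,
        "participant_id": rec.participant_id,
        "presented_as": rec.presented_as,
        "rights": [
            {"right": g.right, "implication": g.implication,
             "granted_on": g.granted_on.isoformat(), "revoked": g.revoked}
            for g in rec.grants.values()
        ],
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"consent": body, "sha256": hashlib.sha256(canonical.encode()).hexdigest()}
```

In the gateway, `check_access` runs before any PIFT or PAST field is read, and a denial with the "revalidation required" reason should trigger a fresh consent prompt in the same form as the original agreement rather than a silent retry. Note that granting `read_balances` says nothing about `initiate_payments`; each right is its own grant with its own clocks.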
Section 2.1(1) of the NDPR requires that personal data be collected and processed in accordance with, inter alia, a lawful purpose consented to by the data subject. In open banking terms, this means that participants must process personal data only to accomplish the purposes of the Open Banking Framework.
Processing in connection with the Open Banking Framework is therefore the limit placed on a participant’s data processing operations. Going beyond it would violate the Open Banking Framework unless the different purpose can be justified under the NDPR or another law, for instance where the processing is done for law enforcement, or for archiving, scientific research, historical research or statistical purposes.
- Security of Processing
Section 2.1(d) of the NDPR requires that personal data be secured against all foreseeable hazards and breaches. Under this provision, participants are obliged to implement information security measures that protect the confidentiality, integrity and availability of the personal data they process; for an open banking participant that includes, at a minimum, the API endpoints through which PIFT and PAST are exchanged and the consent records that authorise each exchange.
A data breach resulting from a failure to adopt appropriate information security measures may expose an organisation to a fine imposed by NITDA, as recently happened when a fintech company was fined N5,000,000.00 (Five Million Naira) for a data breach. In the event of a data breach, an organisation is required to notify NITDA within seventy-two hours of becoming aware of it.
- Data Protection Impact Assessment
A data protection impact assessment (DPIA) is the process of identifying, evaluating and minimising the data protection risks of a proposed operation involving the intensive use of personal data. According to NITDA, a DPIA is recommended for any data processing operation involving evaluation or scoring. As stated above, PAST is information used in connection with, and/or derived from, scoring, profiling or evaluating aspects of a customer, for instance his or her creditworthiness. One of the risks inherent in processing PAST or similar data is that it can produce a legal effect on, or otherwise significantly affect, the customer; it therefore seems appropriate that the CBN assigned PAST a risk rating of “high & sensitive” in the Open Banking Framework.
To mitigate such high risk, a DPIA should be conducted which, as a minimum, addresses the following:
- a description of the envisaged processing operations;
- the purposes of the processing;
- the legitimate interest pursued by the controller;
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- an assessment of the risks to the rights and freedoms of data subjects; and
- the risk mitigation measures proposed to address those risks.
- Cross-border transfer of personal data
Participants may decide to transfer personal data to a foreign country or international organisation for processing, for example for storage or for use in the cross-border provision of financial services. Such a transfer is lawful, and thus not prohibited, if:
- the foreign country or international organisation has been determined by NITDA to have an adequate level of protection or an adequate data protection law;
- the data subject has explicitly consented to the proposed transfer;
- the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary to protect the vital interests of the data subject or of other persons; or
- the transfer is made under binding corporate rules, where an organisation transfers personal data to another entity within its group of companies or to an affiliate.
Historically, the CBN has put consumers at the heart of several of its rulemaking processes, so the attention given to data privacy, and to consent in particular, in the Open Banking Framework is encouraging. A consumer’s ability to exercise a real choice when granting consent is the fundamental basis of consumer protection and, from a data protection perspective, puts the data subject in control of how his or her personal data is used. This importance is reflected in all data protection frameworks, including the NDPR, which treats consent as the most preferred ground for legitimising the processing of personal data.
While the NDPR applies to all data processing operations in Nigeria, including those in banking and financial services, the Open Banking Framework makes rules specifically for open banking, including rules on how certain customer personal data may be used. In fact, the Open Banking Framework obliges participants to collaborate to ensure compliance with data privacy laws and regulations. The overlap between the NDPR and the Open Banking Framework should therefore not be read as a conflict but as complementary in so far as it relates to data processing or data privacy. Thus, whenever personal data is processed in accordance with the Open Banking Framework, both the CBN and NITDA require participants to look to the NDPR for how compliance with existing data protection obligations may be achieved.
Chukwuyere LL.M (Hannover) CIPP/E, is Senior Research Fellow at the African Academy Network on Internet Policy and Solicitor at Streamsowers & Köhn