IT’S COMING: IN PREPARATION FOR THE ADOPTION OF “OPEN BANKING” IN GHANA

In less than a decade, the global financial sector has witnessed a remarkable transformation accelerated by emerging technological advances, ushering in a new era of financial service offerings than previously offered. The results – new financial innovations and business models – have become existential threats to long-held traditional banking practices.

One such innovation seeking to democratize the practice of banking and redefine interactions between and among customers, 3^rd party service providers, and financial institutions is “open-banking”. Across the world, central banks are beginning to embrace its adoption as an integral part of renewed commercial banking practice in today’s technological era. In Africa, the Central Bank of Nigeria (CBN) has taken the lead in rolling out a regulatory framework for its adoption in Nigeria earlier this year.

While it may be early days, the large-scale adoption of open banking is coming. It will become a dominant component of commercial banking practice across many jurisdictions in less than 5 years and stakeholders must begin to fashion out appropriate adoption strategies to enable seamless integrations into the existing financial services sector. It is in this light that, we aim to provide some considerations stakeholders must ensure have paramount balance in any open-banking framework rollout in Ghana.

THE CONCEPT OF “OPEN-BANKING”

Traditionally, banking services are provided on a restricted basis – data relative to customer information, transaction history, and other financial records are kept and maintained as private and confidential between the customer and the bank within the bank’s closed data infrastructure systems. Ordinarily, such records are not shared with 3^rd parties for any financial service provision – either complimentary or competitive. With “open-banking”, financial service providers will be required to permit open access to customer records hitherto held privately using Application Programming Interfaces (APIs) in what some have termed “open bank data” sharing.

The practice of “open-banking” seeks to promote collaborative and competitive financial service offerings enabling greater customer control over their financial records. By employing secure data-sharing frameworks, customers will be able to authorize third-party providers to access their financial records, thereby unlocking scores of tailored innovative financial services and products. This strategic sharing of data will foster a dynamic and customer-centric financial ecosystem, where personalized and tailored financial offerings can be designed to cater to the needs, preferences, and goals of individual customers. In short, open banking opens the door and helps create varied financial offerings through stakeholder collaboration and shared data-based solutions.

Technically, it permits financial and non-financial institutions such as fintech companies, to access and manage customers’ personal and financial information. This process, however, is not executed without the customer’s consent. Customers are typically expected to grant their consent to financial institutions before such access is granted. This consent could involve interacting with a pop-up message on a digital application and then selecting an option, indicating their understanding of, and agreement to the provided terms and conditions. Subsequently, the APIs of these third-party providers will utilize the shared customer data for specific purposes, including comparing account details and transaction histories with a range of financial services, gathering information from interconnected financial entities and their customers to develop marketing profiles, or initiating new transactions and adjustments to the customer’s account on their behalf.

These possibilities are opposed to how financial institutions currently offer and perform financial services. With open banking, the following outcomes will be enabled:

• Sound Financial Decisions: With access to historical financial data, financial service providers will now be able to accurately predict and offer tailored financial solutions to customers. Moreover, open-banking APIs will streamline the process of switching between services offered by financial institutions, making it more seamless and convenient for customers. This practice which ensures the secure sharing of financial data will foster a trustworthy and collaborative relationship between customers and financial service providers.

• Improved Customer Lending: Through networked accounts, open-banking will operate to offer lenders a clear and comprehensive understanding of a borrower’s financial status, enabling them to assess risks and determine appropriate loan terms. Equally, consumers will be able to leverage open-banking to gain insights into their financial status before making loan applications, thereby affording them the opportunity to make more informed decisions.

• Competition and Cost Efficiency: open-banking is set to drive increased competition between traditional financial institutions with a well-established heritage and smaller, newer financial service providers such as fintech companies. This competitive environment will potentially result in positive outcomes, including reduced service costs, improved technology offerings, and enhanced customer service from the differing service providers.

• Fraud Detection: This lies in open-banking’s functional ability to allow fraud detection tools and financial institutions real-time access to customers’ financial data through secure APIs. This functionality will enable advanced monitoring and analysis of transactional information, leading to timely detection of suspicious activities and enhanced security measures.

• Expedited Fund Transfer Services: Importantly, open-banking will facilitate fund transfer by utilizing APIs to enable direct communication between financial institutions and third-party providers, eliminating the need for manual processing. This streamlined approach potentially will allow for real-time transactions, enabling faster and more efficient fund transfers, both domestically and internationally.

While open banking offers numerous benefits, its implementation may come with some risks – some of which are discussed below:

• Data Privacy and Security: Unlimited access to customers’ financial data will present significant risks to both financial privacy and the security of customers’ financial records, which can result in potential liabilities for financial service providers. The use of APIs may introduce serious security concerns, including the possibility of a malicious third-party app accessing and compromising a customer’s account. Additionally, the interconnected nature of data in open-banking may increase the vulnerability to data breaches, hacking incidents, and insider threats, a trend observed in modern times and expected to persist as data interconnectivity continues to expand.

• Market Concentration: Despite open-banking’s potential to transform the financial sector through the diversified solutions offered to customers, it also raises concerns about market concentration and pricing power, which might offset the advantages it presents. With the observation and occurrence of issues of market consolidation and data misuse in other internet-based services, like online shopping, search engines, and social media, there is a looming fear of similar issues in the implementation of open-banking. Apart from the direct costs of market concentration, there is a significant concern about the potential misuse of customers’ private financial data by the various service providers.

• Fraud: Increased access and financial data sharing could expose vulnerabilities to malicious hackers. Third-party service providers with weak security systems may likely result in hackers breaching their systems resulting in unauthorized access, fraudulent activities, and identity theft. Hence, a robust security system and authentication protocols are crucial for both financial institutions and third-party service providers.

THE STAKEHOLDER CONSIDERATIONS

With a mixed bag of benefits and risks, open-banking’s adoption must be championed on some critical considerations. These considerations we discussed below:

• Regulatory Framework: At present, open-banking is not practiced in Ghana and falls under the unregulated activities of the central bank. However, the central bank has shown commitment to promoting open-banking initiatives as part of its policy initiatives outlined in the National Payment Systems Strategic Plan (2019-2024).

Undoubtedly, the key to the successful adoption of open-banking in Ghana lies in the establishment of a comprehensive regulatory framework. This framework should provide clear guidelines and safeguards to protect consumer data while fostering innovation and competition in the financial sector. It is therefore important for policymakers and regulatory bodies to fully comprehend the existing regulatory landscape and identify areas for improvement to effectively implement open-banking practices.

To ensure a smooth implementation, the regulator must carefully consider the impact of open-banking on competition, innovation, and financial inclusion. Thus, the regulator should strike a balance in creating an accommodating regulatory landscape that encourages new market entrants and prevents monopolistic and anti-competitive practices. Adopting a flexible regulatory approach will allow for iterative improvements and adaptation to emerging trends while maintaining a stable regulatory environment.

Importantly so, while digital transformation has driven financial service providers to re-evaluate their product and service offerings, by embracing technological tools to enhance their financial solutions and remain relevant in the market, one critical component of a smooth adoption and operationalization of open-banking, will be the compliance with its regulatory framework and data protection laws. Adhering to the mandatory regulatory and privacy requirements will be vital to uphold responsible data-sharing practices and building customer trust.

• Customer Consent and Control: Open-banking holds the potential to empower customers, granting them enhanced control over their financial data and access to personalized services. However, finding the right balance between convenience and protection will be vital. To this end, the regulator must adopt a customer consent and control framework which will operate to institute appropriate mechanisms and thresholds to be met by financial institutions and third-party service providers in the collection, sharing, and use of customer data. Implementing clear and transparent consent mechanisms will be critical to ensure that customers fully understand what data they are sharing, who will have access to it, and how it will be used. Additionally, the consent framework must provide for the revocation of consents by customers at any time, granting them greater control over their data.

For financial institutions and third-party service providers, there will be the need to leverage technological tools for real-time risk management and the implementation of effective data governance principles which will be critical for managing information flow to customers and maintaining the accuracy and integrity of data shared with third parties.

Before opting into open-banking services, opportunities should be provided for the customers to thoroughly assess the security measures and data protection protocols implemented by financial institutions and third-party providers. Understanding how their financial data will be accessed, used, and protected will help win customer trust in the practice. Further, transparency must be enhanced about related transaction fees, data usage policies, and any potential liability clauses so as to help customers to make well-informed choices.

• Data Security and Privacy: Data privacy and security are critical aspects of open-banking that regulators must consider, as consent alone is insufficient to ensure data protection. Granting access to sensitive financial information requires robust data protection measures to prevent unauthorized access, data breaches, and identity theft. Clear and comprehensive regulatory guidelines are needed to outline the roles and responsibilities of each participant, promoting fair competition and customer protection among banks, fintech companies, and third-party providers.

It also remains an important consideration for financial institutions as they adopt and deploy advanced technologies such as artificial intelligence and blockchain. Financial service providers must implement robust security measures, and data access controls to protect sensitive information from unauthorized access and cyber threats and/or attacks. Third-party providers need to adhere to high standards of data protection, transparency, and accountability, and cooperate with banks and regulators to ensure compliance with data security and privacy.

While financial institutions will need to update their systems and processes to accommodate the new data flows and interactions, and to mitigate the risks of data breaches and fraud, regulators need to establish and enforce consistent and harmonized rules for open-banking across the financial sector and to monitor and address any emerging issues or challenges.

• Interoperability and Standardization: A lack of standardized data formats and APIs can hinder the seamless exchange of information between various banks and third-party providers. Establishing common technical standards and protocols will be crucial to enable interoperability and prevent fragmentation within the financial ecosystem.

The regulator should therefore work at adopting standardized protocols and data formats which are essential to enhancing interoperability among open-banking platforms, ensuring efficiency, and reducing integration challenges. Cross-border data transfer regulations and agreements will also be crucial, particularly with the implementation of the African Continental Free Trade Agreement (AfCFTA) Protocols, to uphold data protection laws across jurisdictions.

In terms of operationalization, financial institutions must develop standardized and secure APIs to facilitate data sharing with third-party providers. These APIs should adhere to industry-standard security protocols, including encryption and authentication mechanisms, to safeguard customer information during data transmission.

• Cybersecurity and Risk Management: The increased integration of third-party systems can potentially introduce new forms of cyberattacks and fraudulent activities. The regulator in conjunction with the relevant statutory bodies responsible for cyber security concerns should consider formulating clear and comprehensive regulations that address cybersecurity and risk management frameworks. This would include the adoption and enforcement of stringent security standards and consistently monitoring third-party providers to mitigate these cyber risks and ensure that financial institutions and third-party providers adhere to robust security practices.

On the part of financial institutions and third-party providers, there will be the need for the implementation of multi-layered cybersecurity protocols such as encryption, strong authentication, and real-time monitoring to counter potential threats. A well-defined incident response plan will also be essential for addressing cyber breaches effectively.

Additionally, a risk management framework and mechanism encompassing thorough risk assessments, mitigation strategies, ongoing monitoring, and regulatory compliance will be crucial to boost the secured use and access of systems and technology.

• Testing and Piloting: For a country looking to adopt open-banking, it is advisable to adopt a phased implementation instead of a wholesale implementation. A phased adoption strategy will provide controlled environments for rigorous risk assessment, identification of security vulnerabilities, and collaboration with other stakeholders in devising effective risk mitigation strategies for full-scale adoption. Through testing, regulators can evaluate the efficacy of data security measures, authentication protocols, and access controls, ensuring the protection of sensitive customer information.

Further, a phased adoption will offer insights into customer experiences, consent mechanisms, and the alignment of the technical framework with user expectations. By simulating interactions between financial entities, testing will help address interoperability challenges, and evaluate regulatory compliance, and enforcement mechanisms, leading to refined guidelines – which will contribute to the establishment of a secure, customer-centric, and adaptable open-banking practice.

• Capacity Building and Education: Open-banking will drive new financial service offerings based on data, and this will require a basic understanding of its workings and underlying technologies. It is therefore important that new financial literacy must be designed and deployed by stakeholders to help build customer appreciation and drive participation in the new possibilities to be enabled by open-banking.

Equally, financial institutions and third-party service providers must actively drive initiatives that provide foundational understandings of this new way of banking and how customers can help build a strong compliance culture. These educational efforts must be pursued on an ongoing basis to support a compliant, secured, and innovative deployment of a customer-centric open-banking ecosystem.

CONCLUSION

One expected outcome of technology in reshaping finance and the delivery of financial services is the general adoption of open-banking practices in commercial banking in the coming years. While many central banks are preparing for its adoption, it is imperative for Ghana to begin the design of a framework that accounts for the concerns in ways to leverage its usefulness in building an innovative, resilient, and robust financial service delivery ecosystem. And we have highlighted some of these concerns in this article noting the opportunities and risks in the adoption of an open-banking framework.

ABOUT THE AUTHORS

RICHARD NUNEKPEKU is a Fintech Consultant and the Managing Partner of SUSTINERI ATTORNEYS PRUC (www.sustineriattorneys.com)a client-centric law firm specializing in transactions, corporate legal services, dispute resolutions, and tax. He also heads the firm’s Start-ups, Technology, and Innovations Practice divisions. He welcomes views on this article and is reachable at richard@sustineriattorneys.com.

CECILIA ANTWI KYEM is an Associate at SUSTINERI ATTORNEYS PRUC. Cecilia specializes in Technology, Startups, Corporate and Commercial Transactions, Intellectual Property, and Dispute Resolution. She welcomes views on this article via cecilia@sustineriattorneys.com.