The Central Bank of Nigeria (CBN) framework on open banking has now transitioned from a policy document to a phased implementation. Nigeria has a comprehensive history of open banking; with the Central Bank issuing Africa’s first Open Banking Regulatory framework in February 2021, followed by the Operational Guidelines in March 2023. In April 2025, the CBN provided August 2025 as the launch date for an operation that would have seen Nigeria emerge as the first African country to launch national open banking. However, the initial launch date was deferred as the CBN stressed that a wholly automated system that offers robust data protection and stringent consumer protection mechanisms should first be in place.
By May 2026, Nigeria’s phased rollout, the implementation dates are now spread across mid-2026, confirmed in CBN’s FinTech Report which was released in February 2026. The implementation workstreams comprise 5 key areas, namely:
- Governance & Regulation;
- Legal & Compliance;
- Technical & Infrastructure;
- Data Security; and
- Stakeholder Engagement.
Stakeholders have finalized and submitted their various deliverables in September 2025 and are currently pending review by the CBN. The Nigeria Inter-Bank Settlement System (NIBSS) has been nominated as the Open Banking Registry and will hold the public repository for all registered participants in the framework. All institutions that intend to participate will need to obtain a CBN license.
Legal and Regulatory Considerations for Intending Open Banking Participants
Here, we consider 5 legal questions that all banks and FinTech’s in Nigeria should now be seeking answers to, and which compliance gaps organisations in general have not addressed.
- Do Application Programming Interface (API) Agreements meet CBN Data sharing obligations?
The legal and technical standards that apply to the application programming interfaces that allow for the sharing of financial information under Nigeria’s Open Banking framework are not guidelines; they are mandatory requirements and should not be treated as optional. The API agreements in place between banks and technology suppliers that existed prior to the extant open banking regime were not designed with this framework in mind and most of these will not satisfy the CBN framework.
All organisations with existing API agreements should re-examine them and ensure they meet all extant requirements. The relevant questions to ask regarding every API agreement include: whether it adequately defines the categories of data allowed to be accessed and if those are consistent with the tiers prescribed by CBN data access framework; whether the security levels required of the third party supplier meet the CBN’s minimum technical specifications; what the third party supplier’s obligations would be should data breach occur, including details on notification timelines and remedies, and whether the agreement’s terms for termination effectively allow the data supplier to cease data access if the third party supplier does not comply with their obligations under the framework.
- Are Customer Consent Frameworks Updated for Open Banking?
All data sharing arrangements under the CBN Open Banking framework will be contingent on customer consent which must be informed, specific, granular, and withdrawable. CBN has clearly stated that the open banking initiative should operate with customer ownership and control of personal data; which means that customer should dictate who gets access to it, for how long, and must be able to revoke access at any time. Customer ownership and control over data was one of the key reasons given for the August 2025 delay.
A compliant open banking consent framework should outline; the specific data categories accessible to the third-party supplier; the purpose for which the third-party supplier would be utilizing the data; duration and frequency of third-party supplier’s access to data; customer’s right to revoke consent at any time, how that is done; and ramifications to the customer’s relationship with both bank and third-party supplier if the customer withdraws consent or withholds it.
A consent framework review should involve examining all customer-facing terms and digital interfaces where the company currently captures customer data and assesses its suitability for open banking. Where consent is not suitable for this purpose, new consent needs to be collected from existing customers before the institution’s data is shared under the open banking regime.
