Select a location

This selection will switch the site from presenting information primarily about Kenya to information primarily about . If you would like to switch back, you may use location selection options at the top of the page.

Insights

Open banking in Africa after COVID-19

Africa Connected: Issue 6

By Amrit Soar

Open banking is a system where banks allow or authorize third parties, such as financial technology or fintech companies, to access their clients’ financial data to build applications or services. Anchored on providing better customer experiences, open banking has stirred a lot of interest in Africa, including banking apps with detailed analytics of finances, the ability to send money from one bank to another using mobile phones, or the ability to transfer money from one telecoms network to another.

COVID-19 affected many businesses, with the banking industry among the first to feel its effects. In December 2020, Kenya’s Central Bank released its four-year strategy and highlighted Open Infrastructure as one of its main strategic objectives.1 Earlier in 2019, two large South African banks embraced open banking2 and at the height of the pandemic, South African and Nigerian startups TrueID and Okra, respectively, announced3 they had received significant funding to develop open banking infrastructure.

This article looks at how open banking is gaining traction in Africa, its regulatory frameworks and what this transformation means for the continent in a post-COVID-19 world.

Open banking enablers

Among the assets a bank may have, customers’ financial data is one of the most valuable. Information such as spending patterns, financial capabilities and lifestyle preferences are potential gold mines of data. However, in the past five years, fintech companies have arrived on the scene, armed with the capability of providing new products and better customer experiences. With this new wave, banks have started participating and outsourcing innovation to authorized third parties by opening up their customer data to them.

M&A activity has also created investor excitement in the area. VISA’s announcement4 of its intention to purchase US open banking platform Plaid for USD5.3 billion surprised many. Regional mobile telecom company MTN recently launched its API5 marketplace, Chenosis,6 as did Kenya’s Co-operative Bank with its open APIs, while Safaricom continues to take an open approach through its Daraja API. Several African startups have also been founded and successfully funded to build open banking infrastructure. These include Nigeria’s Okra, OnePipe and Mono, and South Africa’s Stitch.

The case for open banking

Payments

Instant payments, automated bulk payments, government payments as well as checkout points in e-commerce solutions are some examples of how open banking has changed the world of payments. PesaLink, developed by the Kenya Banker’s Association fully owned fintech firm IPSL facilitates inter-bank transactions and covers all the above examples. What was previously a fragmented environment from a data perspective appears to bring positive implications of a more connected financial ecosystem.

Lending

Lending platforms leverage customer financial data, credit scores and access to other data such as social media and online activity using artificial intelligence (AI) and machine learning (ML) to make for better informed data-driven lending decisions. Individuals and businesses applying for loans experience reduced paperwork and approval timelines from days to minutes, dispensing with the need to physically go to banks to apply for loans.

However, online lending has come with its share of adverse negative effects including:

  • increased indebtedness by individuals due to multiple loans from different lenders;
  • transparency issues on loan terms and conditions such as unclear and often high interest rates;
  • hidden fees and clients’ lack of ability to compare rates;
  • aggressive and sometimes misleading marketing practices;
  • customer data privacy issues, including lack of information on data collection practices, lack of control over customer data and in some cases, the misuse of customer information; and
  • lack of, or irresponsible credit reporting and consumer complaint management practices.7

In a bid to boost confidence in this category, players and regulators have begun working together to safeguard customer interests. This can be seen with the passage of data privacy laws across many African countries, the establishment of digital lending associations such as Kenya’s Digital Lenders Association (DLAK) and regulators amending their laws to extend oversight to digital lenders.8

Customer verification and onboarding

Customer data access has also brought innovation in know you customer (KYC) and risk assessment procedures. The solutions seek to reduce the customer onboarding process while at the same time offering better customer experiences. Examples of regional KYC applications include Nigeria’s VerifyMe, South Africa’s TrueID and Kenya’s Pngme.

Regulatory frameworks

Outside of Africa, open banking is driven by market forces and regulatory interest. Some have pointed to the EU as the “cradle of open banking”9 because of the Payment Services Directive (PSD2)10 and the UK’s open banking standard which essentially pioneered it.

In Africa, one may observe a similar approach. Most, if not all countries, are yet to implement open banking legal frameworks, but regulators have begun promoting and offering guidelines on the rolling out of these platforms. Kenya’s Central Bank (CBK), for example, has prioritized open infrastructure in its 2021-2025 strategy. The policy paper states, in part that “CBK will facilitate development of industry wide standard for open but secure APIs in a way that guarantees access, safety and integrity of data sharing systems. These standards will include API specifications for identification, verification, and authentication; customer account information / data access; transaction initiation; and formats and coding languages for APIs. Due to the risk associated with opening up data from financial institutions to third-parties, CBK will define clear risk management frameworks and standards, including providing clarity on liability and consumer protection.”11

Further, as data sharing forms the basis of open banking, a strong data protection regime is critical to its success. Banks play the dual role of data controller and processor as they are both holders of customer data and processors through their own sandboxes or APIs.

Data protection laws operationalize the constitutional right to privacy and mandate banks and third-party providers to keep customer information confidential even when passed through APIs. This will involve incorporating privacy in the design of these systems to achieve a high level of compliance. This means, in part, being allowed access to data only for lawful purposes and giving the customer their rights back through well-articulated opt-outs and the return and subsequent deletion of their data.

COVID-19 has accelerated digital transformation

The pandemic has brought about a new normal, and open banking can help boost the recovery from its effects, enrich customer experiences and transform banking as we know it.

Customer experience

Open banking is all about client data. Platforms need to be designed with the customer's experience and interest in mind. The products and services created should consider the customer’s journey online and banking must be plugged in wherever required. As an example, EverSend, a Ugandan mobile-only bank that facilitates money transfers for customers anywhere in the world, allows users to instantly set up virtual debit cards that can be topped up with funds to facilitate online shopping.

Data Privacy

Data privacy and security are the most important factors for the success of open banking as the ability to securely process data while complying with data privacy and information security standards and laws will ensure customer confidence and acceptance to the processing of their data and drive the adoption of open banking. Otherwise, regardless of its benefits, consumers will not be convinced to share their personal data.

It will be prudent and crucial for companies to review their data security policies considering the sensitivity of the data exposed. For example, interest rates and exchange rates can be shared without worry of security. On the other hand, personal information such as customer names and account details must have high levels of security such as multi-layered verification features.

While this is purely best market practice, sound regulations need to be passed to complement these efforts. As it stands, there is still a high degree of risk that may impede its success. Data privacy laws are relatively new in Africa with further guidelines and regulations yet to be rolled out. And except for countries like Rwanda and South Africa where open banking is highly regulated, other central banks are yet to follow suit.

Regulators may look at the UK’s PSD2 for guidance. PSD2 mandates customer consent to be at the center of these platforms. Authorized third parties must ensure customer consent is freely given in an easily accessible format and in plain language. Further, companies must be able to demonstrate that customers gave their consent as well as putting features that enable the withdrawal of such consent.

The location of processing and storage of this data is another factor regulators and banks must consider. If an open banking platform uses a third party to process customer data, it is crucial that it obtains guarantees from its data processors that they can comply with data protection mandates.

A company may look to perform its own analysis on whether its processors are data protection and information security compliant. For example, any company that processes, stores, or transmits credit card information must be PCI-DSS12 compliant. This is a global standard that mandates companies to maintain a secure environment before being allowed to handle card data. It would be a red flag if a third party looking to be authorized to undertake open banking is not PCI-DSS compliant. However, if the third party they are relying on for processing has that certification, then that may offer comfort to banks and regulators, and by extension, clients.

Acceleration of digitalization

Regional lockdowns have pushed bank customers to switch to online channels. With cashless transactions becoming the norm, use of digital products will likely increase. This will push banks to invest in digital products to offer new experiences to their customers. Absa Bank, for example, marked its first anniversary in Kenya by committing a multimillion-USD move to digital services aimed at improving the customer experience.13

By Amrit Soar (Partner, IKM Advocates) and Victor Mwago (DLA Piper Africa, IKM Advocates)

Authors