The CBN released its Operational Framework for Open Banking in 2024, marking a fundamental shift in how financial data moves in Nigeria. For developers and businesses building on this framework, the opportunities are enormous. Here is what you need to know.
The Central Bank of Nigerias Operational Framework for Open Banking establishes comprehensive rules for sharing customer-permissioned financial data between licensed institutions. It applies to all commercial banks, microfinance banks, payment service banks, and mobile money operators operating in Nigeria. These institutions must publish standardised APIs that third-party providers can use to access customer account data and initiate payments, subject to explicit, informed, and revocable customer consent. The framework is modelled on the UKs Open Banking standard but carefully adapted for Nigerias unique financial ecosystem, accounting for the prevalence of mobile money wallets, USSD banking channels, and agent banking networks that serve millions of previously unbanked Nigerians.
For businesses, the framework provides much-needed legal clarity on what customer data you can access, how to handle the consent collection and management process, and what security standards apply to data storage and transmission. Before the framework was introduced, fintech companies relied on screen scraping bank internet banking portals, which was fragile, slow, operated in a regulatory grey area, and often violated bank terms of service. The open banking framework replaces this with standardised, secure, and legally sanctioned API access that benefits customers, banks, and third-party providers alike.
The CBN defines three API categories. Account Information Services (AIS) allow reading account balances, transaction history, and account details. This powers personal financial management apps and credit scoring products that assess a borrowers transaction behaviour. Payment Initiation Services (PIS) allow initiating payments from a customers bank account after customer authorisation through their banks authentication system. This enables checkout solutions where customers pay directly from their bank account without needing a debit card. Confirmation of Funds (CoF) verifies whether sufficient funds are available for a transaction and returns a simple yes or no response. All APIs return data in standard JSON format per the CBN technical specification.
Consent management is the cornerstone of the open banking framework. Every data-sharing arrangement requires explicit, informed, and revocable customer consent. The standard flow: your app requests account access, the customer is redirected to their banks consent screen showing exactly what data will be accessed and for how long, the customer approves, and your app receives an access token. Consent is valid for a maximum of 12 months. Your system must notify customers 30 days, 7 days, and 1 day before expiry and provide a seamless re-authorisation flow. Maintain a complete audit trail of all consent grants, modifications, and revocations for regulatory review.
Account aggregation connects to multiple banks through open banking APIs and displays all a customers accounts from different banks in a single unified dashboard. Building an aggregation service from scratch requires integrating with each banks API individually, handling different authentication flows, consent management, and token refresh mechanisms. This is why most developers use middleware aggregation platforms like OnePipe, Okra, or Mono. These platforms offer a single API connecting to all major Nigerian banks and handle the complexity of consent management, token refresh, and API rate limiting on your behalf. Data refresh frequency should follow these guidelines: transaction data refreshes on every app open, balance data refreshes on every manual pull, and historical transactions can be cached for up to 24 hours. Always respect bank API rate limits, which typically range from 10 to 30 calls per minute per customer account.
Payment Initiation Services allow customers to pay directly from their bank account with a single authorisation, bypassing cards entirely. Benefits include lower transaction fees typically 0.5% to 1% compared to 1.5% to 2.5% for cards and higher authorisation rates since bank transfers rarely fail. The flow: your system creates a payment request via the PIS API, the customer confirms via their banks authentication, and the bank processes the payment and sends a webhook confirmation. Total flow time is 10 to 30 seconds. PIS is a viable alternative to Paystack and Flutterwave for high-volume merchants. For more on payment integration, read our fintech app development guide.
As of 2026, over 15 open banking providers are licensed by the CBN to operate in Nigeria. They fall into three categories. Aggregation platforms like OnePipe, Okra, and Mono offer a single API connection that reaches all major Nigerian banks, handling consent management, token refresh, and API rate limiting on your behalf. Bank-operated platforms like GTBank HabariPay, Access Banks Africa Fintech Foundry, and Zeniths API marketplace offer direct access to that specific banks customer base with potentially lower latency. Specialist providers focus on specific use cases like credit scoring based on transaction history analysis, account verification for KYC processes, or business banking analytics. Choose a provider based on bank coverage, API reliability metrics, and pricing. The typical cost ranges from N5 to N20 per API call depending on committed monthly volume.
A basic account information product takes 4 to 8 weeks including integration with an aggregation platform and setting up the consent management flow. A payment initiation product takes 8 to 16 weeks because it involves more complex security requirements and bank API certification. A full platform offering AIS, PIS, and CoF capabilities takes 16 to 24 weeks and requires formal CBN approval before going live with customers. Compliance requirements include AES-256 encryption for all customer data at rest, TLS 1.2 or higher for all data in transit between your systems and bank APIs, complete consent audit trails that record every grant and revocation, documented incident response procedures with clear escalation paths, and regular third-party security assessments conducted at least annually. All open banking products must undergo a CBN Technology Risk Assessment before launching to the public. See our CBN TRA guide for detailed preparation steps.
A framework allowing customers to share financial data with third-party providers through standard APIs. Regulated by the CBN Operational Framework for Open Banking.
The CBN regulates open banking through the Operational Framework for Open Banking, defining API standards, consent requirements, data security, and licensing.
Account Information Services (AIS) for reading accounts, Payment Initiation Services (PIS) for initiating payments, and Confirmation of Funds (CoF) for verifying balances.
GTBank, Access Bank, Zenith Bank, UBA, First Bank, and Stanbic IBTC. Aggregators like OnePipe and Okra provide unified access.
