
ABP.CIC.0617.190

ACCESS BANK PLC

Framework for Fintech and other Technology Integrations from External Parties Compliance

Fintech and other Technology Integrations from External Parties Monitoring & Intelligence Center (FMIC)

Risk Rating: Above Average

June 2021

Page 1 of 25
Framework for Fintech and other Technology Integrations from External Parties Compliance (FMIC)
ABP.CIC.0617.190

DOCUMENT INFORMATION

Document Owner

This document is owned by the undersigned, who will be responsible for ensuring that the policy
is reviewed in line with the requirements of the policy approvals, broadcast and administration
framework.

Name: TBD
Role: Head, Fintech Monitoring & Intelligence Center (FMIC)
Date: June, 2021
Version: 1.0

Document History

Prepared By: Chukwuma Osahor; Caleb Izedonmi
Date: June 14, 2021
Version: 1.0
Comment: This maiden version of the “Framework for Fintech Compliance 2021” shall be subject to review as the need arises, in line with Regulatory changes and the Strategic focus of the Group and/or HoldCo.


Document Review / Approval

Name Designation Signature Date


Reviewed By Caleb Izedonmi Unit Head, E-business & Digital Compliance
Concurrence Toye Soladoye GH, Partnership & Digital Capabilities
Concurrence Daniel Awe Head, AFF
Concurrence Joseph Osogbue Unit Head, Global Advisory
Concurrence Ogor Chukudebelu GH, Customer Experience
Concurrence Amitkumar Sethi CIO
Concurrence Robert Imowo Head, Legal
Concurrence Rob Giles Senior Business Advisor, RBD
Concurrence Favour Femi-Oyewole GH, ICSG
Concurrence Kola Ajimoko GH, Operational Risk Management
Concurrence Yinka Tiamiyu Chief Audit Executive
Concurrence Pattison Boleigha Head, Group Conduct & Compliance
Concurrence Ade Bajomo ED, IT and Operations
Concurrence Seyi Kumapayi ED, African Subsidiaries
Concurrence Victor Etuokwu ED, Retail Banking
Concurrence Gregory Jobome ED, Risk Management
Approval Herbert Wigwe Group Managing Director

TABLE OF CONTENT

CONTENT PAGE

Document Information 2
Document History 2

1.0 Introduction 4
2.0 Purpose & Objective 4
2.1 Scope 4
2.2 Related Policies 5
3.0 Policy Statement 5
3.1 Customer Acceptance Policy 5
3.2 Customer Due Diligence (CDD) Requirements 6
3.3 Permissible Business Activities 9
3.4 Risks Associated with Fintechs 9
4.0 Key Payment Service Providers 9
4.1 Digital Banks/Lenders (NeoBanks) 10
4.2 Payment Service Providers (Payment Facilitators/Aggregators) 11
4.3 Switches, Processors & eCommerce Merchants/Fintechs 14
4.4 Mobile Money Operators & Super Agents 14
5.0 Stakeholders Roles & Responsibilities 15
5.1 Roles & Responsibilities Matrix (Bank, Subsidiaries & Holdco Entities) 16
5.2 Responsibilities of Fintechs 19
6.0 Fintech Monitoring & Intelligence Center (FMIC) 20
6.1 Governance, Relationship with Group and Holdco entities 20
7.0 Data and Service Categories 22
7.1 Categories 22
7.1.1 Data & Service Risk Ratings 22
7.2 Data & Service Access Governance 23
7.2.1 Risk Management Maturity Level and Data Service Access Level 23
8.0 Periodic Review 23
9.0 Appendix 24

1.0 INTRODUCTION

Financial Technology (Fintech) is one of the most promising places to be in financial services at
the moment. Technological innovation has changed the landscape of banking dramatically,
opening the door to new market entrants and exciting new developments across financial
services. Fintechs, in providing innovative financial solutions, products and services, have to
share data between different Financial Institutions (FIs), a practice often referred to as “Open Banking”.
Such changes have made it easier for customers to take advantage of many new financial possibilities,
while also exposing the parties involved to new levels of risk. In combination, a technologically evolving
industry and a supportive regulatory environment have created the space for a new Fintech
ecosystem.

As banks and other FIs grow in size and business, they need to get compliance right and manage
the risks associated with financial crime, cybercrime, terrorism financing, settlement, data
governance, third- and fourth-party risks, and other operational risks, so as to ensure a secure and
sustainable customer experience. The concept of compliance needs to be seen in the wider context
of society’s campaigns against financial crime and the predicate crimes (human trafficking, the drugs
trade, etc.) that generate illicit funds. Compliance obligations are vital ‘minimum standards’ in that
fight, but they are really only a part of what AML/CFT is about. What leading regulators are
increasingly looking towards is compliance as an integral element within agile risk management,
taking advantage of technology to deliver better outcomes.

Access Bank Plc as a group, in delivering superior value to its esteemed customers and
providing innovative solutions to the markets and communities served, will, within the ambit of
Regulatory provisions, continue to partner with financial technology start-ups, service providers
and other non-traditional market entrants, which provide the agility needed to support and
create a digital ecosystem that will retain existing customers and attract new ones.

2.0 Purpose
The purpose and objectives of this framework are:

• To guide Access Bank Plc, its subsidiaries and entities within the HoldCo in their relationship with
Fintechs and related partners, in tandem with external Regulations and Internal Policies relating to
Fintech and related partnership engagement.
• To provide uniformity across the entire Access Bank Plc Group ecosystem.
• To ensure that the processes involved in the onboarding, monitoring, relationship management
and risk management of Fintechs and related partners within the Access Bank Plc group
ecosystem guarantee optimum security, efficiency, cost effectiveness and customer
friendliness.
• To set up an independent Fintech Monitoring & Intelligence Center (FMIC), made up of
experts drawn from Compliance & Risk Management, Antifraud, Information & Cybersecurity,
Data Scientists & Analysts, Legal, Partnerships & Digital Capabilities, Developers etc., that will
provide support in the onboarding, monitoring and management of Fintechs engaged by
Access Bank Nigeria, Subsidiaries and other related entities within the HoldCo ecosystem.
• To strengthen controls from the front end, from relationship engagement through to disengagement.

2.1 Scope

This framework shall guide FMIC, Units and Departments that are involved directly or indirectly in
the engagement, operation, and management of all Fintechs and related partners in Access Bank
Group and entities within the HoldCo ecosystem. Fintechs under this framework include other
Technology Integrations from external parties.


2.2 Related Policies:

This framework for Fintech Compliance is to be read in concert with the following documents:

i. CBN Regulatory Framework for Open Banking in Nigeria, February 2021
ii. Access Bank Plc Digital Partners/Third Party Monitoring Framework, March 2021
iii. Access Bank Plc Digital Banking Risk Management Framework, March 2021
iv. Access Bank Plc Framework for the Acquisition of Merchant and Cashless Collection August
2020
v. Access Bank Plc Application Program Interface (API) Policy, January 2020
vi. Any other Regulatory provision by the Central Bank or applicable Regulatory Authority of
jurisdiction where the Bank, its subsidiaries, and entities within the HoldCo are operational.

3.0 POLICY STATEMENT

3.1 Customer Acceptance Policy (CAP)

i. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not establish
relationships, engage in banking relationship, carry out occasional transactions or
otherwise facilitate any business or transactions with money launderers, terrorists, and
known criminals of all shades or with entities whose source(s) of wealth are
questionable.
ii. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not do business
with entities that are reluctant, unable or unwilling to provide KYC or other Customer Due
Diligence (CDD) information that the Bank may consider necessary for the establishment
and retention of banking relationship.
iii. Access Bank Plc, its subsidiaries, and entities within the HoldCo shall not open
numbered or anonymous accounts, accounts in fictitious names, or open/establish accounts
or business relationships with Shell banks/entities.[1]
iv. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not establish any
form of System/Application Program Interface (API) integration with Fintechs for whom
Enhanced Due Diligence has not been concluded at the onboarding stage and for
which a satisfactory report is not in place from FMIC, working with the other teams involved in the
due diligence process.
v. Access Bank Plc, its subsidiaries, and entities within the HoldCo shall strive to comply
with the Financial Action Task Force (FATF) 40 Recommendations and all AML/CFT Laws
and Regulations in the Country of operation.
vi. Collaterals shall be in place for any relationship wherein the bank would act as
settlement banker. Collateral sums shall be appropriate and adequate to cover the Bank
in the event of an exposure. Exceptions (if any) to this shall be approved by the line
Executive Director of the initiating business and Executive Director in charge of IT &
Operations.

Consequently, Access Bank, its subsidiaries and entities within the HoldCo will not facilitate
onboarding, system integration and access for any Fintech or related partner that is unable,
unwilling or reluctant to provide essential Customer Due Diligence information deemed
necessary by the Bank for the establishment/continuation of a banking relationship or the carrying
out of an occasional transaction.

[1] These are banks/entities which have no physical presence in any country. Shell companies or banks are prohibited from
operating in Nigeria and we will take all necessary measures to satisfy ourselves that we are not used by shell companies or
banks.


3.2 Customer Due Diligence (CDD) Requirements

Documents stated in table 1 below shall be required for Fintechs onboarded by the Bank,
subsidiaries, and entities within the HoldCo for various business purposes. These documents
are noted as minimum requirements and may vary depending on Regulatory provisions for
each jurisdiction of operations.

Table 1. General CDD Requirements – Applicable to all Fintech Types


S/N  Documentation Type  Description  Remark

1  Licensing & permits
   Description: Regulatory license; Permits (applicable to entities whose activities/businesses are licensed)
   Remark: Mandatory

2  Proof of Identity
   Description: Certificate of Incorporation/Business Registration; Memorandum & Articles of Association; Valid IDs of Directors & Shareholders with 5% holdings
   Remark: Mandatory

3  Proof of Address
   Description: Utility bill (in forms applicable by Regulation); Site Visitation*
   Remark: Mandatory
   *The Site Visitation report can be provided at a later date if unavailable at the time of processing the EDD. Such will be signed off by the GH or SBU sponsoring the relationship.

4  Ultimate Beneficial Ownership (UBO)
   Description: Particulars of Directors; Allotment of shares (CAC FORM CO2/CO7/2.1 or its equivalent)
   Remark: Mandatory

5  Due Diligence Questionnaires (AML & Operational Risk)
   Description: Duly completed AML Questionnaire; Duly completed Operational Risk Questionnaire
   Remark: Mandatory

6  Policies & Certifications
   Description: AML/CFT/KYC Policy; Anti-Bribery & Corruption Policy; Information Security Policy; Business Continuity Policy; Business Continuity / Disaster Recovery Plan; PCI DSS Certification; ISO 27001, 23001 Certifications; evidence of Business Continuity tests
   Remark: Mandatory

7  Others – Governance Structure
   Description: Organogram; Most recent Audited Financials; Business & Management Profile; Staff Recruitment & Selection Policy
   Remark: Not mandatory for Start-Ups (Tier 0); Mandatory for established (Tier 2) Fintech entities

8  API Requirements
   Description: Refer to existing API Policies and Framework and Regulatory Standards for specific and minimum requirements
   Remark: Mandatory for all forms of API integration, whether in test or live environment

3.2.1 Other Onboarding Due Diligence Criteria

Table 2. Other Onboarding Criteria – Applicable to all Fintech Types


S/N  Criteria  Description

1  Fraud Monitoring & prevention: Due diligence shall include a review of scenarios/responsibilities which relate to fraud risk, particularly in relation to the introduction of customers, processing of money transactions and handling of classified (including customer) data.

2  Business resilience: Details of business resilience plans in place in case their premises/staff fail, to enable them to continue to operate and supply the contracted service or product within an acceptable recovery time.

3  Regulatory compliance: Demonstration of regulatory compliance and required approvals, along with disclosure of any information that may give rise to regulatory concern.

4  Other ethical policies: Review of each Fintech’s sustainability policy including economic, ethical (social) and environmental considerations. As a minimum requirement, demonstration of adherence to all relevant human rights, labour, health & safety and environmental laws.

5  Information security and data protection: There is a need to ensure that both customer data and the Bank’s data are safe and adequately protected through appropriate physical, procedural and technological protection and controls.

6  Data Management and Retention: An explanation of the activities and responsibilities relating to: capturing, storing or disposing of records, customer transactions, data or assets; supporting or maintaining facilities or infrastructure containing or processing any information, whether on-site or off-site; and having remote access or connectivity to their data or premises.

7  Payment security: A description of the activities and responsibilities of the fintech where they undertake any aspect of the end-to-end payment process. Evidence, where required, of registration with the respective card schemes and demonstration of compliance with the Payment Card Industry Data Security Standard.

8  Physical security: Explanation of the activities and responsibilities where there is access to, management, processing or storage of the Institution’s assets, or unescorted access rights to the Institution’s premises.

9  Access rights and controls: Explanation of the activities and responsibilities in terms of technical and support personnel having administrator or special access rights to systems and data relating to the Bank’s deployment of a solution, and how those rights and privileges are appropriately monitored, controlled and audited.

10  Data protection: Description of the activities, protections, controls and responsibilities relating to compliance with GDPR regulations, including details of access to any data, however stored (including electronic data, systems and printed records and confidential waste), relating to: customers/clients, staff (including contractors, job applicants, pensioners etc.) and shareholders; and protection of company confidential and secret information.

11  Technology: An understanding of the technologies being applied, how they can be scaled, and the future road-map and support arrangements.

12  Platform readiness: The readiness of the fintech’s product or platform will help to drive the type of discussions being had with potential partners. The fintech should be clear about the current state of the product or service that is being or has been developed, e.g. alpha, beta, MVP, market ready.

13  Technology architecture: An explanation of the technology architecture. This information should be documented in detail along with high-level architecture diagrams showing system connectivity as well as data flow. An architecture diagram should also detail the differences between development, test and production services.

14  Development roadmap: An explanation of the direction of the solution during the proposed period of the contract. The roadmap should be in as much detail as possible over the near term (6-12 months), with an indication of future direction beyond this.

15  Support arrangements: Definition of support arrangements including details of SLAs, change control processes, support times, escalation and reporting arrangements.

16  IT resilience: An understanding of the scenarios/responsibilities where there is provision of IT solutions or services which, if lost, would disrupt one or more critical activities. This would include arrangements for recovery and resiliency and contingency testing.

17  Legal, regulatory and commercial: Fintechs shall understand the structure of the agreements they are entering into before proceeding to execute such agreements. At the same time, the Bank will only engage with fit and proper partners who have the capacity to satisfy various regulatory obligations.

18  Non-disclosure, PoC and pilot agreements: Fintechs will be required to execute appropriate legal non-disclosure agreements with the Bank. These agreements are ‘mutual’, meaning there are restrictions and protections afforded to both the Bank and the fintech.

19  Company legal structure and conduct: A review of the legal structure and set-up of the fintech, including identification of holding companies, subsidiaries and other related companies. There will be a requirement to demonstrate that there are no aspects relating to the fintech which disregard appropriate controls, activities or processes relating to: anti-bribery and corruption laws and regulations; anti-money laundering, tax avoidance or terrorist financing laws and regulations; sanctions relating to restricted countries or individuals; and regulatory rules and requirements.

20  Conflicts of interest: Any engagement will need to operate on the principle that the parties identify and manage conflicts of interest fairly and effectively. There needs to be an understanding of any relationship between the Bank and the fintech, including key personnel on both sides, to ensure any engagement has been introduced, selected and contracted with integrity and transparency, to avoid the perception of, or actual: bribery, corruption, questionable conduct, seeking to obtain any improper influence; advantage obtained as a result of the giving or receiving of gifts, hospitality and entertainment by any of its employees or third parties; and breach of any law, regulation, code or policy.

21  Company financials: Evidence of financial performance and ongoing viability in terms of: capital availability, funding stage and sources; existing revenues and debts; profit and loss account, and balance sheet; cash flow; existing engagement commitments; resourcing levels; and financial forecasts and growth/scaling plans.

22  Commercial model: A review of the commercial terms including the proposed use, by either party, of brand marks or marketing collateral associating the organisations. Include aspects such as: proposed pricing model, e.g. per transaction, user or enterprise level; revenue share; license fees to be charged; service levels and cost tiers, if costs change by volume or other factor; support arrangements and service level agreements; third parties used, including associated costs; guarantees and/or indemnities expected or given; responsibility for any liabilities; and penalties relating to non-performance.
23  Intellectual property agreements: An understanding of how the two businesses will work together, and to provide clarity about: what intellectual property already exists; who owns the existing intellectual property; how existing intellectual property might be used by each party, and on what terms; who will own any new intellectual property created as a result of working together; and how intellectual property might be combined, where necessary.

3.3 Permissible Business Activities

The framework is specifically for banking and other related financial services as follows:

i. Payments, Remittance Services, BIN sponsorship, Acquiring
ii. Collection and Disbursement services
iii. Deposit-taking and Agency Banking
iv. Personal finance advisory and management
v. Treasury Management
vi. Credit, Credit ratings/scoring
vii. Mortgage
viii. Leasing/Hire purchase
ix. Other services as may be determined by the Bank

3.4 Risks Associated with Fintechs

As the Group and entities within the HoldCo expand business across frontiers, identifying and
managing the risks associated with onboarded relationships such as Fintechs becomes necessary.
The risks associated with Fintechs include, amongst many others:

• 3rd & 4th Party Risks such as API sharing, Aggregating, Nesting activities etc
• Acquiring & Issuing of web/online and Card transactions,
• Settlement & Credit
• Financial Crimes – Fraud, ML/TF, Cybersecurity
• Legal – Contract T&Cs etc
• Technology Stability and resilience
• Data Management
• Reputational etc

4.0 KEY PAYMENT SERVICE PROVIDERS – Due Diligence Requirements

In response to the dynamic activities and attendant risks associated with Fintechs offering
financial services within the payment ecosystem, whether as processors, payment facilitators,
aggregators, merchant acquirers, digital lenders etc., this section outlines due diligence
requirements for this category of Fintechs. They include, amongst others:

• Digital Banks/Lenders (NeoBanks[2])
• Payment Service Providers (Payment Facilitators/Aggregators)
• Switches & Processors
• Mobile Money Operators (MMOs) and Super Agents
• Online / eCommerce Platforms (Web Merchants)
4.1 Digital Banks/Lenders (NeoBanks)

[2] Neo banks, or internet-only banks, are entities with no physical infrastructure that nevertheless offer services
similar to those of brick-and-mortar banks over electronic and mobile devices.

While the introduction of a special licensing regime for Digital Banking Services is said to be
underway, Fintechs are leveraging the existing MicroFinance Bank (MFB) Framework to
launch such digital banking and lending products over electronic and mobile devices.

Based on the above, Access Bank, its subsidiaries and entities within the HoldCo shall only
enter into a partnership with a digital and/or MFB bank that is duly licensed and operates within the
permissible activities of the MFB framework as stated in the Regulator’s policy. Such
MicroFinance and Digital banks shall be required to provide all documentation and satisfy the due
diligence requirements stated under Section 3.2.

Activities of MFBs will be reviewed based on the existing Regulatory framework governing their
operations in the country of presence. For the purpose of this document, permissible and non-
permissible activities under the Central Bank of Nigeria (CBN) MFB framework are outlined below.

4.1.1 Permissible activities Under the MFB Regulatory Framework

i. Acceptance of various types of deposits including savings, time, target and demand
deposits from individuals, groups and associations.
ii. Provision of credit to its customers
iii. Provision of housing micro loans
iv. Provision of ancillary services such as capacity building on record keeping and small
business management and safe custody.
v. Issuance of debentures to interested parties to raise funds from members of the public
with the prior approval of the CBN
vi. Collection of money or proceeds of banking instruments on behalf of its customers
including clearing of cheques through correspondent banks.
vii. Act as agent for the provision of mobile banking, micro insurance and any other services
as may be determined by the CBN from time to time, within the geographic coverage of
its license.
viii. Appoint agents to provide financial services on its behalf in line with the CBN Agent
Banking Guidelines, within the geographic coverage of its license.
ix. Provision of payment services such as salary, gratuity, pension for employees of the
various tiers of government
x. Provision of loan disbursement services for the delivery of the credit program of
government, agencies, groups and individual for poverty alleviation on non-recourse
basis.
xi. Provision of banking services to its customers such as domestic remittance of funds.
xii. Maintenance and operation of various types of account with other banks in Nigeria.
xiii. Investment of its surplus funds in suitable money market instruments approved by the
CBN;
xiv. Operation of micro leasing facilities, microfinance related hire purchase and arrangement
of consortium lending;
xv. Participate in the CBN Intervention Fund and funds from other sources;
xvi. Provision of microfinance related guarantees for its customers;
xvii. Financing agricultural inputs, livestock, machinery and industrial raw materials to low-income persons
xviii. Investment in cottage industries and income generating projects for low-income persons
as may be prescribed by the CBN from time to time
xix. Provision of professional advice to low-income persons regarding investments in small
businesses;
xx. Issuance of domestic commercial paper subject to the approval of the CBN
xxi. Provide financial and technical assistance and training to microenterprises; and
xxii. Any other permissible activity as may be approved by the CBN from time to time

4.1.2 Non-Permissible Activities

i. Foreign currency transactions, except foreign currency borrowings;
ii. International commercial papers
iii. International corporate finance
iv. International electronic funds transfer;
v. Clearing house activities
vi. Collection of third-party cheques and other instruments for the purpose of clearing
through correspondent banks
vii. Dealing in land for speculative purposes
viii. Dealing in real estate except for its use as office accommodation.
ix. Provision of any facility for speculative purposes;
x. Leasing, renting, and sale/purchase of assets of any kind with related parties and/or
significant shareholders (five per cent or more of the equity) of the MFB, without the prior
written approval of the CBN;
xi. Financing of any illegal activities; and
xii. any activity other than those permitted as stated above or as may be prescribed by the
Central Bank of Nigeria from time to time

4.2 Payment Service Providers (Payment Facilitators/Aggregators)

Payment Facilitators (PFs) are service providers that provide payment capabilities and accept
card payments on behalf of multiple sponsored merchant businesses (“sub-merchants”) in the
ecommerce space, with a simplified enrolment process. Payment Facilitators can operate a
diversified portfolio of merchant target-markets or be target-market specific under the
sponsorship.

Currently, PFs are required to nominate and partner with a financial institution as their
acquiring/settlement Bank. PFs are classified as high-risk merchants due to the diversity of the
merchant portfolio, which could contain any category of merchant. Like Financial Institutions,
PFs are to be associate members of the card schemes. They are also recognized by the
CBN as Non-Bank Merchant Acquirers.

4.2.1 Onboarding Requirements for Payment Facilitators/Aggregators

In addition to fulfilling all due diligence requirements provided in Section 3.2 above and Access
Bank Plc Framework for Acquisition of Merchant and Cashless Collection, the following are key
requirements:
i. Must be a registered company in Nigeria and country of operations
ii. Must be duly licensed by the CBN or Regulatory authority in country of presence
iii. Must have a corporate account with the Bank for settlement, which must relate to the
Business Name
iv. Must have executed a PF Agreement & forms with Access Bank with clear SLAs
v. The relationship manager/officer must provide a completed Merchant Enhanced Due
Diligence (EDD) form and confirmation of Merchant physical location visitation
vi. Must ensure the sub-merchant’s website is in line with the web requirements
vii. Ensure policies and procedures are in place for sub-merchant underwriting which would
at a minimum contain the following:
a. Identity of sub-merchant
b. Sub-merchant ultimate beneficial owners
c. Authorization of merchant; Board Resolution required where the merchant onboarded
is a corporate entity
d. Proper profiling of all its merchants and sub-merchants
e. Perform enhanced due diligence checks on its high-risk merchants
f. Chargeback resolution mechanism and
g. AML/CFT policies and procedures embedded in its onboarding processes
viii. Must align onboarding processes, monitoring and payment activities with Regulatory
provisions, Payment Card Scheme Rules and the Bank’s Requirements as BIN sponsor.
ix. API integration shall only be completed upon conclusion of satisfactory due diligence

4.2.2 Responsibilities of Payment Facilitators/Aggregators

i. Have an unrevoked CBN license to operate as a Payment Facilitator
ii. Provide visibility to merchant on-boarding process and transactions being processed.
iii. Have a merchant agreement with each of its sponsored merchants in line with the rules
and protocols established by the card schemes and the bank
iv. Must not be involved in cross-border merchant acquiring
v. All merchants onboarded shall have unique Merchant Identifications (MIDs)
vi. Ensure that all acquired sub-merchants complete the Sub-Merchant Registration Form
and provide a clear description of goods and services being purchased
vii. Shall not enable any sub-merchant for live transactions until (iv) and (v) above have
been submitted and duly authorized by Access Bank
viii. Unless otherwise approved by the Bank, introduce any sponsored merchant that
exceeds $1,000,000 in card combined annual Transaction volume to enter into a
Merchant Agreement directly with the Bank.
ix. Obtain sufficient Know-Your-Customer (KYC) and Know-Your-Customer’s Business
(KYB) information which verifies that the sub-merchant is a qualified (in good standing)
business and the record of such information must be provided to Access Bank PLC upon
request. In circumstances where the KYC information provided is not sufficient, the
merchant would not be on-boarded.
x. Periodically update information on its sub-merchants as part of ongoing due diligence
xi. Abide by and enforce Access Bank PLC’s Web Merchant Categorizations and
communicate such to the sub-merchants
xii. Be responsible for ensuring that its sub-merchants are appropriately categorized and
shall be liable if a transaction from any of its sub-merchants violates the limits and risks
approved in the Risk Categorization and shall refund the value lost in the event of a fraud
to any party.
xiii. Provide the bank account details into which Access Bank PLC shall settle its
transactions
xiv. Not introduce or onboard another Payment Facilitator/aggregator either as a merchant or
sub-merchant. Such entities will be onboarded by the Bank directly as a PayFac.
xv. Provide details of all merchants for settlement by the bank as acquirer of record.
xvi. Be responsible for the training of its sponsored merchants on managing the platform and
identifying suspicious transactions
xvii. Be responsible for first level support of its sub-merchants
xviii. Also mandate its sub-merchants to put controls in place to prevent fraud on their sites;
on an annual basis provide certificates of security tests done on its website and those of its
sub-merchants.
xix. Key risks not mitigated should be stated for review by the Bank’s Security Team
xx. In the event of a fraud investigation, the Payment Facilitator agrees to be responsible for
the recovery process and shall provide Access Bank PLC with details of transactions
when requested. The Payment Facilitator shall also facilitate the required
chargebacks/recovery of funds from its Sub- Merchants if necessary
xxi. Investigate and report to Access Bank PLC all transactions that it deems to be
suspicious or fraudulent

Page 12 of 25
Framework for Fintech and other Technology Integrations from External Parties Compliance (FMIC)
ABP.CIC.0617.190

xxii. Observe and comply with all security measures and ensure that the sub- Merchants in
turn comply with such measures whether or not prescribed by Access Bank PLC and
shall further comply with any instruction given by Access Bank PLC in respect of card
transaction or customer (cardholder) payment instruction.
xxiii. Ensure that Access Bank Plc is promptly notified of any suspected security breach,
misuse, and irregularity, suspected fraudulent transaction, account numbers or any
suspicious activities that may be connected with attempts to commit fraud or other illegal
activity through the use of its website.
xxiv. Be responsible for communicating the Terms and Conditions of transactions on the
systems to its sub-Merchants and on-line users (cardholders)
xxv. Take all steps to keep secure confidential information or data related to transactions
initiated on the website. In the event any such information is lost, stolen or otherwise
compromised, the Merchant shall forthwith report and give written notice of such
occurrence to Access Bank Plc where upon the Payment Facilitator shall, in consultation
with the Bank, take immediate steps to remedy the situation and prevent its re-
occurrence. Need to specify that all fraud claims from such cases shall be borne by the
Payment Facilitator.
xxvi. Be notified by Access Bank once the fraud threshold is reached.
xxvii. Allow Access Bank to carry out an audit of its facilities/platform for compliance with
PCIDSS and ISO 27001.

4.2.3 Role of the Bank & Entities within the Payment Facilitators/Aggregators

Access Bank shall:

i. Enter into an Agreement with each Payment Facilitator/Merchant
ii. Enter into a direct Merchant Agreement with any sponsored/sub-merchant that exceeds
$1,000,000 in combined annual card Transaction volume
iii. Register the Merchants, Payment Facilitator and its sub-merchants with the card
schemes (where applicable)
iv. Query MATCH (Member Alert to Control High-risk Merchant) regarding all proposed
merchants requesting international card acceptance (Merchants, Payment Facilitator
and its sub-merchants)
v. Register all high-risk sub-merchants with the card schemes via the respective risk
programs (where applicable)
vi. Ensure that adequate due diligence is conducted on all PFs
vii. Conduct sanctions screening and adverse press searches on PFs prior to their being
on-boarded
viii. Carry out annual KYC reviews on the sub-merchants of PFs to ascertain the KYC
adequacy of sub-merchants
ix. Send periodic awareness communications on e-commerce trends and guidelines to the
merchants through the respective SBUs.
x. Only accept a PF merchant on its network after verifying that the merchant meets all the
requirements for a web merchant and that the merchant has sufficient controls to
prevent fraud on its site. It shall be the merchant’s responsibility to ensure that the
security features on its systems are maintained appropriately and are up-to-date.
xi. Notify the PF/merchant once the fraud threshold is reached.
xii. Keep complete, well-documented files containing merchant records for at least five (5)
years after merchant agreement termination.
xiii. Maintain files on all its merchants, either in physical or electronic format.
xiv. Ensure that merchant records kept include the merchant agreement, merchant
application, underwriting documentation, any information connected to a present or past
investigation and any other records that are pertinent to the business relationship with the
merchant
xv. Be responsible for the training of merchants on managing the platform and identifying
suspicious transactions.
xvi. Carry out an annual audit of Merchants, Payment Facilitators, etc.
xvii. Administer the AML/CFT and ABC questionnaire to all aggregated merchants at
on-boarding and on an annual basis

4.3 Switches, Processors and E-Commerce Merchants/Fintechs

These are electronic funds transfer and transaction switching and processing service providers
that operate within Nigeria. The switching companies facilitate the exchange of value between
financial service providers, merchants, their customers and other stakeholders. A switching
company shall:

i. Operate its switch in accordance with CBN Regulations
ii. Ensure compliance with the minimum standards on Transaction Switching, as provided in
CBN Guidelines
iii. Open its network for reciprocal exchange of transactions/messages between it and the
Nigeria Central Switch
iv. Enter into agreements with member institutions, specifying in clear terms the
responsibilities of each party, operational rules and procedures, and the liabilities of parties in
the event of loss of funds arising from negligence of any of the parties. A copy of the
agreement shall be submitted to the CBN for record purposes.
v. Ensure that all notifications and information that its employees have obtained in the
course of discharging their responsibilities are treated as confidential.
vi. Establish adequate security procedures to ensure the safety and security of its
information and that of its clients, which shall include physical, transaction, logical,
network and enterprise security.
vii. Submit its security plans and periodic updates to the CBN. Any security breach shall
be recorded and such instances shall be reported to the CBN for record purposes.
viii. Have a Business Continuity Plan, as approved by the CBN.
ix. Ensure full compliance with relevant provisions of payments system guidelines, policies
and Circulars issued by the CBN in relation to its operations.
x. Not be an issuer of payment cards.
xi. Report all instances of fraud/attempted fraud on the switch to the CBN.
xii. In addition to the primary site, maintain a business continuity arrangement to ensure
failsafe operation.

4.4 Mobile Money Operators (MMO) & Super Agents

The increasing use of technology today has seen gadgets like phones and laptops acquire a
“do-all” facility. A mobile phone now combines the functions of a camera, laptop, fitness tracker,
alarm, and now a bank too. This has led to the emergence of Mobile Money Operators (MMOs)
in Nigeria. They are platforms that offer financial services through mobile phones and
telecommunication networks.

Mobile money is a technology that allows a user to save, receive, and spend money from the
convenience of a mobile phone. In general it is called a mobile wallet, or whatever name the
company hosting the service finds fitting. Mobile money is very popular today, especially in
Africa, and in a country like Nigeria. Whereas MMOs are simply mobile money facilitators in the
country, most telecommunication and some fintech companies are now mobile money operators.
MMO activities are driven through agency banking networks. Similarly, they also work with
super-agents. Super-agents are agents contracted by the principal (deposit-taking Financial
Institution and/or Mobile Money Operator) who may thereafter sub-contract other agents in a
network while retaining overall responsibility for the agency relationship.

4.4.1 On-boarding Requirements

In addition to the Section 3.2 requirements, the following requirements must be met before
onboarding approval is granted.

i. Must be a registered company in Nigeria and licensed by the CBN
ii. Must have a corporate account with the Bank for settlement, which must relate to the
Business Name
iii. Must have a Charge Back account with the Bank for chargebacks
iv. Must pre-fund the Charge Back account with an agreed percentage of projected monthly
collection volumes/trading limits.
v. Must forward duly executed SLA & Enrolment forms to Access Bank
vi. The relationship manager/officer must provide a completed Merchant Enhanced Due
Diligence (EDD) form and confirmation of a visit to the Agent’s physical location.

4.4.2 Roles & Responsibilities

Access Bank shall:

i. Enter into an Agreement with each Agent/MMO, taking into consideration SLAs covering
charge backs, dispute resolution etc.
ii. Ensure that adequate due diligence is conducted on all Agents/MMOs
iii. Conduct sanctions screening and adverse press searches on Agents/MMOs prior to
their being on-boarded
iv. Carry out annual KYC reviews on the Agents/MMOs
v. Notify the Agents/MMOs once the fraud/chargeback threshold is reached
vi. Keep complete, well-documented files containing Agent/MMO records for at least five
(5) years after agreement termination.
vii. Maintain files on all Agents/MMOs, either in physical or electronic format.
viii. Ensure that Agent records kept include the Agency agreement, application, underwriting
documentation, any information connected to a present or past investigation and any
other records that are pertinent to the business relationship with the Agent/MMO
ix. Carry out an annual audit of Agents/MMOs, etc.
x. Administer the AML/CFT and ABC questionnaire to all Agents/MMOs at on-boarding and
on an annual basis

5.0 STAKEHOLDERS’ ROLES AND RESPONSIBILITIES

To ensure that Fintechs and related partners are onboarded seamlessly and efficiently, profiled
effectively and properly managed throughout the relationship, that transactions are monitored,
and that settlement is done within agreed SLAs in line with regulation, amongst others, the grid
below will serve as the baseline responsibility for the designated Strategic Business Units (SBUs)
and Assurance Groups working in concert with the Fintech Monitoring & Intelligence Center.
Stakeholders include:

 Partnerships & Digital Capabilities (PDC)
 Channels Sales
 Channels Support
 Information Technology Group
 Information & Cybersecurity Group
 Operational Risk Management
 Conduct and Compliance
 Legal
 FINCON
 Centralized Operations
 Internal Audit – Antifraud
 Data Management Office (Data Governance Unit)
 Africa Fintech Foundry (API Development Unit)
 Fintech Monitoring & Intelligence Center

5.1 – Roles and responsibility matrix (Access Bank, Subsidiaries & Entities within HoldCo)

Table 2 – Responsibility Grid


S/N Stakeholders Responsibility

1 Strategic Business Units: Partnership & Digital Capabilities (PDC); Channels Sales; Channels Support; Other Entities within HoldCo
 Carry out Know Your Partner (KYP) due diligence (EDD) on partners, which shall include a comprehensive risk assessment on the partners duly signed off by the Chief Risk Officer or his designate before executing agreements
 Control merchant approvals; review and approve all merchants on-boarded to Fintech platforms
 Work with Fintechs to maintain adequate risk controls to monitor merchant activity, to ensure compliance with the various Card Scheme Rules and prevent undue harm to the issuer, acquirer and Card scheme payment systems
 Provide and maintain a comprehensive list of ALL APIs, integration points and data requirements for each partner; for Fintech integrations, define requirements and technical guidelines and define the data and services accessible through the APIs
 Establish Data Access Agreements and Service Level Agreements with partners
 Ensure collateral limits in line with the business risk are in place for each partner
 Establish the initial collateral limits required by each partner and ensure they are reviewed as required in line with risks to the bank
 Ensure appropriate contractual terms are executed prior to onboarding the merchant and that the EDD process is concluded before any API integration
 Work closely with Settlement and Reconciliation Units, Antifraud, ICSG and other critical stakeholders to ensure full alignment on core processes in this area prior to any commencement of activities with a partner
 Notify the CBN of any terminated relationships with partner participants within 3 business days, to update information in the Open Banking Registry where necessary
 Specify risk metrics and thresholds, the breach of which could lead to a review of the relationship with partner participants
 Ensure all data access requirements by the 3rd party are explicitly dimensioned in line with Open Banking Guidelines; provide such information to the Data Governance Unit and ICSG for assessment and mitigation as required
 Notify the partner participant of the intention to terminate the relationship immediately, and no later than 12 hours after a breach of the risk thresholds

2 Information Technology Group and AFF: Digital Factory; Enterprise Architecture; API Dev Unit (AFF)
 Ensure agility and re-usability of digital assets to form new value propositions
 Achieve a seamless customer experience across multiple lines of business and distribution channels
 Modular, loosely coupled systems to reduce the complexity of upgrading individual systems
 Maintenance and life cycle management of technology assets
 Scalability and optimisation of technology assets
 Change Management Approval
 Partner on-boarding – API integration upon receipt of the EDD report
 Maintain logs on adoption and usage and other metrics on the performance of APIs
 Maintain updated API Risk catalogues, API Process Control Mapping and Risk Control Matrix
 Align incident management processes and procedures with partner institutions, clearly outlining the responsibilities of each party
 AFF Dev Unit must also maintain a list of ALL partners that each API is exposed to
 AFF to ensure a documented approval process is in place for exposing partners to the sandbox, and maintain a list of partners that have used the sandbox

3 Information & Cybersecurity Group
 Have information technology and information security policies and a risk management framework that address APIs
 Maintain an up-to-date list of all APIs in the bank, classified as external or internal, and the parties that have been approved, via this process, to access such APIs
 Ensure access to APIs and the Bank’s sandbox is strictly via the approved process and only approved APIs are exposed, on a case-by-case basis
 Ensure strict adherence to the security policies and governance around API development, exposure and management
 Collaborate with partner participants on cyber risks; protect against attacks on operations and technology assets or theft of sensitive information
 Carry out regular (minimum yearly) assessment of partner cyber posture, which includes partner cybersecurity capabilities and how they will protect assets and sensitive information
 Have the ability to instruct immediate suspension of any connectivity with partners deemed to pose a security risk to the Bank
 Improve the bank’s ability to identify and respond to cybersecurity incidents by integrating the partner into the bank’s Security Incident and Event Management (SIEM) capability
 Carry out regular monitoring of the control environment of the partner participants and revalidate the Data Access Agreement and Service Level Agreements on an annual basis
 Deploy and implement an automated monitoring system for evaluation of the vulnerability of its systems and environment to partner participants and for the management of fraud or related risks

4 Conduct & Compliance Group: E-Business & Digital Compliance; IT & Cybersecurity Compliance; Financial Crimes
 Ensure onboarding EDD checks are done using the 3rd-party due diligence workflow on Processmaker
 Ensure KYC onboarding reviews, transaction monitoring and sanction screening are done
 Carry out reviews to ensure Fintechs/related partners are onboarded and properly profiled in line with the requirements of the framework
 Ensure transaction monitoring is carried out based on the rules set
 Carry out reviews to ensure accountability and controls over business operations and the partner’s and the bank’s obligations
 Ensure compliance with laws and regulations regarding security and privacy, as well as with industry-specific regulations
 Ensure strict compliance with data protection laws with regard to GDPR and NDPR, or applicable local personal privacy legislation

5 FINCON
 Revenue recognition – measuring the contribution of APIs to the bank’s profitability
 Monetisation and billing
 Customer acquisition cost
 Cost allocation among users of the API capability – preferably activity based

6 Operational Risk Management
 Ensure that an effective business continuity and contingency planning process, to help ensure the availability of critical systems and services, is in place. This will be done in conjunction with IT Governance
 Ensure that appropriate incident response plans to manage, contain and minimize problems arising from unexpected events, including internal and external attacks that may hamper the provision of critical services, are in place (this will be done in conjunction with IT and ICSG)
 Ensure that a comprehensive and ongoing due diligence and oversight process for managing the Bank’s outsourcing relationships and other third-party dependencies is in place

7 Legal
 Determine third-party access requirements
 Develop a standard contract document unique to Fintechs and related partners, which includes payments, termination, notice of variation and responsibilities
 Notify the partner participant of the intention to terminate the relationship immediately and not later than 12 hours (working with PDC/AFF and/or the SBU directly involved in managing the partner)
 Ensure FinTech contractual agreements include the right to immediate termination on breaches of terms, and access for cybersecurity, audit and compliance checks

8 Centralized Operations (Settlement, Reconciliation and Dispute Management)
 Set thresholds for collateral management
 Review and monitor collateral limits based on transaction volumes/value
 Settlement of funds within SLA and in line with Regulation
 Dispute resolution within Regulatory timelines

9 AntiFraud
 Implement fraud monitoring systems and promptly exchange fraud intelligence with partner participants and the assurance groups within the Bank (Compliance, ICSG, Operational Risk)
 Review and monitor fraud chargebacks and the fraud thresholds set by participating partners
 Work with the assurance groups specified above in developing and implementing fraud rules

10 Data Management Office (Data Governance Unit)
 Collaborate with partner participants to ensure compliance with data privacy laws and regulation
 Maintain updated data footprint mapping in conjunction with partner participants
 Ensure the partner participant that owns the customer interface obtains the consent of the end-user based on agreed protocols
 Certify that the partner participant defines to the end-user in explicit terms the implications of granting consent to it, and gives the end-user the option to choose the access rights to data granted to the partner participant

11 Africa Fintech Foundry
 API Dev Unit should develop to this specification and maintain a list of ALL APIs in the bank and integration points, together with ICSG
 Maintain an up-to-date list of all APIs in the bank, classified as external or internal, and the parties that have been approved, via this process, to access such APIs
 Ensure access to APIs and the Bank’s sandbox is strictly via the approved process and only approved APIs are exposed, on a case-by-case basis
 Ensure strict adherence to the security policies and governance around API development, exposure and management

12 FMIC
 Carry out onsite assessments to test the adequacy of partners’ platforms, systems and controls; share the assessment report with the due diligence team so as to conclude EDD at the onboarding process
 Ensure all EDD documentation provided is adequate
 Ensure that EDD is concluded at the onboarding stage for all partners before APIs are exposed in either the Test or Live environment, including activities in the sandbox
 Ensure that all stakeholders identified in 1-11 above carry out their tasks as clearly defined
 Ensure every partner onboarded is properly profiled to enable efficient activity monitoring
 Ensure systems are in place for monitoring and analysis
 Render periodic reports to the management team and stakeholders on the outcomes of triggered alerts and/or intel analysis
 Provide advisory support as needed to stakeholders, training based on new and emerging trends/threats, and engagements with Regulators
 Ensure responsible owners of existing API policies/frameworks and other related policy documents outlined in section 2.2 above update such documents to align with FinTech Compliance requirements, current trends, IT Governance, Regulatory provisions and global best practices

5.2 Responsibilities of Fintechs and other Technology Integrations from External Parties

Fintechs are usually consumers of APIs; however, this framework recognizes that there could be
occasions for Fintechs to be providers of APIs. Fintechs shall therefore assume the
responsibilities of either consumer or provider, depending on the role they play at any point in
time, in tandem with the Regulatory Framework on Open Banking. In addition, Fintechs onboarded
shall:

i. Ensure that they leverage APIs to innovate products and solutions that are interoperable.
ii. Avoid alteration of APIs published by a provider without the consent of the provider.
iii. Base any modification of published APIs on the provisions of the Data Access
Agreement or, where necessary, an addendum to the agreement. The agreement shall
specify the rights of the parties to the modified API and the commercial terms.
iv. Comply with data privacy laws and regulations.
v. Adhere to the provisions of this framework.
vi. Maintain a customer service/complaint desk on a 24 hours/7 days a week basis for financial
institutions to resolve complaints of end-users.
vii. Have appropriate monitoring tools for security infraction detection, remediation and
anti-fraud.
viii. Report any issues regarding fraud and/or security to the Bank immediately these are
detected.

6.0 FINTECH MONITORING & INTELLIGENCE CENTER (FMIC)

The Fintech Monitoring & Intelligence Center, set up to mitigate the risks associated with
Fintechs, shall comprise experts from Compliance & Risk Management, Antifraud, Information &
Cybersecurity, Data Scientists & Analysts, Legal, Partnerships & Digital Capabilities,
Developers etc., and will provide support in the onboarding, monitoring and management of
Fintechs engaged by Access Bank Nigeria, Subsidiaries and other related entities within the
HoldCo ecosystem.

It is also instructive to note that Financial Intermediaries and respondent FIs to the Bank, such
as Microfinance Banks (MFBs), Discount Houses etc., which are digitally driven, will also be
identified and categorized as Fintechs. Consequently, the objectives of FMIC shall include:

• Close the gaps associated with Fintech onboarding
• Mitigate the risks identified in Section 3.3, working with the Stakeholders stated in Section 4.1
• Reposition for industry leadership across jurisdictions of operation
• Build Fintech rules into the system for effective monitoring and analysis
• Support existing teams/SBUs involved in the process

6.1 Governance, Relationship with the Group and Team Structure

6.1.1 Relationship with Access Bank, Subsidiaries and entities within the HoldCo

Diagram 1 – Relationship with the Bank, Regulators, and all vested parties within the Ecosystem

6.1.2 FMIC Team Structure and Activities

Table 3 – FMIC Activities


S/N Teams within FMIC Responsibility

1. Third Party EDD Support
 Onsite visitation, assessment & testing of controls, systems and platforms of Fintechs
 Review adequacy of onboarding documentation – licenses, certifications etc.
 Relationship Development:
o Scheduled C/EDD reviews
o Trigger events
o Retention/Exits
 Avail the Bank with risk assessment reports on partner participants and provide the Bank with reports on the assessments of their control environment before engagement

2. Advisory & Engagement
 Regulatory Engagement
 Third Party Provider Contract Management
 Engagement with Users of Alert Analysis for implementation
 Mgt Reporting – Access Bank, Subsidiaries & entities within the HoldCo
 Specialized Training and Support to Access
 Advisory Services
 Service Delivery

3. Monitoring & Analysis (Transaction Monitoring; Alert Investigations; Screenings; Data analysis & Dev Ops etc.)
 Fraud Mgt
 Cybersecurity
 API monitoring
 AML & CTF Monitoring
 Settlement & Collateral Mgt
 Environmental Scans
 Data Analysis and Reporting

6.1.3 FMIC Governance Structure

To ensure operational independence, the Fintech Monitoring & Intelligence Center will sit within
the HoldCo structure as a Unit/Team to provide support to the Bank, Subsidiaries, and entities
within the HoldCo in the onboarding and effective monitoring of Fintechs.

Diagram 2 – Recommended Organogram for FMIC

6.1.4 FMIC Manning Requirements and Key Competencies

Personnel from the stakeholders stated in Section 4.1 above, which include Compliance & Risk
Management, Antifraud, Information & Cybersecurity, Data Scientists & Analysts, Legal,
Partnerships & Digital Capabilities, Developers etc., will be required to form this team and
commence operations effectively. Where manning cannot be sourced internally to
adequately staff roles, Human Resources will be required to recruit suitable personnel based on
the minimum key skills and competencies listed below:

 Right Attitude
 Critical Design Thinking & Problem Solving
 Data Analytics
 Soft Skills – Communication, Leadership, Responsibility
 Investigation & Reporting
 Adaptability
 Technology Savvy & IT Skills
 Knowledge of Regulatory & Operating Environment
 Professional Certifications in areas of expertise such as Compliance, Fraud, Cybersecurity,
Information Technology, Operations, Legal etc.

7.0 DATA AND SERVICE CATEGORIES

This framework, in recognition of the Regulation on open banking, provides for the data that may be
exchanged and the corresponding API services that may be implemented and used by
participants.

7.1 Categories

Open exchange of data and services through APIs shall be according to the following data and
services categories:

i. Product Information and Service Touchpoints (PIST): This shall include information
on products provided by participants to their customers and access points available for
customers to access services e.g. ATM/POS/Agents locations, channels (website/app)
addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors,
etc.
ii. Market Insight Transactions (MIT): This shall include statistical data aggregated on the
basis of products, services, segments, etc. It shall not be associated with any individual
customer or account. These data could be exchanged at an organizational level or at an
industry level.
iii. Personal Information and Financial Transaction (PIFT): This shall include data at
individual customer level either on general information on the customer (e.g. KYC data,
total number or types of account held, etc.) or data on the customer’s transaction (e.g.
balances, bills payments, loans, repayments, recurring transactions on customer’s
accounts, etc.)
iv. Profile, Analytics and Scoring Transaction (PAST): This shall include information on
a customer which analyses, scores or gives an opinion on a customer, e.g. credit score,
income ratings etc.

7.1.1 Data and Service Risk Rating

S/N Category Risk Rating
1 Product Information and Service Touchpoints (PIST) Low
2 Market Insight Transactions (MIT) Moderate
3 Personal Information and Financial Transaction (PIFT) Above Average
4 Profile, Analytics and Scoring Transaction (PAST) High

7.2 Data and Service Access Governance

7.2.1 Risk Management (RM) Maturity Level and Data & Services Access Level

Data and API access requirements among participants shall be guided by the following risk
management maturity levels of participants (see Footnote 3):

S/N Participant Category / Risk Mgt Maturity Level / Access Level by Data Category / Data & API Access Requirement

1 Participant Category: Participants without regulatory license
Risk Mgt Maturity Level: Tier 0
Access Level by Data Category: PIST and MIT
Data & API Access Requirement:
 The on-boarding requirements for Tier 0 Participants shall be determined by Access Bank as a sponsoring Tier 3 participant;
 Access Bank shall, within 3 working days of onboarding the Tier 0 participant, register the Tier 0 participant on the CBN Open Banking Registry;
 In registering a Tier 0 participant on the Open Banking Registry, a comprehensive risk assessment report on the Tier 0 participant, duly signed by the Chief Risk Officer of the Bank, shall be in place.

2 Participant Category: Licensed Payments Service Providers and OFIs
Risk Mgt Maturity Level: Tier 2
Access Level by Data Category: PIST, MIT, PIFT and PAST
Data & API Access Requirement:
 Tier 2 Participant shall hold a valid license from the Central Bank of Nigeria;
 Satisfactory Risk Assessment Report by at least two (2) partner participants. The report should address the Know Your Partner (KYP) assessment in respect of business & governance, financial strength analysis, control environment assessment and risk management practices.
 Tier 2 participant shall be listed on the Open Banking Registry

Footnote 3: Deposit Money Banks are categorized as Tier 3 participants under the CBN Regulatory Framework for Open Banking. Tier 1 Participants are those participating through the CBN Regulatory Sandbox; they must be listed on the Open Banking Registry.

8.0 Periodic Review

Given the rapid pace of change and progress in the electronic and digital world, this document
shall be reviewed annually, in line with the Risk Rating of the Document, and earlier in the event
of significant regulatory changes.

9.0 APPENDIX

9.1 User journey – Onboarding Process of a Mobile Money Operator

9.2 Security Standards and Description

S/N Category Title Description

1 API DESIGN MODEL STANDARDS
 Representational State Transfer (REST)
 Simple Object Access Protocol (SOAP)

2 DATA STANDARDS
 Open Financial Exchange (OFX)
 eXtensible Business Reporting Language (XBRL)
 ISO 9735 – Electronic Data Interchange for Administration, Commerce and Transport (EDIFACT)
 Financial product Markup Language (FpML)
 Financial Information Exchange (FIX)
 Market Data Definition Language (MDDL)
 Security Assertion Markup Language (SAML) 2.0
 ISO 20022
 Statistical Data and MetaData eXchange (SDMX)

3 INFORMATION SECURITY STANDARDS
Authentication:
 OAuth 2.0
 OpenID Connect
 FAPI
 Security Assertion Markup Language (SAML) 2.0

Authorisation:
 OAuth 2.0
 ISO 10181-3 – Access Control Framework
 FAPI

Encryption:
 Transport Layer Security (TLS) v1.2
 RSA Public/Private Key
 AES
 Secure File Transfer Protocol (SFTP)

Data Integrity:
 JSON Web Token (JWT)
 WS-Security
 Keyed Hash Message Authentication Code (HMAC)

Secure Hosting:
 ISO 27001
 ISO 22301
 PCI DSS


ACCESS BANK PLC
Framework for Fintech and other Technology Integrations from External Parties Compliance

Fintech and other Technology Integrations from External Parties Monitoring & Intelligence Center (FMIC)

High

Return this Policy/Framework to Conduct and Compliance Team after approval.
Policy Approval, Attestation and Engagement Document
Generated for case number 35197033

Document Information

Document Owner
This document is owned by the undersigned. The owner is responsible for ensuring that the document is reviewed in line with the requirements of the Policy Approval, Broadcast and Administration framework.

Document Name

Framework for Fintech and other Technology Integrations from External Parties Compliance

Fintech and other Technology Integrations from External Parties Monitoring & Intelligence Center (FMIC)

Document History

Document | Prepared By | Date | Version
| CALEB IZEDONMI | 2021-06-17 | 1

Executive Summary

Financial Technology (Fintech) is one of the most promising places to be in financial services at the moment. Technological innovation has changed the landscape of banking dramatically, opening the door to new market entrants and exciting new developments across financial services. Banks and other FIs need to navigate as they grow in size and business by getting compliance right and managing risks associated with financial crime, cybercrime, terrorism financing, settlement, data governance, third & fourth party risks, and other operational risks, etc., to ensure a secure and sustainable customer experience. Access Bank Plc as a group, in delivering superior value to its esteemed customers and providing innovative solutions to the markets and communities served, will, within the ambit of Regulatory provisions, continue to partner with financial technology start-ups, service providers and other non-traditional market entrants, which provide the agility needed to support and create a digital ecosystem that will retain existing customers and attract new ones.

FUNCTION | NAME | DATE
Requested By | Michael Bassey |
Unit Head Approval | Caleb Izedonmi | 2021-06-17 15:12:34
Reviewed By | |

Approval Log

FUNCTION | NAME | DESIGNATION | SIGNATURE | DATE
Reviewed By | Completed | 2021-06-18 16:37:00
Reviewed By | Completed | 2021-06-21 14:26:20
Reviewed By | Completed | 2021-06-21 15:00:33
Reviewed By | Completed | 2021-06-21 15:31:06
Reviewed By | Completed | 2021-06-22 02:21:56
Reviewed By | Completed | 2021-06-22 09:32:32
Reviewed By | Completed | 2021-06-22 16:31:41
Reviewed By | Completed | 2021-06-22 21:21:09
Reviewed By | Completed | 2021-06-23 07:59:45
Reviewed By | Completed | 2021-06-23 14:46:34
Reviewed By | Completed | 2021-06-23 15:20:17
Reviewed By | Completed | 2021-06-29 18:18:57
Reviewed By | Completed | 2021-06-30 13:25:26
Reviewed By | Completed | 2021-07-07 16:27:35
Reviewed By | Completed | 2021-07-08 21:10:25
Approved By | Completed | 2021-07-18 10:59:59

Please Return This Procedure Back To Compliance Advisory and Support Unit After Approval
