Professional Documents
Culture Documents
190
June 2021
Page 1 of 25
Framework for Fintech and other Technology Integrations from External Parties Compliance (FMIC)
ABP.CIC.0617.190
DOCUMENT INFORMATION
Document Owner
This document is owned by the undersigned, who will be responsible for ensuring that the policy is reviewed in line with the requirements of the policy approvals, broadcast and administration framework.
TABLE OF CONTENTS
Document Information 2
Document History 2
1.0 Introduction 4
2.0 Purpose & Objective 4
2.1 Scope 4
2.2 Related Policies 5
3.0 Policy Statement 5
3.1 Customer Acceptance Policy 5
3.2 Customer Due Diligence (CDD) Requirements 6
3.3 Permissible Business Activities 9
3.4 Risks Associated with Fintechs 9
4.0 Key Payment Service Providers 9
4.1 Digital Banks/Lenders (NeoBanks) 10
4.2 Payment Service Providers (Payment Facilitators/Aggregators) 11
4.3 Switches, Processors & eCommerce Merchants/Fintechs 14
4.4 Mobile Money Operators & Super Agents 14
5.0 Stakeholders Roles & Responsibilities 15
5.1 Roles & Responsibilities Matrix (Bank, Subsidiaries & Holdco Entities) 16
5.2 Responsibilities of Fintechs 19
6.0 Fintech Monitoring & Intelligence Center (FMIC) 20
6.1 Governance, Relationship with Group and Holdco entities 20
7.0 Data and Service Categories 22
7.1 Categories 22
7.1.1 Data & Service Risk Ratings 22
7.2 Data & Service Access Governance 23
7.2.1 Risk Management Maturity Level and Data Service Access Level 23
8.0 Periodic Review 23
9.0 Appendix 24
1.0 INTRODUCTION
Financial Technology (Fintech) is one of the most promising areas of financial services at the moment. Technological innovation has changed the landscape of banking dramatically, opening the door to new market entrants and to new developments across financial services. Fintechs, in providing innovative financial solutions, products and services, have to share data between different Financial Institutions (FIs), an arrangement often referred to as "Open Banking". Such changes have made it easier for customers to take advantage of many new financial possibilities, while also exposing the parties involved to new levels of risk. In combination, a technologically evolving industry and a supportive regulatory environment have created the space for a new Fintech ecosystem.
As Banks and other FIs grow in size and business, they need to navigate this landscape by getting compliance right and managing the risks associated with financial crime, cybercrime, terrorism financing, settlement, data governance, third and fourth party risks, and other operational risks, in order to ensure a secure and sustainable customer experience. The concept of compliance needs to be seen in the wider context of society's campaign against financial crime and the predicate crimes (human trafficking, the drugs trade, etc.) that generate illicit funds. Compliance obligations are vital "minimum standards" in that fight, but they are only a part of what AML/CFT is about. What leading regulators are increasingly looking towards is compliance as an integral element of agile risk management, taking advantage of technology to deliver better outcomes.
Access Bank Plc as a group, in delivering superior value to its customers and providing innovative solutions to the markets and communities it serves, will, within the ambit of Regulatory provisions, continue to partner with financial technology start-ups, service providers and other non-traditional market entrants. Such partnerships provide the agility needed to support and create a digital ecosystem that will retain existing customers and attract new ones.
2.0 Purpose & Objective
The purpose and objectives of this framework are:
• To guide Access Bank Plc, its subsidiaries and entities within the HoldCo in their relationship with Fintechs and related partners, in tandem with external Regulations and Internal Policies relating to Fintech and related partnership engagement.
• To provide uniformity across the entire Access Bank Plc Group ecosystem.
• To ensure that the processes involved in the onboarding, monitoring, relationship management and risk management of Fintechs and related partners within the Access Bank Plc Group ecosystem guarantee optimum security, efficiency, cost effectiveness and customer friendliness.
• To set up an independent Fintech Monitoring & Intelligence Center (FMIC), made up of experts drawn from Compliance & Risk Management, Antifraud, Information & Cybersecurity, Data Scientists & Analysts, Legal, Partnerships & Digital Capabilities, Developers etc., that will provide support in the onboarding, monitoring and management of Fintechs engaged by Access Bank Nigeria, Subsidiaries and other related entities within the HoldCo ecosystem.
• To strengthen front-end controls from relationship engagement through to disengagement.
2.1 Scope
This framework shall guide FMIC and the Units and Departments that are involved, directly or indirectly, in the engagement, operation and management of all Fintechs and related partners in the Access Bank Group and entities within the HoldCo ecosystem. Fintechs under this framework include other Technology Integrations from external parties.
This framework for Fintech Compliance is to be read in concert with the following documents:
i. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not establish
relationships, engage in banking relationship, carry out occasional transactions or
otherwise facilitate any business or transactions with money launderers, terrorists, and
known criminals of all shades or with entities whose source(s) of wealth are
questionable.
ii. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not do business
with entities that are reluctant, unable or unwilling to provide KYC or other Customer Due
Diligence (CDD) information that the Bank may consider necessary for the establishment
and retention of banking relationship.
iii. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not open numbered or anonymous accounts, or accounts in fictitious names, nor open or establish accounts or business relationships with shell banks/entities.¹
iv. Access Bank Plc, its subsidiaries and entities within the HoldCo shall not establish any form of System/Application Programming Interface (API) integration with Fintechs for whom Enhanced Due Diligence (EDD) has not been concluded at the onboarding stage and for whom a satisfactory report by FMIC, working with the other teams involved in the due diligence process, is not in place.
v. Access Bank Plc, its subsidiaries and entities within the HoldCo shall strive to comply with the Financial Action Task Force (FATF) 40 Recommendations and all AML/CFT Laws and Regulations in the country of operation.
vi. Collateral shall be in place for any relationship wherein the Bank would act as settlement banker. Collateral sums shall be appropriate and adequate to cover the Bank in the event of an exposure. Exceptions (if any) to this shall be approved by the line Executive Director of the initiating business and the Executive Director in charge of IT & Operations.
Consequently, Access Bank, its subsidiaries and entities within the HoldCo will not facilitate the onboarding, system integration or access of any Fintech or related partner that is unable, unwilling or reluctant to provide the essential Customer Due Diligence information deemed necessary by the Bank for the establishment or continuation of a banking relationship or the carrying out of an occasional transaction.
¹ These are banks or entities which have no physical presence in any country. Shell companies or banks are prohibited from operating in Nigeria, and the Bank will take all necessary measures to satisfy itself that it is not used by shell companies or banks.
The documents listed in Table 1 below shall be required for Fintechs onboarded by the Bank, its subsidiaries and entities within the HoldCo for various business purposes. These documents are the minimum requirements and may vary depending on the Regulatory provisions of each jurisdiction of operation.
7. Payment security: A description of the activities and responsibilities of the fintech where it undertakes any aspect of the end-to-end payment process. Evidence, where required, of registration with the respective card schemes and demonstration of compliance with the Payment Card Industry Data Security Standard (PCI DSS).

8. Physical security: Explanation of the activities and responsibilities where the fintech has access to, manages, processes or stores the Institution's assets, or has unescorted access rights to the Institution's premises.

9. Access rights and controls: Explanation of the activities and responsibilities in terms of technical and support personnel having administrator or special access rights to systems and data relating to the Bank's deployment of a solution, and how such rights and privileges are appropriately monitored, controlled and audited.

10. Data protection: Description of the activities, protections, controls and responsibilities relating to compliance with GDPR regulations, including details of access to any data, however stored (including electronic data, systems, printed records and confidential waste), relating to customers/clients, staff (including contractors, job applicants, pensioners etc.) and shareholders, and protection of company confidential and secret information.

11. Technology: An understanding of the technologies being applied, how they can be scaled, and the future road-map and support arrangements.

12. Platform readiness: The readiness of the fintech's product or platform will help to drive the type of discussions held with potential partners. The fintech should be clear about the current state of the product or service that is being or has been developed, e.g. alpha, beta, MVP, market ready.

13. Technology architecture: An explanation of the technology architecture. This information should be documented in detail along with high-level architecture diagrams showing system connectivity as well as data flow. The architecture diagram should also detail the differences between development, test and production services.

14. Development roadmap: An explanation of the direction of the solution during the proposed period of the contract. The roadmap should be in as much detail as possible over the near term (6-12 months), with an indication of future direction beyond this.

15. Support arrangements: Definition of support arrangements, including details of SLAs, change control processes, support times, escalation and reporting arrangements.

16. IT resilience: An understanding of the scenarios and responsibilities where there is provision of IT solutions or services which, if lost, would disrupt one or more critical activities. This would include arrangements for recovery and resiliency and contingency testing.

17. Legal, regulatory and commercial: Fintechs shall understand the structure of the agreements they are entering into before proceeding to execute such agreements. At the same time, the Bank will only engage with fit and proper partners who have the capacity to satisfy the various regulatory obligations.

18. Non-disclosure, PoC and pilot agreements: Fintechs will be required to execute appropriate legal non-disclosure agreements with the Bank. These agreements are mutual, meaning there are restrictions and protections afforded to both the Bank and the fintech.

19. Company legal structure and conduct: A review of the legal structure and set-up of the fintech, including identification of holding companies, subsidiaries and other related companies. There will be a requirement to demonstrate that there are no aspects relating to the fintech which disregard appropriate controls, activities or processes relating to: anti-bribery and corruption laws and regulations; anti-money laundering, tax avoidance or terrorist financing laws and regulations; sanctions relating to restricted countries or individuals; and regulatory rules and requirements.

20. Conflicts of interest: Any engagement will need to operate on the principle that the parties identify and manage conflicts of interest fairly and effectively. There needs to be an understanding of any relationship between the Bank and the fintech, including key personnel on both sides, to ensure the engagement has been introduced, selected and contracted with integrity and transparency, to avoid the perception of, or actual: bribery, corruption, questionable conduct or the seeking of improper influence; advantage obtained as a result of the giving or receiving of gifts, hospitality and entertainment by any of its employees or third parties; and breach of any law, regulation, code or policy.

21. Company financials: Evidence of financial performance and ongoing viability in terms of: capital availability, funding stage and sources; existing revenues and debts; profit and loss account and balance sheet; cash flow; existing engagement commitments; resourcing levels; and financial forecasts and growth/scaling plans.

22. Commercial model: A review of the commercial terms, including the proposed use, by either party, of brand marks or marketing collateral associating the organisations. Include aspects such as: proposed pricing model (e.g. per transaction, per user or enterprise level); revenue share; license fees to be charged; service levels and cost tiers, if costs change by volume or other factor; support arrangements and service level agreements; third parties used, including associated costs; guarantees and/or indemnities expected or given; responsibility for any liabilities; and penalties relating to non-performance.

23. Intellectual property agreements: An understanding of how the two businesses will work together, to provide clarity about: what intellectual property already exists; who owns the existing intellectual property; how existing intellectual property might be used by each party, and on what terms; who will own any new intellectual property created as a result of working together; and how intellectual property might be combined, where necessary.
3.3 Permissible Business Activities
The framework is specifically for banking and other related financial services as follows:
3.4 Risks Associated with Fintechs
As the Group and entities within the HoldCo expand business across frontiers, identifying and managing the risks associated with onboarded relationships such as Fintechs becomes necessary. The risks associated with Fintechs include, amongst many others:
• 3rd & 4th Party Risks, such as API sharing, aggregating and nesting activities
• Acquiring & Issuing of web/online and card transactions
• Settlement & Credit
• Financial Crimes: Fraud, ML/TF, Cybersecurity
• Legal: contract T&Cs etc.
• Technology stability and resilience
• Data Management
• Reputational, etc.
4.0 Key Payment Service Providers
In response to the dynamic activities and attendant risks associated with Fintechs offering financial services within the payment ecosystem, whether as processors, payment facilitators, aggregators, merchant acquirers or digital lenders, this section outlines the due diligence requirements for these categories of Fintechs. They include, amongst others:

² Neo banks or internet-only banks are entities with no physical infrastructure that nevertheless offer services similar to those of brick-and-mortar banks over electronic and mobile devices.
4.1 Digital Banks/Lenders (NeoBanks)
While the introduction of a special licensing regime for Digital Banking Services is said to be underway, Fintechs are leveraging the existing Microfinance Bank (MFB) Framework to launch such digital banking and lending products over electronic and mobile devices.
Based on the above, Access Bank, its subsidiaries and entities within the HoldCo shall only enter into a partnership with a digital bank and/or MFB that is duly licensed and operates within the permissible activities of the MFB framework as stated in the Regulator's policy. Such Microfinance and Digital banks shall be required to provide all documentation and satisfy the due diligence requirements stated under Section 3.2.
The activities of MFBs will be reviewed based on the existing Regulatory framework governing their operations in the country of presence. For the purpose of this document, the permissible and non-permissible activities under the Central Bank of Nigeria (CBN) MFB framework are outlined below:
i. Acceptance of various types of deposits including savings, time, target and demand
deposits from individuals, groups and associations.
ii. Provision of credit to its customers
iii. Provision of housing micro loans
iv. Provision of ancillary services such as capacity building on record keeping and small
business management and safe custody.
v. Issuance of debentures to interested parties to raise funds from members of the public
with the prior approval of the CBN
vi. Collection of money or proceeds of banking instruments on behalf of its customers
including clearing of cheques through correspondent banks.
vii. Act as agent for the provision of mobile banking, micro insurance and any other services
as may be determined by the CBN from time to time, within the geographic coverage of
its license.
viii. Appoint agents to provide financial services on its behalf in line with the CBN Agent
Banking Guidelines, within the geographic coverage of its license.
ix. Provision of payment services such as salary, gratuity, pension for employees of the
various tiers of government
x. Provision of loan disbursement services for the delivery of the credit program of
government, agencies, groups and individual for poverty alleviation on non-recourse
basis.
xi. Provision of banking services to its customers such as domestic remittance of funds.
xii. Maintenance and operation of various types of account with other banks in Nigeria.
xiii. Investment of its surplus funds in suitable money market instruments approved by the
CBN;
xiv. Operation of micro leasing facilities, microfinance related hire purchase and arrangement
of consortium lending;
xv. Participation in CBN Intervention Funds and funds from other sources;
xvi. Provision of microfinance related guarantees for its customers;
xvii. Financing agricultural inputs, livestock, machinery and industrial raw materials to low-
income persons
xviii. Investment in cottage industries and income generating projects for low-income persons
as may be prescribed by the CBN from time to time
xix. Provision of professional advice to low-income persons regarding investments in small
businesses;
xx. Issuance of domestic commercial paper subject to the approval of the CBN
xxi. Provide financial and technical assistance and training to microenterprises; and
xxii. Any other permissible activity as may be approved by the CBN from time to time
4.2 Payment Service Providers (Payment Facilitators/Aggregators)
Payment Facilitators (PFs) are service providers that provide payment capabilities and accept card payments on behalf of multiple sponsored merchant businesses ("sub-merchants") in the ecommerce space, with a simplified enrolment process. Payment Facilitators can operate a diversified portfolio of merchant target-markets or be target-market specific under the sponsorship.
Currently, PFs are required to nominate and partner with a financial institution as their acquiring/settlement Bank. PFs are classified as high-risk merchants because of the diversity of the merchant portfolio, which could contain any category of merchant. Like Financial Institutions, PFs are required to be associate members of the card schemes. They are also recognized by the CBN as Non-Bank Merchant Acquirers.
In addition to fulfilling all due diligence requirements provided in Section 3.2 above and the Access Bank Plc Framework for Acquisition of Merchant and Cashless Collection, the following are key requirements:
i. Must be a registered company in Nigeria and in the country of operations
ii. Must be duly licensed by the CBN or the Regulatory authority in the country of presence
iii. Must have a corporate account with the Bank for settlement, which must relate to the Business Name
iv. Must have executed a PF Agreement & forms with Access Bank with clear SLAs
v. The relationship manager/officer must provide a completed Merchant Enhanced Due Diligence (EDD) form and confirmation of a Merchant physical location visit
vi. Must ensure the sub-merchant's website is in line with the web requirements
vii. Must ensure policies and procedures are in place for sub-merchant underwriting, which would at a minimum cover the following:
a. Identity of the sub-merchant
b. Sub-merchant ultimate beneficial owners
c. Authorization of the merchant; a Board Resolution is required where the merchant onboarded is a corporate entity
xxii. Observe and comply with all security measures and ensure that the sub-Merchants in turn comply with such measures, whether or not prescribed by Access Bank Plc, and further comply with any instruction given by Access Bank Plc in respect of card transactions or customer (cardholder) payment instructions.
xxiii. Ensure that Access Bank Plc is promptly notified of any suspected security breach, misuse, irregularity, suspected fraudulent transaction or account numbers, or any suspicious activity that may be connected with attempts to commit fraud or other illegal activity through the use of its website.
xxiv. Be responsible for communicating the Terms and Conditions of transactions on the systems to its sub-Merchants and online users (cardholders).
xxv. Take all steps to keep secure confidential information or data related to transactions initiated on the website. In the event any such information is lost, stolen or otherwise compromised, the Merchant shall forthwith report and give written notice of such occurrence to Access Bank Plc, whereupon the Payment Facilitator shall, in consultation with the Bank, take immediate steps to remedy the situation and prevent its re-occurrence. All fraud claims arising from such cases shall be borne by the Payment Facilitator.
xxvi. Be notified by Access Bank once the fraud threshold is reached.
xxvii. Allow Access Bank to carry out an audit of its facilities/platform for compliance with PCI DSS and ISO 27001.
4.2.3 Role of the Bank & Entities within the Payment Facilitators/Aggregators
investigation, and any other records that are pertinent to the business relationship with the merchant
xv. Be responsible for the training of merchants on managing the platform and on identifying suspicious transactions.
xvi. Carry out an annual audit of Merchants, Payment Facilitators, etc.
xvii. Administer the AML/CFT and ABC questionnaire on all aggregated merchants at onboarding and on an annual basis thereafter.
4.3 Switches, Processors & eCommerce Merchants/Fintechs
These are electronic funds transfer and transaction switching and processing service providers that operate within Nigeria. Switching companies facilitate the exchange of value between financial service providers, merchants, their customers and other stakeholders. A switching company shall:
4.4 Mobile Money Operators & Super Agents
The increasing use of technology has seen devices like phones and laptops acquire a "do-all" capability. A mobile phone now combines the functions of a camera, laptop, fitness tracker and alarm, and now of a bank too. This has led to the emergence of Mobile Money Operators (MMOs) in Nigeria: platforms that offer financial services through mobile phones and telecommunication networks.
Mobile money is a technology that allows a user to save, receive and spend money from the convenience of a mobile phone, generally through what is called a mobile wallet, or whatever name the company hosting the service gives it. Mobile money is very popular today, especially in Africa and in a country like Nigeria. MMOs are the mobile money facilitators in the country; most telecommunication companies and some fintech companies are now mobile money operators. MMO activities are driven through the agency banking network, and MMOs similarly work with super-agents. Super-agents are agents contracted by the principal (a deposit-taking Financial Institution and/or Mobile Money Operator) who may thereafter sub-contract other agents in a network while retaining overall responsibility for the agency relationship.
In addition to the Section 3.2 requirements, the following requirements must be met before onboarding approval is granted:
i. Enter into an Agreement with each Agent/MMO, taking into consideration SLAs covering chargebacks, dispute resolution etc.
ii. Ensure that adequate due diligence is conducted on all Agents/MMOs
iii. Conduct sanctions screening and adverse press searches on Agents/MMOs prior to their being onboarded
iv. Carry out annual KYC reviews on the Agents/MMOs
v. Notify the Agents/MMOs once the fraud/chargeback threshold is reached
vi. Keep complete, well-documented files containing Agent/MMO records for at least five (5) years after agreement termination
vii. Maintain files on all Agents/MMOs in either physical or electronic format
viii. Ensure that Agent records kept include the Agency agreement, application, underwriting documentation, any information connected to a present or past investigation, and any other records that are pertinent to the business relationship with the Agent/MMO
ix. Carry out an annual audit of Agents/MMOs, etc.
x. Administer the AML/CFT and ABC questionnaire on all Agents/MMOs at onboarding and on an annual basis thereafter
5.0 Stakeholders Roles & Responsibilities
To ensure that Fintechs and related partners are onboarded seamlessly and efficiently, profiled effectively and properly managed throughout the relationship, that transactions are monitored and that settlement is done within agreed SLAs in line with regulation, amongst others, the grid below will serve as the baseline of responsibilities for the designated Strategic Business Units (SBUs) and Assurance Groups working in concert with the Fintech Monitoring & Intelligence Center. Stakeholders include:
Channels Support
Information Technology Group
Information & Cybersecurity Group
Operational Risk Management
Conduct and Compliance
Legal
FINCON
Centralized Operations
Internal Audit – Antifraud
Data Management Office (Data Governance Unit)
Africa Fintech Foundry (API Development Unit)
Fintech Monitoring & Intelligence Center
5.1 Roles and Responsibility Matrix (Access Bank, Subsidiaries & Entities within HoldCo)
thresholds;
2. Information Technology Group and AFF (Digital Factory; Enterprise Architecture; API Dev Unit (AFF)):
• Ensure agility and re-usability of digital assets to form new value propositions.
• Achieve a seamless customer experience across multiple lines of business and distribution channels.
• Modular, loosely coupled systems to reduce the complexity of upgrading individual systems.
• Maintenance and life cycle management of technology assets.
• Scalability and optimisation of technology assets.
• Change Management approval.
• Partner onboarding: API integration upon receipt of the EDD report.
• Maintain logs on adoption, usage and other metrics on the performance of APIs.
• Maintain updated API risk catalogues, API process control mapping and risk control matrix.
• Align incident management processes and procedures with partner institutions, clearly outlining the responsibilities of each party.
• The AFF Dev Unit must also maintain a list of ALL partners that each API is exposed to.
• AFF to ensure a documented process for approval is in place for exposing partners to the sandbox, and to maintain a list of partners that have used the sandbox.
3. Information & Cybersecurity Group:
• Have information technology and information security policies and a risk management framework that address APIs.
• Maintain an up-to-date list of all APIs in the Bank, classified as external or internal, and of the parties that have been approved, via this process, to access such APIs.
• Ensure access to APIs and the Bank's sandbox is strictly via the approved process and that only approved APIs are exposed, on a case-by-case basis.
• Ensure strict adherence to the security policies and governance around API development, exposure and management.
• Collaborate with partner participants on cyber risks; protect against attacks on operations and technology assets or theft of sensitive information.
• Carry out regular (minimum yearly) assessment of partner cyber posture, including partner cybersecurity capabilities and how they will protect assets and sensitive information.
• Have the ability to instruct immediate suspension of any connectivity with partners deemed to pose a security risk to the Bank.
• Improve the Bank's ability to identify and respond to cybersecurity incidents by integrating the partner into the Bank's Security Information and Event Management (SIEM) capability.
• Carry out regular monitoring of the control environment of partner participants and revalidate the Data Access Agreement and Service Level Agreements on an annual basis.
• Deploy and implement an automated monitoring system for evaluating the vulnerability of the Bank's systems and environment to partner participants and for the management of fraud or related risks.
4. Conduct & Compliance Group (E-Business & Digital Compliance; IT and Cybersecurity Compliance; Financial Crimes):
• Ensure onboarding EDD checks are done using the 3rd party due diligence workflow on Processmaker.
• Ensure KYC onboarding reviews, transaction monitoring and sanction screening are done.
• Carry out reviews to ensure Fintechs/related partners are onboarded and properly profiled in line with the requirements of the framework.
• Ensure transaction monitoring is carried out based on the rules set.
• Carry out reviews to ensure accountability and controls of
or internal and the parties that have been approved, via this process, to access such APIs.
• Ensure access to APIs and the Bank's sandbox is strictly via the approved process and that only approved APIs are exposed, on a case-by-case basis.
• Ensure strict adherence to the security policies and governance around API development, exposure and management.
12. FMIC:
• Carry out onsite assessments to test the adequacy of the partner's platform, systems and controls; share the assessment report with the due diligence team so as to conclude EDD at the onboarding process.
• Ensure all EDD documentation provided is adequate.
• Ensure that EDD is concluded at the onboarding stage for all partners before APIs are exposed in either the Test or Live environment, including activities in the sandbox.
• Ensure that all stakeholders identified in 1-11 above carry out their tasks as clearly defined.
• Ensure every partner onboarded is properly profiled to enable efficient activity monitoring.
• Ensure systems are in place for monitoring and analysis.
• Render periodic reports to the management team and stakeholders on the outcomes of triggered alerts and/or intel analysis.
• Provide advisory support as needed to stakeholders, training based on new and emerging trends/threats, and engagements with Regulators.
• Ensure responsible owners of existing API policies/frameworks and other related policy documents outlined in Section 2.2 above update such documents to align with FinTech Compliance requirements, current trends, IT Governance, Regulatory provisions and global best practices.
5.2 Responsibilities of Fintechs
Fintechs are usually consumers of APIs; however, this framework recognizes that there could be occasions for Fintechs to be providers of APIs. Fintechs shall therefore assume the responsibilities of either consumer or provider depending on the role they play at any point in time, in tandem with the Regulatory Framework on Open Banking. In addition, Fintechs onboarded shall:
i. Ensure that they leverage APIs to innovate products and solutions that are interoperable.
ii. Avoid alteration of APIs published by a provider without the consent of the provider.
iii. Base any modification of published APIs on the provisions of the Data Access Agreement or, where necessary, an addendum to the agreement. The agreement shall specify the rights of the parties to the modified API and the commercial terms.
iv. Comply with data privacy laws and regulations.
v. Adhere to the provisions of this framework.
vi. Maintain a customer service/complaint desk on a 24 hours/7 days a week basis for financial institutions to resolve complaints of end-users.
vii. Have appropriate monitoring tools for security infraction detection, remediation and anti-fraud.
viii. Report any issues regarding fraud and/or security to the Bank immediately these are detected.
6.0 FINTECH MONITORING & INTELLIGENCE CENTER (FMIC)
The Fintech Monitoring & Intelligence Center, set up to mitigate the risks associated with Fintechs, shall comprise experts from Compliance & Risk Management, Antifraud, Information & Cybersecurity, Data Scientists & Analysts, Legal, Partnerships & Digital Capabilities, Developers etc. and will provide support in the onboarding, monitoring and management of Fintechs engaged by Access Bank Nigeria, its Subsidiaries and other related entities within the HoldCo ecosystem.
It is also instructive to note that Financial Intermediaries and respondent FIs to the Bank, such as Microfinance Banks (MFBs), Discount Houses etc., which are digitally driven will also be identified and categorized as Fintechs. Consequently, the objectives of FMIC shall include:
o Retention/Exits
o Avail the Bank with risk assessment reports on partner participants and provide the Bank with reports on the assessments of its control environment before engagement
2. Advisory & Engagement
o Regulatory Engagement
o Third Party Provider Contract Management
o Engagement with Users of Alert Analysis for implementation
o Mgt Reporting – Access Bank, Subsidiaries & entities within the HoldCo
o Specialized Training and Support to Access
o Advisory Services
o Service Delivery
3. Monitoring & Analysis
o Transaction Monitoring; Alert Investigations; Screenings; Data analysis & Dev Ops etc.
o Fraud Mgt
o Cybersecurity
o API monitoring
o AML & CTF Monitoring
o Settlement & Collateral Mgt
o Environmental Scans
o Data Analysis and Reporting
6.1.1 Relationship with Access Bank, Subsidiaries and entities within the HoldCo
Diagram 1 – Relationship with the Bank, Regulators, and all vested parties within the Ecosystem
To ensure operational independence, the Fintech Monitoring & Intelligence Center will sit within the HoldCo structure as a Unit/Team to provide support to the Bank, its Subsidiaries, and entities within the HoldCo in the onboarding and effective monitoring of Fintechs.
Personnel from the stakeholders stated in Section 4.1 above, which include Compliance & Risk Management, Antifraud, Information & Cybersecurity, Data Scientists & Analysts, Legal, Partnerships & Digital Capabilities, Developers etc., will be required to form this team and commence operations effectively. Where staff cannot be sourced internally to adequately fill roles, Human Resources will be required to recruit suitable personnel based on the minimum key skills and competencies listed below:
o Right Attitude
o Critical Design Thinking & Problem Solving
o Data Analytics
o Soft Skills – Communication, Leadership, Responsibility
o Investigation & Reporting
o Adaptability
o Technology Savvy & IT Skills
o Knowledge of Regulatory & Operating Environment
o Professional Certifications in areas of expertise such as Compliance, Fraud, Cybersecurity, Information Technology, Operations, Legal etc.
7.0 DATA AND SERVICE CATEGORIES
This framework, in recognition of the Regulation on open banking, provides for the data that may be exchanged and the corresponding API services that may be implemented and used by participants.
7.1 Categories
Open exchange of data and services through APIs shall be according to the following data and service categories:
i. Product Information and Service Touchpoints (PIST): This shall include information on products provided by participants to their customers and the access points available for customers to access services, e.g. ATM/POS/Agent locations, channel (website/app) addresses, institution identifiers, service codes, fees, charges and quotes, rates, tenors, etc.
ii. Market Insight Transactions (MIT): This shall include statistical data aggregated on the basis of products, services, segments, etc. It shall not be associated with any individual customer or account. These data could be exchanged at an organizational level or at an industry level.
iii. Personal Information and Financial Transaction (PIFT): This shall include data at the individual customer level, either general information on the customer (e.g. KYC data, total number or types of accounts held, etc.) or data on the customer's transactions (e.g. balances, bill payments, loans, repayments, recurring transactions on the customer's accounts, etc.).
iv. Profile, Analytics and Scoring Transaction (PAST): This shall include information on a customer which analyses, scores or gives an opinion on the customer, e.g. credit score, income ratings etc.
7.2.1 Risk Management (RM) Maturity Level and Data & Services Access Level
Data and API access requirements among participants shall be guided by the following risk management maturity levels of participants [3]:
S/N 1
Participant Category: Participants without regulatory license
Risk Mgt Maturity Level: Tier 0
Access Level by Data Category: PIST and MIT
Data & API Access Requirement:
o The on-boarding requirements for Tier 0 Participants shall be determined by Access Bank as a sponsoring Tier 3 participant;
o Access Bank shall, within 3 working days of onboarding the Tier 0 participant, register the Tier 0 participant on the CBN Open Banking Registry;
o In registering a Tier 0 participant on the Open Banking Registry, a comprehensive risk assessment report on the Tier 0 participant, duly signed by the Chief Risk Officer of the Bank, shall be in place.
S/N 2
Participant Category: Licensed Payments Service Providers and OFIs
Risk Mgt Maturity Level: Tier 2
Access Level by Data Category: PIST, MIT, PIFT and PAST
Data & API Access Requirement:
o Tier 2 Participant shall hold a valid license from the Central Bank of Nigeria;
o Satisfactory Risk Assessment Report by at least two (2) partner participants. The report should address the Know Your Partner (KYP) assessment in respect of business & governance, financial strength analysis, control environment assessment and risk management practices.
o Tier 2 participant shall be listed on the Open Banking Registry
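The access table above, together with the FMIC requirement in section 5.1 (row 12) that EDD is concluded before APIs are exposed in test, live or the sandbox, can be expressed as a single policy-as-code gate. The following is an added example written for this edit; it is not the Bank's own code or system. The Participant record, its boolean flags, the sample participants and review dates are constructed for illustration, and treating an overdue Tier 0 registry registration as a non-blocking warning (the framework states the Bank's 3-working-day duty without saying how access is affected) is an assumption.

```python
"""Policy-as-code model of the FMIC data and API access gate (added example, not the Bank's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class DataCategory(str, Enum):
    PIST = "PIST"  # Product Information and Service Touchpoints
    MIT = "MIT"    # Market Insight Transactions
    PIFT = "PIFT"  # Personal Information and Financial Transaction
    PAST = "PAST"  # Profile, Analytics and Scoring Transaction


# Access level by data category per risk management maturity tier (section 7.2.1).
# Tiers 1 and 3 have no access level in this excerpt, so they are denied by default.
TIER_ACCESS = {
    0: frozenset({DataCategory.PIST, DataCategory.MIT}),
    2: frozenset(DataCategory),
}
ENVIRONMENTS = ("sandbox", "test", "live")
REGISTRY_DEADLINE_WORKING_DAYS = 3   # section 7.2.1, Tier 0 row


@dataclass
class Participant:
    name: str
    tier: int
    onboarded_on: date
    edd_concluded: bool = False               # EDD concluded at onboarding (section 5.1, row 12)
    listed_on_registry: bool = False          # present on the CBN Open Banking Registry
    cro_signed_risk_assessment: bool = False  # Tier 0: CRO-signed risk assessment report
    holds_cbn_licence: bool = False           # Tier 2: valid CBN licence
    partner_risk_reports: int = 0             # Tier 2: satisfactory KYP reports from partners


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # blocking findings
    warnings: list = field(default_factory=list)  # non-blocking findings


def working_days_elapsed(start: date, end: date) -> int:
    """Count Monday-to-Friday days after `start` up to and including `end`."""
    count, day = 0, start
    while day < end:
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def evaluate_access(p: Participant, category: DataCategory, environment: str, today: date) -> Decision:
    """Decide whether `category` data may be exposed to `p` in `environment` as of `today`."""
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {environment!r}")
    reasons, warnings = [], []
    # Section 5.1 row 12: no API exposure in test, live or the sandbox before EDD is concluded.
    if not p.edd_concluded:
        reasons.append(f"EDD not concluded; no exposure in {environment}")
    permitted = TIER_ACCESS.get(p.tier)
    if permitted is None:
        reasons.append(f"Tier {p.tier} has no access level in this framework excerpt")
    elif category not in permitted:
        reasons.append(f"{category.value} is outside the Tier {p.tier} access level")
    if p.tier == 0:
        if not p.cro_signed_risk_assessment:
            reasons.append("Tier 0: CRO-signed risk assessment report not in place")
        # The Bank must register a Tier 0 participant within 3 working days of onboarding;
        # the model reports a missed deadline as a warning rather than a block (assumption).
        if not p.listed_on_registry and working_days_elapsed(p.onboarded_on, today) > REGISTRY_DEADLINE_WORKING_DAYS:
            warnings.append("Tier 0: Open Banking Registry registration overdue")
    elif p.tier == 2:
        if not p.holds_cbn_licence:
            reasons.append("Tier 2: no valid CBN licence")
        if p.partner_risk_reports < 2:
            reasons.append("Tier 2: fewer than two satisfactory partner risk assessment reports")
        if not p.listed_on_registry:
            reasons.append("Tier 2: not listed on the Open Banking Registry")
    return Decision(allowed=not reasons, reasons=reasons, warnings=warnings)


# Constructed sample participants and review dates (not real entities); 2021-06-07 is a Monday.
SAMPLES = {
    "tier0_sponsored": Participant("example-startup", 0, date(2021, 6, 7), edd_concluded=True,
                                   cro_signed_risk_assessment=True),
    "tier2_licensed": Participant("example-psp", 2, date(2021, 6, 1), edd_concluded=True,
                                  listed_on_registry=True, holds_cbn_licence=True, partner_risk_reports=2),
    "tier2_one_report": Participant("example-psp-2", 2, date(2021, 6, 1), edd_concluded=True,
                                    listed_on_registry=True, holds_cbn_licence=True, partner_risk_reports=1),
    "tier3_bank": Participant("example-dmb", 3, date(2021, 6, 1), edd_concluded=True),
}
REVIEW_WITHIN_DEADLINE = date(2021, 6, 10)   # three working days after 2021-06-07
REVIEW_AFTER_DEADLINE = date(2021, 6, 11)    # four working days after 2021-06-07


if __name__ == "__main__":
    for name, p in SAMPLES.items():
        for cat in DataCategory:
            d = evaluate_access(p, cat, "sandbox", REVIEW_AFTER_DEADLINE)
            print(f"{name:18} {cat.value:5} {'ALLOW' if d.allowed else 'DENY '} {d.reasons} {d.warnings}")
```

The gate collects every failed precondition rather than stopping at the first one, so the EDD team and the API owners see the complete list of what is outstanding for a partner; the sandbox is evaluated with the same rules as test and live, matching the row 12 wording that EDD precedes exposure "including activities at the sandbox".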
8.0 PERIODIC REVIEW
Given the rapid pace of change and progress in the electronic and digital world, this document shall be reviewed annually in line with the risk rating of the document, and earlier in the event of significant regulatory changes.
[3] Deposit Money Banks are categorized as Tier 3 participants under the CBN Regulatory Framework for Open Banking. Tier 1 Participants are those participating through the CBN Regulatory Sandbox. They must be listed on the Open Banking Registry.
9.0 APPENDIX
Authorisation
o OAuth 2.0
o ISO 10181-3 – Access Control Framework
o FAPI
Encryption
Data Integrity
o JSON Web Token (JWT)
o WS-Security
o Keyed Hash Message Authentication Code (HMAC)
Secure Hosting
o ISO 27001
o ISO 22301
o PCI DSS