The Bank of Ghana (BoG) has published a draft of the country's first open banking directive for regulated financial institutions (RFIs), with a 30-day comment period.
When the comment period closes, the BoG will engage with key stakeholders before announcing an implementation date.
The draft directive establishes clear rules for open banking participants around data protection, security protocols and operational standards.
It applies to all RFIs, including banks, loans companies and payment service providers (PSPs), and compliance with the directive will be mandatory.
The directive serves as a roadmap for RFIs to securely share customer-consented data with one another through application programming interfaces (APIs).
“The central point of this directive lies in the proposition of providing an enabling environment for customers of financial institutions to access a myriad of personalised permissible financial products and services,” said the BoG.
“Influenced by the ongoing developments in financial technology, regulatory reforms and Ghana's expanding digital infrastructure, this open banking directive is a pioneering initiative set to significantly improve Ghana's financial services sector.”
BoG data-sharing platform to play a key role
Under the directive, data shall be shared on the basis of explicit consent granted by the data subject, through established, secure and standardised APIs.
The APIs will connect through a designated public digital infrastructure platform known as Open Data Exchange (OpenDX).
OpenDX, a legal entity established by the BoG, will facilitate the sharing and receiving of customer-consented data among participants.
Among its responsibilities, OpenDX will govern API standardisation and regulatory technical standards.
It will also provide access for participants to manage consent requests, and it will provide real-time notifications for consent management.
Participating RFIs will be required to connect to the Financial Industry Command Security Operations Centre (FICSOC) or have an in-house Security Operating Centre (SOC) licensed by the Cyber Security Authority (CSA).
In the event of non-compliance with any provision of the directive, the BoG will suspend the participant’s access to OpenDX.
The suspended participant may then submit to the BoG a “comprehensive corrective action plan” prior to rectifying the non-compliance.
The suspension will remain in effect until the BoG is satisfied that the violation has been rectified.
If the participant fails to do so within the required timeframe, or if it commits repeated violations, the BoG may terminate the participant’s access to OpenDX.
The participant must then cease offering open banking products and services to all customers.