Male bank worker in navy blue suit, smiling and leaning over desk to shake hands with female bank customer in financial office.

Nigeria: Cloud in Financial Services

An Interactive Guide for Legal and Compliance
Professionals

Download compliance checklist for financial institutions in Nigeria

DOWNLOAD OUR LATEST WHITEPAPER

REGULATORY OVERVIEW

The banking sector in Nigeria, as with other sectors, has witnessed tremendous change in recent years. In particular, Nigerian banks have adopted a radical Information Communication Technology drive and are relying on various IT platforms for the provision of faster and more efficient banking solutions to their customers. Nigerian banks have identified the significant benefits and competitive opportunities offered by cloud services, such as agility, scalability, cyber resilience and secure access. The Central Bank of Nigeria (CBN) has acknowledged many of these benefits1. Cloud is expected to drive a rapid transformation in the Nigerian financial services sector as more institutions move to the cloud as part of the reassessment of their technology strategies. This includes testing and development of data analytics solutions, communications, CRM and business productivity applications.

Nigeria is witnessing great development in the financial service sector. New payment systems are emerging and FinTech has received significant interest to provide, for example, financial inclusion2 We expect that the Banks Verification Number which was introduced by the CBN in 20143 will improve collaboration and facilitate asset risk analytics to enhance decision making.

In principle, the financial services industry and the applicable regulators are open to cloud adoption provided concerns related to issues like privacy, control, and transparency are appropriately addressed4. In a highly regulated sector such as the financial services sector, it is however crucial to ensure that any move to the cloud complies with applicable regulation, and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE NIGERIAN FINANCIAL SERVICES SECTOR

We believe that no cloud services provider has more experience of delivering compliant solutions to financial institutions in Nigeria than Microsoft. Having helped a number of financial institutions move to the cloud, Microsoft recognises that the role of the cloud service provider is to help facilitate compliance through full, transparent, proactive engagement with the financial institution and where appropriate, with financial regulators. Through this process of collaboration over a number of years (with both customers and regulators), Microsoft has developed excellent experience and a pool of practical resources to help financial institutions move to the cloud in a way that meets the highest compliance, risk and security standards.

From sharing product and service information in the initial project scoping phase through to assisting in any required consultation with financial regulators in Nigeria, Microsoft stands ready to support our financial services customers in Nigeria. Microsoft has already initiated plans to deliver the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365 - from data centres located on the African continent, which will offer enterprise-grade reliability and performance to customers across Africa.

In addition, our subject-matter experts are available to understand your requirements and provide detailed information on the technical, contractual, regulatory and practical aspects of any cloud project. This is all part of our commitment to helping our financial services customers smoothly navigate their way to the Microsoft cloud with confidence and enjoy the benefits of the digital transformation.

THE REGULATORY ENVIRONMENT

The current financial services industry in Nigeria is characterized by a cohesive regulatory regime, with the Central Bank of Nigeria (the "CBN") being the major regulator for banks pursuant to the Central Bank of Nigeria Act, 2007. Other financial institutions, including those in the capital markets and the insurance sectors, pension funds and collective investment schemes are supervised by separate market regulators.

  • Currently, the banking industry in Nigeria is regulated by the CBN, the insurance industry by National Insurance Commission, and the pension industry by the National Pension Commission. The Security and Exchange Commission however has overarching responsibility for financial institutions other than banks, such as capital markets, primary investment of pension funds and collective investment schemes.

  • Cloud services are in principle permitted.

  • There is presently no specific regulation for cloud services in Nigeria.

    For a bank, with respect to its move to the cloud, the following should (in addition to its other regulatory and compliance obligations5) be noted:

    1. Outsourcing rules: There are presently no specific rules regulating outsourcing of banking operations in Nigeria;
    2. (ii) banker-client confidentiality: A bank must maintain client confidentiality in respect of customer information. Banking secrecy covers information relating to the customer's account, the customer's transactions with the bank and information relating to the customer acquired through the keeping of his account. The duty to respect privacy and confidentiality is recognised under Nigerian law as a right to which a bank customer is entitled; and
    3. (iii) the CBN recommends that a bank complies with its IT Standards Blueprint.6

    The Nigerian Insurance Act currently does not regulate outsourcing by insurers.

    A move to the cloud by a bank or insurer will likely remain subject to the following key principles: (i) the financial institution remains responsible for the function (ii) the arrangement must not compromise the services provided to clients; (iii) privacy and (iv) the services must be regularly monitored.

  • Generally, approval is not required.

  • A bank must at all times be able to provide the CBN with necessary information and ensure the right of the CBN to carry out its supervisory functions and objectives, including the right to access information and on-site visits if the CBN considers necessary

  • Under the National Information Technology Development Agency Guidelines on Data Protection (the "Draft Guidelines"), personal information may be transferred out of Nigeria provided the requirements of the Draft Guidelines are met.7 The Draft Guidelines will permit the transfer of personal information outside Nigeria where adequate provisions are in place for its protection. This could take the form of legislation or contractual provisions which ensure adequate protection of personal information or could be sanctioned by consent of the data subject.

    Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft also ensures compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

  • 1 In the Nigerian Banking Industry Information Technology Standards Blueprint issued by the CBN (paragraph 6.1.1), it notes that benefits can include cost efficiencies, an elastic utility computing environment that supports on-demand scalability, convenience and continuous availability, back-up and recovery, and storage capacity.
    2 Central Bank of Nigeria Guidelines on Mobile Money Services in Nigeria
    3 Central Bank of Nigeria Regulatory Framework for Banks Verification Number Operations in Nigeria
    4 Some of the risks noted by the CBN include risks of security, privacy, dependency, vulnerability and downtime (see Nigerian Banking Industry Information Technology Standards Blueprint issued by the CBN, paragraph 6.1.1).
    5 Including under the Consumer Protection Framework.
    6 Nigerian Banking Industry Information Technology Standards Blueprint issued by the CBN, which sets out the CBN's recommended framework and standards, and offers guidelines for a bank in relation to its engagement of information technology vendors and service providers.
    7 Paragraph 4.1.8 of the National Information Technology Development Agency Draft Guidelines on Data Protection in Nigeria

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

INDUSTRY RESOURCES

Slide %{start} of %{total}. %{slideTitle}

INDUSTRY RESOURCES

Slide %{start} of %{total}. %{slideTitle}

CUSTOMER STORIES

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.