Open banking in Nigeria in 2026: who's actually compliant
The CBN's open banking rules are now live. Here's which Nigerian fintech platforms actually meet compliance, and what it means for your startup.
Nigeria's Central Bank has spent years talking about open banking. In 2026, the conversation has shifted: the rules are written, deadlines have passed, and most of the fintech ecosystem is scrambling. The question founders are asking now isn't whether open banking is coming—it's which platforms have genuinely implemented it, and which ones are still performing compliance theatre.
This matters because open banking is not a feature you bolt onto your existing API. It's a structural change that forces you to rethink authentication, data sharing, and liability. If you're building a payment app, a lending platform, or any service that touches customer banking data, you need to know exactly which aggregators and banks are compliant, and which ones are still operating in the grey zone.
In this article, we'll map the actual state of open banking compliance in Nigeria right now—not the marketing claims, but the real implementation. You'll walk away knowing which platforms (Mono, Okra, and others) have actually certified with the CBN, what the compliance gaps are, and how to build your stack without getting caught in a regulatory trap.
What the CBN actually mandated, and when
In 2023, the Central Bank of Nigeria issued the Regulatory Framework for Open Banking in Nigeria. The framework set out a phased timeline, with the first compliance deadline arriving in Q3 2024. By that point, all Tier 1 banks (the big ones: GTBank, Zenith, Access, UBA, FCMB, etc.) were supposed to have exposed APIs for account information services and payment initiation services.
The second wave of compliance—covering Tier 2 banks and non-bank financial institutions—was supposed to land in Q1 2025. Third-party providers (TPPs) like Mono, Okra, and others had to be certified by the CBN's Payments System Management Department (PSMD) to act as intermediaries.
Here's where it gets real: most of those deadlines slipped. Some banks published APIs that were barely functional. Some TPPs got certified but their integrations didn't match the spec. The CBN didn't publicly name-and-shame non-compliant actors, which meant the market remained murky heading into 2026.
What's changed in the last 12 months is enforcement. Banks that missed deadlines have faced regulatory pressure. TPPs that couldn't prove certification have lost access to certain banking partnerships. For founders, this means the landscape has consolidated: only genuinely compliant platforms are still operating at scale.
Who's actually compliant: the TPP layer
Mono and Okra are the two names everyone mentions. Both are Nigerian-founded, both operate across East Africa, and both claim CBN certification. But "certification" is a fuzzy term—it doesn't mean they're equally compliant, or that they've implemented every part of the spec.
Mono has been in the market since 2019. Their core play is account aggregation: they connect to customer bank accounts (with explicit consent) and pull transaction history, balance data, and account metadata. They've published their API docs openly and integrated with hundreds of apps across Nigeria, Kenya, and Uganda. In 2024-25, they underwent formal CBN certification and were added to the PSMD's registry of approved TPPs. Their compliance is genuine, but it's narrowly focused: they do account information services well, but their payment initiation service (PIS) layer is less developed than their AIS.
Okra entered the market later (around 2021) but moved faster on payment initiation. Their pitch is broader: they offer AIS, PIS, and fund confirmation services. They've also been certified by the CBN, and they've integrated with more payment corridors than Mono. However, their documentation is less transparent, and fewer independent developers have publicly verified their compliance implementation.
Both have limitations that matter for founders:
- Neither has achieved full coverage of Tier 2 and Tier 3 banks. Most of their integrations are with Tier 1 banks and a handful of larger Tier 2 players (like Wema, Zenith's subsidiaries, and some microfinance banks).
- Both rely partly on screen-scraping fallbacks for banks that haven't published proper APIs, which introduces fragility and security risk.
- Neither has published their full certification audit reports, so you can't independently verify the scope of their compliance.
There are other TPPs in the market—Irorun, Interswitch's open banking arm, and a few smaller players—but they operate in narrower niches (B2B invoice financing, for example) rather than as general-purpose account aggregators.
For founders using Mono or Okra, the practical implication is this: they're compliant enough to use for production apps, but you should not assume they cover every bank your users will use. You need fallback mechanisms, and you need to test thoroughly with Tier 2 and regional banks before launch.
The bank layer: compliance is patchy
The CBN's mandate was clear: banks must publish APIs. The reality is murkier.
All Tier 1 banks have published something. GTBank's API is mature and well-documented. UBA's is functional but slower. Access Bank's is newer and still seeing updates. Zenith and FCMB have working implementations. But "published" doesn't mean "good." Many bank APIs:
- Have inconsistent data models. One bank returns account balance as a decimal, another as a string. One returns transaction dates in ISO 8601, another in a custom format.
- Lack proper error handling. Rate limits are undocumented. Timeouts happen without explanation.
- Don't implement the full CBN spec. Some banks have exposed only read-only account information, not payment initiation. Others have payment initiation but no fund confirmation.
- Have unstable uptime. Several Tier 1 bank APIs have experienced outages or degradation, particularly during high-traffic periods (month-end, quarter-end).
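The data-model inconsistency described above (balance as a number in one response and a string in another, ISO 8601 dates in one and a custom format in another) is usually absorbed in a single normalisation layer that rejects anything it cannot parse. The sketch below is an added example, not code from any bank or TPP; the field names, the non-ISO date formats and the assumption that offset-less timestamps are West Africa Time are all hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

# Assumptions: field names, the non-ISO formats, and WAT for timestamps without an offset.
REQUIRED = ("account_id", "balance", "booked_at")
CUSTOM_FORMATS = ("%d/%m/%Y %H:%M:%S", "%d-%b-%Y %H:%M")
WAT = timezone(timedelta(hours=1))

class SchemaError(ValueError):
    """The record cannot be normalised safely; reject it instead of guessing."""

def parse_amount(raw):
    # A float means the JSON was decoded without parse_float=Decimal and may already be rounded.
    if isinstance(raw, (bool, float)) or not isinstance(raw, (int, str, Decimal)):
        raise SchemaError(f"unsafe amount type: {type(raw).__name__}")
    try:
        value = Decimal(str(raw).replace(",", "").strip())
    except InvalidOperation as exc:
        raise SchemaError(f"unparseable amount: {raw!r}") from exc
    if not value.is_finite() or value.as_tuple().exponent < -2:
        raise SchemaError(f"not a valid naira/kobo amount: {raw!r}")
    return value.quantize(Decimal("0.01"))

def parse_timestamp(raw):
    text = str(raw).strip()
    parsed = None
    try:
        parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        for fmt in CUSTOM_FORMATS:
            try:
                parsed = datetime.strptime(text, fmt)
                break
            except ValueError:
                continue
    if parsed is None:
        raise SchemaError(f"unknown timestamp format: {raw!r}")
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=WAT)  # naive value: apply the assumed local zone
    return parsed.astimezone(timezone.utc)

def normalise(json_text):
    record = json.loads(json_text, parse_float=Decimal)  # keep JSON numbers exact
    missing = [name for name in REQUIRED if name not in record]
    if missing:
        raise SchemaError(f"missing fields: {missing}")
    return {"account_id": str(record["account_id"]),
            "balance": parse_amount(record["balance"]),
            "booked_at": parse_timestamp(record["booked_at"])}

# Constructed samples: the same balance as two different providers might return it.
BANK_A = '{"account_id": "acct-001", "balance": 152300.50, "booked_at": "2026-03-31T09:15:00Z"}'
BANK_B = '{"account_id": "acct-001", "balance": "152,300.50", "booked_at": "31/03/2026 10:15:00"}'
```

Both constructed samples normalise to the same record; an amount with more than two decimal places or a timestamp in an unlisted format raises `SchemaError` instead of being coerced.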
Tier 2 banks are worse. The CBN's Q1 2025 deadline for Tier 2 compliance was largely missed. As of mid-2026, maybe 40-50% of Tier 2 banks have published working APIs. The rest either haven't published anything, or have published APIs that are non-functional or don't follow the spec.
This is why TPPs like Mono and Okra still rely on screen-scraping for many banks. It's a compliance workaround, not a solution.
Payment initiation vs. account information: the gap
Open banking has two main functions: account information services (AIS) and payment initiation services (PIS). They're not the same, and compliance differs between them.
AIS is reading: you connect to a customer's bank account, pull their balance and transaction history, and use that data to underwrite a loan, verify income, or build a spending dashboard. Most TPPs and banks have implemented AIS reasonably well because it's lower-risk and lower-complexity.
PIS is writing: you initiate a payment on behalf of the customer, drawing from their account. This is higher-risk (fraud, chargebacks, liability) and requires stronger authentication and audit trails. The CBN spec mandates multi-factor authentication, explicit consent, and detailed logging.
Here's the compliance gap: most TPPs and banks have implemented AIS but not PIS, or have implemented PIS in a limited form (only for certain transaction types or account types). This matters because many use cases require PIS—bill payments, salary advances, loan disbursements, etc.
If you're building an app that relies on PIS, you cannot assume your chosen TPP or bank has it fully implemented. You need to test, and you need to have a backup plan (direct bank integration, or fallback to traditional payment methods like USSD or card transfers).
How this compares to payment processors
If you're choosing between open banking and traditional payment processors (see "Paystack vs Flutterwave vs Moniepoint in 2026: full comparison"), here's the key difference: payment processors are mature, compliant, and reliable. They've been through multiple regulatory cycles and they work. Open banking is newer, compliance is uneven, and integration is more complex.
Paystack, Flutterwave, and Moniepoint all use open banking APIs behind the scenes (they've integrated with TPPs like Okra and Mono), but they abstract that complexity away. You get a simple API and they handle the bank integration and compliance. That's a trade-off: less control, but more reliability.
For most founders, that's the right choice. Use Paystack or Flutterwave for payment collection, and use open banking (via Mono or Okra) only for specific use cases where you need direct account access (income verification, spending insights, etc.). Don't try to build your entire payment stack on open banking in 2026—the infrastructure isn't there yet.
For fintech founders building more specialized products—like those covered in "Best Paystack alternatives for African SMEs in 2026"—open banking can be a differentiator, but only if you're willing to invest in robust fallback mechanisms and extensive testing.
The real compliance checklist for founders
If you're building a product that uses open banking, here's what you actually need to verify:
TPP certification: Check the CBN's PSMD registry to confirm your chosen TPP (Mono, Okra, or other) is listed. Don't rely on their website—go to the CBN's official list. The registry is not always public, but you can request it from your bank's regulatory affairs team.
Bank coverage: For each bank your users will use, verify that the TPP has a working integration. Test it yourself. Don't assume coverage based on the TPP's marketing.
Service scope: Confirm whether the integration is AIS-only or includes PIS. If you need PIS, test it end-to-end with real transactions (use test accounts or very small amounts).
Data consistency: Pull sample data from your target banks via your chosen TPP. Check that data models are consistent, that all required fields are present, and that you can parse everything reliably.
Error handling: Document what happens when the TPP or bank is down, when authentication fails, when rate limits are hit. Build fallback logic for all of these.
Audit and consent: Ensure you're capturing explicit user consent for each data access or payment initiation. Log everything. The CBN spec requires you to retain audit logs for at least 2 years.
Data security: Open banking involves handling sensitive banking data. Ensure you're encrypting data in transit and at rest, using secure key management, and not logging sensitive fields (PINs, OTPs, full account numbers).
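The audit, consent and data-security items above meet in the audit log: every access is checked against the recorded consent, every attempt (including denials) is logged, and PINs, OTPs and full account numbers never reach the log. The sketch below is an added example, not code from the article or any TPP; the key names, scope strings and consent record layout are hypothetical.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Assumptions: key names, scope strings and the consent record layout are hypothetical.
SECRET_KEYS = {"pin", "otp", "password"}       # never written to the log
ACCOUNT_KEYS = {"account_number", "nuban"}     # masked to the last four digits
RETENTION = timedelta(days=2 * 366)            # covers the "at least 2 years" requirement

def redact(value, key=""):
    """Return a copy of value that is safe to log, walking nested dicts and lists."""
    name = str(key).lower()
    if name in SECRET_KEYS:
        return "[REDACTED]"
    if name in ACCOUNT_KEYS:
        digits = re.sub(r"\D", "", str(value))
        return "*" * max(len(digits) - 4, 0) + digits[-4:]
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(item, key) for item in value]
    return value

def authorize_and_log(consent, action, payload, now=None):
    """Check consent for action and return (allowed, audit_line); denials are logged too."""
    now = now or datetime.now(timezone.utc)
    if action not in consent["scopes"]:
        outcome = "denied:scope"
    elif now >= consent["expires_at"]:
        outcome = "denied:expired"
    else:
        outcome = "allowed"
    line = json.dumps({
        "ts": now.isoformat(), "consent_id": consent["id"], "user_id": consent["user_id"],
        "action": action, "outcome": outcome, "payload": redact(payload),
        "retain_until": (now + RETENTION).isoformat(),
    }, sort_keys=True)
    return outcome == "allowed", line

# Constructed sample data: an AIS-only consent and a request carrying secrets.
CONSENT = {"id": "c-1001", "user_id": "u-42", "scopes": {"ais:read"},
           "expires_at": datetime(2026, 9, 1, tzinfo=timezone.utc)}
PAYLOAD = {"account_number": "0123456789", "amount": "5000.00",
           "auth": {"otp": "482913", "pin": "1234"}}
NOW = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for action in ("ais:read", "pis:initiate"):
        print(authorize_and_log(CONSENT, action, PAYLOAD, NOW))
```

With the constructed consent, the read is allowed and the payment initiation is denied for lack of scope; both produce an audit line with the secrets removed and a retention date attached.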
Regulatory risk: what can go wrong
The CBN is watching. They've set up a monitoring framework, and they're starting to enforce it. Here are the risks:
Using non-certified TPPs: If you integrate with a TPP that isn't on the CBN's approved list, you're operating outside the regulatory framework. The CBN can direct your bank partner to cut off your access, or fine you directly if you're licensed.
Poor data handling: If you're not logging consent, not securing data, or not retaining audit trails, you're non-compliant. This can result in regulatory action against you and your bank partner.
Liability confusion: If something goes wrong (a payment is initiated without consent, a customer's data is leaked), who's liable—you, the TPP, or the bank? The CBN spec says all three are responsible, but the enforcement is unclear. This is a legal minefield.
Competitive pressure from regulators: The CBN wants open banking to succeed, but they also want to protect consumers and maintain financial stability. If open banking platforms (like Mono or Okra) start experiencing outages or security incidents, the CBN could tighten rules or reduce TPP licenses. This affects you indirectly.
The safest approach is to treat open banking as a complementary layer, not a core dependency. Use it where it adds clear value (income verification, spending insights, etc.), but keep your core payment flows on established processors like Paystack or Flutterwave.
Looking ahead to 2027 and beyond
Open banking in Nigeria is improving, but it's still in the "early majority" phase, not the "early adopter" phase. By 2027, we expect:
- More Tier 2 and Tier 3 banks will publish working APIs, reducing reliance on screen-scraping.
- TPPs will standardize their data models and error handling, making integration less fragile.
- The CBN will publish enforcement cases, making it clearer what "compliance" actually means.
- Startups like NaijaCard and Bolt that rely on open banking will either scale successfully (proving the model works) or pivot (proving it doesn't).
For now, the advice is simple: use open banking, but carefully. Verify compliance at every layer, test thoroughly, and always have a fallback plan.
FAQ
Q: Is Mono or Okra better for my app? A: Both are compliant and functional. Mono is stronger on account information services (AIS), Okra is broader on payment initiation (PIS). Test both with your target banks and choose based on which covers your users better. For most apps, the difference is small.
Q: Can I use open banking instead of Paystack? A: Not yet. Paystack is a payment processor; open banking is a data layer. You can use open banking to enhance Paystack (e.g., verify income before offering payment terms), but not to replace it. Payment processing requires different compliance, infrastructure, and fraud prevention.
Q: What if a bank isn't supported by my TPP? A: Build a fallback. This could be USSD, card transfer, or direct bank transfer. Test your app with users from multiple banks before launch. Don't assume 100% coverage.
Q: Do I need my own CBN license to use open banking? A: No, as long as you're using a certified TPP. The TPP holds the regulatory relationship with the CBN. You need to comply with data handling and consent rules, but you don't need a separate fintech license.
Q: How do I verify a TPP's CBN certification? A: Ask the CBN's Payments System Management Department (PSMD) directly, or ask your bank partner. The official registry is not always public, but your bank should have access to it. Don't rely on the TPP's website alone.
What to do next
Start by mapping your specific use case. If you're collecting payments, stick with a payment processor (see "Paystack vs Flutterwave vs Moniepoint in 2026: full comparison"). If you need account access (income verification, spending data), evaluate Mono and Okra directly—set up test accounts and integrate with both, then choose based on real coverage of your target banks.
If you're exploring alternative payment infrastructure, read "Best Paystack alternatives for African SMEs in 2026" to understand the full landscape. And if you're working with regulated assets (like stablecoins or crypto), understand the regulatory context first: "Crypto regulation in Nigeria, simplified for founders."
Founder of LaunchPad. Building the home for Nigerian makers. Previously shipped Headhunter.ng and a handful of other things.