As digital finance expands across borders, progress is increasingly constrained by fragmented regulation and uneven supervisory practices. Divergent standards, inconsistent consent models, and misaligned risk controls continue to challenge both interoperability and effective oversight.

In this first of a two-part interview, digital finance strategist Elias Tayeh examines the core barriers to harmonisation, the evolving role of RegTech and SupTech, and the frameworks needed to balance innovation with consumer protection and trust. With over two decades of experience across the MENA region and West Africa, Elias brings a practitioner’s perspective shaped by hands-on work with regulators, financial institutions, and payment providers.

Given the rapid expansion of open banking and cross-border digital finance, what do you see as the most pressing compliance and supervisory challenges regulators and financial institutions face when trying to harmonise rules across jurisdictions?

From my direct hands-on experience leading open-banking and digital payments projects across Nigeria, MENA, and supporting cross-border fintech operators, I’ve observed that harmonisation failures stem from seven recurring challenges:

  1. Fragmented rulebooks and definitions
  2. Divergent consent models
  3. Data protection and identity infrastructure gaps
  4. Competing API and security standards
  5. AML/CFT asymmetries
  6. Operational resilience inconsistencies
  7. Consumer protection variance

Let me unpack each with concrete examples.

1. Fragmented rulebooks and definitions: Different jurisdictions classify third-party providers inconsistently (AIS/PIS, gateways, TPPs), creating passporting gaps and unclear liability. In Nigeria, where I led a project for a licensed PSP/PTSP/Super Agent, the Central Bank had not yet defined a uniform open-banking compliance path. We proactively pursued ISO 27001, NDPR, and PCI DSS certifications. Later, a mandatory ISO 20022 circular forced us to overhaul workflows, interfaces, and reporting across all systems – costly and avoidable with earlier standardisation.

2. Divergent consent models: One-time versus ongoing consent, purpose-bound versus broad permissions, and inconsistent revocation mechanics fragment user experience. In the same Nigerian project, customers had to physically visit bank branches and pay ₦50 just to authorise account linking – contradicting our instant A2A positioning. Worse, banks delayed reporting consent updates to the national switch (NIBSS), retaining control over authorisation data and blocking transparency.

3. Data protection and identity infrastructure gaps: Weak identity frameworks collide with data-protection mandates. Supporting FIs across MENA, I saw firsthand how onboarding refugees, displaced persons, and the under-banked stalls when formal IDs are absent. For corporates, the lack of API-enabled registries makes real-time verification impossible, slowing inclusion and raising compliance costs.

4. Competing API and security standards: PSD2/OBIE, India Account Aggregator, Brazil Open Finance, and Nigeria Open Banking differ on tokenisation, mutual TLS, and event notifications. Multinational institutions must maintain multiple compliance stacks simultaneously, fragmenting ecosystems and multiplying integration costs.

5. AML/CFT asymmetries: Threshold differences, divergent sanction lists, and inconsistent VASP definitions create uneven treatment of cross-border transfers. This is particularly acute in remittance corridors between developing and developed markets, where institutions face overlapping, contradictory reporting obligations.

6. Operational resilience inconsistencies: Without harmonised incident-reporting tiers and third-party assurance standards, regulators struggle to monitor cloud concentration risk and outsourcing dependencies that span borders and service layers.

7. Consumer protection variance: Disclosure formats, complaint-handling timeframes, and dispute-resolution channels differ widely. Cross-border users face reduced trust and complicated recourse when things go wrong.

Pathways forward include outcome-based mutual recognition, minimum technical floors (FAPI 1.0 Advanced, ISO 20022, LEI identifiers), unified consent artifacts with standard revocation, shared incident schemas, risk-based AML bridges, joint supervisory test suites, and proportional inclusion safeguards – including regulatory recognition of alternative-data credit scoring to expand access without compromising oversight.

How are RegTech and SupTech solutions reshaping the supervisory landscape, and what are the key barriers preventing regulators and financial institutions from scaling these tools effectively?

RegTech and SupTech automate compliance and supervision, replacing periodic manual reviews with continuous, data-driven monitoring. The promise is clear: near-real-time oversight, reduced compliance costs, and faster detection of risks. But the reality is more complicated.

The transformation happens when API-based reporting replaces quarterly PDFs, when common data schemas enable cross-institution analytics, and when model inventories let supervisors audit AI-driven credit scoring or fraud detection with actual evidence trails instead of policy documents. 

Graph analytics catch mule networks and market abuse patterns that rules-based systems miss. Privacy-enhancing technologies like tokenisation and differential privacy make cross-border oversight possible without violating confidentiality laws. Machine-readable regulation shrinks the gap between policy publication and implementation.

But scaling these tools consistently fails because of structural gaps – not technology limitations.

Data quality is the first barrier. In Nigeria, consent status for bank account linking wasn’t reliably reflected at the national switch, creating latency that undermined any SupTech relying on timely data. You can’t automate supervision over data you can’t trust. 

Identity infrastructure is the second. Across MENA, onboarding refugees or displaced persons with limited IDs exposed the hard ceiling – without robust eKYC rails and corporate registries, even sophisticated RegTech can’t move beyond pilots. Legacy cores can’t emit event streams or support schema evolution. Their interfaces remain batch-only, so sandbox-to-production migration hits a wall when adapters don’t exist. 

Standards fragmentation makes it worse. The late ISO 20022 mandate in Nigeria forced ecosystem-wide refactoring – illustrating how delayed or shifting standards multiply costs and slow adoption. Legal constraints add another layer: many supervisors lack mandates for granular data, and secrecy laws restrict cross-agency sharing and cloud use.

Model risk governance remains underdeveloped. Supervisors expect auditability for AI and machine learning, but tools often lack versioning, bias testing, or human-in-the-loop controls. Alternative-data credit scoring – valuable for thin-file customers – lacks regulatory recognition, limiting deployment. Procurement cycles, talent scarcity, and unclear ROI stall adoption. Without demonstrable KPIs like reduced false positives or faster onboarding, frontline staff see RegTech as extra work.

What works: start narrow with “report once, use many” pipelines like incident reporting and fee transparency, then expand. Co-develop machine-readable rules and test suites so firms self-validate before submission. Implement tiered identity regimes while foundational infrastructure matures. Adopt vendor-neutral reference architectures to reduce lock-in. Establish explicit model-risk playbooks to build supervisory comfort with AI and machine learning.

Throughout this process, CTOs and decision-makers must remain cost-conscious and strategically pragmatic. RegTech and SupTech implementations should be architected for incremental scalability – avoiding monolithic, vendor-dependent solutions that become expensive bottlenecks as transaction volumes or regulatory requirements evolve. 

The goal is not perfection at launch, but adaptable infrastructure that can absorb future complexity without requiring costly overhauls. Every technical choice – API design, data architecture, integration patterns – should be evaluated not only for compliance efficacy but for total cost of ownership and operational flexibility over time.

In your view, what frameworks or strategies best balance the need for innovation and interoperability in digital finance with the obligation to ensure financial inclusion, consumer protection, and trust?

The best balance comes from treating interoperability as critical infrastructure – not a competitive afterthought – and embedding consumer protection structurally into product design rather than layering it on retroactively.

Early in my career, I helped build a route-management and collections tool in the UAE for salesmen servicing merchants. We saw it as pure operations efficiency – not fintech. It worked, but we never designed for interoperability with other wallets. 

Today, many wallets intentionally stay closed loop for competitive reasons. Value doesn’t move easily or cheaply across providers, so customers get locked in and inclusion suffers. That experience taught me that innovation without interoperability by design creates friction, weakens consumer outcomes, and ultimately erodes trust.

Outcome-based, risk-tiered regulation is the foundation. Regulate for outcomes – security, transparency, redress, service continuity – rather than prescribing identical methods. This keeps room for innovation while fixing what matters for users: safety, fairness, and reliability. Tiered KYC and AML, proportional controls for low-risk uses, and graduated requirements as transaction values and risks rise allow institutions to serve diverse customer segments without imposing one-size-fits-all burdens that exclude the underbanked.

Interoperability as policy, not accident. Treat it like roads – mandate open, royalty-free interface standards for domestic instant payments, QR codes, and account-to-account transfers. Require published access terms and conformance testing. This lowers switching costs, prevents lock-in, and ensures innovation competes on service quality rather than walled gardens.

Trust-by-design controls preserve velocity while anchoring consumer protection. Standardised disclosures, consent receipts with simple revocation, clear liability and chargeback rules, and 24/7 incident notification with remediation SLAs build structural trust into products rather than relying on post-incident enforcement.

Data portability and purpose-bound consent enable competition without sacrificing privacy. Human-readable and machine-readable consent, unified consent logs, easy export of transaction history, and strong audit trails let users move their data and value safely between providers.

Inclusive design as non-negotiable. Design for the hardest-to-reach first – offline and low-bandwidth modes, vernacular languages, accessibility features, agent networks, fee caps for small values, user education, and dispute assistance. This expands the addressable market and meets public-interest mandates.

Model governance for AI and machine learning encourages advanced analytics under rigorous guardrails. Documented model inventories, explainability artifacts, bias testing, challenger models, monitored drift, and clear accountability unlock alternative data for thin-file customers while preventing harm.

Operational resilience and third-party risk ensure reliability as part of consumer protection. Minimum resilience SLOs covering RTO and RPO, standard incident tiers, cloud and outsourcing transparency, and periodic failover drills mean innovation scales only when uptime, recovery, and vendor risk are governed.

What should be done now? Regulators should set an interoperability baseline requiring domestic schemes to support open APIs, standard QR, and account-to-account transfers with public conformance suites. Codify user protections through standardised disclosure templates, consent receipts, and redress timelines. 

Make proportionality explicit by publishing risk tiers for KYC, monitoring, and reporting. Establish an operational resilience rulebook harmonising incident reporting, minimum SLOs, and third-party risk expectations. Market infrastructures should offer shared utilities – KYC and KYB rails, dispute resolution hubs, fraud and mule data-sharing, scheme-wide risk analytics – to level the field for smaller providers. Financial institutions and wallets should design for portability with exportable transaction histories, interoperable identifiers, and clear off-ramps. 

Embed trust controls: explainable decisions, model logs, consent audit trails, published uptime and dispute KPIs. Build inclusion playbooks with offline features, agent-assisted flows, low-value fee relief, multilingual support, and financial education content.

The UAE collections tool worked – but stopped at the firm boundary. Today’s wallets often do the same by design. The cure is to institutionalise interoperability through open rails, fair access, and clear recourse while enforcing trust primitives like consent, portability, resilience, and redress. That balance lets innovation move fast while value and data move freely and safely – which is how inclusion, consumer protection, and trust are sustained.


Elias M. Tayeh is a digital finance strategist with over 20 years of international experience leading fintech, regulatory, and digital transformation initiatives across the MENA region, West Africa, and beyond. He is the Founder and General Manager of Cedratech Consulting Services Ltd., a consultancy specialising in digital finance solutions, systems modernisation, and systems integration. He also serves as Managing Director of Epic Payment Technologies Ltd., a licensed Payment Services Provider under the Central Bank of Nigeria. Elias has advised semi-governmental authorities, regulatory authorities and financial institutions on open banking, Digital Finance, RegTech, SupTech, and national payment platforms. His work emphasises and embeds financial inclusion, consumer protection, SME finance, and women-led business empowerment. He has delivered training programmes at the IBS Fintech Academy Jordan, CBF Tunisia, and Alex Bank Egypt, and has collaborated on large-scale projects with GOPA AFC, GFA Group, and the Frankfurt School of Finance & Management. He also recently participated as a session chair and session moderator at the Amman Forum 2025 – “Harnessing Artificial Intelligence in Combating Money Laundering and Terrorism Financing: Opportunities, Risks, and the Way Forward”, held in September 2025 in Amman, Jordan. The forum addressed topics such as artificial intelligence in AML/CFT, supervisory innovation, and the role of RegTech and SupTech in compliance.