A REVIEW OF CBN’S EXPOSURE DRAFT GUIDELINES FOR CONTACTLESS PAYMENT IN NIGERIA

Introduction

The CBN’s (Central Bank of Nigeria) exposure draft Guidelines for Contactless Payments[1] in Nigeria (“Draft Guidelines for Contactless Payments”) describe contactless payments as a buyer and seller completing financial transactions without physical contact between the parties and the acquiring devices.[2]

Put more plainly, contactless payment is a payment method which enables consumers to pay for goods and services by tapping a contactless payment-enabled EMV card over a contactless-enabled payment terminal.

Contactless payments are secured methods of paying for products or services in which a debit, credit or smart card, key fob or hardware token, mobile electronic device, or wearable device is presented to another payment device using Radio Frequency Identification technology or Near Field Communication.[3]

EMV Cards are globally accepted (ATM) cards. EMV stands for Euromoney Mastercard Visa-compliant. EMV Cards, known as ATM (automated teller machine) cards in Nigeria, are credit cards, debit cards and smart cards that are usable on ATMs, POS (point of sale) terminals, whether Android POS or traditional POS, payment portals and contactless devices.

Contactless payment is lauded as an innovative payment option in the payment services industry. It is considered a safe and efficient option for low-value large-volume payments.[4]

Assurances to Digital Financial Consumers

Consumers harbour myths that contactless payments are unsafe because of split or multiple transactions below the threshold. Thresholds are the limits below which low-value transactions do not need 2FA (second-factor authentication).

Thales Group[5] argues that unlike older generations of banking cards with magnetic stripes, EMV cards use an intelligent microprocessor chip technology which secures the cardholder’s credential and performs cryptographic computation to protect the cards’ communication with the POS terminal and the processing network.

According to Thales Group, since chips in EMV cards are virtually impossible to tamper with or clone, EMV cards are less vulnerable to counterfeit fraud than magnetic stripe cards.

Fraud-Proof Payment Option

We know that most frauds in Nigeria’s payment system arise from friendly fraud, namely family, friends and related third parties.

Friendly fraud occurs when a digital financial consumer discloses her sensitive personal details such as a PIN (personal identification number), password, hardware token or key fobs, or e-token number to a third party which results in an unauthorized debit.[6]

Contactless payments are fruits of the CBN’s[7] powers to regulate banks and other financial institutions under s.56 (2), Banks and other Financial Institutions Act (“BOFIA”) 2020 and the CBN’s mandate to ensure a safe and stable financial system in Nigeria[8].

Contactless payments further the CBN’s regulatory role to standardize operations in Nigeria’s payments system and sustainable system stability in the banking industry.

Types of Contactless Payments

Historically, contactless payments were first introduced in the 1990s.[9] Incentivised by post-COVID-19 regulatory approaches, contactless payments are becoming a mainstream payment option, and Nigeria is willing to tap into it while aiming to protect digital financial consumers.

There are two principal types of contactless payments in the payment sector. One type transmits through a traditional credit or debit card equipped with an RFID chip. RFID means radio-frequency identification.

The other transmits from a Smartphone, tablet, or wearable device equipped with an NFC (Near Field Communications) chip.[10]

No matter the type of contactless payment, the Draft Guidelines for Contactless Payment were “conceived to ensure that participants in the contactless payment implement appropriate risk management processes and measures while keeping to best relevant standards”.[11]

Objectively, the Draft Guidelines for Contactless Payment provide minimum standards and requirements for the operations of contactless payments in Nigeria while specifying the roles and responsibilities of the stakeholders involved in this form of payment.

The Stakeholders in Contactless Payments

The stakeholders involved in Contactless payment under the Draft Guidelines for Contactless Payments are:[12]

  1. Acquirers
  2. Issuers
  3. Payment Schemes
  4. Card Schemes
  5. Switching Companies
  6. Payments Terminal Service Providers
  7. Payment Terminal Service Aggregator
  8. Merchants
  9. Terminal Owners and
  10. Customers.

The CBN reserves the right to add or restrict critical players in the Contactless payment. The Draft Guidelines for Contactless Payment specify each stakeholder’s role and responsibility and conditions for participation.

Conditions for Participating in the Contactless Payments

Stakeholders in the Contactless payments that process and/or store customer information shall ensure that their terminals, applications and processing systems comply with the following standards at the minimum:[13]

(I) Payment Application Data Security Standard (PA DSS)

(II) Payment Card Industry PIN Entry Device (PCI PED)

(III) Payment Card Industry Data Security Standard (PCI DSS)

(IV) Advanced Encryption Standards (AES)

(V) ISO 27001 Information Security Management System

(VI) and other standards as may be specified by the CBN from time to time.

Stakeholders must comply with and maintain the minimum standards and required security certifications in the payment industry.

Compliance Regime

The Draft Guidelines for Contactless Payments propose to allow the CBN to determine transactions and the daily thresholds on contactless payment channels.

Payments below the daily thresholds would be completed without customer verification. Contactless payments above certain thresholds will require customer authentication such as a PIN, mobile code, or biometric identifier.

All stakeholders who process and store customers’ information[14] must ensure that terminals, applications and processing systems comply with these requirements.

Participants in Contactless Payments must obtain CBN’s approval for contactless payments products and value-added services.[15]

Contactless payment operators must execute a Contactless payment agreement which spells out terms and conditions and complies with the minimum requirements set by the CBN.[16]

Before concluding a contactless payments transaction, the transaction value and associated charges must be communicated to the customer.

The Draft Guidelines for Contactless Payments require issuer or brand agnosticism[17]. Contactless payment devices must accept all EMV cards or approved payment instruments.

All domestic contactless payments are switched through the Nigerian Central Switch (NCS) as managed by NIBSS (Nigerian Inter-Bank Settlement System).

All contactless devices must be connected to a bank-verified bank account or wallet in Nigeria.

Contactless payment operators render monthly transaction returns on transaction value, fraud, data, and failed transactions to the CBN in a prescribed format.

Opportunity for Investors

The ever-developing financial technology leads to an advancement in payment options and the emerging frontline use of contactless payments.

The contactless payment market may reach a global value of over one hundred and sixty-four billion United States Dollars by 2030[18]. Nigeria must tap into that transaction value.

In September 2022, Interswitch, in partnership with Providus Bank, MasterCard and Thales Group, introduced a new Tap-to-Pay service in Nigeria.[19]

Additionally, Now-Now[20], a Nigerian Fintech that offers Tap-and-Pay services, recently raised USD 13 Million in seed investment and is expected to increase the adoption of contactless payment in Nigeria.

Similarly, Squad by GTB and Kuda[21], financial technology service providers, have introduced soft POS solutions, expected to drive the adoption of Contactless Payments in Nigeria.

We believe that contactless payments will gain adoption in Nigeria given that Nigerian consumers are highly aspiring and contactless payments add to personal style and the “ephizzy”, in addition to speed and convenience.

We submit that the Nigerian private sector is ready to benefit from contactless payments as digital financial consumers warm up for active use of contactless devices.

Consumer Protection Regime

Potential risks in adopting contactless payments include fraud, hacking of contactless payment networks, data privacy, customers’ trust deficit and the implications of the absence of authorization.

2020 research showed that £16 million was lost to contactless payments fraud in the UK. The UK contactless payments fraud accounted for 2.9% of overall card fraud losses.

This was while 55% of all card transactions were contactless. With adequate standards and compliance, contactless payments are convenient and significantly secure.

We noted how Thales Group opined that contactless payments are safer than traditional magnetic stripe credit card payments. Scammers have mastered the art of skimming customer data off magnetic stripes, which do not encrypt customer data.

Contactless payments use chip-reading technology, which adds an extra barrier of security: a rapid series of encrypted messages between the payment terminal and a financial institution that makes fraud nearly impossible.

Conclusion

Innovative regulation adapts to the environment. The draft regulation for contactless payment in Nigeria provides minimum standards and compliances.

The Draft Guidelines for Contactless Payments did not specify the daily limits, a matter that the CBN has pronounced upon in the cash withdrawal limit.

Given the security features of contactless payments, an innovative regulatory approach and intentional customer confidence building will foster early adoption and scalability.

[1] https://www.cbn.gov.ng/Out/2022/CCD/Draft%20Guidelines%20for%20Contactless%20Payments%20in%20Nigeria.pdf Accessed on 06.01.2023

[2] Ibid

[3] www.investopedia.com Accessed on 11.01.2023

[4] https://www.cbn.gov.ng/Out/2022/CCD/Draft%20Guidelines%20for%20Contactless%20Payments%20in%20Nigeria.pdf Accessed on 06.01.2023

[5] https://www.thalesgroup.com/en/markets/digital-identity-and-security/banking-payment/cards/contactless/how-it-works#:~:text=Because%20low%2Dvalue%20contactless%20transactions,fraud%20amount%20would%20be%20negligible. Accessed on 09.01.2023

[6] Osita Enwe, https://srjlegal.com/fraud-in-nigerias-fin-tech-services-a-regulatory-weak-link/ Accessed on 09.01.2023

[7] Central Bank of Nigeria

[8] s.2(d), CBN Act 2007

[9] Banks AM “History of contactless payment: From past century to present day”

[10] Contactlesspayment/google.com

[11] The vanguard news website www.vanguardnews.com.

[12] Exposure Draft for the Guidelines for Contactless payment in Nigeria pg. 3 table 4.0

[13] Exposure Draft for the Guidelines for Contactless payment in Nigeria pg. 4 table 5.0

[14] This covers all stakeholders except the Customers themselves.

[15] Exposure draft guidelines

[16] Ibid

[17] Without inherent bias for or against any brand.

[18] Grand View Research ‘Global contactless payments market’.

[19] https://interswitchgroup.com/interswitch-mastercard-and-providus-bank-launch-contactless-tap-to-pay-transactions-via-smart-devices-in-nigeria

[20] https://nownow.ng/

[21] https://proshare.co/articles/a-consideration-of-cbns-guidelines-on-contactless-payments?menu=Regulators&classification=Read&category=CBN%20Circulars%20%20%26%20Publications