The Central Bank of Nigeria (CBN) on 17 April 2018 issued a regulatory framework to Banks for the use of unstructured supplementary service data (USSD) banking services (the “USSD Regulatory Framework”), which became effective on 1st June 2018. The USSD Regulatory Framework applies to financial institutions, including Banks and other payment service providers, mobile money operators, mobile network operators, value added services providers or aggregators, and anyone using USSD banking services in Nigeria.
The CBN acknowledged in the introductory paragraph of the USSD Regulatory Framework that “mobile phone has become a veritable tool for enhancing financial inclusion” in view of the advent of mobile payments, mobile commerce, mobile banking and other types of mobile telephony based financial transactions.
According to the USSD Regulatory Framework, USSD banking service “is a protocol used by the GSM network to communicate with USSD banking service providers’ platform”. It is a real-time messaging technology which Banks’ customers access through a string that begins with an asterisk (*) and ends with a hash (#). The USSD Banking service does not “operate by store and forward”; this means that data are stored neither on the mobile phone nor in the application.
Nairametrics on 24th October 2019 reported that, according to the CBN’s Financial Stability Report (December) 2018, fraud related to mobile payment channels in Nigeria ranked second at 28.21% for the year 2018, after ATM (automated teller machine) related fraud at 34.87%, while POS (point of sale) related fraud stood at 19.55%. We note that POS fraud often includes fraud related to mobile payment channels, given that USSD banking fraud can also be consummated through POS withdrawals on any POS-enabled account or through agency banking.
The CBN’s USSD Regulatory Framework acknowledges that USSD banking has given rise to risks and exposures for Banks and other financial institutions due to breaches of its technology and associated threats. It noted the customers’ exposure to risk in the absence of a common standard for all stakeholders. The core objective of the USSD Regulatory Framework is to “establish the rules and risk mitigation considerations when implementing the USSD for financial services offering in Nigeria.”
The USSD Regulatory Framework requires Banks and other financial institutions to install proper encryption and message authentication solutions to ensure that requests are generated by authenticated users. This implies that each user of USSD banking must be authenticated not only through the registered telephone number (known as the mobile station international subscriber directory number, or MSISDN) but also through the international mobile subscriber identity (IMSI). The IMSI is used internally within telephone systems to identify the telephone, the date of SIM swaps, the international mobile equipment identity (IMEI), amongst other details. Had Banks in Nigeria, out of their duty of care to their customers, complied with this particular requirement, the rate of USSD banking fraud would have been near zero.
Another key feature of the USSD Regulatory Framework is that Banks are not allowed to send customers’ sensitive information, such as the PIN (personal identification number), through the USSD application. This means that for any fraudulent debit to a Bank’s customer where the PIN had been logged through the USSD Banking application, the Bank is liable to the Customer for negligence, and upon any default on a request for a refund by its customer it will be liable for damages.
Certain Banks claim that they do not activate the USSD Banking application; rather, customers activate it themselves by inputting their ATM card PIN and authenticating it through the OTP (one time password), usually sent to the customer’s registered telephone number and mobile phone. This practice flagrantly violates the USSD Regulatory Framework.
Banks are not allowed to roll out a USSD Banking application if it does not allow a customer to deactivate USSD Banking services or to opt in or out of the channel. The USSD Regulatory Framework sets a daily limit of N100,000.00 (one hundred thousand naira) for USSD transactions, provided that customers may in writing authorize Banks to debit their account for any amount in excess of the daily limit. In that event, the Bank must require the Customer to indemnify it against any losses that may arise from USSD banking.
In addition to the PIN required for authentication of the USSD Banking service, the USSD Regulatory Framework mandates Banks to use a second factor of authentication (2FA), otherwise known as an OTP, which the Bank shall not send to the Customer through the Customer’s registered GSM number or device and which must not be displayed on the USSD menu or screen. This has far-reaching implications aimed at protecting the Customer, but certain Banks have failed to observe this vital requirement while lamely denying their liability for any unauthorized debits via the USSD banking application.
We note that Banks are perpetually liable to their Customers for any fraud or loss of deposit money arising from USSD banking services where they failed to observe any of the foregoing requirements of the USSD Regulatory Framework. Almost all USSD fraud would have been avoided if Banks had faithfully implemented the customer-friendly prescriptions of the USSD Regulatory Framework.
Second factor authentication (2FA), or OTP, is required for any transaction above N20,000.00 (twenty thousand naira), in addition to the PIN, which is the first layer of authentication. According to the USSD Regulatory Framework, neither the PIN nor the 2FA can be sent to the customer through the USSD application. In our view, the PIN contemplated by the USSD Regulatory Framework appears to be similar to the PIN used in internet banking services and not the ATM card PIN, while the OTP should be in the form of the OTP used for web payments, which is generated per transaction. We do not know of any Nigerian Bank that requires both a PIN and an OTP for USSD transactions.
Nearly all USSD fraud occurs after robbers or thieves snatch from a customer the mobile phone carrying the number registered against the customer’s bank account, and then use that registered number to initiate USSD transactions. In response, Banks negligently debit customers’ accounts in excess of the daily limits without a 2FA, and in some instances without use of a PIN, in clear breach of the USSD Regulatory Framework. Customers can now instruct Lawyers skilled in this practice to recover from their Bank all unauthorized debits via the USSD application, including damages for negligent breach of contract.
The USSD Regulatory Framework requires Banks, effective from 31st October 2018, to install Behavioural Monitoring Systems capable of detecting SIM-swap/churn status, user location, and unusual transactions at weekends, amongst others. The CBN’s reference to Behavioural Monitoring Systems is a clear reference to the Banks’ obligation to monitor suspicious or fraudulent transactions under the 2015 Establishment of Industry Fraud Desk, a directive of the CBN to deposit money Banks and payment service providers in Nigeria.
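To show how the controls described above (authentication against the registered MSISDN and IMSI, a PIN as first factor, an out-of-band OTP above N20,000, the N100,000 daily limit with written override, opt-out of the channel, and a behavioural flag for weekend activity) combine into one authorization decision, here is an added example in Python; it is illustrative code, not part of the framework or any Bank’s system, and the `Account`/`Request` fields, the use of an IMSI captured at enrolment as a SIM-swap signal, and the sample values are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

DAILY_LIMIT_NGN = 100_000      # default daily USSD cap in the framework
TWO_FA_THRESHOLD_NGN = 20_000  # above this a second factor (OTP) is mandatory

@dataclass
class Account:
    msisdn: str                 # registered telephone number
    imsi_at_enrolment: str      # IMSI captured when USSD was activated (assumed field)
    ussd_enabled: bool = True   # customer may opt in/out of the channel
    daily_limit_override: Optional[int] = None  # written authorisation above the default
    spent_today: int = 0        # amount already debited via USSD today

@dataclass
class Request:
    msisdn: str
    imsi: str            # IMSI reported by the network for the originating SIM
    amount: int
    when: datetime
    pin_verified: bool   # first factor, checked against the bank's own store
    otp_verified: bool   # second factor confirmed out-of-band, never via the USSD screen

def authorize(req: Request, acct: Account) -> Tuple[bool, List[str], List[str]]:
    """Return (approved, hard-deny reasons, review flags for the fraud desk)."""
    deny, flags = [], []
    if not acct.ussd_enabled:
        deny.append("channel opted out")
    if req.msisdn != acct.msisdn:
        deny.append("msisdn mismatch")
    if req.imsi != acct.imsi_at_enrolment:
        # assumption: a changed IMSI on the registered number signals a SIM swap
        deny.append("imsi changed since enrolment (possible sim swap)")
    if not req.pin_verified:
        deny.append("pin not verified")
    if req.amount > TWO_FA_THRESHOLD_NGN and not req.otp_verified:
        deny.append("2fa required above threshold")
    limit = acct.daily_limit_override or DAILY_LIMIT_NGN
    if acct.spent_today + req.amount > limit:
        deny.append("daily limit exceeded")
    if req.when.weekday() >= 5:
        # Saturday/Sunday: behavioural flag for review, not a denial on its own
        flags.append("weekend transaction")
    return (not deny, deny, flags)
```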
In view of the way Banks carry on their USSD Banking services in Nigeria, in clear breach of the USSD Regulatory Framework, Banks are generally liable to their customers for unauthorized debits via USSD banking. Nigerian Banks can only attempt to evade liability for USSD banking related fraud, perhaps, because of the combined and cumulative effect of their customers’ apathy towards our courts of law and the administration of justice, and legal practitioners’ seemingly apathetic concern for promoting the rule of law in Nigeria. The rule of law is an acknowledged bedrock and fulcrum of any true development in a society.