SRJ

FRAUD IN NIGERIA’S FIN TECH SERVICES: A REGULATORY WEAK LINK?

INTRODUCTION

Our view is that fraud in Nigeria’s financial technology (“fin tech”) services result largely from regulatory and compliance weak links in Central Bank of Nigeria’s (“CBN”) and other regulators of micro or macro financial services’ regulatory and compliance procedures.

Micro financial services include micro-credit organizations that are not supervized by the CBN while other non-banks and financial institutions not regulated by the CBN are within the realm of macro financial technology service providers such as PFA or insurance companies.

Financial technology or fin tech services have given rise to democratizing digital financial services that include agency banking, mobile banking applications, USSD (unstructured supplementary service data) banking platforms, ATM (automated teller machines) and associated chip and PIN (card) transactions, mPOS (mobile point of sale) devices, POS (point of sale)  devices, utilities payment that include airtime vending or electricity, insurance sales as well as operation of retirement savings account.

EFiNA’s (enhancing financial innovation & access) 2019 reports claimed that key obstacles to uptake of mobile financial services in Nigeria include low awareness, access and trust. Fraud is identified as a material element of trust.

Adeyemo Kingsley acknowledged in year 2012 that incidence of fraud is not peculiar to Nigerian banking industry nor to Nigerian economy. Yet high rate of fraud within the banking industry called “for urgent attention with a view to finding solutions”.

NIBSS’ (Nigerian inter-bank settlement system) Fraud in the Nigerian Financial Services (volume 2) that analyzed frauds from Q3, 2019 to Q3, 2020, affirms that the total number of attempted frauds increased by 186% from year 2019 to 2021.

Fraud attempts via mobile channels saw a 330% increase year-on-year (“YoY”) while web and POS channels increased by 173% and 215% YoY. NIBSS noted that fraud was expected to continue as Nigeria grows its financial inclusion agenda that may result in consumers being increasingly dependent on digital financial services or fin tech.

 NIBSS in its report was unable to clarify proportion of fraud that arose internally against those externally perpetrated. It merely relied on global data when it stated that approximately 39% percent of frauds in the relevant year were perpetrated by external parties while 37% percent were carried out by internal parties.

Our discussion in this paper is limited to FIs regulated by the CBN only. We do not intend to comment on any other regulators that include PENCOM (National Pension commission), NAICOM (Nigerian insurance Commission) or NDIC (Nigerian Deposit Insurance Commission) or respective ministry within the State Government that regulate micro-lending organization, known as money lenders.

 FRAUD CATEGORIZATION

The office of controller of currency (“OCC”) categorizes fraud as follows:

  • Internal fraud occurs when a director, employee, former employee, or 3rd party engaged by a bank or financial institution commits fraud, colludes with another to commit fraud, or otherwise enables or contributes to fraud.
  • External fraud consists of 1st-party fraud and victim fraud. Usually committed by a person or entity that is not a bank or financial institution, employee, former employee, or 3rd party engaged by bank or financial institution.
  • 1st-party fraud occurs when an external party, including a bank customer, commits fraud against a bank or financial institution.
  • Victim fraud occurs when a bank customer or client is the victim of an intentional fraudulent act.

In Nigeria’s financial technology sector, fraud is broadly categorized as friendly fraud or 3rd party frauds. Friendly frauds occur when a customer discloses its sensitive personal details that include PIN, password, hardware token or e-token number  to any person and unauthorized debits or transactions result therefrom.

Nigerian banks or financial institutions (“FIs”) are generally not liable to customer for any friendly fraud that may include accessing micro-credits using customer’s e-banking channels and any form of “unauthorized” debits on a customer’s bank account.

In our view, fraud incidence that FIs bear reasonable degree of liabilities gravely outweigh fraudulent transactions where FIs bear no liabilities to consumers.

Consumers include beneficiaries of transactions performed on any FIs’ financial technology channels pursuant to FCCPA 2018 (federal competition and consumer protection act).

In Nigeria, regulators and media outfits hush internal fraud, given that Nigerian journalists deliberately do not name any FIs that is involved in any disputed transactions with its customers.

The CBN and other regulators do not publish any data related to internal frauds in Nigeria’s financial services sector. Nigeria’s financial services sector has come of age and, the culture of silence now works against its development as well as consumer protection.

REGULATORY QUESTIONS IN FRAUDS

The CBN is generally under-staffed, especially, its consumer protection department (“CPD”). As at year 2017, the CPD had 58 staff that were responsible for and should be responsive to over 30 million financial consumers in Nigeria.

CBN’ circular on establishment of industry fraud desk, 2015 (the “fraud desk circular”), recognizes NIBSS as the coordinator of all fraud desks across banks, mobile money operators (MMOs), switches and payment service providers.

Henceforth, we shall use FIs to mean all consumer-facing entities under CBN’s regulatory supervision.

The fraud desk circular mandates FIs not only to establish functional fraud desks but to implement across all e-channels, an enterprise fraud monitoring system capable of monitoring customers’ behaviours, patterns, and hold/block controls on transactions suspected to be fraudulent.

All FIs’ inter-bank transactions on all e-channels ought to pass through NIBSS’ central anti-fraud solution, and NIBSS shall have access to fraudulent transactions as well as provide monthly reports to CBN.

In Bonaventure Afamefuna Iyida v. Guaranty Trust Bank Ltd (unreported) suit number MCL/1338/2019, the claimant claimed against Gtb for refund of unauthorized debits in his account that occurred after his mobile phone was stolen and the thief allegedly activated USSD banking account that resulted in unauthorized debits.

Hon. (Magistrate) A. A. Runsewe, of Lagos Magisterial district, in her judgment delivered on 14:10:2021, found that Gtb allowed the debits on the claimant’s account without the required documented indemnity pursuant to CBN’s USSD regulation (regulatory framework for the use of unstructured supplementary service data for financial services in Nigeria). The USSD regulation requires Gtb in its USSD banking platform or Bank 737 not to perform any transactions above 100, 000NGN unless its customer had executed in its favour, an indemnity.

The honourable magistrate who had reached a clear judicial finding, in our view, performed a somersault in her reasoning when she found that Gtb’s failure in its obligation was not a cause of action or a duty to claimant but a breach that the CBN ought to sanction Gtb for only.

Our view is predicated on the fact that the USSD regulation is a subsidiary legislation, and claimant rightfully derives benefit from it, upon any wrong that include Gtb’s USSD banking (737) platform’s non-compliance with the USSD regulation.

USSD regulation requires FIs not to log customer’s PIN or send token to customers via the registered SIM or phone number. A PIN and a token or a 2FA (2nd factor authentication) are required for any transactions that exceeds 20, 000NGN.

In Bonaventure Afamefuna Iyida v. Guaranty Trust Bank Ltd (supra), Hon. A. A. Runsewe, found (per incuriam, to our mind) that ATM card PAN (primary account number) is a token or 2FA contrary to the USSD regulation’s definition of 2FA as a number that FIs send to a customer. – ATM card PAN is not a number that could be sent to a customer by any FIs as a token, given that it is impressed, permanently, on a customer’s ATM card.

Admittedly, we lack data on the proportion of fraud that arises from USSD banking transactions given that CBN lumps any such data into a broad categorization of ETF (electronic fund transfer) frauds.

Friendly frauds arise when customers compromise their sensitive details. Some frauds arising from USSD banking transaction result from FIs USSD banking platform’s non-compliance to the USSD regulation.

Nigerian legal services industry is yet to develop, in broad scale, the practice of auditing fin tech solutions’ compliance to regulatory standard – largely due to a debilitating knowledge gap and regulatory weak links.

CBN’s framework for regulatory sandbox operations, 2021, will assist in reducing fin tech company’s exposure during a Go Live situation. Prior to year 2021, fin techs had to go live in an open market (with the attendant risks) instead of within a regulated sandbox.

Internet banking and mobile banking applications are relatively more secured than USSD banking. These e-channels are apparently underutilized, perhaps, because it is internet data enabled as against USSD banking that rides on mobile telephone network operations.

Friendly frauds may occur in respect of internet banking and mobile banking. ATM card related frauds result from friendly fraud or pretentious social relationship.

EFCC (economic and financial crime commission) asserts that majority of frauds in the banking sector were committed by insiders especially information and communication technology (ICT) employees

All frauds arising from agency banking result from compromised card details (friendly fraud) or if EFCC’s assertion is correct, from FI’s employees or FI’s employees assisting external persons.

It is common assumption within Nigeria’s financial service industry that FIs’ employees aid in defrauding customers. Credible data are unavailable given the conspiracy of silence by media practitioners and regulators.

CONCLUSION

At the heels of fraud in Nigeria’s financial technology services is low level of financial literacy or education, over-stretched or under-stretched regulators, knowledge gap among professionals and law enforcement officers, as well as perennial high cost of consumers’ redress mechanism.

Nigeria’s lack of financial ombudsman framework that results from government’s apparent unwillingness to enact the financial ombudsman act weakens the financial inclusion drive and the digital economy plan of the federal government of Nigeria.

We had argued that a multi-sectorial approach to implementing the digital economy plan will benefit all and not a select few.

CBN’s commitment to fulfil its statutory role is not to be doubted yet it is peopled by Nigerians who share similar work ethics and world view with the rest of us. For CBN to succeed in its drive to ensure financially educated consumers, it must more intentionally surround itself with staff and employees of entities under its supervision with work ethics comparable to other front-line economies.

Pursuant to BOFIA (banks and other financial institutions act) 2020, CBN may utilize the services of other persons who are not its staff in performing some of its functions.

Insistence on ethical compliance to regulations will incrementally secure our financial technology market. Fraud which diminishes trust should be deliberately abhorred by all stakeholders.

Osita Enwe heads our fin tech, Agribusiness law and, education law groups

You may give your feedback to Osita on oenwe@srjlegal.com

Scroll to Top