Given Bankers’ customers’ market awareness of Banks’ liabilities for non-compliances to CBN’s (Central Bank of Nigeria) regulatory framework to Banks for the use of unstructured supplementary service data (USSD) financial services in Nigeria (the “USSD Regulatory Framework”) which became effective on 01:06:2018, it is necessary for compliance officers and programmers to use a Checklist to ensure that USSD banking applications comply strictly with the USSD Regulatory Framework.
1. DEFINITIONS
Financial institutions include Banks, Switches, Application vendors, Payment Providers (mobile money operators (MMO) and mobile network operators (MNO)) as well as value added service providers while USSD means Unstructured Supplementary Service Data, a text messaging application that provides session-based communication. It is a technology used by the network to send information between a mobile phone and an application on the network. It will allow any subscribers to initiate banking transaction using short codes (starting with * and ending with #) and on USSD menus on a mobile phone <\p>
2. PROCESS CONTROL AND SECURITY
MMOs may obtain USSD short codes (USSD codes) from NCC upon satisfying NCC’s requirements for USSD codes and except for MMOs, NCC would require a letter of no objection/introduction from CBN before issuing any USSD codes.
Auditable encryption is required – this means CBN should have access to transaction history as well as any other competent bodies including dispute resolution bodies. USSD Banking application does not “operate by store and forward”, that is, data are not stored on the mobile phone or on the application.
USSD banking application should be able to validate that requests are generated through authenticated users through a combination of any of International Mobile Subscriber Identity (IMSI), Date of SIM Swaps, Date of Mobile Station International Subscriber Directory Number (MSISDN) Recycle, International Mobile Equipment Identity (IMEI) and, date of device change amongst others.
It should display status of each customer’s transaction on its menu and it must not rely details of any other e-banking channels (in case of banks) to a customer.
USSD banking at the minimum should transmit secured messages between network operator and USSD aggregators, and between the USSD aggregators and the bank while any customer information that is logged by the USSD banking application during transaction should not include sensitive information such as customer PIN.
Ensure that encrypted data stored by the USSD banking application at Financial Institutions’ is warehoused subject to NCC’s minimum security standard for MNOs and aggregators. It should enable customers to opt in or opt out of the USSD Banking application.
3. COMPLIANCE OBLIGATIONS
N100, 000.00 daily transaction limit is imposed while allowing customers to increase their higher limits provided they execute indemnities in favour of service provider. USSD banking application can include options of e-indemnity forms with e-signature options.
Any customer’s transactions above N20 000.00 must require an effective 2nd factor authentication (2FA) which must be in addition to the PIN being used as a 1st level authenticator (1st LA). Ensure that 1st LA applies to any transaction amounts and note that USSD banking application should not send 2FA to a customer’s registered GSM number or device. This is because USSD banking application should be able to identify each customer’s device and SIM in addition to any other form of device registration that may be required.
You have to ensure it embeds a Behavioural Monitoring system with capability to detect SIM-Swap/Churn status, user location, and unusual transactions at weekends amongst others.
USSD banking service providers should set up dispute resolution mechanism to facilitate and resolve USSD banking complaints within 3 (three) working days’ time limit otherwise it will be penalized by CBN.
Ensure that your company (if a non-financial institution) executes an SLA with a financial institution, MNOs/VAS and a payment Aggregator which should contain key provisions of NCC’s Quality of Service (QoS) Regulation and service availability requirements of e-payment services of the CBN.
USSD banking application should include options that allow customers to block their account from operating USSD banking service and no USSD banking application should be activated if this feature is not included.
Finally, NCC and CBN has powers to fine USSD banking service providers for any non-compliance.