Proofreading USSD Banking Applications in Nigeria: A Compliance Officer’s and Developer’s Checklist

 

Bank customers are increasingly aware of banks’ liabilities for non-compliance with the Central Bank of Nigeria’s (CBN) regulatory framework for the use of unstructured supplementary service data (USSD) financial services in Nigeria (the “USSD Regulatory Framework”), which became effective on 01:06:2018. It is therefore necessary for compliance officers and programmers to use a checklist to ensure that USSD banking applications comply strictly with the USSD Regulatory Framework.

1. Definitions

Financial institutions include banks, switches, application vendors, payment providers (mobile money operators (MMO) and mobile network operators (MNO)) as well as value added service providers. USSD means Unstructured Supplementary Service Data, a text messaging application that provides session-based communication. It is a technology used by the network to send information between a mobile phone and an application on the network. It allows any subscriber to initiate banking transactions using short codes (starting with * and ending with #) and USSD menus on a mobile phone.

2. Process Control and Security

MMOs may obtain USSD short codes (USSD codes) from NCC upon satisfying NCC’s requirements for USSD codes. Except for MMOs, NCC would require a letter of no objection/introduction from CBN before issuing any USSD codes.

Auditable encryption is required: this means CBN, as well as any other competent bodies including dispute resolution bodies, should have access to transaction history. A USSD banking application does not “operate by store and forward”, that is, data are not stored on the mobile phone or on the application.

A USSD banking application should be able to validate that requests are generated by authenticated users, using a combination of any of International Mobile Subscriber Identity (IMSI), date of SIM swaps, date of Mobile Station International Subscriber Directory Number (MSISDN) recycle, International Mobile Equipment Identity (IMEI) and date of device change, amongst others.

It should display the status of each customer’s transaction on its menu, and it must not relay details of any other e-banking channels (in the case of banks) to a customer.

At a minimum, USSD banking should transmit secured messages between the network operator and USSD aggregators, and between the USSD aggregators and the bank. Any customer information that is logged by the USSD banking application during a transaction should not include sensitive information such as the customer PIN.

Ensure that encrypted data stored by the USSD banking application at financial institutions is warehoused subject to NCC’s minimum security standard for MNOs and aggregators. The application should enable customers to opt in or opt out of the USSD banking application.

3. Compliance Obligations

A daily transaction limit of N100,000.00 is imposed, although customers may set higher limits provided they execute indemnities in favour of the service provider. A USSD banking application can include options for e-indemnity forms with e-signature options.

Any customer transaction above N20,000.00 must require an effective 2nd factor authentication (2FA), which must be in addition to the PIN being used as a 1st level authenticator (1st LA). Ensure that the 1st LA applies to any transaction amount, and note that the USSD banking application should not send 2FA to a customer’s registered GSM number or device. This is because the USSD banking application should be able to identify each customer’s device and SIM in addition to any other form of device registration that may be required.
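The identity, limit and 2FA rules above can be encoded as a single server-side authorization gate. The sketch below is an added example, not code from this article or from the USSD Regulatory Framework; the field names, channel labels, refusal reasons and the decision to refuse on an IMSI mismatch are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DAILY_LIMIT = 100_000         # N100,000.00 default daily limit (from the checklist)
SECOND_FACTOR_ABOVE = 20_000  # 2FA required above N20,000.00 (from the checklist)
# Hypothetical channel labels: 2FA must not go to the registered GSM number or device.
FORBIDDEN_2FA_CHANNELS = {"sms_registered_msisdn", "registered_device"}

@dataclass
class Customer:               # server-side record; field names are hypothetical
    registered_imsi: str
    spent_today: int          # whole naira already transacted today
    indemnity_limit: Optional[int] = None  # higher limit after an executed indemnity
    opted_in: bool = True
    blocked: bool = False     # customer has blocked the account from USSD banking

@dataclass
class Request:                # one USSD transaction request
    imsi: str                 # IMSI reported by the network operator for this session
    amount: int               # whole naira
    pin_ok: bool
    second_factor_ok: bool = False
    second_factor_channel: str = ""

def authorize(c: Customer, r: Request) -> str:
    """Return "ok", or the reason the request is refused."""
    if not c.opted_in or c.blocked:
        return "ussd_disabled"
    if r.amount <= 0:
        return "invalid_amount"
    # Assumption: an IMSI that differs from the registered one is treated as a
    # possible SIM swap and refused until the customer re-registers.
    if r.imsi != c.registered_imsi:
        return "sim_mismatch"
    if not r.pin_ok:          # the PIN (1st LA) applies to every amount
        return "pin_required"
    limit = c.indemnity_limit or DAILY_LIMIT
    if c.spent_today + r.amount > limit:
        return "daily_limit_exceeded"
    if r.amount > SECOND_FACTOR_ABOVE:
        if not r.second_factor_ok:
            return "second_factor_required"
        if r.second_factor_channel in FORBIDDEN_2FA_CHANNELS:
            return "second_factor_channel_not_allowed"
    return "ok"

# Constructed sample data: a customer who has already moved N90,000 today.
alice = Customer(registered_imsi="621300000000001", spent_today=90_000)
print(authorize(alice, Request("621300000000001", 5_000, pin_ok=True)))
print(authorize(alice, Request("621300000000001", 15_000, pin_ok=True)))
```

The ordering matters: service status, SIM identity and PIN are checked before any limit, so a refusal reason never reveals how close an unauthenticated caller is to a customer's limit.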

You have to ensure it embeds a Behavioural Monitoring system with capability to detect SIM-Swap/Churn status, user location, and unusual transactions at weekends amongst others.

USSD banking service providers should set up a dispute resolution mechanism to facilitate and resolve USSD banking complaints within a time limit of 3 (three) working days; otherwise they will be penalized by CBN.

Ensure that your company (if a non-financial institution) executes an SLA with a financial institution, MNOs/VAS and a payment Aggregator which should contain key provisions of NCC’s Quality of Service (QoS) Regulation and service availability requirements of e-payment services of the CBN.

USSD banking application should include options that allow customers to block their account from operating USSD banking service and no USSD banking application should be activated if this feature is not included.

Finally, NCC and CBN have powers to fine USSD banking service providers for any non-compliance.

Osita Enwe Esq is a Managing Associate at SRJ Legal Practitioners and regularly advises and assists financial technology companies on a broad range of issues.

WRITTEN BY Osita Enwe

Osita has been called to the Nigerian Bar with a widening experience in corporate/commercial and transactional practice that include handling transactions for Individual and Institutional Clients as well as Foreign Investors in Institutional investment, acquisitions and, establishment of Nigerian companies; continual interface with Federal and State Government Agencies and MDGs, among others.

Contact him : oenwe@srjlegal.com
