Online payments reached record heights in Nigeria in the third quarter of 2020, when the value of transactions increased to $116 billion from $68.3 billion in the same period in 2019. But this welcome jump came with a staggering increase in financial fraud.
Between January and September 2020, fraudsters made over 46,000 attempts on customer accounts, three times the level for the same period the year before. 91% of those attempts succeeded. In the 9 months between January and September 2020, fraudsters stole 5 billion naira ($12 million) from customer accounts (pdf), the equivalent of 173,000 Nigerian workers’ minimum wage for a month.
The trend sets Nigeria back as it pivots to a cashless financial system that was, among other things, motivated by a desire to prevent financial fraud. In response, Nigeria’s central bank has published new guidelines this week to tighten the screws around the system behind the unique 11-digital bank verification numbers (BVNs) that identify bank customers.
And by doing so, the regulator is upgrading its watchlist to more easily track offenders.
CBN is safeguarding a crucial fintech backbone
Since Nigeria introduced BVNs in 2014, every bank customer has been mandated to get one, except for entry-level accounts that have a N50,000 (about $100) maximum deposit limits. Customers provide personal biodata, and biometrics at a bank branch or through an agent to a BVN.
As of April 2020, there were 41 million BVNs in Nigeria. Since a customer can only have one regardless of how many bank accounts, it is the best proxy for knowing how many Nigerians are included in the formal financial system. BVNs are arguably the foundational identity instruments that have enabled Nigeria’s fintech boom, especially because no trusted digital identity standard existed before them.
But the CBN and other key actors responsible for managing the BVN database—namely banks, and the Nigeria Inter-bank Settlement Scheme (NIBSS)—appear to have been lax in managing the BVN database over the years.
Anecdotes and at least one research study suggest that fraudsters have used customer BVNs to steal money from unsuspecting customers. Fraud was so pervasive that some fintechs, including Paystack, were cut off from having access to the database in April. With the new guidelines, the CBN clarifies the kind of companies with access to the database and under what terms.
Banks are central to Nigeria’s financial watchlist
Banks, and other Nigerian financial institutions that are not payment service providers can access the BVN database, without the CBN’s approval. This covers digital banking startups like Carbon, Fairmoney, and Kuda which have requisite banking licenses that qualify them. But payment service providers like Paystack, and credit bureaus need access from NIBSS, and even then customers’ consent is required.
If a breach is associated with the operation of your account/wallet, you agree that we have the right to apply restrictions to your account/wallet and report to appropriate law enforcement agencies in line with extant laws.
But for the privilege they are given, banks will have to be central to populating the CBN’s watchlist, which is basically a record of the BVNs of customers who have been involved in confirmed cases of breaches.
Banks have to report such customers’ BVNs to the watchlist within one business day, the CBN said. In addition, bank apps will be plugged to the watchlist so that anyone who wants to run a check during a transaction can know the status of an account.
In fact, banks will start showing a disclaimer along these lines to customers:
“If a breach is associated with the operation of your account/wallet, you agree that we have the right to apply restrictions to your account/wallet and report to appropriate law enforcement agencies in line with extant laws.”
What counts as a breach?
Because the CBN has shut down accounts this year for reasons like trading cryptocurrency or enabling dollar-denominated stock investing, a watchlist that punishes customer offenses raises some eyebrows.
It is probably why the CBN lists 23 so-called breaches in the new guidelines. The list includes obviously problematic acts like using forged documents, identity theft, extortion, receipt of fraudulent proceeds, and refusing to reverse payments received in error when asked to. Some others are more nebulous, like “dishonest acts.”
When banks report customers for any of these, NIBSS will host and secure the database of offending BVNs.
Sign up to the Quartz Africa Weekly Brief here for news and analysis on African business, tech, and innovation in your inbox.