The Central Bank of Nigeria (CBN) yesterday pegged maximum daily transactions through the mobile phone Unstructured Supplementary Service Data (USSD) channel at N100,000. The implementation of the policy starts June 1.
Due to the absence of set rules on USSD transactions, many commercial banks allow various limits, ranging from N100,000 to N500,000 and above in some cases, depending on customers’ risk absorption levels. This has exposed many customers’ transactions to high risk, with billions of naira lost to fraudsters.
The new framework, signed by CBN Director, Banking & Payments System Department, ‘Dipo Fatokun, said the vast applications of the USSD technology, in terms of available services, have raised the issue of the risks inherent in the channel.
The USSD technology is a protocol used by the GSM network to communicate with a service provider’s platform. It is a session-based, real-time messaging communication technology, accessed through a string that normally starts with an asterisk (*) and ends with a hash (#). It is considered cost effective, more user-friendly, faster in concluding transactions, and handset agnostic.
The framework noted concerns about the likely exposure of CBN-approved entities to possible breaches of USSD-accessed financial services, in view of likely vulnerabilities in the technology and the ever-growing threats.
Fatokun said the policy shift was in furtherance of CBN’s mandate to develop and enhance security of the electronic payment system. The implementation of the policy starts June 1, 2018.
In a circular to banks, switches, Mobile Money Operators (MMOs), Payment Solution Service Providers and microfinance banks, among others, Fatokun said that although the N100,000 limit per customer, per day for transactions applies, customers desirous of higher limits shall execute documented indemnities with their banks or MMOs.
The CBN, he said, has also mandated the use of an effective second factor authentication by customers for all transactions above N20,000. This, he said, shall apply in addition to the Personal Identification Number (PIN) being used as first level authenticator, which applies to all transaction amounts.
According to the framework, banks shall not send the second factor authentication to the customer’s registered GSM number or device; and it shall not be generated or displayed on the USSD menu.
Banks, it added, are also required to install a Behavioural Monitoring system with the capability to detect SIM-Swap/Churn status, user location and unusual transactions at weekends, among others. This shall be achieved by 31st October 2018.
The framework said financial institutions shall be responsible for setting up a dispute resolution mechanism to facilitate resolution of customers’ complaints and shall treat and resolve any customer-related issues within three working days. Also, non-compliance shall be subject to penalty, as may be prescribed by the CBN, from time to time.
“There shall be Service Level Agreement between the Financial Institutions and MNOs/VAS & aggregators, benchmarked against the Nigeria Communication Commission Quality of Service (QoS) regulation and service availability requirements of electronic payment services of the CBN,” it said.
It said service providers should put in place systems that enable users/subscribers to block their accounts from operating the USSD service, and that no USSD financial service should be activated for a customer unless the deactivation mechanism is put in place, with effect from June, 2018.
On penalties for infractions, it said the appropriate Regulator (CBN and/or NCC) as applicable shall impose appropriate sanctions for any contravention on any participant that fails to comply with this framework.
The new framework is in exercise of the powers conferred on the CBN by Section 47(2) of the CBN Act, 2007, to promote and facilitate the development of an efficient and effective system for the settlement of transactions.