Since the global financial crisis of 2007, several banking regulatory reforms have been instituted in a bid to increase trust in the Nigerian banking sector and maintain stability in the financial industry. These regulatory reforms, however, did not anticipate the intrusion of technology in the delivery of financial services.
'FinTech' is a contraction of the words 'financial' and 'technology', which is broadly used to describe any technological innovation in the delivery of financial services. It covers a wide range of areas including financial literacy, wealth/asset management, lending and borrowing, retail banking, fundraising, money transfers, payments, investment management, digital insurance, and cryptocurrency.
The absence of a direct and unified regulation on FinTech in Nigeria has engendered the erroneous notion that the Nigerian FinTech industry is uncharted territory. However, notwithstanding the inexistence of a cohesive FinTech regulation, the Central Bank of Nigeria (CBN) has issued several guidelines, which impacts various aspects of the FinTech industry, especially the digital payments sub-sector which has witnessed the highest amount of activity in recent times. These regulations seek to improve financial inclusion while allowing for continuous innovation.
The purpose of this paper is to identify and examine the existing regulations in Nigeria's FinTech industry and to canvass for a cohesive and comprehensive legislation for Fintech in Nigeria.
FinTech Regulatory Framework in Nigeria:
The Central Bank of Nigeria has issued the following guidelines which impact FinTech companies in Nigeria:
- Guidelines on Mobile Money Services in Nigeria
- Guidelines on Operations of Electronic Payment Channels in Nigeria
- Regulatory Framework for the Use of Unstructured Supplementary Service Data (USSD) for Financial Services in Nigeria.
- Guidelines on International Money Transfer Services
- Guidelines on International Mobile Money Remittance Service
- Exposure Draft of New CBN Licensing Regime for Payment Service Providers
- Regulation for Direct Debit Scheme in Nigeria
In addition to the above, the National Information Technology Development Agency (NITDA) recently issued the Nigerian Data Protection Regulation1 which impacts the use, transfer, and processing of data of Nigerian citizens. The Central Bank of Nigeria has also issued the Risk-Based Cyber-Security Framework and Guidelines for Deposit Money Banks and Payment Service Providers,2 which will be of importance to FinTech companies operating in Nigeria.
- Guidelines on Mobile Money Services
In 2009, the CBN issued the guidelines on mobile money services in Nigeria with the aim of ensuring a structured and orderly development of mobile money services in Nigeria. Basically, mobile money services are financial services offered over mobile devices, such as mobile payment, credit card payment, and QR code payment.
The guidelines identify two models for the implementation of mobile money services: Bank Led and Non-Bank Led.3 Under the Bank Led model, either a bank or a consortium of banks may act as a Lead Initiator in providing mobile money services as part of its banking services.4
A corporate organization (other than a deposit money bank or telecommunication company) specifically licensed by CBN to provide mobile money services in Nigeria may also act as a Lead Initiator of mobile money services under the Non-Bank Led model.5
The guideline also identifies the various participants in the mobile money industry – Banks, licensed corporate organizations, infrastructure providers, Mobile Network Operators (MNOs), and consumers – their roles and responsibilities6 and, the minimum technology standards7 and business rules.8
Mobile Money Operators (MMOs) are required to:
- Be licensed by the CBN.
- Be issued a unique Scheme Code by the Nigerian Inter-Bank Settlement System.
- Be issued unique short codes by the Nigerian Communications Commission (NCC).
- Ensure that all telecommunications equipment are of a type approved by the NCC.
- Register users of its scheme based on the technology standards and requirements of the guidelines.
- Ensure that the registration process fulfills the Know Your Customer (KYC) requirements specified in the guidelines.9
- Guidelines on Operations of Electronic Payment Channels
The electronic payment guidelines provide specific regulations on the use and operations of the following e-payment channels: Automated Teller Machine (ATM),10 Point of Sale (POS) machines,11 Mobile Point of Sale (MPOS) devices12 and the Internet.13
The guidelines are made to supersede the previous standards and guidelines on ATM operations and POS card acceptance services issued by the Central Bank of Nigeria (CBN).
The e-payment guidelines identify stakeholders in electronic payment, such as Acquirers, Issuers, Merchants, and Cardholders, and define their roles and responsibilities.14
It specifies the standards and specifications for ATM technology,15 guidelines for ATM deployment,16 minimum standards17 and specifications18 for POS terminals, minimum standards19 and technical specifications20 for MPOS devices, and minimum standards for gateway provider of web payment services.21
The guidelines also establish a settlement mechanism for POS and MPOS transactions22 with the Nigeria Interbank Settlement Systems (NIBSS) acting as the Payment Terminal Service Aggregator for the financial industry.23
- Regulatory Framework for the Use of USSD for Financial Services in Nigeria
Taking effect from October 2018, the guidelines seek to reduce the risks associated with the implementation and use of USSD technology for offering financial services in Nigeria.24
Therefore, only Mobile Network Operators (MNOs) and CBN licensed entities with a letter of no objection or letter of introduction from the CBN are eligible for the issuance of USSD short codes by the Nigerian Communications Commission (NCC).25
A transactional limit of N100, 000 per customer, per day, is placed on all transactions conducted through the USSD channel, and a customer desirous of a higher limit will be required to execute a documented indemnity.26
Furthermore, no USSD channel shall be deployed for financial services unless a deactivation mechanism, which allows users to block their account from operating USSD services, is put in place.29
- Guidelines on International Money Transfer Services
The guidelines on international money transfer are important for International Money Transfer Service Operators (IMTSOs) that offer digital international money transfer services.
Any person or institution that wishes to provide international money transfer services must be licensed by the CBN.30 Although deposit money banks are prohibited from operating as international money transfer service operators, they may act as agents.31
For the purpose of licensing requirements, the guideline makes provisions for four categories of international money transfer providers, to wit: Foreign International Money Transfer Operators, Indigenous International Money Transfer Operators, Foreign Technical Partners and Local Agents.
A foreign IMTO wishing to operate in Nigeria must have a minimum share capital of US$1 million in their home country32 and a list of Licensed Agents, who are Authorized Forex Dealers, to act as local agents.33 Furthermore, the foreign IMTO must pay a non-refundable application fee of N500, 000 (Five Hundred Thousand Naira), or such amount as the CBN may specify from time to time.34
On the other hand, an indigenous IMTO is required to have a minimum paid-up share capital of N2,000,000,000 (Two Billion Naira),35 and the primary object clause of the company's Memorandum of Association must indicate provision of money transfer services.36
An Indigenous IMTO may engage a foreign technical partner but must obtain the prior approval of the CBN before doing so.37 The foreign technical partner must:
- Be licensed in its home country to carry on international money transfer services.
- Have a minimum net worth of US$10 million as contained in its current audited financial statement
- Be well established and have a track record of operations in the money transfer services business.
- Sign a Memorandum of Understanding with its Indigenous IMTO partner that clearly delineates liabilities in the event of disputes and/or process failures.38
- Guidelines on International Mobile Money Remittance Services
These guidelines were issued to facilitate foreign exchange transactions over mobile applications. It states the minimum standards and requirements for the operation of international funds remittance over mobile devices in Nigeria.39
In order to provide inbound or outbound international funds remittance service in Nigeria, an institution must be approved by the CBN to carry out such services.
The requirements for obtaining such approval include:
- A licence in its home country to carry on money transfer services
- A net worth of US$1 billion
- A valid Mobile Money Operator's licence
- A presence in at least twenty countries with at least 10 years experience in the money transfer business40
The institution must also be in partnership with at least an Authorised Dealer bank licensed in Nigeria.41
The guideline identifies the participants in international money remittance as: banks, infrastructure providers, Mobile Network Operators and consumers, and states their roles and responsibilities.42 It also provides transaction security standards43 and risk management measures for operators.44
- Exposure Draft of New CBN Licensing Regime for Payment System Providers
In recognition of the growing level of acceptability of FinTechs and the attendant emerging risks within the financial system, the CBN recently proposed a new licensing regime for all categories of payment service providers and financial technology companies.
The regime proposes 3 licence categories of payment service providers: Super Licence, Standard Licence, and Basic Licence.
The Super Licence category, which has a tenor of 3 years, covers the following existing licence types:
- Payment Solution Service Provider (PSSP)
- Payment Terminal Service Provider (PTSP)
- Non-bank Merchant Acquiring
- Super Agency.
The Standard Licence category, which also has a tenor of 3 years, covers the following existing licence types:
- Mobile Money Operators (MMO)
- Super Agency
- Non-bank Merchant Acquiring.
The Basic Licence category has a tenor of 2 years and covers the following existing licence types:
- Super Agency
- Payment Solution Service Provider (PSSP)
- Payment Terminal Service Provider (PTSP)
Each of the three licence categories are required to have a minimum shareholder fund of N5, 000,000,000 (five billion naira), N3, 000,000,000 (three billion naira) and N100, 000,000 (one hundred million naira), respectively. However, the Super Agency licence under the Basic Licence category is required to have a minimum shareholder fund of N50,000,000 (Fifty Million Naira) and not N100,000,000 (one hundred million naira).
Although the new licence regime is yet to be implemented at the time of publishing, when it is implemented, companies shall be expected to notify the CBN before starting any new activity under their licence category. For example, a Super Licence holder who initially had been approved for only PSSP and Switching Operations must inform the CBN (for information purposes only) if it subsequently decides to commence PTSP operations.45
It is noteworthy that the Card Scheme service and Switching service, as well as, Mobile Money Operators service and Switching service, are mutually exclusive services, such that an entity rendering one of the services will not be licensed to render the other.46
7. Regulation for Direct Debit Scheme
By this regulation, a direct debit is a cashless form of financial settlement which facilitates a recurring payment. It permits the originator of the instruction, known as 'Biller' to collect amounts due from a 'Payer' through the Payer's bank by leveraging on instruction or mandate provided by the Payer.47
The regulation recognizes the existing and emerging multi-channel options applied for direct debiting and attempts to define the operational standards expected in the direct debiting process.
It identifies 5 participants: the Biller, the Biller's bank, the Payer, the Payer's bank and the Payment Service Provider, and states their roles in the debiting process.48
A Biller is required to be an entity incorporated or registered to carry on business in Nigeria.49 Both a Biller and Payer's Bank shall be members of the Nigeria Clearing System or integrated with Payment Service Providers that accept Direct Debit for processing.50
Furthermore, Payer's Banks, Billers, and Payment Service Providers shall keep records of all direct debit transactions for a period of not less than six years from the date of cessation of the Direct Debit Mandate.51
BLOCKCHAIN AND VIRTUAL CURRENCIES
In light of the emergence of virtual currencies and the risks associated with virtual currency exchanges and virtual currency activities, the Central Bank of Nigeria, by a circular,52 drew the attention of banks and other financial institutions to these risks and required them to take the following actions pending substantive regulation by the CBN:
- Ensure they do not use, hold, trade or transact in virtual currencies, such as Bitcoin, Ripples, Litecoin, Onecoin, etc.
- Ensure that existing bank customers that are virtual currency exchangers have effective Anti-Money Laundering/Combating Financing of Terrorism controls that enable them to comply with customer identification, verification and transaction monetary requirements.
- Where banks or other financial institutions are not satisfied with the controls put in place by the virtual currency exchange customers, the relationship should be discontinued; and
- Any suspicious transaction should immediately be reported to the Nigerian Financial Intelligence Unit (NFIU).
Any financial institution that ignores the above caution does so at its own risk.
In a further press release53, the CBN reiterated its position that cryptocurrencies and virtual Exchanges are neither licensed nor regulated in Nigeria, and dealers or investors in any kind of cryptocurrency in Nigeria are not protected by law.
DATA SECURITY AND CYBERSECURITY CONCERNS
The FinTech innovation cannot be separated from cybersecurity and privacy issues. Many FinTech companies collect and process a vast amount of data in order to provide financial services efficiently and inexpensively. Most of these data are highly sensitive information that can be misused if they fall into the wrong hands, thus, it behooves on FinTech companies to ensure compliance with data protection and cybersecurity laws54.
FinTech and Data Protection in Nigeria:
The Nigerian Data Protection Regulation55 issued by the National Information Technology Development Agency (NITDA) in January 2019 lays down regulations for the processing of data. These regulations apply to persons of Nigerian descent residing in or outside Nigeria. It provides that data may only be collected and processed for a specific lawful process upon the grant of consent by the Data Subject.56
Furthermore, data may only be stored for the period within which it is reasonably needed57 and must be secured against all foreseeable hazards.58 One of the numerous measures to protect data under the Regulation is data encryption, which is also a data protection requirement under the CBN regulatory framework for the use of USSD. The USSD regulation provides that USSD-based financial transactions and data stored by the USSD application at Financial Institutions shall be encrypted.59
The CBN Consumer Protection Framework for Banks and other Financial Institutions also regulates the protection of consumer assets and privacy. It provides that consumers' financial and personal information shall be securely stored at all times60 and shall not be released to a third party without the written consent of the consumer.61 A third party here includes a subsidiary or an associated company.62
In addition, the Nigerian Communications Commission (NCC) Draft Consumer Code of Practice Regulations63 requires Licensees to adopt and implement a Protection of Consumer Information Policy, which shall provide for the proper collection, use and protection of information64 and be made available to its consumers in a readily accessible form and easy to read manner.65
FinTech and Cybersecurity in Nigeria:
The general law on Cybersecurity in Nigeria is the Cybercrime (Prohibition, Prevention, Etc) Act66 which prescribes punishment for actions such as phishing, hacking, electronic theft, cyberstalking, cybersquatting, and cyber terrorism. The Act, however, is silent on mechanisms institutions need to put in place to strengthen their cyber defenses.
In response to this, the CBN recently issued the Risk-Based Cyber-Security Framework and Guidelines for Deposit Money Banks and Payment Service Providers,67 which took effect on 1 January 2019, to outline the minimum cybersecurity baseline to be put in place by Deposit Money Banks (DMBs) and Payment Service Providers (PSPs) in order to enhance their cybersecurity resilience.
The guidelines make provision on Cybersecurity Governance and Oversight, Cybersecurity Risk Management System, Cyber Resilience Assessment, Cybersecurity Operational Resilience, Cyber-Threat Intelligence and Metrics, Monitoring and Reporting.
REGULATORY SANDBOX FOR FINTECH COMPANIES IN NIGERIA
In 2018, the Central Bank of Nigeria launched a regulatory sandbox for tech start-ups tagged 'Financial Industry Sandbox'.68 The purpose of the sandbox is to enable innovation by allowing for experimentation and rapid cycles of adjustments in a contained environment without full compliance with all regulations. However, the sandbox is yet to begin operation.69 The CBN is expected to compile a list of interventions for which a regulatory sandbox is necessary and define eligibility criteria for the interventions to be allowed to run in the sandbox.
Regulation has often been seen as an enemy of innovation and the challenge usually faced by regulators is how to regulate innovation without killing it. A school of thought has argued that since innovation precedes regulation, innovation should be permitted to develop without hindrances. However, government action can further facilitate innovation by fostering a supportive environment, through the use of regulatory measures, for innovation to thrive. It appears that the challenge is always where to draw the line; to what extent should government regulate innovation?
The FinTech innovation, while improving financial inclusion and market efficiency, also brings along cybersecurity and data protection concerns, amongst others. In response to these challenges, the Central Bank of Nigeria has issued several guidelines to regulate various aspects of the FinTech industry and promote financial inclusion. This paper has identified and examined these guidelines, as well as laws, which influence the FinTech landscape, such as the Cybersecurity Act and Data Protection Bill.
While the CBN's attempt to use regulation to drive financial inclusion is commendable, the piece-meal approach adopted by the Bank creates a fragmented regulatory framework. Although, it is conceded that this approach may have been adopted for regulation to progressively catch-up with the fast growing FinTech innovation and to avoid stymieing the nascent FinTech industry in Nigeria, yet it is this writer's view that the various guidelines and laws that affect the industry must be integrated and harmonized to form a unified FinTech policy. There is no gainsaying that a cohesive framework will increase the ease of doing business in the Nigerian FinTech ecosystem, promote regulatory certainty and boost investors' confidence in the industry. However, this framework must be flexible enough to accommodate further growth and stimulate innovation, rather than frustrate it.
Furthermore, it is suggested that the existing and proposed laws regulating the Nigerian FinTech ecosystem be aligned with the CBN's National Financial Inclusion Strategy (NFIS)70 to create a harmonized regulatory and policy thrust.
In addition, the long-awaited regulatory sandbox for FinTech start-ups is overdue and ripe for launch by the Nigerian government. The presence of a sandbox will help FinTech start-ups manage their regulatory risks, experiment with innovative financial products and contain the consequences of failure. A sandbox may also be used to test the effect of policies on FinTech companies before widespread application. Regulatory sandboxes have been adopted by other countries, including the UK, Singapore, Australia, Canada, Hong Kong and South Korea.
Innovation offices, which are more cost-effective than regulatory sandboxes, may also be set up to create a platform for innovators and regulators to collaborate. Through innovation offices, regulators are able to engage with and provide regulatory clarification to financial service providers that offer innovative products and services, while learning more about the industry and obtaining clarity for further regulation. Examples of innovation offices include the Estonian Financial Supervision Authority (EFSA) and Indonesia's OJK Innovation Centre for Digital Financial Technology.
The African tech landscape is attracting huge attention from investors across the globe. With a rising population and a large percentage of unbanked people, Nigeria is an attractive hive for FinTech innovation. However, innovation can only thrive within a nurturing environment and well-guided regulations and policies can play a huge role in creating this environment.
* Olayanju Phillips, Associate Intern, SPA Ajibade & Co., Abuja Office, Nigeria.
1 NITDA, Nigeria Data Protection Regulation, 2019 made pursuant to the powers granted to NITDA under sections 6(c) and 32 of the National Information Technology Development Agency (NITDA) Act, 2007.
2 Exposure Draft of the Risk-based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, 2018.
3 Paragraph 5.0, CBN Guidelines on Mobile Money Services in Nigeria, 2009.
4 Paragraph 5.0(a).
5 Paragraph 5.0(b).
6 Paragraph 8.0.
7 Paragraph 14.0.
8 Paragraph 7.0.
9 Paragraph 7.1, CBN Guidelines on Mobile Money Services in Nigeria, 2009.
10 Guidelines on Automated Teller Machine (ATM) Operations, Paragraph 1.0 of the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria.
11 Guidelines on Point of Sale (POS) Card Acceptance Services, Paragraph 2.0 of the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria.
12 Guidelines on Mobile Point of Sale (MPOS) Acceptance Services, Paragraph 3.0 of the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria.
13 Guidelines on Web Acceptance Services, Paragraph 4.0 of the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria
14 Paragraphs 2.4, 3.3 – 3.4, 4.4 – 4.5 of the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria.
15 Paragraph 1.1.
16 Paragraph 1.2.
17 Paragraph 2.3.
18 Paragraph 2.9.
19 Paragraph 3.2.
20 Paragraph 3.9.
21 Paragraph 4.3.
22 Paragraphs 2.5 and 3.5 of the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria.
23 Paragraphs 2.4.4 and 3.4.3.
24 Paragraph 3.0 of the CBN Regulatory Framework for the use of USSD for Financial Services in Nigeria.
25 Paragraph 5.0.
26 Paragraph 6.9.
27 Paragraph 6.4.
28 Paragraph 6.8.
29 Paragraph 9.1.
30 Paragraph 2.1 of CBN Guidelines on International Money Transfer Services.
31 Paragraph 2.7(i).
32 Paragraph 2.4(v).
33 Paragraph 2.4(ii).
34 Paragraph 2.4(i).
35 Paragraph 2.5(xvii).
36 Paragraph 2.5(iii).
37 Paragraph 2.6.
39 Paragraph 2.0(i).
40 Paragraph 5.0.
42 Paragraph 7.0 of CBN Guidelines on International Mobile Money Remittance Services.
43 Paragraph 10.0.
44 Paragraph 12.0.
45 Paragraph 2(a) of Exposure Draft of New CBN Licensing Regime for Payment System Providers.
46 Paragraph 3.
47 Preamble, CBN Regulation for Direct Debit Scheme in Nigeria (Revised), 2018.
48 Paragraph 2.0.
49 Paragraph 2.1.1.
50 Paragraphs 2.2.1 and 2.4.1.
51 Paragraph 3.1.2.
52 CBN, Circular to Banks and other Financial Institutions on Virtual Currency Operations in Nigeria, January 12, 2017.
53 CBN, 'Virtual Currencies not Legal Tender in Nigeria', Press Release, February 28, 2018.
54 See Cybercrime (Prohibition, Prevention, Etc.) Act, 2015, Nigeria Data Protection Regulation, 2019, NCC Draft Consumer Code of Practice Regulations 2018, NCC Consumer Bill of Rights, CBN Consumer Protection Framework for Banks and other Financial Institutions, 2016 and CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, 2018.
55 NITDA, Nigeria Data Protection Regulation, 2019
56 Paragraph 2.1(a) and 2.3(i) of the Data Protection Regulation 2019.
57 Paragraph 2.1(c).
58 Paragraph 2.1(d).
59 Paragraph 6.7 of the CBN Regulatory Framework for the use of USSD for Financial Services in Nigeria.
60 Paragraph 2.6.1(c) of the CBN Consumer Protection Framework for Banks and other Financial Institutions, 2016.
61 Paragraphs 2.6 and 2.6.2.
62 Paragraph 2.6.2.
63 Nigerian Communications Commission, Draft Consumer Code of Practice Regulations 2018.
64 Paragraph 44(1) of the General Consumer Code of Practice, Schedule to the NCC Draft Consumer Code of Practice Regulations 2018.
65 Paragraph 43(4).
66 Cybercrime (Prohibition, Prevention, Etc.) Act, 2015.
67 CBN, Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, 2018.
68 The regulatory sandbox is one of the activities to be executed between 2018 and 2020 by the CBN Banking and Payment System Department (BPSD) and Nigerian Inter-Bank Settlement System (NIBSS) PLC for the achievement of the National Financial Inclusion Strategy. See CBN, National Financial Inclusion Strategy (Revised), October 2018, pp. 41, 53.
69 CBN Financial Inclusion Newsletter, 1st Quarter (March 2019) Volume 4, Issue 1, p. 15.
70 CBN, National Financial Inclusion Strategy (Revised), 2018.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.