BACKGROUND
The Draft Guidelines on Contactless Payment in Nigeria (the Draft Guidelines) were recently issued by the Central Bank of Nigeria (CBN) via a circular to Banks, Other Financial Institutions (OFIs) and Payments Service Providers1 . The Draft Guidelines were issued to set out minimum standards and requirements for the operations of contactless payments in Nigeria and to foster a standardised, robust and reliable payment system.
Contactless payment, also referred to as "Tap to Pay", is the system by which credit and debit cards, smartcards, tags, mobile devices and any other devices that have radio-frequency identification or near-field communication (NFC), are used for making secure payments.
The key highlights of the Draft Guidelines and the implications for stakeholders who engage in contactless payment operations are considered in succeeding paragraphs.
HIGHLIGHTS OF THE DRAFT GUIDELINES
Stakeholders in Contactless Payments – Roles and Responsibilities
Just as with every other technology in the payments system, there are various participants/stakeholders on the front and back end. The stakeholders2 in the contactless payment ecosystem include:
1. Acquirers
These are CBN-licensed institutions3 that facilitate payment acceptance and, in contactless payments, would serve as the financial institutions for Merchants. Some of the roles and responsibilities of Acquirers include: (x) ensuring that their applications, instruments, tokens and devices meet current standards and specifications for contactless payment and must be duly certified to process contactless payment transactions; 4 (y) executing contactless payment contracts with parties for utilising contactless platforms for payments; 5 (z) switching domestic contactless payments6 through a Nigerian switch and ensuring that transactions are not routed outside Nigeria. 7 One noteworthy provision is that devices enabled to accept contactless payments are required to be issuer agnostic – that is, they must accept and be neutral to all cards or payment instruments without favouring one brand over another. 8
2. Issuers
They are CBN-licensed institutions9 that issue cards with contactless payment functionalities and are required to obtain a customer's consent before activating the contactless payments functionality10 . Under the Draft Guidelines, Issuers are imbued with similar responsibilities as Acquirers, including ensuring that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments11 , among others. Other roles and responsibilities of the Issuers include: (x) notifying customers of their rights and responsibilities in the use of contactless payment instruments; (y) confirming the identity of customers; 12 (z) ensuring that disputed contactless transactions are resolved within the timeline specified by CBN. 13
3. Payment Schemes
Payment Schemes are primarily charged to comply with the provisions of the Draft Guidelines and other relevant CBN-issued guidelines and circulars. They are to ensure that contactless transactions are processed online through extant processing specifications. Payment Schemes must also ensure that systems and schemes are interoperable. They are duty-bound to implement a documented risk management process to identify and treat risks associated with contactless payments. 14
4. Card Schemes
These are generally payment networks that manage payment transactions, using credit and debit cards to process payments. Like Payment Schemes, Card Schemes are required to comply with the Draft Guidelines and other CBN instruments and must ensure that contactless transactions are processed online through extant processing specifications. 15
5. Switching Companies
These are independent entities that assist in communication between various payment service providers and perform payment and settlement processing. Local switching companies in Nigeria must ensure that contactless transactions completed by all payment instruments issued in Nigeria are successfully switched between acquirers and issuers. They are also required to carry out periodic risk assessments of their processes and have necessary measures to mitigate money laundering risks associated with contactless payments. 16
6. Payment Terminal Service Providers (PTSPs)
These are entities licensed by the CBN and charged with ensuring the deployment and effectiveness of Point of Sale (POS) terminals and operations. Terminals deployed by PTSPs to accept contactless payments must be made functional at all times and PTSPs must establish appropriate mechanisms to remotely detect device failures which must be rectified or replaced within forty-eight hours. 17 PSTPs must also put in place adequate support infrastructure which ensures support coverage for merchants and users at all times. 18
7. Payment Terminal Service Aggregators (PTSAs)
These are entities that ensure the technical and operational standardisation of deployed POS devices through terminal certification19 PTSAs are required to certify POS terminals for contactless payments annually or more frequently as may be required to ensure that the POS terminals follow industry standards. 20 In order to identify and address risks related to contactless payments, they must also create a procedure for documented risk management. 21
8. Merchants
These are service providers who request and accept contactless payments. Merchants are to ensure that deployed devices and applications are available for contactless payments of goods and services. 22
Merchants shall (x) exercise due diligence when processing contactless payments; 23 (y) communicate to customers, the value of the contactless payment transaction and any associated charges before the transaction is completed; 24 and (z) be held liable for fraudulent contactless payments that result from negligence or connivance; 25 and (xx) request the customer's authorisation where the transaction amount exceeds the set restrictions per transaction/day. 26
9. Terminal Owners
Issuers, Acquirers, Merchants and PTSPs may be "terminal/device owners". 27 Terminal Owners are responsible for ensuring that all terminals and devices procured by them are compliant with the appropriate minimum specifications for contactless payments terminals and devices. 28 They are also required to put in place a documented risk management procedure. 29
10. Customers
Customers may opt for contactless payments by applying for and accepting the terms and conditions for products and services. 30 They may also opt-out of a contactless payments agreement without giving prior notice to the Issuer. 31 In addition, customers are charged with conducting due diligence when carrying out contactless payment transactions and safeguarding their payment instruments from unauthorised use. 32
Minimum Standards for Industry Stakeholders
The Draft Guidelines provide the minimum standards that industry stakeholders must ensure that their terminals, applications and processing system comply with. They include: (x) Payment Application Data Security Standard; (y) Payment Card Industry Pin Entry Device; (z) Payment Card Industry Data Security Standard; (xx) Data Encryption Standards; (xy) Advanced Encryption Standards; (xz) Information Security Management System; and (yx) such other standards as may be prescribed by the CBN from time to time.
In addition to meeting the minimum standards, operators are required to obtain valid certification to these standards and continually review and recertify their compliance status from time to time. 33
Other Provisions
The prior approval of the CBN is required for contactless payments products, innovative use cases and value-added services required to promote an efficient payment system.
From time to time, the CBN shall determine the appropriate transaction and cumulative daily limits for contactless payments. Stakeholders are also permitted to set limits in line with the CBN limits. While contactless payment transactions below the stipulated limits may not require Customer authorisation, higher-value contactless payment transactions will require appropriate verification and authorisation.
Regulated stakeholders are obliged to provide the CBN with monthly reports on all contactless payment transactions (including volume, value fraud, data, failed transactions, etc.) in a prescribed form.
CONCLUSION
The CBN had already set the tone for the regulation of contactless payment when it issued the Framework for Quick Response (QR) Code Payments in Nigeria, in January 2021, which governs the use of QR codes as payment methods. Given the increased adoption of cutting-edge payment technologies to manage both small and large volumes of payments safely and effectively, the introduction of the Draft Guidelines is laudable and timely.
Footnotes
1. The circular was issued on 17 October 2022
2. Paragraph 4.0 of the Draft Guidelines
3. Paragraph 6.1.1 of the Draft Guidelines
4. Paragraph 6.1.3 of the Draft Guidelines
5. Paragraph 6.1.4 of the Draft Guidelines
6. Switch or Payment Switch is an infrastructure that facilitates communication between different payment service providers
7. Paragraph 6.1.5 of the Draft Guidelines
8. Paragraphs 6.1.6 and 6.1.7 of the Draft Guidelines
9. Paragraph 6.2.1 of the Draft Guidelines
10. Paragraph 6.2.2 of the Draft Guidelines
11. Paragraph 6.2.3 of the Draft Guidelines
12. Paragraph 6.2.9 of the Draft Guidelines
13. Paragraph 6.2.16 of the Draft Guidelines
14. Paragraph 6.3 and 6.4 of the Draft Guidelines
15. Paragraph 6.4.1 and 6.4.2 of the Draft Guidelines
16. Paragraph 6.5 of the Draft Guidelines
17. Paragraph 6.6.1 of the Draft Guidelines
18. Paragraph 6.6.2 of the Draft Guidelines
19. https://nibss-plc.com.ng/services/payment-terminal-service
20. Paragraph 6.7.1 of the Draft Guidelines
21. Paragraph 6.7.2 of the Draft Guidelines
22. Paragraph 6.8.1 of the Draft Guidelines
23. Paragraph 6.8.3 of the Draft Guidelines
24. Paragraph 6.8.4 of the Draft Guidelines
25. Paragraph 6.8.6 of the Draft Guidelines
26. Paragraph 6.8.2 of the Draft Guidelines
27. Paragraph 6.9.1 of the Draft Guidelines
28. Paragraph 6.9.2 of the Draft Guidelines
29. Paragraph 6.9.3 of the Draft Guidelines
30. Paragraph 6.10.1 of the Draft Guidelines
31. Paragraph 6.10.2 of the Draft Guidelines
32. Paragraph 6.10.4 of the Draft Guidelines
33. Paragraph 5.1 of the Draft Guidelines
34. Paragraph 7.1 of the Draft Guidelines
35. Paragraph 7.2 of the Draft Guidelines
36. Pursuant to a CBN Circular on "Transaction Limits on Contactless Payments" dated 30.10.2022, the transaction limit without verification is ₦5,000, while the daily cumulative limit without verification is ₦30,000.
37. Paragraph 9.1 of the Draft Guidelines
38. Paragraph 9.3 of the Draft Guidelines
39. Paragraph 12.0 of the Draft Guidelines
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
