Contactless Payments ("CPs"), aptly described as payments which involve the consummation of financial transactions without physical contact between the payer and the acquiring devices1, have been gaining momentum and widespread adoption in recent times. First introduced in the 1990s,2 CPs recorded a significant boost in adoption following the Covid 19 Pandemic in 2020.3 Today, CPs are the preferred choice of payment in many countries, with the CPs market set to reach a global value of USD164.15 billion by 2030.4
In September 2022, Interswitch, in partnership with ProvidusBank, Mastercard and Thales Group, announced the introduction of a new Tap-to-Pay service in Nigeria. This CPs service allows cardholders to make fast, secure, and convenient in-store payments by tapping their Near Field Communication-enabled smart device at any contactless-enabled payment terminal.5 In addition, Now-Now, another Nigerian Company that offers Tap-and-Pay services6, recently raised USD 13 Million seed and is expected to increase the adoption of CPs in Nigeria.7 Similarly, Squad8 and Kuda9 have introduced softPOS solutions, which are expected to drive the adoption of CPs further. In summary, it appears the private sector is gearing up to participate in the CPs space.
However, there are risks/security concerns inherent in the use and adoption of CPs. Some of the major risks include CPs fraud, hack of CPs networks, data privacy concerns for customers and implication of absence of authorization. For instance, in 2020, £16 million was lost to CPs fraud in the UK.10 However, it must be stressed that the referenced CPs fraud accounts for only 2.9% of overall card fraud losses, while 55% of all card transactions were CPs transactions. This strongly suggests that, where adequate standards are adhered to and best practices kept, CPs are not only smoother for participants, but also significantly safer across board.
It is therefore unsurprising that the Central Bank of Nigeria ("CBN"), in anticipation of the use/adoption of CPs in Nigeria, has introduced the Draft Guidelines to implement minimum standards and requirements for the operation of CPS in Nigeria as well as specify the roles and responsibilities of stakeholders.11
- STAKEHOLDERS IN CPs TRANSACTIONS
The Draft Guidelines identified 11 Stakeholders in CPs transactions. The Stakeholders and a brief description of their respective roles are set out below:
- Payment schemes;14
- Card schemes;15
- Switching Companies;16
- Payment Terminal Service Provider;17
- Payment Terminal Service Aggregator;18
- Terminal Owners;20
- Customers; and
- Any other stakeholder/participant as designated by the CBN.
- HIGHLIGHT OF THE DRAFT GUIDELINES
The Draft Guidelines set out the framework for CPs transactions in Nigeria. In addition to prescribing minimum standards to be met by participants, the Draft Guidelines specify the individual role and responsibility of each participant as well as conditions for participation. Some of the significant provisions of the draft guidelines are examined below.
RESTRICTIONS ON CONTACTLESS PAYMENTS
The Draft Guidelines impose transaction limits for CPs transactions,21 and stakeholders may set a limit on par with or below the limit set by the CBN. CPs transactions below the transaction limits may not require customers' verification22 but CPs above the transaction limit (described as "Higher-value CPs payments") shall require customer verification.23 The obligation to ensure adherence to transaction limits is imposed on the Acquirer24 and the Issuer.25It is interesting to note that the Draft Guidelines seem to also impose this obligation on merchants. 26
The transaction limits in the Draft Guidelines do not envision/encompass transaction frequency, creating a risk. This omission can, for example, be contrasted with the framework in the UK27 where there is an individual transaction limit,28 cumulative transaction limit,29 and consecutive transaction limit.30 The absence of a cumulative transaction limit creates a risk whereby CP frauds can be long-drawn by simply adhering to the daily/individual limits. In addition, it is unclear why Acquirers and Merchants are obliged to respect transaction limits.
PRECONDITIONS FOR PARTICIPATION
The Draft Guidelines impose various preconditions to participation. For instance, only CBN-licensed institutions can serve as Acquirers31 and Issuers.32 Participants are required to comply with the standards subsequently discussed in this article as well as obtain and maintain the required certifications.
In any case, the contactless payments image, symbol, tactile, graphics and/or the words "contactless payments" (in Braille) shall be displayed on contactless payment instruments, contactless payment devices and locations where contactless payments are accepted.33 In addition, CPs cannot be activated by default, customers shall have the option to opt-in to CPs and they also have the right to withdraw from the CPs Agreement without prior notice to the issuer.34
STANDARDS FOR PARTICIPATION
All Stakeholders who process and/or store customers' information35 are mandated to ensure that their terminals, applications and processing systems comply with the following standards, at the minimum:
- PA DSS - Payment Application Data Security Standard;
- PCI PED - Payment Card Industry Pin Entry Device;
- PCI DSS - Payment Card Industry Data Security Standard;
- Triple DES - Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party. The triple DES algorithm is the minimum standard;
- AES - Advanced Encryption Standards;
- EMV - The deployed infrastructure must comply with the EMV requirements for contactless acceptance;
- ISO 27001 - information security management system;
- Standards specified by the various payment schemes; and
- Other standards as may be specified by CBN from time to time.36
Said participants are required to maintain valid certification to these standards, ensure they remain compliant with the standards at all times and execute contactless payments agreements/contracts with parties. Note that participants are required to obtain CBN's approval for CPs products and for innovative use cases and value-added services.37
CPs TRANSACTION PROCESSING
Participants are required to enter CPs agreements which clearly spell out the terms and conditions of the transaction38 and comply with minimum requirements set by the CBN.39 Prior to consummating a CPs transaction, the transaction value and associated charges must be communicated to the customer.40
CPs devices are required to be issuer/brand agnostic and neutral to the type of card or payment instrument used.41 All domestic contactless payments shall be switched through a Nigerian switch,42 all contactless devices must be connected to an account or wallet that has Bank Verification Number ("BVN")43 , and only accounts/wallets with BVN can be activated for CPs in Nigeria.44 Note that all CPs transactions are required to be processed online or/and submitted via current processing specifications.45
With respect to dispute resolution, PTSPs are required to onboard adequate support infrastructures that ensure 24/7 support coverages46 and prevent instrument clashes when multiple contactless payments are present,47 while all participants are required to work in conjunction to ensure the resolution of disputed transactions within the timeline specified by the CBN dispute resolution framework. With respect to financial crimes, Acquirers and Issuers are required to undertake measures to prevent the use of their network for purposes associated with money laundering and other financial crimes,48 conduct KYC on all customers49 and carry out periodic risk assessments of their processes and have effective measures to mitigate ML/TF/PF risks associated with CP.50 Similarly, all other participants except Customers and Merchants are required to implement a documented risk management process to identify and treat risks associated with contactless payments, while Customers and Merchants are required to exercise due diligence in carrying out CPs transactions.
In any case, Acquirers, Issuers, and Merchants will be held liable for fraudulent transactions on CPs arising from their negligence and/or connivance.51Stakeholders are also required to render monthly returns on CPs transactions (including value, fraud, data, and failed transactions) to the CBN in a format to be prescribed by CBN.
3.0 THOUGHTS AND CONCLUSIONS
We note that the Draft Guidelines are quite clear in setting standards and introducing a framework for the operation of CPs in Nigeria. We also applaud the transaction limits specified by the CBN, particularly in light of the economic realities of the majority of Nigerians.
However, we have concerns regarding the absence of a transaction limit based on the number of consecutive CPs transactions. We also note that the Draft Guidelines were published on October 17 2022, and had set November 5 2022 as the deadline for sharing comments on the Guidelines with CBN.
We consider this timeline quite short and suggest that a more expansive timeline be given for subsequent drafts that are released by the CBN.
1 Exposure draft of the guidelines for contactless payments in Nigeria ("Draft Guidelines") available at https://www.cbn.gov.ng/Out/2022/CCD/Draft%20Guidelines%20for%20Contactless%20Payments%20in%20Nigeria.pdf accessed 13 November 2022
2 BanksAm, "History of contactless payments: from past century to the present day" available at https://banks.am/en/news/fintech/22668#:~:text=The%20first%20ever%20widespread%20use,making%20contactless%20payments%20for%20trips.
3 FinExtra, "WHO urges switch to contactless to slow virus transmission" available at https://www.finextra.com/newsarticle/35384/who-urges-switch-to-contactless-to-slow-virus-transmission#:~:text=The%20World%20Health%20Organisation%20is%20advising%20consumers%20to,which%20are%20known%20carriers%20of%20viruses%20and%20bacteria
4 Grand View research, "Global Contactless Payments Market" available at https://www.grandviewresearch.com/press-release/global-contactless-payments-market
5 Fintechnews, "Providus bank launches tap-to-pay service with Mastercard, Interswitch and Thales" available at https://fintechnews.africa/41118/fintech-nigeria/providusbank-launches-tap-to-pay-service-with-mastercard-interswitch-and-thales/#:~:text=Nigerian%20financial%20services%20company%20ProvidusBank,payment%20service%20in%20the%20country
6 Available at https://nownow.ng/introducing-nownow-tap-and-pay/
7 Financial Nigeria, "NowNow raises 13 Million in seed funding" available at https://www.financialnigeria.com/nigerian-fintech-startup-nownow-raises-13-million-in-seed-funding-news-2537.html
8 Available at https://squadco.com/squad-pos/
9 Available at https://business.kuda.com/
10 UK Finance, "Fraud- The Facts 2021" available at https://www.ukfinance.org.uk/system/files/Fraud%20The%20Facts%202021-%20FINAL.pdf. It must however be stressed that CPS fraud accounts for only 2.9% of overall card fraud losses, while 55% of all card transactions were CPS transactions.
11 Rule 3 Draft Guidelines
12 The Acquirer is the Merchant's financial institution. The Acquirer accepts deposits from the merchant's sales. Note that only CBN licensed institutions can serve as acquirers for contactless payments.
13 The Issuer is the Customer's financial institution. Issuer's issue cards to their Customers on behalf of card schemes. Only CBN licensed institutions can serve as issuers for contactless payments.
14 Payment scheme is a set of rules defining how payment transactions are processed with the use of payment instruments
15 Card schemes are entities like Mastercard, Verve etc.
16 Switching companies facilitate the exchange of value between financial service providers, merchants, customers and other stakeholders. They essentially facilitate communication between different payment service providers.
17 A payment terminal allows a merchant to capture required credit and debit card information and to transmit this data to the merchant services provider or bank..
18 A payment terminal service aggregator ensures the technical and operational standardization of all deployed POS devices through terminal certification.
19 The Seller or Service Provider who accepts CP
20 Issuers, acquirers, merchants and Payment Terminal Service Providers ("PTSPs") can be terminal/device owners.
21 Rule 9 Draft Guidelines. The CBN has specified an individual transaction limit of NGN5,000.00 and daily cumulative limit of NGN30,000.00
22 Rule 9.2 Draft Guidelines
23 Rule 9.3 Draft Guidelines
24 Rule 6.1.12 Draft Guidelines
25 Rule 6.2.11 Draft Guidelines
26 Rule 6.8.2 Draft Guidelines
27 Article 11 Strong Customer Authentication and Common and Secure Methods of Communication. Available at https://www.handbook.fca.org.uk/techstandards/PS/2021/2021_01/chapter-iii/015.html
29 £300 from the date of last application of strong customer authentication
30 No more than 5 consecutive CPS from the date of last application of strong customer authentication.
31 Rule 6.1.1 Draft Guidelines
32 Rule 6.2.1 Draft Guidelines
33 Rule 8 Draft Guidelines
34 Rule 6.10 Draft Guidelines. See also Rule 6.2.2 Draft Guidelines. It is unclear how this will work in practice.
35 This covers all stakeholders except the Customers themselves.
36 Rule 5 Draft Guidelines
37 Rule 7 Draft Guidelines
38 See Rule 6.1.4 and Rule 6.2.5 Draft Guidelines
39 Rule 6.2.14 Draft Guidelines. See also Rule 6.1.15 Draft Guidelines
40 Rule 6.8.4 Draft Guidelines.
41 Rule 6.1.6 Draft Guidelines. Similarly, all CPS instruments used in Nigeria shall be neutral and agnostic as to CPS devices. In essence, such devices should not promote or favor any brand over another. This is part of the effort aimed at achieving interoperability.
42 Rule 6.1.5 Draft Guidelines. Such Acquirers and processing entities are expressly prohibited from oruting such transactions outside Nigeria in any circumstance.
43 Rule 6.1.11 Draft Guidelines
44 Rule 6.2.6 Draft Guidelines
45 Rule 6.3.2 Draft Guidelines. See also Rule 6.4.2 Draft Guidelines. The obligation to ensure this is on Payment Schemes and Card Schemes.
46 Rule 6.6.2 Draft Guidelines. Terminals deployed are the be functional at all times and PTSPs are mandated to establish appropriate mechanism to detect device failure. Device failure must be rectified or replaced within 48 hours.
47 Rule 6.6.5 Draft Guidelines. This is very important because such terminals will likely work in proximity such as at the check-out point of supermarket/malls.
48 Rule 6.1.9 Draft Guidelines and Rule 6.2.9 Draft Guidelines
49 Rule 6.1.10 Draft Guidelines and Rule 6.2.10 Draft Guidelines
50 Rule 6.1.17 Draft Guidelines, Rulea 6.2.16 Draft Guidelines. This obligation is also imposed on Switching Companies.
51 See generally Rule 6 of the Draft Guidelines
52 Comments are to be shared with the Director, Payments System Management Department of CBN
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.