NIBSS wants to tighten security around Nigeria’s Bank Verification Number (BVN) system. But there are concerns about fair competition.
On the 29th of March this year, the Nigeria Interbank Settlement Scheme (NIBSS) published an important document.
The “Approved Standard Operating Guidelines for BVN Matching System Version 2.0” document is Nigeria’s BVN operations manual. It explains how banks should enrol and verify customers for BVNs, and how institutions can access the BVN system.
BVNs – unique identification numbers for bank customers – were launched in 2014 by the Central Bank of Nigeria (CBN) and the Bankers’ Committee as a “Know Your Customer” (KYC) infrastructure for the financial sector.
The ambition was noteworthy: to create a biometric-based standard for verifying client identity and enabling safe, seamless electronic payments. That standard was actually supposed to be the National Identification Number (NIN) but banks floated BVNs following several government delays on the NIN project.
Combating fraud in the system
BVN has become a core pillar of Nigeria’s anti-money laundering and combating of financial terrorism (AML/CFT) framework. It has driven the rise of Nigerian fintech; payments, savings, lending and even cryptocurrency startups have relied on it.
Among its other powers, NIBSS determines who can and cannot have access to BVNs. Some weeks ago, they showed this power by cutting some fintechs off the BVN system.
Reactions swirled that it was a move by deposit money banks (who co-own NIBSS) to protect themselves against competition from fintechs. But according to a highly placed source at a bank, the move was a necessary response to “alarming proportions” of fraud that have been traced to December 2020.
The short version of the fraud story is that when an individual at virtually any commercial bank in Nigeria opened an account, a fraudster who has got access to their BVN and account number would call them on the phone.
It is not clear how fraudsters get remote access to customer information but the problem only affected customers who opened or reactivated bank accounts from around the middle of December.
The fraudster would have downloaded the customer’s bank app. To take control of the account, they would ask the customer to hand over a one-time password sent by the bank.
The scam was being attempted on anyone including some bank staff, the source said. But banks were alarmed because a major target group was serving members of Nigeria’s National Youth Service Corps (NYSC).
NYSC mobilises about 250,000 Nigerian graduates each year and is a source of new accounts for banks.
In that framing, NIBSS’s new 49-page document clarifies and tightens the BVN system for the safety of Nigeria’s financial system.
Access to the BVN database
Banks and fintechs access the BVN database through Application Programming Interface (API) calls. The CBN approves groups who can access BVN information, while NIBSS manages the security of the APIs.
There are two tiers of access: tier 1 and tier 2. Both are differentiated by the need for CBN approval and the number of data fields they can access.
Esigie Aguele, CEO of VerifyME, explains that NIBSS gives different levels of access to cater to different use cases. Banks have access to more demographic data because their operating license imposes strict KYC and AML requirements.
Apart from banks, any organisation that wants to access customers’ information must first get customers’ consent.
This consent is split into two; one for demographic data and another for details like account number and names in different banks. When an organisation needs any of these details, NIBSS will notify customers, indicating what their consent is being asked for.
Fintechs cannot store BVN data on their database for later use. So if there is downtime at NIBSS, there will be no alternative way to do verifications with vendors until the service is back up.
Aguele says this is a reasonable requirement for data security in line with Nigeria’s Data Protection Regulation. But he thinks there should be more clarity from NIBSS on how fair the playing field will be under the guidelines.
“The fact of the matter is that NIBSS is a private institution and should not be regulating data access to companies that could potentially be their competitor.”
“Many of these fintechs are releasing products that will compete with what NIBSS offers to banks; CBN still needs to update the framework to cater to this reality.”
VerifyMe offers a facial recognition service that is in competition with NIBSS’s product. With NIBSS in control of some of the data useful for that purpose, Aguele believes an antitrust issue arises which should be clarified by the CBN.
“Ideally, NIBSS should not be treated as an agency. There needs to be an independent committee that handles these responsibilities.”
What are the alternatives?
On a phone call, a spokesperson for NIBSS said fintechs will find all answers they need for compliance to the BVN system within the new guidelines.
Fintech startups like Carbon, Fairmoney and Branch that have licenses that allow them to take user deposits continue to enjoy BVN matching access.
But the new guidelines might push some fintechs to begin using NIN as a substitute for BVN for their verification purposes. QuickCheck, a digital lending app, now requests NIN from users who want to sign up.
Aguele says VerifyMe can be a channel for fintechs without direct access, though the identity technology startup will first have to secure a license from the CBN to provide that service.