In August 2014, Nigeria’s former president Goodluck Jonathan launched a new national identity project. The new e-ID card was supposed to be the super app of civil registers and traditional ID cards, combining digitally verifiable identification with the ability to make electronic payments, and even withdraw cash at ATMs.
Long story short, it flopped. As had a previous attempt made 10 years prior.
A 2019 court order finally put a temporary halt to new card issuance after a paltry 1.2 million cards had been issued. NIMC then switched attention from e-cards to simply issuing paper-printed National Identification Numbers (NINs). So far, NIMC has successfully registered over 71 million Nigerian residents and citizens, representing roughly 35% of the population.
Now Nigeria’s identity management office is rolling out the next phase of its ambitious digital ID programme, a virtual e-ID that anonymises the personally identifiable information used for KYC verification.
On the one hand, it’s a long-overdue milestone, and on the other hand, it is a confidence signal that the government is serious about digitally ID-ing Nigerians.
Why are digital IDs important?
Generally speaking, legal identification is important. People have the right to be recognised legally by their government for social protection, financial inclusion, and migration. Identification is how people prove that recognition. Theoretically, what digital IDs do is simply replace paper records with digitally stored and accessible ID databases.
Of course, today’s digital IDs do much more than simply recognise and authenticate identity claims. Some governments want them to serve as intermediaries between the population and access to basic services.
India’s Aadhaar number is a good example of a widely successful digital identity project. Aadhaar now covers 99% of Indian adults, a huge feat in itself, given the country’s huge population. According to K. Sudhir and Shyam Sunder, both faculty members at Yale, “Because of Aadhaar, many have gained access to public services they had long been entitled to. Banks and mobile phone companies have enrolled poor people who previously had been seen as too risky and cost-prohibitive to be viable customers.”
Subsidies and food aid, which used to be diverted through “ghost” recipients, now go to the people who need them, and rural-urban migrants are able to access an entire suite of services that would otherwise be challenging to access. In Malawi, fingerprinting for credit disbursement helped reduce loan default rates and supported repayment behaviour.
However, untokenised unique identifying numbers (UINs), like Nigeria’s NIN, can leave people vulnerable to privacy abuses since the individual has one identifying number which follows them across every database they interact with. For example, NIMC recommends that Nigerians not share their NIN, but the same NIN is one of the channels for verifying customer identity.
A digital token is that crucial additional layer that prevents personally identifiable information (PII) from being recorded while allowing a company to securely verify the user’s identity. My earlier example, India’s Aadhaar, is tokenised in a similar way as NIMC intends. What is more? India’s Reserve Bank has even asked all service providers to tokenise card and card-on-file storage, but that’s a story for another day. The point is, tokenisation is an important component of privacy protection.
Improving data privacy
In 2019, following the footsteps of Europe, Nigeria’s National Information Technology Development Agency (NITDA) issued the Nigerian Data Protection Regulation (NDPR). The NDPR was largely based on the European example, but some analysts argue that it is inadequate and lacks sufficient legal status, as it is not a law. That flaw, combined with the fact that a proposed data protection bill was abandoned by the federal government late last year, has allowed a legal grey zone for how data is handled in Nigeria.
For example, private companies might handle, store, or even sell personal data in ways that are not only unethical but legally grey. A NIN token prevents that from even happening instead of simply relying on the honor code illusion.
By tokenising the authentication process, NIMC is helping to prevent users’ personally identifiable information from being accessed and stored unethically by private companies.
Now NIMC has asked service providers to only verify NIN tokens, not the actual NINs. This KYC policy update means that startups, telcos, and the organisations that use NIN will need to update their onboarding processes and app interfaces to be able to verify NIN tokens. NIMC says using tokens to verify user identities will be cheaper for private companies’ KYC.
What happens now?
Users can create NIN tokens from NIMC’s mobile application or generate the tokens via USSD (*346*3*Your NIN*AgentCode#). Agent codes are like unique merchant numbers that identify the service provider requesting the verification. This means that tokens generated for merchant X can only be used for that merchant and remain valid for only 72 hours.
What does this mean for service providers?
In general terms, nothing much changes. Service providers can still use the Bank Verification Number (BVN) or any other KYC verification channel to authenticate users’ identities. The only big change applies to startups that require NIN for KYC. Such companies will have to apply as enterprises to get unique merchant keys with which they can verify virtual NINs or tokens. Or use KYC verification services to access NIMC’s API. NIMC also says using the service will be cheaper than using BVNs for KYC.
NIMC launched the NIN tokens in January, and while telcos and Nigeria’s National Pension Commission (PENCOM) have begun dry runs of the new process, Usman Abiola, Principal Product Manager at one of Nigeria’s KYC verification companies, says they were yet to try the product and expected to get access later in February. NIMC has issued over 70 million NINs despite debilitating trust issues and a generally poor service infrastructure. A lot of that success comes from the mandated linking of NINs to individual SIM cards. Tokenisation will protect people’s personal data, for sure, but that is only one part of the enormous work needed to fix data protection and enforcement in Nigeria.
If you enjoyed reading this article, please share it in your WhatsApp groups and Telegram channels.