New guidelines from the Central Bank of Nigeria (CBN) place the burden of fraud on banks. This may stall contactless payment implementation by banks.
On June 30, 2023, the Central Bank of Nigeria (CBN) introduced new guidelines for the operations of contactless payments in the country. Per the new rules, such transactions will be limited to ₦15,000 for a single payment or ₦50,000 daily. However, Several banks who spoke to TechCabal said they are unsure of how to implement the guidelines. “Yes, we are aware of the guidelines but we are yet to get direction on the implementation process,” an Access Bank personnel told TechCabal. A Fidelity Bank source said the bank is working on an in-house implementation plan.
According to the CBN guidelines, users can tap or wave their devices—including smartphones and cards—that are enabled with contactless technology to make payments without inputting a PIN to confirm the transaction. Contactless payments are powered by radio frequency identification (RFID) or near-field communication (NFC) technology which allows enabled devices to initiate and authorise payment transactions without additional confirmation from the user.
But the primary problem with the use of contactless payments is the risk of fraud arising from the absence of authorization, meaning a serious cause of concern for banks and financial institutions involved. This YouTube video tells how scammers used contactless payment to steal from a Denver woman’s bank account.
However, the CBN is betting that its decision to cap the transaction amount on contactless payments will mitigate fraud risks. Why? It works. According to the data analytics company FICO, “data from UK Finance revealed that in 2020 there was a total of £574 million lost through card fraud. However, only £16 million of this figure represented contactless payment fraud.
A MasterCard staff who declined to be named because they were not authorised to speak to the media explained that the use case for contactless payments was tied to the need to collect small payments en masse at tolls and queues quickly. Even though the central bank stipulates an upper limit of N15,000, card issuers can offer lower-limit contactless cards depending on their risk appetite.
The big worry for banks is how to handle fraud
The guidelines also place the burden of fraud on acquirers (the bank of the payment recipient), issuers (the bank of the customers), and merchants (the business) who offer contactless payment channels. Placing the burden of managing fraud on merchants and banks would make it difficult for banks to seek to implement the new provisions, said Adedeji Olowe, founder of Lendrsqr, a software firm that enables digital lending businesses. “Abroad, where there are consequences for bad behaviour if your card was stolen and used for contactless, the bank covers the fraud. We both know nobody dares do that in Nigeria,” he commented.
While it remains to be seen how the banks will handle contactless payment implementation, they represent a new hurdle for their security architecture, especially in light of the recent reports of hacks targeted at traditional Nigerian banks and even fintechs. In 2019, Nigerian financial institutions spent a reported N200 billion on cybersecurity. Securing contactless payments is going to increase that budget. At the Digital PayExpo hosted by the Nigeria Deposit Insurance Corporation (NDIC) and the CBN in June 2023, Chinwe Uzoho, Regional Managing Director, West & Central Africa, of Network International, pointed out that it costs a lot to secure contact payment systems. “You have to choose between fraud and secure payments,” she said,
In June, Globus Bank reportedly lost N1.7 billion to hackers. TechCabal also reported how Glade, a Techstars-backed fintech, suffered an internal breach that cost over $200,000. Considering that some of Nigeria’s worst cyberattacks are underreported, chances are more hacks have possibly happened in recent times without public knowledge. So one thing is clear: for these guidelines to work, banks must brace up their security architecture as cybersecurity becomes more problematic in Nigeria.
