Despite rising fraud concerns, Nigerian financial technology company OPay has continued to adopt lax registration processes that make its digital platform vulnerable to bad actors, checks by TechCabal have revealed.
Since it launched in 2018, OPay has become one of the biggest mobile money services in Nigeria and has pursued an elaborate marketing campaign to win over new customers, particularly unbanked people who do not have a bank account. To draw in unbanked customers, the company joined other fintechs and commercial banks to simplify the registration process for new users, including removing strict requirements for identity verification for the most basic bank account type with limited features.
However, in recent months, these lax standards have drawn criticism following rising concerns over financial fraud in the country. Now, checks by TechCabal show that OPay continues to allow new users to sign up to its platform without proper verification.
After submitting basic personal information to the Chinese-owned fintech app, new customers can verify their identity using a phone number, a National Identification Number (NIN), a bank account number or a bank verification number (BVN). Users must also submit a real-time facial verification to confirm their identity. OPay uses a tiered verification process — ranging from tier 1 to 4 — allowing users to access a larger suite of services once they submit a BVN or an NIN.
However, multiple tests show that OPay’s basic account verification process for tier 1 is weak, and the facial identity system is porous, which could allow bad actors to register for the service and begin carrying out transactions within 60 seconds. In one test, OPay allowed a user to sign up on the service using basic personal information, name and birthday, about a celebrity to register. While OPay requires users to submit either a bank account or phone number for verification, the app did not proceed to verify the details.
Although OPay claims to require facial recognition to complete the registration process, perhaps to match the record to the bank account, the app merely took a picture and approved the user. A man completed the facial recognition while the newly created account was female. OPay’s system did not flag this anomaly, even days after creating the account.
The checks show the weaknesses in OPay’s account management processes, which could make it a haven for bad actors looking to impersonate and defraud unsuspecting victims.
“Face verification is not solving for anything if it does not match the BVN details,” said a KYC expert who asked not to be named so they could speak freely. The expert suggested that OPay should collect a user’s BVN before verifying their face.
OPay did not immediately respond to TechCabal’s request for comments.
Under OPay’s basic account type, tier 1, users can deposit up to N300,000 in their mobile money wallets, and make transactions of up to N50,000. While these transaction limits are restricted, the ease of creating dozens of fraudulent OPay accounts raises concerns about security practices at the company.
In the first week of December, the Central Bank of Nigeria (CBN) warned against such a weak verification process. The banking regulator tasked all financial services to implement stricter know-your-customer (KYC) processes and disable bank accounts or mobile money wallets that have not been verified with a BVN or a NIN. Financial services are expected to comply before the deadline in April 2024.
*Additional reporting by Faith Omoniyi