Wednesday 2 May 2018

CBN limits Mobile Money transactions via USSD to N100,000 per day



The Central Bank of Nigeria, in a bid to reduce the incidence of fraud, has capped mobile money transactions via Unstructured Supplementary Service Data (USSD) at N100,000 ($278) per day.

This announcement was made via a directive from the apex bank dated 17th April 2018. The directive was titled “Regulatory Framework For The Use Of Unstructured Supplementary Service Data (USSD) For Financial Services In Nigeria.”

The USSD technology is a protocol used by the GSM network to communicate with a service provider’s platform. It is a session-based, real-time messaging technology accessed through a string that normally starts with an asterisk (*) and ends with a hash (#). It is implemented as an interactive menu-driven service or a command service. It has a shorter turnaround time than SMS and, unlike SMS, does not operate by store and forward, which means that data are stored neither on the mobile phone nor on the application. USSD technology is considered cost-effective, more user-friendly, faster in concluding transactions, and handset-agnostic.

According to the bank, “providers of mobile telephony-based financial transactions are increasingly adopting the USSD technology while the range of services supported by their mobile transaction services, using the USSD channel, is broadening rapidly.”

The bank states the objective of the framework thus: “The vast applications of the USSD technology, in terms of available services have raised the issue of the risks inherent in the channel. In this regard, concerns have been expressed on the likely exposure of CBN approved entities to the possible breaching of the USSD accessed financial services in view of likely vulnerabilities in the technology and the ever growing threats.”

“Furthermore, the implementation in Nigeria has created multiple USSD channels to customers, thereby increasing their exposure to risk, without a common standard for all. This Framework therefore, seeks to establish the rules and risk mitigation considerations when implementing USSD for financial services offering in Nigeria.”

The bank set a limit of N100,000 for USSD transactions but also stated that customers desirous of higher limits shall execute documented indemnities with their banks or MMOs.

It also mandated the use of an effective 2nd factor authentication (2FA) by customers for all transactions above N20,000. This shall be in addition to the PIN being used as 1st level authenticator, which applies to all transaction amounts.

CBN also stated that financial institutions providing use of the USSD channel shall:

  • put in place, a proper message authentication mechanism to validate that requests/responses are generated through authenticated users. Such authentication mechanism shall include a minimum combination of any of International Mobile Subscriber Identity (IMSI), Date of SIM Swaps, Date of Mobile Station International Subscriber Directory Number (MSISDN) Recycle, International Mobile Equipment Identity (IMEI), Date of device change, etc.;
  • ensure that the customer receives notification on the status of every transaction conducted through the channel;
  • not use the USSD service to relay details of other electronic banking channels (in case of banks), to their customers, to prevent compromise of other electronic banking channels through the USSD channel;
  • ensure that customer information that is logged by the USSD application as part of financial transactions should not include sensitive information such as customer PIN. Data stored by the USSD application at Financial Institutions shall be encrypted and the NCC shall define a minimum security standard for MNOs and aggregators, as may be required;
  • avail the customers the option to opt in/out of the USSD channel for financial transactions;
  • install a Behavioural Monitoring system with capability to detect SIM-Swap/Churn status, user location, unusual transactions at weekends, etc. This shall be achieved by 31st October 2018.

The directive takes effect from 1st of June 2018.
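The transaction rules above (PIN on every amount, 2FA above N20,000, the N100,000 daily cap, IMSI and SIM-swap checks, no PIN in logs) can be expressed as a single authorisation check. The sketch below is an added example, not code from the CBN framework or any bank; the 7-day SIM-swap window, the cumulative reading of the daily cap, and all names and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DAILY_LIMIT = 100_000        # naira per day (from the framework)
STEP_UP_ABOVE = 20_000       # 2FA required above this amount (from the framework)
SIM_SWAP_COOL_OFF = timedelta(days=7)  # ASSUMPTION: the page gives no window

@dataclass
class Customer:
    msisdn: str
    enrolled_imsi: str                     # IMSI recorded at enrolment
    spent_today: int = 0                   # ASSUMPTION: cap is cumulative per day
    indemnity_limit: Optional[int] = None  # higher limit after documented indemnity

@dataclass
class Request:
    amount: int
    session_imsi: str              # IMSI reported for this USSD session
    last_sim_swap: Optional[date]  # date of last SIM swap, if any
    pin_ok: bool                   # result of the PIN check; the PIN itself is never held
    second_factor_ok: bool = False

def authorize(c: Customer, r: Request, today: date) -> str:
    """Return "ok" or the reason the transaction is refused."""
    if r.amount <= 0:
        return "invalid_amount"
    if not r.pin_ok:                                  # PIN applies to all amounts
        return "pin_failed"
    if r.session_imsi != c.enrolled_imsi:             # SIM differs from enrolment
        return "imsi_mismatch"
    if r.last_sim_swap and today - r.last_sim_swap < SIM_SWAP_COOL_OFF:
        return "recent_sim_swap"
    if r.amount > STEP_UP_ABOVE and not r.second_factor_ok:
        return "second_factor_required"
    if c.spent_today + r.amount > (c.indemnity_limit or DAILY_LIMIT):
        return "daily_limit_exceeded"
    c.spent_today += r.amount                         # count only approved amounts
    return "ok"

def audit_entry(c: Customer, r: Request, outcome: str) -> dict:
    """Log record for the transaction: no PIN or second-factor value is included."""
    return {"msisdn": "*" * 9 + c.msisdn[-4:], "amount": r.amount, "outcome": outcome}

if __name__ == "__main__":
    today = date(2018, 6, 1)
    cust = Customer("2348000000000", "621000000000001")   # constructed sample values
    for amt, otp in [(15_000, False), (25_000, False), (25_000, True), (70_000, True)]:
        req = Request(amt, cust.enrolled_imsi, None, pin_ok=True, second_factor_ok=otp)
        print(audit_entry(cust, req, authorize(cust, req, today)))
```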

