New obligations are in the pipeline for all Nigerian financial institutions that process instant payments instigated through an app on a customer’s phone or other device. Rules issued by the country’s central bank will add friction to the services provided by banks and payment providers but they can also be justified as simple ways to hamper crime. One of the most eye-catching new requirements gives customers the right to switch off the ability to make instant payments from their own account.
Customers shall have the option to opt-out of / opt-in to IP [instant payment] service at any time and for any given period. This process shall be subject to Multi-Factor Authentication (MFA) control. Default setting shall be Opt-in upon on-boarding a new customer.
In the opt-out mode, a customer shall not be able to carry out online instant transfer of funds (intra or inter) from his/her account to another customer. However, customer can physically visit the financial institution to effect transfer during this period.
Customers will only be able to run a bank’s app from a single device. The authorities refer to this as ‘mandatory device binding’.
Mandatory device binding: Mobile financial services applications (apps) shall only be enabled on one device at a time, and customers cannot operate the apps concurrently on multiple devices.
Switching phones will mean the customer will need to re-authenticate themselves to continue using the same app on a different device. Existing customers will only be able to withdraw NGN20,000 (USD15) from their account during the 24 hours that follow the activation of their app on a device. Customers who are also new to the bank will be limited to NGN20,000 for the combined value of receipts and withdrawals through their app during the first 24 hours. Banks will be free to impose lower limits if they choose.
Liveness checks will be required for accounts that are opened online. ‘Additional’ multi-factor authentication will be needed the first time that a user logs on to their service through a new device, though what this means in practice is not explained in the rules as stated. The opening or reactivation of an online account will require a real-time check of the customer’s Bank Verification Number (BVN) and National Identification Number (NIN), a pair of ID numbers that Nigerians have needed to start linking to their bank account since 2024.
These rules will come into effect on July 1. They are stated in a circular issued by the Central Bank of Nigeria which can be found here.
In parallel, the central bank has tightened related rules surrounding the access and use of the BVN. This includes the introduction of a watchlist for BVNs linked to suspected fraud, a minimum age of 18 years for Nigerians to obtain a BVN, and changes to the phone number associated with a BVN being allowed only once. Those new requirements are mandatory from May 1 and can be read here.
