Internet Banking in Nigeria: How Secure is your Data?
The adoption of internet banking (also referred to as electronic banking) by Nigerians in recent years can safely be attributed to the desire of Nigerian banks to offer world-class banking services. Most of the major banks in Nigeria offer their customers this alternative platform for conducting their banking operations. A notable researcher has observed that electronic banking increases the speed of transactions, which has created new competitors and services, changed banking operations and support functions, and expanded the reach of financial institutions. The truth is that although internet banking is attractive because of its speed and convenience, it is still not very popular among members of the public because of a dearth of supporting infrastructure.
One of the pertinent issues raised by internet banking is cybersecurity. A bank is obliged under its common law duty of confidentiality to ensure that the personal details of its customers are protected from third-party use without their consent. This seems to be an area where our banks are seriously erring, because customers regularly complain about receiving messages requesting confidential information such as PINs and ATM card numbers; sometimes the "banker" goes as far as threatening to close the individual's account unless a "registration" is completed. Customers even receive e-mails requesting their BVNs. These are issues customers are confronted with on a daily basis. Although the banks have been good enough to send out messages warning their customers about these scams, unsuspecting customers often end up losing a lot of money.
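The pattern described above (a message that asks for a PIN, card number or BVN, threatens account closure and tells the customer where to hand the secret over) is exactly what a bank's fraud team or an SMS/e-mail gateway filter looks for. The following Python rule-based scorer is an added example, not code from the original article or from any Nigerian bank; the indicator lists, weights, threshold and sample messages are constructed assumptions for illustration. It also handles the edge case the article mentions: a genuine warning from the bank ("we will never ask for your PIN") mentions the same secrets but must not be flagged.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Illustrative indicators (assumption: these lists are not any bank's real rules).
SECRET_TERM = re.compile(
    r"\b(pin|bvn|card\s*number|cvv|password|otp|atm\s*card)\b", re.I)
# A sentence that mentions a secret but is negated is a warning, not a request.
NEGATION = re.compile(r"\b(never|do not|don'?t|won'?t|will not)\b", re.I)
THREAT = re.compile(
    r"\b(clos(e|ed|ure)|block(ed)?|suspen(d|ded|sion)|deactivat(e|ed|ion)"
    r"|restrict(ed|ion)?)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|urgent(ly)?|within\s+\d+\s*(hours?|days?)|today|now)\b", re.I)
HANDOVER = re.compile(
    r"\b(reply|send|call|text|click|visit|update|verify|confirm)\b", re.I)
LINK = re.compile(
    r"(https?://\S+|\bwww\.\S+|\b[a-z0-9-]+\.(com|net|org|ng|info)\b)", re.I)

SUSPICIOUS_THRESHOLD = 4  # assumption: tuned so threat+urgency+verb alone is not enough


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def _requests_secret(text: str) -> bool:
    """True if any sentence asks for a secret without a negating phrase."""
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        if SECRET_TERM.search(sentence) and not NEGATION.search(sentence):
            return True
    return False


def score_message(text: str) -> Verdict:
    """Score one inbound message for credential-harvesting indicators."""
    v = Verdict()
    if _requests_secret(text):
        v.score += 3
        v.reasons.append("asks for a secret (PIN/BVN/card data)")
    if LINK.search(text):
        v.score += 2
        v.reasons.append("contains a link or domain")
    if THREAT.search(text):
        v.score += 1
        v.reasons.append("threatens closure/blocking/suspension")
    if URGENCY.search(text):
        v.score += 1
        v.reasons.append("applies time pressure")
    if HANDOVER.search(text):
        v.score += 1
        v.reasons.append("tells the recipient to reply/click/verify")
    return v


def triage(messages: List[str]) -> List[Verdict]:
    return [score_message(m) for m in messages]


# Constructed sample messages (not real bank traffic).
SAMPLES = [
    # 1: the scam the article describes
    "Dear customer, your account will be closed within 24 hours unless you "
    "update your BVN. Reply with your BVN and ATM card number now.",
    # 2: a genuine bank warning that mentions the same secrets
    "Security tip: XYZ Bank will never ask for your PIN, BVN or card number "
    "by SMS or email. Do not share them with anyone.",
    # 3: an ordinary transaction alert
    "Your transfer of NGN 5,000 to ACME was successful. Balance: NGN 12,340.",
    # 4: link-based phishing with no explicit secret request
    "Verify your account now at http://example.com/secure to avoid suspension.",
]

if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, triage(SAMPLES)):
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"[{flag:10}] score={verdict.score} {msg[:60]}...")
        for r in verdict.reasons:
            print("             -", r)
```

The negation check is the part worth copying: without it, the bank's own "never share your PIN" warnings score as highly as the scam, and a filter that blocks them would silence the only counter-message customers receive.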
What Legal Protection is Offered by Nigerian Banks?
The relevant laws on electronic banking are the Central Bank’s Directive on Electronic Banking, the Central Bank’s Directive on Card Issuance and Usage and the Cybercrimes Act 2015.
The Central Bank of Nigeria's (CBN) electronic banking guidelines were developed from the findings of a Technical Working Committee set up by the Central Bank in 2003 to prescribe rules for the effective operation of electronic banking in Nigeria. The report of the committee stated that "CBN will monitor the technological acquisitions of banks and all other related investments, which exceed 10% of free funds, to subject such to approval. Where banks use third parties or outsource technology, they are required to comply with the CBN guidelines." Section 1.3, paragraph 4 of the guidelines emphasises that banks should put in place procedures for maintaining the bank's website, including the various security features needed for internet banking services.
Despite their attempt to provide comprehensive protection for customers, the CBN guidelines have been criticised for not containing exhaustive provisions to safeguard customers from sophisticated cybercrime and internet fraud. Specifically, according to experts they fall short in four major areas, namely "changing the traditional lines upon which existing regulatory structures are laid; handling concerns about existing public policy issues; changing the nature and scope of existing risks; and rebalancing regulatory rules and industry discretion." More importantly, the guidelines did not include a very important recommendation of the Technical Working Committee, contained in paragraph 6.1 of its report, that all banks aiming to offer transactional services on the Internet or other e-banking services should obtain approval from the CBN before commencing those services.
If properly implemented, it is hoped that the Cybercrimes Act 2015 will fill the lacuna left by the CBN guidelines. Notably, section 37(1) of the Act provides that a financial institution "shall verify the identity of its customers carrying out electronic financial transactions by requiring the customers to present documents bearing their names, addresses and other relevant information before issuing ATM cards, credit cards, debit cards and other related electronic devices". Under section 37(2), an official or organisation who fails to obtain proper identification of customers before executing customer electronic instructions in whatever way commits an offence and is liable on conviction to a fine of N5,000,000. Instructively, section 8 provides that any person who, without authorisation, accesses any computer system or network for fraudulent purposes and also obtains data which is vital to national security is liable on conviction to imprisonment for a term of not more than 5 years or to a fine of not more than N5,000,000,000, or both; and that any unlawful system interference for fraudulent purposes, by deleting, transmitting, damaging or suppressing computer data so as to prevent the system from functioning, is punishable on conviction by a fine of N5,000,000 or imprisonment for a term of not more than 2 years, or both.
The CBN's Guidelines for Card Issuance and Usage place a heavier burden on banks to guarantee the security of cards. They state that "the issuer shall ensure full security of the payment card. The security of the payment card shall be the responsibility of the issuer and the losses incurred on account of breach of security or failure of the security mechanism shall be borne by the issuer, except the issuer establishes security breach on the part of the card holder. Issuers should ensure that the process of card issuance is completely separated from the process of PIN issuance, and done in accordance with best practices thus minimizing the risk of compromise." In practice this means the burden of proof sits with the issuer: unless the bank can show that the cardholder disclosed the PIN or card details, the loss from a compromised card falls on the bank.
In the United Kingdom and the US there are more sophisticated rules for regulating electronic banking and data protection. These are the EU Data Protection Directive (which the UK implements), the US Gramm-Leach-Bliley Act and regulations of the US Securities & Exchange Commission (SEC). Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Therefore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data subjects which are guaranteed by EU law. Furthermore, the EU's Data Protection Directive sets out specific rules for the transfer of personal data outside the EU. Notably, under the US Gramm-Leach-Bliley Act, financial institutions are required to explain their information-sharing practices to their customers and to safeguard sensitive data.
Conclusion
Banks and other financial institutions should pay more attention to their internal data protection mechanisms to prevent the unauthorised use of customers' data. More importantly, there needs to be a revision of the Central Bank directives on electronic banking, as they are somewhat outdated: there have been significant developments in electronic banking since they were initially developed. In carrying out this reform, the Bank's policy makers should consult the EU Directive on Data Protection and the US Gramm-Leach-Bliley Act.