A consideration of CBN’S guidelines on contactless payments
CONTACTLESS Payments (“CPS”), aptly described as payments which involve the consummation of financial transactions without physical contact between the payer and the acquiring devices, have been gaining momentum and widespread adoption in recent times. First introduced in the 1990s, CPS recorded a significant boost in adoption following the Covid 19 Pandemic in 2020. Today, CPS are the preferred choice of payment in many countries, with the CPS market set to reach a global value of USD 164.15 billion by 2030.
In September 2022, Interswitch, in partnership with Providusbank, Mastercard and Thales Group, announced the introduction of a new Tap-to-pay service in Nigeria. This CPS service allows cardholders to make fast, secure, and convenient in-store payments by tapping their Near Field Communication-enabled smart device at any contactless-enabled payment terminal. In addition, Now-now, another Nigerian Company that offers Tap-and-pay services, recently raised USD 13 Million in seed and is expected to increase the adoption of CPS in Nigeria. Similarly, Squad and Kuda have introduced softpos solutions, which are expected to drive the adoption of CPS further. In summary, it appears the private sector is gearing up to participate in the CPS space.
However, there are risks/security concerns inherent in the use and adoption of CPS. Some of the major risks include CPS fraud, hacking of CPS networks, data privacy concerns for customers and implication of absence of authorization. For instance, in 2020, £16 million was lost to CPS fraud in the UK. However, it must be stressed that the referenced CPS fraud accounts for only 2.9% of overall card fraud losses, while 55% of all card transactions were CPS transactions. This strongly suggests that, where adequate standards are adhered to and best practices kept, CPS are not only smoother for participants, but also significantly safer across board.
It is therefore unsurprising that the Central Bank of Nigeria (“CBN”), in anticipation of the use/adoption of CPS in Nigeria, has introduced the Draft Guidelines to implement minimum standards and requirements for the operation of CPS in Nigeria as well as specify the roles and responsibilities of stakeholders.
In this article, we review the Draft Guidelines and consider how it impacts the financial services market in Nigeria.
Stakeholders in CPS Transactions
The Draft Guidelines identified 11 Stakeholders in CPS transactions. The Stakeholders and a brief description of their respective roles are as follows: Acquirer; Issuer; Payment schemes; Card schemes; Switching Companies; Payment Terminal Service Provider; Payment Terminal Service Aggregator; Merchants; Terminal Owners; Customers; and any other stakeholder/participant as
designated by the CBN. Highlight of the draft guidelines
The Draft Guidelines set out the framework for CPS transactions in Nigeria. In addition to prescribing minimum standards to be met by participants, the Draft Guidelines specify the individual role and responsibility of each participant as well as conditions for participation. Some of the significant provisions of the draft guidelines are examined below.
i. Restrictions on contactless payment
The Draft Guidelines impose transaction limits for CPS transactions, and stakeholders may set a limit on par with or below the limit set by the CBN. CPS transactions below the transaction limits may not require customers’ verification but CPS above the transaction limit (described as “Higher-value CPS payments”) shall require customer verification. The obligation to ensure adherence to transaction limits is imposed on the Acquirer and the Issuer. It is interesting to note that the Draft Guidelines seem to also impose this obligation on merchants.
The transaction limits in the Draft Guidelines do not envision/encompass transaction frequency, creating a risk. This omission can, for example, be contrasted with the framework in the UK where there is an individual transaction limit, cumulative transaction limit, and consecutive transaction limit. The absence of a cumulative transaction limit creates a risk whereby CP frauds can be long-drawn by simply adhering to the daily/ individual limits. In addition, it is unclear why Acquirers and Merchants are obliged to respect transaction limits.
ii. Preconditions for participation
The Draft Guidelines impose various preconditions to participation. For instance, only Cbnlicensed institutions can serve as Acquirers and Issuers. Participants are required to comply with the standards subsequently discussed in this article as well as obtain and maintain the required certifications.
In any case, the contactless payments image, symbol, tactile, graphics and/or the words “contactless payments” (in Braille) shall be displayed on contactless payment instruments, contactless payment devices and locations where contactless payments are accepted. In addition, CPS cannot be activated by default, customers shall have the option to opt-in to CPS and they also have the right to withdraw from the CPS Agreement without prior notice to the issuer.
iii. Standards for participation
All Stakeholders who process and/or store customers’ information are mandated to ensure that their terminals, applications and processing systems comply with the following standards, at the minimum:
•PA DSS – Payment Application Data Security Standard;
•PCI PED – Payment Card Industry Pin Entry Device;
•PCI DSS - Payment Card Industry Data Security Standard;
•Triple DES – Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party. The triple DES algorithm is the minimum standard;
•AES – Advanced Encryption Standards;
•EMV – The deployed infrastructure must comply with the EMV requirements for contactless acceptance;
•ISO 27001 – information security management system;
•Standards specified by the various payment schemes; and
•Other standards as may be specified by CBN from time to time.
Said participants are required to maintain valid certification to these standards, ensure they remain compliant with the standards at all times and execute contactless payments agreements/ contracts with parties. Note that participants are required to obtain CBN’S approval for CPS products and for innovative use cases and value-added services. iv. CPS transaction processing
Participants are required to enter CPS agreements which clearly spell out the terms and conditions of the transaction and comply with minimum requirements set by the CBN. Prior to consummating a CPS transaction, the transaction value and associated charges must be communicated to the customer.
CPS devices are required to be issuer/brand agnostic and neutral to the type of card or payment instrument used. All domestic contactless payments shall be switched through a Nigerian switch, all contactless devices must be connected to an account or wallet that has Bank Verification Number (“BVN”), and only accounts/wallets with BVN can be activated for CPS in Nigeria. Note that all CPS transactions are required to be processed online or/and submitted via current processing specifications.
With respect to dispute resolution, PTSPS are required to onboard adequate support infrastructures that ensure 24/7 support coverages and prevent instrument clashes when multiple contactless payments are present, while all participants are required to work in conjunction to ensure the resolution of disputed transactions within the timeline specified by the CBN dispute resolution framework. With respect to financial crimes, Acquirers and Issuers are required to undertake measures to prevent the use of their network for purposes associated with money laundering and other financial crimes, conduct KYC on all customers and carry out periodic risk assessments of their processes and have effective measures to mitigate ML/ TF/PF risks associated with CP. Similarly, all other participants except Customers and Merchants are required to implement a documented risk management process to identify and treat risks associated with contactless payments, while Customers and Merchants are required to exercise due diligence in carrying out CPS transactions.
In any case, Acquirers, Issuers, and Merchants will be held liable for fraudulent transactions on CPS arising from their negligence and/or connivance. Stakeholders are also required to render monthly returns on CPS transactions (including value, fraud, data, and failed transactions) to the CBN in a format to be prescribed by CBN.
CPS are the preferred choice of payment in many countries, with the CPS market set to reach a global value of USD 164.15 billion by 2030
“Thoughts and Conclusions”
We note that the Draft Guidelines are quite clear in setting standards and introducing a framework for the operation of CPS in Nigeria. We also applaud the transaction limits specified by the CBN, particularly in light of the economic realities of the majority of Nigerians.
However, we have concerns regarding the absence of a transaction limit based on the number of consecutive CPS transactions. We also note that the Draft Guidelines were published on October 17 2022, and had set November 5 2022 as the deadline for sharing comments on the Guidelines with CBN.
We consider this timeline quite short and suggest that a more expansive timeline be given for subsequent drafts that are released by the CBN.
AELEX Notes is a dedicated column, managed by AELEX Legal Practitioners and Arbitrators, featuring legal developments and insights.