CBN REGULATORY FRAMEWORK FOR UNSTRUCTURED SUPPLEMENTARY SERVICE DATA (USSD)
In recent times, money transfers from one bank account to another, as well as several other bank transactions, have become seamless, especially with the inclusive and convenient offerings of internet banking. And just when bank customers thought banking couldn’t get easier, Unstructured Supplementary Service Data (USSD) was introduced. One interesting aspect of this technological revolution is that, unlike the previous mode of transfer, it does not require you to have a token or generate a one-time password (OTP) code; you do not even require an internet connection to perform transactions using USSD. This has made banking services available across all GSM networks, on any type of handset or device, whether high-tech phones or simple feature phones. Now, by simply sending a USSD code from the registered phone number linked to their bank account, a customer can transfer money from one account to another, either inter-bank or intra-bank; buy airtime; check an account balance; and lots more. There is hardly a major commercial bank in the country now that does not have such a USSD code. Even though there is no denying the fact that carrying out banking transactions via USSD code has its own risks, this practice has been going on unchecked and unmonitored for some time now.
Thankfully, the Central Bank of Nigeria (CBN), in furtherance of its mandate for the development of the electronic payments system in Nigeria, has come up with a regulatory framework for the use of Unstructured Supplementary Service Data (USSD) for the Nigerian Financial System. This was made known in a statement issued by the Director of the Banking & Payments System Department, Mr. ’Dipo Fatokun, on 7th of September, and the CBN has released an exposure draft of the proposed framework. The CBN is now calling for review and comment on the content of the proposed regulatory framework from all Deposit Money Banks, Mobile Money Operators, Payment Solution Service Providers and other Service Providers on or before 21st Sept, 2017.
CONTENT OF THE PROPOSED REGULATORY FRAMEWORK
The Framework admits that “The mobile phone has become a veritable tool for enhancing financial inclusion with the advent of mobile payments, m-commerce, m-banking and other implementation for financial transactions based on mobile telephony.”
It also notes that “The providers of mobile-based financial services have options of adopting varying technologies for enabling access and transmitting data and that recently, providers of mobile telephony-based transactions are increasingly adopting the USSD technology while the range of services supported by their mobile transaction services using the USSD channel broadening rapidly.”
The USSD, sometimes referred to as “Quick Codes” or “Feature codes”, is explained in the Framework as “a protocol used by the GSM network to communicate with a service provider’s platform. It is a session based, real time messaging communication technology which is accessed through a string which starts normally with asterisk (*) and ends with a hash (#). It is implemented as interactive menu driven service or command service. It has a shorter turnaround time than SMS, and unlike SMS, it does not operate by store and forward which indicates that data are neither stored on the mobile phone or on the application. USSD technology is considered cost effective, more user-friendly, faster in concluding transactions, and handset agnostic.”
Although there are numerous advantages to using USSD, there are also inherent risks. In this regard, the CBN, being concerned about the likely exposure of its approved entities to vulnerabilities in the technology and to ever-growing threats, has issued this framework to reduce the risks inherent in transactions through the USSD platform.
The objective of the Framework is therefore “to establish the rules and risk mitigation considerations when implementing USSD for financial services offering in Nigeria.”
The proposed framework seeks to restrict the participants eligible to carry out USSD transactions in Nigeria to Banks, Payment Service Providers, Mobile Money Operators, Mobile Network Operators and Customers.
- Eligibility for Unique Short Code
According to the framework by the CBN, those eligible for unique short codes from the NCC are Mobile Money Operators upon meeting the necessary requirements of the NCC for the issuance of same. For those other than Mobile Money Operators, a letter of comfort from the CBN would be required before being considered for issuance of the short codes by the NCC.
- Vulnerabilities and Mitigation
According to the proposed framework, USSD-based financial transactions will now require end-to-end encryption to protect the integrity of the financial information. Consequently, all providers of USSD-based financial services shall: put in place a proper message authentication mechanism to validate that requests/responses are generated through authenticated users; use secure USSD communication channels with a strong encryption mechanism; not use the USSD service to relay details of other electronic banking channels (in the case of banks) to their customers, to prevent compromise of other electronic banking channels through the USSD channel; implement masked PIN entry; ensure encryption at the USSD Gateway by implementing a Hardware Security Module (HSM), with each financial institution’s key securely loaded through an auditable process; and implement end-to-end encryption by ensuring that there is, at least, radio encryption between users’ phones and base stations, using a secure VPN layered with SSL or TLS to ensure secure transmission of USSD signals.
- Dispute Resolution
Where there is a complaint arising from the use of a financial institution’s USSD-based financial services, such financial institution shall be responsible for setting up a dispute resolution mechanism to facilitate resolution of customers’ complaints. Further, the financial institution shall treat and resolve any customer-related issues within 48 hours, failing which the financial institution shall be subject to a penalty, as may be prescribed by the CBN from time to time.
Where any financial institution fails to comply with the proposed Framework when it comes into force, the CBN shall impose appropriate sanctions.
Kindly make your contributions to this proposed Framework. Also, tell us what you feel about it.