Introduction
Digital payments have continued to experience exponential growth and acceptance in Nigeria, driven in particular by Financial Technology (FinTech) companies. The Central Bank of Nigeria (CBN) has also issued regulatory policies promoting the adoption of cashless transactions consummated through mobile banking and internet banking channels, unstructured supplementary service data (USSD), payment gateways, etc. The growth of digital payments has consequently led to an increase in electronic and digital fraud, which could negatively impact the integrity of the Nigerian digital payment system in the absence of effective regulatory direction to financial institutions on preventing, detecting and mitigating fraud. As part of the measures to preserve the integrity of the financial system, the CBN requires financial institutions to conduct proper Know Your Customer (KYC) due diligence on customers, report suspicious transactions, place restrictions on suspicious bank accounts, etc.
The adoption of digital payments in Nigeria has also led to an increase in Authorised Push Payment (APP) fraud, leading to direct financial losses for individuals and institutions and thereby reducing public trust in the financial system. To tackle electronic fraud, the CBN has taken a step further with the issuance of the Draft Guidelines for Handling Authorised Push Payment Fraud (hereinafter “the Guidelines”) for the prevention, detection, reporting and resolution of APP fraud facilitated on any digital payment system in Nigeria, and for safeguarding the integrity of the payment system.
This article discusses the key provisions of the Guidelines on reporting, investigating and resolving APP fraud cases, the obligations of financial institutions, and APP fraud governance.
Understanding APP Fraud
APP fraud occurs when a customer is manipulated, persuaded or misled into voluntarily initiating a payment to a third party’s account, either by a fraudster impersonating a legitimate individual or entity, or by a party that exploits the customer’s trust and then wilfully refuses to fulfil an obligation.
In particular, the Guidelines state that APP fraud includes, but is not limited to, the following:
- Inducement, coercion or misleading of a user/customer into authorising a payment via WhatsApp, SMS, email and any other communication channel to a third-party’s account or wallet.
- Facilitation, negligence or non-compliance by financial institutions, such as failure to act on red flags, weak KYC or fraud controls, staff collusion, delayed resolution, and use of accounts for fraudulent purposes.
Resolution of APP Fraud with Financial Institutions
APP fraud investigations are to be initiated through a report by the customer within a total allowable timeframe of seventy-two (72) hours of the occurrence of the fraud. The exception is where there is a reasonable justification arising from circumstances beyond the customer’s control (such as illness, force majeure events, or the time at which the customer became aware of the fraud) which made the customer unable to report within the allowable timeframe. Financial institutions are to establish clear reporting channels to enable affected customers to initiate reports for investigation and resolution.
Upon a financial institution receiving a report from a customer, investigation into the alleged APP fraud must be initiated immediately, and an acknowledgement together with a case reference number must be communicated to the customer within 24 hours of the report. APP fraud cases are required to be fully investigated and concluded by banks and Other Financial Institutions (OFIs) within 14 working days, and a clear decision (whether reimbursement is approved or denied) communicated to the affected customer.
Reimbursement must be made to eligible customers within forty-eight (48) hours of the completion of investigations. Exchange of information between two or more financial institutions for the investigation and resolution of an APP fraud report must comply with the data protection obligations provided by the Nigeria Data Protection Act, 2023, failing which the financial institutions may be exposed to a data privacy breach lawsuit. Read our previous article on Enforcing Your Rights to Data Privacy and Protection in Nigeria.
Obligations of Financial Institutions in Preventing APP Fraud
Banks and OFIs are required to put in place measures for the prevention, timely detection and mitigation of APP fraud. These obligations include the following:
- Implement an Early Warning System (EWS) for the timely detection and mitigation of APP fraud, incorporating the red flagging of accounts suspected of fraudulent activity.
- Flagged accounts must be subject to enhanced monitoring and/or restriction pending a full investigation.
- Financial institutions must have a unit responsible for fraud data analytics.
- Establish a framework for the EWS and Red Flagging of Accounts (RFA) for APP fraud. The effectiveness of financial institutions’ EWS must be tested half-yearly.
- Conduct quarterly APP fraud awareness campaigns and ensure that customers are aware of available fraud reporting channels.
Mandatory APP Fraud Governance
Financial institutions must have an APP Fraud Policy formulated and implemented by their Boards, which have responsibility for the governance of APP fraud risk management. The APP Fraud Policy must set out the actions defined as APP fraud, recovery procedures, reimbursement, confidentiality, reporting procedures, etc. The policy is to be reviewed at least once every two years.
Conclusion
Digital payment systems have revolutionised payments in the Nigerian financial sector, which has seen the CBN issue regulatory policies over the years. However, digital payments have been faced with the challenge of electronic fraud, including APP fraud, which the Guidelines are issued to address.
Financial institutions are therefore mandated to ensure the prevention, detection and mitigation of APP fraud so as to preserve the integrity of the payment system. Reports on the occurrence of APP fraud are to be made by customers within a total allowable time of 72 hours and must be resolved within 14 working days by the investigating financial institutions. Exchange of information between two or more financial institutions for the purposes of investigating and resolving APP fraud must comply with the data privacy and protection obligations imposed by the Nigeria Data Protection Act, 2023.
Financial institutions must also have an APP Fraud Policy, the governance of which is a responsibility of the board of the financial institution. They must also put in place Early Warning Systems and organise awareness campaigns for customers. Failure to comply with the Guidelines attracts sanctions and penalties.