CENTRAL BANK OF NIGERIA Central Business District P.M.B. 0187, Garki, Abuja.

+234 - 0946238445 BANKING AND PAYMENTS SYSTEM DEPARTMENT February 13, 2014 BPS/DIR/GEN/CIR/01/001 To: All Deposit Money Banks, Mobile Money Operators, Switches and Payment Service Providers EXPOSURE DRAFT ON GUIDELINES FOR CARD ISSUANCE AND USAGE IN NIGERIA The Central Bank of Nigeria (CBN), in furtherance of its mandate for the development of electronic payments system in Nigeria hereby releases the Exposure Draft on the Guidelines for Card Issuance and Usage in Nigeria for your review and comments.

Kindly forward your inputs on or before February 27, 2014 to the Director, Banking & Payments System Department, Central Bank of Nigeria, Abuja and pspo@cbn.gov.ng.

Thank you for usual cooperation.

'Dipo Fatokun Director, Banking & Payments System Department

central bank of nigeria Guidelines for Card Issuance and Usage in Nigeria

Guidelines For Card Issuance And Usage In Nigeria

A. Preamble

In exercise of the powers conferred on the Bank by Section 47 (3) of the Central Bank of Nigeria Act 2007 (as amended), to issue guidelines for the maintenance of adequate and reasonable financial services for the public and to ensure high standards of conduct and management throughout the banking system; and pursuant to its inherent powers, the Central Bank of Nigeria (CBN) hereby issues the following Guidelines for the Regulation of Card Issuance and Usage in Nigeria.

B. Objectives

l.

II.

III.

IV.

v.

These guidelines have been developed to provide minimum standards and requirements for the issuance and usage of payment cards in Nigeria It will enable issuing banks, financial institutions, processors and cards schemes upgrade and maintain their card operations to ensure optimum security, efficiency, cost effectiveness and customer friendliness Serve as a tool for banks and other financial institutions to assess their card issuance portfolio Ensure that consumers that carry Nigerian issued cards operate within acceptable standards Encourage the use of Nigerian issued cards locally and internationally

C. Scope

l.

To all licensed banks and other financial institutions that participate in the issuance and processing of debit, credit, stored value/prepaid, virtual cards, either directly or through their subsidiaries, affiliated companies or third party associated companies.

SECTIONS/TABLE OF CONTENTS
1.0	Preambles	2
2.0	Minimum Standards	4
3.0	General Requirements	4
4.0	Roles and Responsibilities of Card Issuers	6
4.1 General	6
4.2 Transaction Processing	7
4.3 Settlement	8
4.4 Fraud and Risk Management	8
5.0	Specific Requirements for Stored Value Cards (Individual and Corporate)	9
6.0	Specific Requirements for Prepaid Cards (Individual and Corporate)	10
7.0	Specific Requirements for Debit Cards	10
8.0	Specific Requirements for Credit Cards	10
9.0	Dispute Resolution	11
9.1 Domestic Transactions	11
9.2 International Transactions	11
10.0	Submission of Statutory Returns	11
11.0	Annual Reporting	12
12.0	Powers of the CBN over Card Issuers and their agents	12
13.0	Remedial Measures	12
14.0	Sanctions	12
15.0	Amendment to the Guidelines	12
16.0	Previously released Guidelines	13
17.0	Definition of Terms	14

2.0 Minimum Standards

All industry stakeholders who process, transmit and/or store cardholder information shall ensure that their terminals, applications and processing infrastructure comply with the minimum requirements of the following Standards and Best Practices. In addition, all terminals, applications and processing infrastructure, should also comply with the standards specified by the various card schemes. Each vendor must provide valid certificates showing compliance with these standards, and must regularly review status of all its terminals to ensure they are still compliant, as standards change.

There will be a continuous review and recertification of compliance with these and other global industry standards from time to time.

2.1 2.2 2.3 2.4 PA DSS -Payment Application Data Security Standard.

PCI PED - Payment Card Industry Pin Entry Device.

PCI DSS - Payment Card Industry Data Security Standard ( Triple DES - Data Encryption Standards should be the benchmark for all data transmitted and authenticated between each party. The triple DES algorithm is the minimum standard.

EMV - The deployed infrastructure must comply with the minimum EMV requirements.

2.5 3.0 General Requirements 3.1 Only banks licensed by the CBN with clearing capacity shall issue payment cards to consumers and corporations in Nigeria. Banks without clearing capacity can issue in conjunction with those with clearing capacity.

3.2 All banks shall seek approval from the CBN for each card brand and type they wish to issue.

3.3 The payment cards to be issued can be a "pay now" such as debit and prepaid or a "pay later" such as credit. These can be operated in different forms, including but not limited to: plastic cards; virtual card numbers (VCN).

3.4 The usage channels, limits and frequencies shall be defined by the issuing banks.

3.5 The cardholder shall, in agreement with the issuing bank, have the flexibility to customize the usage limits, select transaction channels and other customizable features to suit their personal risk preferences.

3.6 All payment cards transactions shall be subject to current Nigerian Financial Intelligence Unit (NFIU) reporting requirements.

4 | Page

3.7 A payment card holder or his/her estate shall, upon request, be entitled to receive a cash refund of the outstanding balance in the card account from the issuing bank or institution.

3.8 All payment cards shall be EMV-compliant (i.e. Chip and PIN enabled). The use of magnetic stripe cards is prohibited.

3.9 Cards may be issued in Nigerian Naira or in any other convertible currency.

3.10 The international usage limits and frequencies for Naira denominated cards shall be defined by each participating bank. However these limits shall not exceed the total combined amount of Foreign Currency that each individual can access via BTA and PTA per annum - which is currently $150,000 per annum 3.11 All card issuers shall render monthly returns to the CBN on the volume of transactions and gross amount of transactions done internationally using their cards, for inclusion in the national statistics on payments.

3.12 The issuer, its agent and card association must maintain an AML/CFT program, reasonably designed within the context of laws and regulations, to prevent the Card Association system from being used to facilitate money laundering or the financing of terrorist activities.

3.13 An issuer should have risk-management framework in place that enables it to identify, measure, monitor, and manage the range of risks that arise in or are borne by its operations.

3.14 In the application of customer fees for services rendered, Issuers shall be guided in their operations by the CBN Guide to Bank Charges.

3.15 lssuers are expected to continuously educate cardholders on the following, amongst other things: I.

Security tips for safeguarding cardholder information II.

Costs and charges associated with owning and using a payment card 3.16 lssuers shall not levy any charge that was not explicitly indicated to the cardholder.

3.17 Unsolicited cards should not be issued. Where, an unsolicited card is issued and activated without the written consent of the recipient and the latter is billed for the same, or fraudulent activity occurs, the card issuer shall not only reverse the charges forthwith, but also pay a penalty, without objection to the recipient, amounting to twice the value of the charges reversed.

5 | Page

3.18 The written consent of a customer shall be required before issuing a payment card or other products offered along with the card. Information to the customer has to be explicit and not implied.

3.19 Card issuers shall continue to furnish cardholders with details of the contractual terms and conditions, prior to activation. Such terms shall include at a minimum: I.

Fees and charges; II.

Withdrawal limits; III.

Billing cycles; IV.

Termination procedures; and V.

Consequences of Default/theft/misuse of cards 3.20 No card issuer or its agent shall deliver any card to a customer in a fully-activated state.

3.21 A card issuer shall keep internal records over a sufficient period of time, in line with existing CBN guidelines, to enable easy tracking of card-related transactions.

3.22 The issuer shall ensure full security of the payment card. The security of the payment card shall be the responsibility of the issuer and the losses incurred by any party on account of breach of security or failure of the security mechanism shall be borne by the issuer.

3.23 lssuers should ensure that the process of card issuance is completely separated from the process of PIN issuance.

3.24 All card transactions must be settled within a T+1 basis and as maybe defined and reviewed by the settlement agent.

3.25 All failed transactions must be reversed immediately by all banks.

4.0 Roles and Responsibilities of Card Issuers 4.1 General 4.1.1 In order for a card to be used abroad, the issuing bank must have done full KYC on the customer, as reflected in the CBN KYC Manual and Money Laundering (Prohibition) Act.

4.1.2 Issuers shall implement a risk-based approach to setting volume and transaction limits. The risk attached to a customer will be based on KYC due diligence carried out during the customer on-boarding process.

4. 1.3 Issuers shall ensure that they understand the respective rules for the acceptance of their cards internationally and shall ensure that they make customers aware of any information that would be necessary in taking a decision on the card to use, when going overseas.

5. 1.4 Issuers shall give customers the opportunity to request for cards within the range of the bank's card products. For instance, if an issuer offers brand of cards such as Verve, Visa, MasterCard, Union Pay, etc), customers shall be free to choose any brand of cards issued.

6. 1.5 Issuers shall also provide customers with a choice to specify limits for the volume and value of transactions that they would perform; such limits cannot be higher than the maximum limits, as specified in this guideline 4. 1.6 Issuers shall provide customers with the ability to specify when their cards should work abroad, and when it should not, as well as which countries they would like their cards to work in, at any particular time 4.1.7 It is the responsibility of the issuing bank to work with the card schemes in providing the settlement and clearing facility for cards used outside Nigeria.

4.2

Transaction Processing 4.2.1 lssuers shall ensure that their card information are hosted and processed within the PCIDSS certified environment.

4.2.2 Issuers shall implement systems that ensure that Exchange control and transaction limits are complied with, and Issuers shall provide monthly reports that demonstrate that this is being complied with.

4.2.3 An Issuer must provide authorization services.

4.2.4 An Issuer must provide Authorization Responses and: A. Meet the assured Transaction response standards for national and international cards B. Participate in the Card Verification Service operated by the Card Association C. Not systematically or permanently send a Decline Response to an Authorization Request for any of the following: I. Mail/Phone Order Transactions II. Electronic Commerce Transactions III. Transactions from a specific country 7 | Page 4.2.5 An issuer must process a Chargeback for a Transaction in accordance with the Card Association Operating Regulations. An Issuer sending Chargeback documentation must do so within the time period specified in the Card Association Operating Regulations.

4.3 Settlement

4.3.1 4.3.2 Settlement of transactions shall be done within the standards defined by the CBN (T+1).

Foreign currency shall be sourced from the autonomous FX market and Issuers shall leverage their foreign exchange licenses to access, buy or transfer foreign exchange to remit to international card schemes. Domestic card schemes shall appoint a domestic Settlement bank whom shall leverage its license as a regulated authority to buy and transfer the required volume of foreign exchange to international acquirers.

4.4 Fraud And Risk Management

4.4.1 Issuers shall establish Board or senior management approved AML program/policy that includes: i. ii.

iii. iv. v.

Assessment of money laundering Appointment of a Compliance Officer; Annual Internal Audit/Independent testing of the AML program; Periodic AML training for employees; Investigating and filing any reports of suspicious activity required under the Nigerian law.

4.4.2 Issuers shall implement processes/reports/alerts to monitor potential instances of money laundering or terrorist financing.

4.4.3 lssuers shall ensure that they issue cards from only the card schemes that have demonstrable fraud management systems.

4.4.4 Liability shift rules shall apply when the fraudulent use of Nigerian issued EMV cards are used on EMV compatible terminals where magnetic stripe fallback is enabled, or at non-EMV compatible terminals where the transactions is read as a fully magnetic stripe transaction.

4.4.5 In the event that the acquirer operates in an environment where EMV compatibility is not enforced, the Nigerian Issuer must set limits, in order to reduce the issuer and the cardholder's exposure.

lssuers are required to monitor their card production procedures to ensure that their 4.4.6 EMV cards are properly produced. The issuer shall take full liability for any fraud from a fall back transaction that occurred as a result of improperly produced chip cards.

4.4.7 The Card Issuer should implement system validation to detect potentially suspicious transactions. The Card Issuer may refuse to carry out a transaction or to allow the Cardholder to make a payment into the card account if: l.

The Cardholder has exceeded an account limit (either aggregate or daily limit) The transaction seems unusual compared with normal Card usage (such as unusual locations and spending patterns) II.

The Card Issuer reasonably believes that: III.

A. the Cardholder has used or obtained, or may use or obtain, a service or money illegally or fraudulently B. A third party may have rights over money in the Cardholder account 4.4.8 For card not present transactions, the minimum of 200 level authentication for internet based transactions is mandatory.

lssuers are expected to deploy robust fraud monitoring tools that have the capacity to monitor customer transaction trends, real-time operations and option of blocking suspicious transactions.

4.4.9 Specific Requirements for Stored Value Cards (Individual and Corporate) 5.0 No stored value card shall be issued to a person without obtaining the minimum KYC.

5.1 The maximum amount that can be loaded on the stored value card shall not exceed N50,000 per day.

5.2 The fee for loading salary payments unto a payment card shall be paid separately by the salary payer and not deducted from the balance value of the stored value card.

5.3 The maximum balance on the stored value card shall not exceed N250,000 at any time 5.4 The limits specified for stored value cards shall also apply to cards linked to mobile money wallets, where least KYC (Phone Number and Name) has been performed on the mobile money customer 5.5 lssuers can offer stored value products for the following segments: 5.6 9 | Page i.

Consumers: General Purpose Reloadable (GPR), Travel, Student, loyalty/reward and On-line ii.

Corporations: Payroll, Incentives, Per Diem, Corporate Travel and Healthcare Public Sector: Social Benefits, Payroll, Procurement, Meal Vouchers, Disaster iii.

Relief 6.0

Specific Requirements For Prepaid Cards (Individual And Corporate)

6.1 Prepaid cards issued will operate at least within the minimum KYC requirements prescribed by the CBN. However, loadable limits (in Naira and Foreign currency) and daily balances shall be determined by the issuing bank or financial institution.

6.2 No prepaid card shall be issued beyond the limits of a stored value card to a person or a corporate organization. Where a customer desires to do transactions beyond the limits prescribed above, full KYC would be required. Please, refer to CBN KYC Manual and Money Laundering (Prohibition) Act.

6.3 The maximum withdrawal and spending limits for the Prepaid Cards will be determined by the issuing bank.

6.4 The limits specified for Prepaid Cards shall also apply to cards linked to mobile money wallets, where full KYC has been performed on the mobile money customer.

7.0 Specific Requirements for Debit Cards 7.1 Debit cards shall be issued to customers having Savings /Current Accounts but not to credit/ loan account holders.

8.0

Specific Requirements For Credit Cards (Individual And Corporate)

8.1 Credit card refers to a payment cards assigned to a cardholder, usually with a credit limit, that can be used to purchase goods and services on credit or obtain cash advances. Credit cards allow cardholders to pay for purchases made over a period of time, and to carry a balance from one billing cycle to the next.

8.2 An issuer should identify sources of credit risk, routinely measure and monitor credit exposures, and use appropriate risk-management tools to control these risks and minimize credit card defaults.

8.3 Credit cards to be issued in Nigeria include but are not limited to the following: l: General purpose cards - Issued under the trademark of credit card associations (Verve, Visa, MasterCard, etc.) accepted by all merchants II.

Private label cards: accepted by specific retailers (e.g. a departmental store) 8.4 Change(s) in charges (other than interest) may be made only with prospective effect giving notice of at least one month. If a credit cardholder desires to surrender his credit card on account of any change in credit card charges to his disadvantage, he may be permitted to do so without the bank levying any extra charge for such closure. Any request for closure of a credit card has to be honoured immediately by the credit card issuer, subject to full settlement of dues by the cardholder.

8.5 lssuers should not unilaterally upgrade credit cards and enhance credit limits. Prior consent of the borrower should invariably be taken whenever there are any change(s) in terms and conditions.

8.6 In the matter of recovery of dues, banks should ensure that they or their appointed agents conduct themselves in a manner that is courteous, ethical and professional.

9.0 Dispute Resolution

9.1 Domestic Transactions

Where a customer has a dispute to resolve, the customer shall report it to the Issuer.

The issuer, working with the respective Card Scheme shall ensure that disputes are resolved within internationally acceptable timeframes for disputed international transactions. The timeline for the resolution of local transaction disputes are: 24 hours for responding to the customer, 7 working days for resolution of domestic transactions.

9.2 International Transactions

The timeline for dispute resolution for international transactions shall be as specified by the card scheme.

10.0 Submission Of Statutory Returns

lssuers shall, at the end of every month, and not later than the 10th day of the next month, submit data and other information on card transactions to the CBN. The following are the minimum information that must be included in the Returns: i) Type, value and volume of transactions, on a monthly basis.

ii) Separation of the type, value and volume by transaction type, card type (by card scheme and by debit, credit stored value and prepaid card), channel (internet, POS, ATM), local and foreign transactions.

11 | Page iii) Incidents of fraud, theft or robbery on cards, card data, etc.

iv) Reports of foreign exchange remitted to international card schemes and international acquirers, respectively iii) Type and number of customer complaints and remedial measures taken This reporting format may be changed from time to time, as specified by the CBN.

11.0 Annual Reporting

Card Issuers shall include in its annual reports and accounts in the prescribed form all activities of its card operations.

12.0 Powers Of The Cbn Over Card Issuers And Their Agents.

In addition to any other power conferred on the CBN, the Bank shall have power to: Request for any information from any card issuer at any time, as the Bank may deem i) necessary; ii) Carry out spot or scheduled inspection of the books and premises of the issuer or its agent; iii) Direct a Card Issuer or its agent to take such actions or desist from such conduct as the CBN may find necessary.

13.0 Remedial Measures

If a Card Issuer fails to comply with these Guidelines, the CBN may take any corrective action against the Card Issuer, as may be considered appropriate.

14.0 Sanctions

In addition to the use of remedial measures, the Bank may take any or all of the following sanctions against the Card Issuer, its board of directors, officers or agents: i.

Prohibition from issuing new cards to its customers; ii.

Revocation of approval to issue a specified card brand to its customers; iii.

Monetary Penalties; iv.

Any other regulatory sanction that may be deemed appropriate.

15.0 Amendment To The Guidelines

These guidelines may be amended by the CBN from time to time, in whole or in part, as it is deemed necessary.

16.0 Previously Released Guidelines

Unless expressly overwritten in this document, all previously released CBN Guidelines that detail the issuance and usage of payment cards in Nigeria still subsist.

BANKING AND PAYMENST SYSTEM DEPARTMENT FBRUARY, 2014

1.0 Definition Of Terms

a) ATM - Automated Teller Machine b) AML/CFT - Anti-Money Laundering/Combating the Financing of Terrorism c) CBN - Central Bank of Nigeria (also referred to as the Bank) d) Banks - Commercial, specialized, merchant and other licensed financial institutions d) EMV (Europay, MasterCard, Visa) - The global standard that ensures smart (Chip-and- PIN) cards, terminals and other systems can interoperate.

e) Stored-value cards - Payment cards where money is on deposit with the issuer, but the card account is not linked to a current or savings account. Funds and data on a stored value card are metaphorically 'physically' stored on the card. Stored value cards are usually anonymous in nature and issued outside of banking halls.

f) Prepaid cards - Payment cards where money is on deposit with the issuer, but the card account is not linked to a current or savings account. Funds and data are maintained on computer systems affiliated with the issuer.

g) PIN - Personal Identification Number h) VCN - Virtual Card Numbers i) NFIU - Nigerian Financial Intelligence Unit j) NDIC - Nigerian Deposit Insurance Corporation BTA - k) Business Travel Allowance n PTA - Personal Travel Allowance m) KYC - Know Your Customer n) FX - Foreign Exchange o) GPR - General Purpose Reloadable p) PoS - Point-of-Sale