2018-04-25 | BPS/DIR/GEN/CIR/04/016

The Central Bank of Nigeria (CBN) releases a regulatory framework for the use of Unstructured Supplementary Service Data (USSD) in the country's financial system, effective June 1, 2018. The framework aims to enhance the security of electronic payments and promote financial inclusion. It outlines the roles of various participants, including financial institutions, mobile money operators, mobile network operators, and value-added service providers, in the USSD ecosystem.
CENTRAL BANK OF NIGERIA
Central Business District, P.M.B. 0187, Garki, Abuja. +234 - 0946238445
BANKING AND PAYMENTS SYSTEM DEPARTMENT
April 17, 2018
BPS/DIR/GEN/CIR/05/002

To: All Deposit Money Banks, Switches, Mobile Money Operators, Payment Solution Service Providers, Micro Finance Banks & Others

THE REGULATORY FRAMEWORK FOR THE USE OF UNSTRUCTURED SUPPLEMENTARY SERVICE DATA (USSD) IN THE NIGERIAN FINANCIAL SYSTEM

The Central Bank of Nigeria (CBN), in furtherance of its mandate to develop and enhance the security of the electronic payments system in Nigeria, hereby releases the Regulatory Framework for the use of USSD in the Nigerian Financial System.
The implementation of this Framework is with effect from 1st June, 2018.
Best regards,
Director, Banking & Payments System Department

REGULATORY FRAMEWORK FOR THE USE OF UNSTRUCTURED SUPPLEMENTARY SERVICE DATA (USSD) FOR FINANCIAL SERVICES IN NIGERIA
| Section | Title |
|---|---|
| 1.0 | Preamble |
| 2.0 | Introduction |
| 3.0 | Objectives |
| 4.0 | Participants in the USSD ecosystem |
| 5.0 | Eligibility for Unique Short Code |
| 6.0 | Vulnerabilities and Mitigations |
| 7.0 | Dispute Resolution |
| 8.0 | Service Level Agreement |
| 9.0 | Others |
| 10.0 | Penalties for Infractions |
| 11.0 | Glossary of Terms |
1.0 Preamble

In exercise of the powers conferred on the Central Bank of Nigeria (CBN) by Section 47(2) of the CBN Act, 2007, to promote and facilitate the development of efficient and effective system for the settlement of transactions, including the development of electronic payment systems; and, pursuant to its mandate of promoting a sound financial system in Nigeria, the CBN hereby issues the following Regulatory Framework for the Use of Unstructured Supplementary Service Data (USSD) for Financial Services in Nigeria.
2.0 Introduction

The mobile phone has become a veritable tool for enhancing financial inclusion with the advent of mobile payments, m-commerce, m-banking and other implementations of financial transactions based on mobile telephony. The providers of mobile-based financial services have options of adopting varying technologies for enabling access and transmitting data, including Short Messaging Service (SMS), Unstructured Supplementary Service Data (USSD), Interactive Voice Response (IVR), Wireless Application Protocol (WAP), stand-alone mobile application clients and SIM Tool Kit (STK). Recently, providers of mobile telephony-based financial transactions are increasingly adopting the USSD technology, while the range of services supported by their mobile transaction services, using the USSD channel, is broadening rapidly. Services provided through the channel include account opening, balance and other enquiries, money transfer, airtime vending, bill payment, etc.

The USSD technology is a protocol used by the GSM network to communicate with a service provider's platform. It is a session-based, real-time messaging communication technology, which is accessed through a string that normally starts with an asterisk (*) and ends with a hash (#). It is implemented as an interactive menu-driven service or a command service. It has a shorter turnaround time than SMS and, unlike SMS, it does not operate by store-and-forward, which means that data is neither stored on the mobile phone nor on the application. USSD technology is considered cost-effective, more user-friendly, faster in concluding transactions, and handset-agnostic.
3.0 Objectives

The vast applications of the USSD technology, in terms of available services, have raised the issue of the risks inherent in the channel. In this regard, concerns have been expressed on the likely exposure of CBN-approved entities to possible breaches of USSD-accessed financial services, in view of likely vulnerabilities in the technology and the ever-growing threats.

Furthermore, the implementation in Nigeria has created multiple USSD channels for customers, thereby increasing their exposure to risk, without a common standard for all. This Framework, therefore, seeks to establish the rules and risk mitigation considerations when implementing USSD for financial services offerings in Nigeria.
4.0 Participants in the USSD ecosystem

Service providers that provide financial services through the use of USSD in Nigeria include the following:

a. Financial institutions: Banks, Other Financial Institutions and Payment Service Providers, providing products and services using the USSD protocol to their customers.
b. Mobile Money Operators (MMOs): MMOs are Deposit Money Banks or corporate entities, duly licensed by the CBN to provide mobile payment services to the banked and unbanked customers.
c. Mobile Network Operators (MNOs): MNOs utilize USSD to interact with, and provide services to their customers.
d. Value Added Service Providers/Aggregators (NCC licensees): Any person or organization that engages in the provision of value-added mobile/fixed services, including premium-rated services.
e. Customers: initiate financial transactions or sessions through a USSD string provided by their financial institutions.
5.0 Eligibility for Unique Short Code

5.1 Mobile Money Operators are eligible for the issuance of USSD short codes from the NCC after meeting the necessary requirements of the NCC for the issuance of same.
5.2 For CBN licensed entities, other than Mobile Money Operators, a letter of no objection/introduction from the CBN would be required before being considered for the issuance of the USSD short codes by the NCC, subject to meeting the requirements of the NCC.
6.0 Vulnerabilities and Mitigations

USSD-based financial transactions require encryption to protect the integrity of the financial information. To this end, Financial Institutions providing use of the USSD channel shall:

6.1 Put in place a proper message authentication mechanism to validate that requests/responses are generated by authenticated users. Such authentication mechanism shall include a minimum combination of any of International Mobile Subscriber Identity (IMSI), Date of SIM Swaps, Date of Mobile Station International Subscriber Directory Number (MSISDN) Recycle, International Mobile Equipment Identity (IMEI), Date of device change, etc.
6.2 Ensure that the customer receives notification on the status of every transaction conducted through the channel.
6.3 Not use the USSD service to relay details of other electronic banking channels (in case of banks), to their customers, to prevent compromise of other electronic banking channels through the USSD channel.
6.4 Ensure encryption of USSD information within its environment by an auditable process.
6.5 Ensure at least, radio encryption between users' SIM-enabled device and base stations.
6.6 Ensure secure transmission of USSD signals between network operator & the USSD aggregators, and between the USSD aggregators & the bank.
6.7 Customer information that is logged by the USSD application as part of financial transactions should not include sensitive information such as customer PIN. Data stored by the USSD application at Financial Institutions shall be encrypted and the NCC shall define a minimum security standard for MNOs and aggregators, as may be required.
6.8 Avail the customers the option to opt in/out of the USSD channel for financial transactions.
6.9 Put a limit of N100,000.00 per customer, per day for transactions as may be required. However, customers desirous of higher limits shall execute documented indemnities with their banks or MMOs.
6.10 Mandate the use of an effective 2nd factor authentication (2FA) by customers for all transactions above N20,000. This shall be in addition to the PIN being used as 1st level authenticator, which applies to all transaction amounts.
6.11 Not send the 2FA to the customer's registered GSM number or device; and it shall not be generated or displayed on the USSD menu.
6.12 Install a Behavioural Monitoring system with capability to detect SIM-Swap/Churn status, user location, unusual transactions at weekends, etc. This shall be achieved by 31st October 2018.
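The following Python is an added illustration and is not part of the circular: it models the pre-authorisation checks of section 6 that an institution's USSD gateway could apply to one request, namely the 6.1 match of the identity attributes bound at enrolment (IMSI, IMEI, SIM-swap, MSISDN-recycle and device-change dates), the 6.9 daily limit with its indemnity override, and the 6.10 PIN-plus-second-factor rule. All names, field layouts and sample identifiers are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

DAILY_LIMIT_NAIRA = 100_000       # 6.9: default per-customer, per-day limit
SECOND_FACTOR_THRESHOLD = 20_000  # 6.10: second factor required above this
# 6.1: identity attributes bound to the customer at enrolment
BOUND_ATTRS = ("imsi", "imei", "sim_swap_date", "msisdn_recycle_date", "device_change_date")

@dataclass
class Profile:
    """Attributes captured at enrolment (6.1), the 6.9 indemnity flag and today's spend."""
    imsi: str
    imei: str
    sim_swap_date: date
    msisdn_recycle_date: date
    device_change_date: date
    has_indemnity: bool = False
    spent_today: int = 0

def evaluate(profile, amount, pin_ok, second_factor_ok, observed):
    """Return the reasons to decline one USSD request; an empty list means allow.
    observed: the BOUND_ATTRS values reported for this session by the MNO/aggregator.
    second_factor_ok: result of an out-of-band OTP check, never shown on the USSD menu (6.11)."""
    reasons = []
    if not pin_ok:
        reasons.append("PIN rejected (first-level authenticator, 6.10)")
    # 6.1/6.12: a SIM swap, number recycle or device change since enrolment
    # changes one of the bound attributes, so the session no longer matches.
    for name in BOUND_ATTRS:
        if observed.get(name) != getattr(profile, name):
            reasons.append(f"{name} differs from enrolment record (6.1)")
    if amount > SECOND_FACTOR_THRESHOLD and not second_factor_ok:
        reasons.append("second factor required above N20,000 (6.10)")
    if not profile.has_indemnity and profile.spent_today + amount > DAILY_LIMIT_NAIRA:
        reasons.append("daily limit of N100,000 exceeded without indemnity (6.9)")
    return reasons

# Constructed sample subscriber (hypothetical identifiers); session values copied from it.
ENROLLED = Profile("621300000000001", "350000000000001", date(2018, 1, 10), date(2017, 6, 1), date(2018, 1, 10))
SESSION = {k: getattr(ENROLLED, k) for k in BOUND_ATTRS}

def sample_checks():
    """A clean request, one after a SIM swap, and one over the 2FA threshold without 2FA."""
    clean = evaluate(ENROLLED, 15_000, True, False, SESSION)
    swapped = evaluate(ENROLLED, 15_000, True, False, {**SESSION, "sim_swap_date": date(2018, 5, 2)})
    large = evaluate(ENROLLED, 50_000, True, False, SESSION)
    return clean, swapped, large
```

The attribute comparison is the detection hook for 6.12: a changed SIM-swap date is exactly the churn event a behavioural monitoring system would flag before the request reaches the core banking system.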
7.0 Dispute Resolution

7.1 Financial Institutions shall be responsible for setting up a dispute resolution mechanism to facilitate resolution of customers' complaints.
7.2 Financial Institutions shall treat and resolve any customer related issues within 3 (three) working days. Non-compliance shall be subject to penalty, as may be prescribed by the CBN, from time to time.
8.0 Service Level Agreement

8.1 There shall be a Service Level Agreement between the Financial Institutions and MNOs/VAS providers & Aggregators, benchmarked against the NCC Quality of Service (QoS) regulation and the service availability requirements of the CBN for electronic payment services.
9.0 Others

9.1 Service providers should put in place systems that enable users/subscribers to block their account from operating the USSD service.
9.2 No USSD financial service should be activated for a customer unless the deactivation mechanism is put in place, with effect from June, 2018.
10.0 Penalties for Infractions

The appropriate Regulator (CBN and/or NCC), as applicable, shall impose appropriate sanctions for any contravention on any participant that fails to comply with this Framework.
11.0 Glossary of Terms

Bank: A deposit-taking institution duly licensed by the Central Bank of Nigeria.
Mobile Money Operators: Provide the infrastructure for the mobile payment systems for the use of participants that are signed on to their scheme.
Payment Service Providers: CBN-licensed companies that employ the infrastructure of the scheme operator to provide services to end users.
PIN: Personal Identification Number. A sequence of digits used to verify the identity of the holder of a token. The PIN is a kind of password.
Encryption: A method or protocol for data encryption ensuring secure transmission from point to point.
Financial institutions: Switches, application vendors and Payment Service Providers providing products and services using the USSD protocol.
NCC: The Nigerian Communications Commission, with regulatory powers over the Mobile Network Operators (MNOs) and the Value Added Service Providers.
MNOs: Mobile Network Operators. Mobile traffic passes through the mobile operator's network as voice, SMS, or USSD.
VAS Providers (licensed by NCC): Any person or organization that engages in the provision of value-added mobile/fixed services, including premium-rated services. The VAS provider leverages the infrastructure of the network operator to provide the services.
USSD Channel: Unstructured Supplementary Service Data; it provides session-based communication. It is a technology used by the network to send information (usually text menus) between a mobile phone and an application on the network. It allows the subscriber to request information or menus from the network, via their cellphone, using short codes (starting with * and ending with #).
Unique Short Code: Short digit sequences that are used to address messages in the systems of mobile network operators.
GSM: Global System for Mobile Communications, a system used for mobile cellular communications.
SIM: Subscriber Identity Module. A mini-smartcard that is inserted into a mobile handset. It is used to authenticate the mobile to the mobile radio network. The SIM may be programmed to provide security services on the mobile.
SMS: Short Message Service. A term used to refer to a text message sent to or from a handset.
STK: SIM Tool Kit. It provides a set of commands which allow applications existing in the SIM to interact and operate with a mobile client that supports the specific command(s) required by the application. Using the SIM Toolkit, applications can be downloaded to the SIM in a secure manner.
OTP: One Time Password. The password (usually a random sequence of digits and/or letters) sent from a bank to a customer's mobile handset for entry by the customer to authenticate themselves to the banking channel they are using. It is considered a second authentication factor.
IMSI: International Mobile Subscriber Identity. A unique number associated with all Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) network mobile phone users, used for identifying a GSM subscriber.
IMEI: International Mobile Equipment Identity. The unique serial number of every GSM mobile cell phone.
MSISDN: Mobile Station International Subscriber Directory Number. A number uniquely identifying a subscription in a GSM or UMTS mobile network; the mobile phone's telephone number by which it is known to the world.