2017-09-07 | BPS/DIR/GEN/CIR/04/008

Exposure Draft Of Regulatory Framework For Unstructured Supplementary Service Data (USSD) For The Nigerian Financial System

This document is an introduction and regulatory framework for the use of Unstructured Supplementary Service Data (USSD) in Nigeria's financial services. It aims at providing guidelines on the proper implementation, vulnerability management, and dispute resolution processes associated with USSD-based financial transactions within Nigeria's banking system. The framework focuses on eligible participants such as banks, payment service providers, mobile money operators, and customers; outlines rules for issuing unique short codes; emphasizes secure communication channels with strong encryption mechanisms; highlights the importance of end-to-end encryption and masked PIN entry; and includes provisions for prompt dispute resolution and appropriate sanctions for non-compliance.

BANKING AND PAYMENTS SYSTEM DEPARTMENT
CENTRAL BANK OF NIGERIA
Central Business District, P.M.B. 0187, Garki, Abuja.
+234 - 0946238445

BPS/DIR/GEN/CIR/04/008
September 7, 2017

To: All Deposit Money Banks, Mobile Money Operators, Payment Solution Service Providers and other Service Providers

EXPOSURE DRAFT OF REGULATORY FRAMEWORK FOR UNSTRUCTURED SUPPLEMENTARY SERVICE DATA (USSD) FOR THE NIGERIAN FINANCIAL SYSTEM

The Central Bank of Nigeria (CBN), in furtherance of its mandate for the development of the electronic payments system in Nigeria, hereby releases the Exposure Draft of Regulatory Framework for Unstructured Supplementary Service Data (USSD) for the Nigerian Financial System for your review and comments. Kindly forward your inputs on or before September 21, 2017 to the Director, Banking & Payments System Department and pspo@cbn.gov.ng.

Thank you for your usual cooperation.

Dipo Fatokun
Director, Banking & Payments System Department

REGULATORY FRAMEWORK FOR UNSTRUCTURED SUPPLEMENTARY SERVICE DATA (USSD)

Table Of Content

Introduction
Objectives
Participants
Eligibility
Vulnerabilities and Mitigation
Dispute Resolution
Remedial Measures

Introduction

The mobile phone has become a veritable tool for enhancing financial inclusion with the advent of mobile payments, m-commerce, m-banking and other implementations of financial transactions based on mobile telephony. Providers of mobile-based financial services have the option of adopting varying technologies for enabling access and transmitting data, including Short Messaging Service (SMS), Unstructured Supplementary Service Data (USSD), Interactive Voice Response (IVR), Wireless Application Protocol (WAP), stand-alone mobile application clients and SIM Tool Kit (STK).

Recently, providers of mobile telephony-based financial transactions have increasingly adopted USSD technology, while the range of services supported over the USSD channel is broadening rapidly. Financial services provided through the channel include account opening, balance and other enquiries, money transfer, airtime vending, bill payment, internet/mobile banking detail retrieval and one-time password delivery.

USSD is a protocol used by the GSM network to communicate with a provider's platform. It is a session-based, real-time messaging communication technology which is accessed through a string that normally starts with an asterisk (*) and ends with a hash (#). It is implemented as an interactive menu-driven service or a command service. It has a shorter turnaround time than SMS and, unlike SMS, it does not operate by store-and-forward, which means that data are stored neither on the mobile phone nor in the application. USSD technology is considered cost effective, more user-friendly, faster in concluding transactions, and handset agnostic.

Objectives

The vast applications of USSD technology in terms of available services have raised the issue of the risks inherent in the channel. In this regard, concerns have been expressed on the likely exposure of CBN-approved entities to possible breaches of USSD-based financial services, in view of likely vulnerabilities in the technology and the ever-growing threats.

Furthermore, the implementation in Nigeria has created multiple USSD channels for customers, thereby increasing their exposure to risk, without a common standard for all.

This Framework, therefore, seeks to establish the rules and risk mitigation considerations when implementing USSD for financial services offerings in Nigeria.

3.0 Participants

Service providers that provide financial services through the use of USSD in Nigeria include the following:

a. Banks: Banks provide USSD strings and menu-driven apps to facilitate banking services to their customers.

b. Payment Service Providers: Switches, application vendors and Value Added Service Providers provide products and services using the USSD protocol.

c. Mobile Money Operators: MMOs are able to reach the unbanked in rural communities where there are no financial touch points, through USSD services.

d. Mobile Network Operators: MNOs and aggregators utilize USSD to interact with and provide services to their customers.

e. Customers: Customers initiate transactions through a USSD string.

3.1 Eligibility For Unique Short Code

3.1.1 Mobile Money Operators are eligible for the issuance of short codes from the NCC after meeting the necessary requirements of the NCC for the issuance of same.

3.1.2 For those other than Mobile Money Operators, a letter of comfort from the CBN would be required before being considered for issuance of the short codes by the NCC.

4.0 Vulnerabilities and Mitigation

USSD-based financial transactions require end-to-end encryption to protect the integrity of the financial information.

To this end, all providers of USSD-based financial services shall:

4.1 Put in place a proper message authentication mechanism to validate that requests/responses are generated through authenticated users;

4.2 Use secure USSD communication channels with a strong encryption mechanism;

4.3 Not use the USSD service to relay details of other electronic banking channels (in the case of banks) to their customers, to prevent compromise of other electronic banking channels through the USSD channel;

4.4 Implement masked PIN entry;

4.5 Ensure encryption at the USSD Gateway by implementing a Hardware Security Module (HSM). Each financial institution's key shall be securely loaded through an auditable process;

4.6 Implement end-to-end encryption by ensuring, at least, radio encryption between users' phones and base stations, using a secure VPN layered with SSL or TLS to ensure secure transmission of USSD signals.
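The message authentication requirement in 4.1 (and the freshness and replay concerns behind it) can be illustrated with a keyed MAC over each gateway request. The following is an added example, not part of the CBN Framework or any provider's system; it assumes a shared key between the USSD gateway and the financial institution's platform, a hypothetical JSON request layout, and a simple dial-string pattern.

```python
import hashlib
import hmac
import json
import re
import secrets
import time

# Constructed placeholder: the real per-institution key is loaded into an HSM through an
# auditable process (clause 4.5); it is hard-coded here only so the example runs offline.
SHARED_KEY = b"placeholder-shared-key-between-gateway-and-bank"
MAX_SKEW_SECONDS = 30
# Assumed dial-string shape: '*', digit groups separated by '*', closing '#'.
USSD_PATTERN = re.compile(r"\*\d+(\*\d+)*#")


def canonical(msg: dict) -> bytes:
    """Deterministic serialisation so both ends compute the MAC over identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign_request(session_id, msisdn, ussd, key=SHARED_KEY, now=None):
    """Gateway side: bind the USSD string to its session, time and a fresh nonce, then MAC it."""
    msg = {"session_id": session_id, "msisdn": msisdn, "ussd": ussd,
           "ts": int(time.time() if now is None else now),
           "nonce": secrets.token_hex(8)}
    msg["mac"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class RequestVerifier:
    """Bank-platform side: accept a request only if it is authentic, fresh and not a replay."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen_nonces = set()

    def verify(self, msg, now=None):
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        mac = msg.get("mac")
        if not isinstance(mac, str) or not hmac.compare_digest(mac, expected):
            return False, "bad mac"          # tampered fields or unauthenticated sender
        now = time.time() if now is None else now
        if abs(now - body["ts"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"  # outside the freshness window
        if not USSD_PATTERN.fullmatch(body["ussd"]):
            return False, "malformed ussd string"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"           # the same signed request presented twice
        self.seen_nonces.add(body["nonce"])
        return True, "ok"
```

The MAC covers the session id and MSISDN as well as the dial string, so a request cannot be re-bound to another subscriber's session without the key.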

5.0 Dispute Resolution

5.1 Financial Institutions shall be responsible for setting up a dispute resolution mechanism to facilitate resolution of customers' complaints.

5.2 The Financial Institutions shall treat and resolve any customer-related issues within 48 hours. Non-compliance shall be subject to penalty, as may be prescribed by the CBN from time to time.

6.0 Remedial Measures

The CBN shall impose appropriate sanctions for any contravention on any financial institution that fails to comply with this Framework.
