Pre-authorization Policy by the Central Bank Of Nigeria: Online Transactions Just Got a lot Safer

NAKUDU LAW REVIEW

PRE-AUTHORIZATION POLICY BY THE CENTRAL BANK OF NIGERIA: ONLINE TRANSACTIONS JUST GOT A LOT SAFER

As part of its commitments to facilitate the development of the Nigerian payments system and deepen the adoption of various electronic payment options available to users, the Central Bank of Nigeria (CBN) on the 30^th of December, 2019, through its Payment System Management Department published a circular known as the ‘Pre-authorization of Cards in Nigeria’ (The circular), directed to all Merchants, Acquirers, Deposit Money Banks (issuers), Payment Service Providers and Card Schemes.

The CBN has identified the predominant use of single messaging format[1] for POS transactions as an obstacle to the use of pre authorization[2] as a mode of payment in Nigeria. The CBN also published on the 1^st of January, 2020, The Guidelines on Nigerian Payments System Risk and Information Security Management Framework (“The Framework”).

The main objective of the framework is to identify sources of system risk within the Nigerian Payment system landscape, mitigate the risks associated with payments system as this is important for the effective management of monetary policy and banking supervision. In the interconnected environment, the safety and efficiency of these systems may affect the stability and soundness of financial institutions and consequently the financial stability of the country. As a result, safeguarding the integrity of the payments system in Nigeria has acquired additional significance and calls for the upgrading of associated risk management procedures through concerted efforts by market participants and the relevant authorities, notably the CBN. It is therefore necessary to effectively manage the risks associated with payments system, as such will inherently create interdependence amongst financial institutions. These regulatory measures are geared towards achieving these objectives.

The Pre – Authorization Circular

Before delving into the Directives of the CBN Circular, it is pertinent, in the ensuing paragraphs, to give a detailed explanation on what is meant by ‘card pre–authorization’ (commonly referred to as ‘pre-auth’) and its importance to the digital banking multiverse.

A credit/debit card pre-authorization is much like any other charge to a credit/debit card, but it comes with a plot twist, instead of actually debiting funds from the cardholder, it puts a temporary “hold” on the funds that lasts for 5 days. At a technical level, the actual duration of the hold depends on the Merchant Classification Code (MCC)[3]. Some merchants may qualify for a longer hold than others, but in general, if you are going to capture a pre-authorized payment you should do it before the 5^th day to make sure certain the funds will be available. If you wait too long and the pre-auth has expired, the post-authorization capture will be declined and you’ll have to contact the cardholder to run the payment over again. Once a card has been pre-authorized, the cardholder cannot go and spend this money anywhere else. However, even as the charge doesn’t actually show up on the card statement, if the cardholder calls the card-issuing bank, the bank will confirm that a pre-authorization has a hold on certain funds in the cardholder’s account.

The merchant must go in and “capture” the funds within the 5-day period. If they do not, the pre-authorization will expire and the funds will be released by the card issuing bank back to the cardholder. The biggest advantage of a pre-authorization is that a cardholder cannot dispute a transaction or issue a chargeback if the funds have not been captured. This means that online merchants can process transactions without having to worry about fraudsters causing chargebacks when using stolen cards[4].

The CBN Directive on Pre–Authorization

In order to enable pre–authorization and sales completion of card transactions, the CBN hereby directed as follows:

1. All Merchants Acquirers are required to obtain device Validation Certification or the applicable testing completion notification from CBN licensed card schemes.
2. By this directive, all POS Terminals must have the capability for transaction pre–authorization and sales completion.
3. The Payment Terminal Service Aggregation (PTSA) of the Nigeria Inter-Bank Settlement System (NIBSS) is to ensure that only banks that have conducted and obtained POS terminal Validation Certificate for Pre- authorization and sale completion from the relevant card schemes have their POS terminals registered on the Central Terminal Management System.
4. All cards issuers are also required to provide online simulators for acquirers and issuers to test their systems when necessary.[5]

The Guideline on Nigerian Payments System Risk and Information Security Management Framework  

The objectives of this framework are to:

1. Identify and address sources of systemic risks within the Nigerian Payments System landscape;
2. Establish sound governance arrangements to oversee the risk management framework by ensuring that risks are identified, monitored and treated;
3. Establish clear and appropriate rules and procedures to carry out the risk management objectives;
4. Employ the resources necessary to achieve the payments system’s risk management objectives; and
5. Integrate risk management into the decision-making processes of the Scheme Boards and Working Groups.

The Framework is designed to guide the operators and users of the payment systems across Nigeria. These systems may be organized, located, or operated within Nigeria (domestic payments), outside Nigeria (offshore payments), or both (cross-border payments) and may involve currencies other than the Naira (non-Naira systems and multi-currency systems).

The scope of the Framework also includes any payment system based or operated in Nigeria that engages in the settlement of non-Naira transactions operating within Nigeria and those that operate across the Nigerian borders (cross-border payment systems); along with their infrastructure providers and the Payment Service Providers (PSPs) that make up these systems. This Framework does not apply to arrangements for the physical movement of cash or systems for settling securities nor apply to market infrastructures such as trading exchanges, trade-execution facilities, or multilateral trade-compression systems. It is also not intended to apply to bilateral payment, clearing, or settlement relationships, where a payment system is not involved, between financial institutions and their customers, such as traditional correspondent banking and government securities clearing services.

The Guideline Identifies the basic risks in payments systems include systemic risk, credit risk, liquidity risk, operational risk, legal risk, settlement risk and information security risk. It emphasizes that appropriate risk identification and assessment is the foundation of a sound risk management framework and consequently mandates systems operators to ensure that risk management objectives should be consistent with the objectives of this Framework, the system’s business purposes, and the type of payment instruments and markets for which the system clears and settles.

The Guideline adopts The Principles for Financial Market Infrastructures (PFMI) issued by the Committee on Payment and Settlement Systems (CPSS) and the Technical Committee of the International Organization of Securities Commissions (IOSCO) and it establishes minimum standards for addressing risk associated with Payments System that are systemically important.

It establishes a Risk Management Framework and shall maintain a general Risk Management Framework for the scheme while requiring all payment systems within the scheme to implement a risk-management framework appropriate for the risks the payment system poses to the scheme and the broader financial system. At a minimum, the risk management framework shall:

1. Establish sound governance arrangements to oversee the risk management framework;
2. Set sound risk management objectives and establish processes for identifying the key risks associated with the payment scheme;
3. Establish clear and appropriate rules and procedures to pursue the stated objectives;
4. Employ the resources necessary to achieve the system’s risk-management objectives and implement effectively its rules and procedures; and
5. Build resilience and security adequate to ensure the confidentiality, integrity and availability of the system.

The guideline mandates the establishment of sound governance arrangements to oversee the risk management framework, establish clear and appropriate rules and procedures to carry out the risk management objectives, employ the resources necessary to achieve the system’s risk management objectives and implement effectively its rules and procedures as well as build resilience and security adequate to ensure the confidentiality, integrity and availability of the system.

The guideline also provides some specific areas that should underscore any risk management framework chosen by any of the payment systems to avoid risks. These specifics include having a legal and regulatory body, a body to ensure business continuance and systems to ensure that the necessary level of probity and integrity in the members of the payment system’s board are met.

The guidelines make for specific risk requirements by system operators. They include:

1. Card payment risk requirement.
2. RTGS, payment scheme risk requirement.
3. ACH, cheque and instant payment scheme risk requirement.
4. Mobile payment scheme risk requirement.

Each scheme shall establish its dispute resolution mechanism to serve as an additional dispute resolution mechanism that will help participants resolve disputes in a timely and cost-effective manner. Disputes that arise between or across schemes may be referred through the Director, Payments System Management Department of the CBN to the PICC for resolution.

The respective Scheme Boards and Initiative Working Groups shall conduct on-going monitoring of risks inherent in the payment system, and communicate significant risk events to the Information Security and Risk Management Special Interest Working Group (ISRM SIWG) for aggregation and recommendation of remedial actions. Risk reports shall be provided to the CBN and PICC as appropriate. The reports shall contain key risk and remedial actions.

The CBN is vested with the responsibility of ensuring the compliance with the provisions of the framework as well as the Guidelines. It goes without saying that these regulatory measures are geared towards establishing a symbiotic interaction between the key stake holders and regulatory agencies in the quest to digitize the Nigerian Payment Systems.

EDITORIAL TEAM

1. Ikechukwu Nwakanma

(Senior Partner)

Ikechukwu.nwakanma@nakudulawpartners.com

2. Anthony Madukwe

(Senior Partner)

anthony.madukwe@nakudulawpartners.com

3. Emmanuel Omole

(Senior Associate)

emmanuel.omole@nakudulawpartners.com

4. Isimeme Andrew

(Associate)

Isimeme.andrew@nakudulawpartners.com

OUR OFFICES

1. 34, QUEEN ELIZABETH CRESCENT, ASOKORO, ABUJA.

2. NO. 13D, ISA DUTSE STREET, OFF UMARU BABURA ROAD, BOMPAI GRA, KANO, KANO STATE.

www.nakudulawpartners.com

DISCLAIMER: This article is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal services on specific circumstances.

---