Nigeria’s Central Bank has set a daily limit of N100,000 for mobile USSD transactions

From 1 June, the maximum daily transactions for mobile Unstructured Supplementary Service Data (USSD) in Nigeria will become N100,000 ($276).

This policy was concluded yesterday when Central Bank of Nigeria (CBN) announced concerns over the likely vulnerabilities and growing threats of the USSD technology. Due to the absence of set rules set on mobile phone USSD transactions, many customers who use the service have been exposed to many risks hence the N100,000 daily maximum peg.

“Vast applications of the USSD technology, in terms of available services have raised the issue of the risks inherent in the channel,” said Dipo Fatokun, CBN Director, Banking & Payments System Department. And a shift in policy was in furtherance of CBN’s mandate to develop and enhance security of the electronic payment system.

While installing rules that enhance the security of the electronic payment system, there is a caveat to the policy as said in the circular Fatokun sent to switches, Mobile Money Operators (MMOs), Payment Solution Service Providers and Microfinance banks. The circular noted that although the N100,000 limit per customer per day for transactions applies, customers desirous of higher limits shall execute documented indemnities with their banks or MMOs.

From inception of the USSD technology in Nigeria, different maximum limits ranging from N100,000 to N500,000-depending on customers’ risk absorption levels- have been set by commercial banks and because of this lack of coordination, many customers have lost billions to fraudsters.

But with the new policy, the CBN has mandated that all transactions above N200,000 ($552) must go through an effective second factor authentication in addition to the Personal Identification Number (PIN) being used as first level authenticator. All transaction amounts apply in the PIN authentication.

According to the framework, banks shall not send the second factor authentication to the customer’s registered GSM number or device; and it shall not be generated or displayed on the USSD menu. Also, Banks will by 31st October, be required to install a Behavioural Monitoring system with capability to detect SIM-Swap/Churn status, user location, un-usual transactions at weekends, among others.

New rules attached to the USSD policy change

  • Service providers are required to set up systems that enable users/subscribers block their account from operating USSD service except the subscriber wants otherwise. Also, no USSD financial service should be activated for customers without a deactivation mechanism being set up
  • Banks shall not send the required second factor authentication to the customer’s registered GSM number or device and the authentication shall not be generated or displayed on the USSD menu.
  • Banks are also required to install a behavioural monitoring system that can detect SIM-Swap/Churn status, user location, un-usual transactions at weekends.
  • Financial Institutions will be responsible for setting up mechanisms for dispute resolution that will facilitate resolution of customers’ complaints. Secondly, all customer related issues shat be treated and resolved within 3 working days if not a penalty prescribed by the CBN shall be meted out to the defaulter.
  • There shall be Service Level Agreement between the Financial Institutions and MNOs/VAS & aggregators, benchmarked against the Nigeria Communication Commission Quality of Service (QoS) regulation and service availability requirements of electronic payment services of the CBN

USSD works with GSM network that helps it communicate with a service provider’s platform is considered cost effective, more user-friendly, faster in concluding transactions, and handset agnostic. It is a session based, real time messaging communication technology, which is accessed through a string, which starts normally with asterisk (*) and ends with a hash (#).