[Nigeria] CBN moves to mitigate risk in USSD transactions
As part of efforts to mitigate the risk faced by bank customers who carry out transactions through Unstructured Supplementary Service Data (USSD), the Central Bank of Nigeria (CBN) has unveiled to members of the public an exposure draft on the regulatory framework for the banking platform.
The central bank stated this in the draft framework that was posted on its website on Thursday.
It pointed out that the implementation of the system in Nigeria has created multiple USSD channels to customers, thereby increasing their exposure to risk, without a common standard for all.
The proposed framework, according to the CBN, therefore seeks to establish rules and risk mitigation considerations when implementing USSD for financial services offerings in Nigeria.
It noted that USSD-based financial transactions require end-to-end encryption to protect the integrity of the financial information.
The mobile phone has become a veritable tool for enhancing financial inclusion with the advent of mobile payments, m-commerce, m-banking and other implementations of financial transactions based on mobile money.
The providers of mobile-based financial services have options of adopting varying technologies for enabling access and transmitting data including SMS, USSD, interactive voice response (IVR) and wireless application protocol.
The central bank pointed out that recently, providers of mobile telephony-based financial transactions are increasingly adopting USSD technology while the range of services supported by their mobile transactions services using the USSD channel is broadening rapidly.
“Among financial services provided through the channel are account opening, balance and other enquiries, money transfer, airtime vending, bill payment, internet/mobile banking detail retrieval, and one-time password,” it added.
The USSD technology is a protocol used by the GSM network to communicate with a service provider’s platform. It is a session-based, real-time messaging communication technology which is accessed through a string which normally starts with an asterisk (*) and ends with a hash (#). It has a shorter turnaround time than SMS and, unlike SMS, it does not operate by store and forward, which means that data are stored neither on the mobile phone nor on the application. USSD technology is considered cost effective, more user-friendly, faster in concluding transactions, and handset agnostic.
“The vast applications of the USSD technology in terms of available service have raised the issue of risks inherent in the channel. In this regard, concerns have been expressed on the likely exposure of CBN approved entities to the possible breaching of the USSD-based financial services in view of likely vulnerabilities in the technology and the ever growing threats.
“Furthermore, the implementation in Nigeria has created multiple USSD channels to customers, thereby increasing their exposure to risk, without common standard for all.
“This framework therefore seeks to establish rules and risk mitigation considerations when implementing USSD for financial services offering in Nigeria.
“USSD-based financial transactions require end-to-end encryption to protect the integrity of the financial information,” it stated.
To this end, it stated that all providers of USSD-based financial services shall, among other things, put in place a proper message authentication mechanism to validate that requests/responses are generated through authenticated users; use secure USSD communication channels with a strong encryption mechanism; and not use the USSD service to relay details of other electronic banking channels (in the case of banks) to their customers, to prevent compromise of other electronic banking channels through the USSD channel.