Overview of the Guidelines for Contactless Payments in Nigeria
As the financial services ecosystem in Nigeria continues its rapid development, DealHQ Partners provides a guide to the latest regulatory initiative regarding contactless payments.
Nigeria has experienced significant growth and development in its financial sector, driven in large part by the integration of technology.
Technology has revolutionised the way banks operate in Nigeria, enhancing their efficiency, expanding their reach, and transforming the customer experience. The growth of fintech companies has further entrenched the relevance of technology and its potential to redefine the Nigerian financial services ecosystem.
The financial services sector has been at the forefront of leveraging technology to address challenges, enhance services, and stimulate economic growth. With banks and fintech companies in Nigeria embracing innovative solutions such as mobile banking, online platforms, and electronic payment systems to offer convenient and accessible financial services to a wider population, it is clear that there is a recognition of the potential inherent in technology to reshape financial services.
A case in point which highlights the efforts being put into building a more innovative financial ecosystem is the introduction of contactless payments. The COVID pandemic and the resultant lockdown triggered significant changes in the payment industry. Specifically, it amplified the need for contactless payments and ushered in a wave of unprecedented innovation and product development in the payment industry globally.
Given the record traction in the Nigerian payment market, the Central Bank of Nigeria (CBN), recognising the need for a tailored regulatory framework to support the burgeoning growth in the sector, issued the Framework for Quick Response (QR) Code Payments in Nigeria in January 2021, and the Exposure Draft of the Guidelines for Contactless Payment in Nigeria in October 2022.
On June 27, 2023, the CBN, in furtherance of its efforts to standardise operations in payment systems while encouraging the deployment of innovative products, released the Guidelines for Contactless Payments in Nigeria (the Guidelines).
Contactless payments – also referred to as touch-free, tap-and-go, or proximity payments – are wireless financial transactions in which the customer makes a purchase by moving a security token in close proximity to the vendor's point-of-sale reader. Popular security tokens for contactless payments include chip-enabled bank cards and smartphone digital wallet apps.
Contactless payment cards and authorised mobile devices rely on radio frequency identification (RFID) and near-field communication (NFC). RFID consists of tags and readers that passively identify an object (credit card) using radio waves. NFC is a short-range wireless technology that connects smartphones, tablets, wearables (e.g., an Apple Watch), and payment cards.
The process can be broken down into five simple steps:
Step 1 – the merchant prompts a customer to make a payment;
Step 2 – the customer hovers their card over the contactless payment system;
Step 3 – information transmits via microchip to the customer’s bank;
Step 4 – the system accepts (or denies) the transmission; and
Step 5 – acceptance confirmation is usually signalled with a green light, checkmark, or noise.
The CBN Guidelines on Contactless Payments
In line with the push for the transition to a cashless economy, and to ensure a safer and more stable Nigerian financial system and promote innovation in the financial services system, the CBN released the Guidelines pursuant to its powers under Section 2(d) of the Central Bank of Nigeria Act, 2007, and Section 56(2) of the Banks and Other Financial Institutions Act, 2020, to provide minimum standards and requirements for the operation of contactless payments in Nigeria.
The Guidelines define contactless payments as “the consummation of financial transactions without physical contact between the payer and the acquiring devices”. This means that secure payments can be made with debit/credit cards, stickers, fobs, wearable devices, tokens, and mobile electronic devices that use NFC, radio frequency, or QR codes.
The Guidelines, among other things, provide for:
The roles and responsibilities of various stakeholders within the contactless payment ecosystem;
The minimum standard/specification for all contactless payment terminals, applications, and processing systems;
The transaction limit to be adopted within the contactless payment ecosystem;
Guidelines for the provision of value-added services; and
The power of the CBN to prescribe and enforce sanctions and penalties for breach of the Guidelines.
Key stakeholders in the contactless payment ecosystem
The Guidelines clearly articulate the roles and responsibilities of the various stakeholders in the contactless payment ecosystem, prescribing standards and specifications for all forms of market technology and systems, while also prescribing processes and principles that will govern their relationship with each other.
An acquirer is a CBN-licensed institution that facilitates the acceptance of payments from customers to merchants through contactless payment means such as point-of-sale terminals, mobile applications, and QR codes. An acquirer will typically be the account bank of a merchant that is utilising the contactless payment system for fee collection from its customers.
The Guidelines require all acquirers to:
Ensure that all contactless payment devices, applications, and instruments deployed are certified by the CBN and meet prescribed specifications/standards;
Operate an agnostic acceptance policy such that all cards, capable of contactless payment, issued in Nigeria shall be accepted irrespective of the issuer;
Conduct customer KYC (know your customer) procedures and train customers in compliance with the applicable regulations;
Take measures to prevent the use of their networks and devices in violation of anti-money laundering laws; and
Execute a contactless payment agreement with all customers prior to granting access to the acquirer’s contactless payment platform.
In a bid to protect unwary or naive customers from the perpetration of fraud, the Guidelines restrict acquirers from admitting or profiling agent banking terminal operators to their platforms or facilitating contactless transactions on their behalf.
As with acquirers, only CBN-licensed institutions are permitted to act as issuers for contactless payments. An issuer is responsible for issuing contactless payment-enabled cards, tags, or mobile applications to consumers (consumers being people who procure cards, tags, tokens, or contactless payment-enabled mobile apps to facilitate payments to merchants or other service providers). Examples of CBN-licensed institutions in Nigeria that already issue contactless payment-enabled cards and devices include First Bank of Nigeria, United Bank for Africa, and Providus Bank.
These cards have embedded RFID technology which communicates with card readers to enable payment transfers. Issuers are required to ensure that all tokens and devices issued by them for payment by customers meet prescribed standards and specifications.
Furthermore, issuers are required to obtain and properly document a customer’s consent prior to enabling a customer’s device for contactless payment. Specifically, the Guidelines prohibit unsolicited activation of a contactless payment service on any payment-enabled device owned by any customer. Relatedly, prior to activating a contactless payment service for any customer, an issuer is required to verify and identify such customers by their Bank Verification Number.
Payment scheme and card scheme administrators
Payment/card scheme administrators are operators of card and payment systems (such as Mastercard, Visa, Remita, and Flutterwave). While issuers are responsible for issuing cards and other enabled devices to customers, the payment/card system administrators oversee the administration and use of issued cards for payment.
Payment system and card system administrators are required to comply with the Guidelines generally and act in accordance with prescribed processing specifications, while ensuring that their systems and schemes are interoperable.
Switching companies are CBN-licensed institutions that oversee the routing of transaction data, inter-bank payment clearing and settlement, payment authentication and authorisation, and risk management. The Nigeria Inter-Bank Settlement System (NIBSS) is the central switch for the Nigerian financial market. Interswitch, eTranzact, and Flutterwave are some of the other licensed switching companies.
The Guidelines mandate switching companies to ensure that contactless transactions via approved payment instruments issued in Nigeria are successfully switched between acquirers and issuers, and to undertake periodic risk assessment to mitigate money laundering and the financing of terrorism within the system.
Payment terminal service providers
Payment terminal service providers (PTSPs) are CBN-licensed institutions that deploy contactless payment-enabled payment terminals (point-of-sale terminals) for use within the financial ecosystem.
PTSPs are, according to the Guidelines, required to assure the quality and functionality of all contactless payment-enabled terminals issued by them through optimal maintenance and availability of a 24/7 support infrastructure. It is recommended that the response time for repair or replacement should not exceed 48 hours from the time of escalation.
Payment terminal service aggregators
A payment terminal service aggregator (PTSA) oversees the interconnectivity of all payment terminals deployed within the Nigerian payment ecosystem. NIBSS is the sole PTSA in Nigeria. It ensures that all terminals used in the e-payment ecosystem and all devices deployed in Nigeria are brand-agnostic and would accept all cards issued by any bank or other licensed card schemes without discrimination.
NIBSS ensures the standardisation of technical and operational specifications of all devices deployed within the Nigerian financial system. The Guidelines require the PTSA to certify that all point-of-sale terminals used for contactless payments meet the required standards for the payment industry. It is also required to implement a documented risk management process to identify and address risks associated with contactless payments.
Merchants include businesses (large institutions or SMEs) that employ contactless payment devices as a means of receiving payments from customers. They are required to ensure that devices deployed for contactless payments are of the required specification. They must also exercise due diligence in effecting all payment transactions as they remain liable for any fraud resulting from negligence or connivance during a contactless payment transaction.
The Guidelines further require all merchants that accept contactless payments to display the contactless payment symbol visibly in their location. They are also required to undertake second-level authentication for transactions of a value which is higher than the stipulated limit per day via the customer’s personal identification number (PIN) or token code.
Terminal owners include issuers, acquirers, merchants, and PTSPs that own terminals or devices used for contactless payment. The Guidelines require such entities to ensure that all terminals and devices procured by them are compliant with the minimum requirements for contactless payment terminals and devices.
The Guidelines also require terminal owners to implement a risk management process to identify and address risks associated with contactless payments.
A customer is anyone making a payment through a contactless payment method. The Guidelines require customers to exercise due diligence during contactless payment transactions, while leaving them in full control to opt in or out of any contactless payment service.
The Guidelines, in paragraph 9.0, set the transaction limit, and indicate that the CBN shall determine appropriate transaction and daily cumulative limits for contactless payments from time to time. In line with this, and in recognition of the risks associated with contactless payments, the CBN issued another circular in which it set the transaction limit at NGN 15,000 (approximately $19) for each transaction, and a daily cumulative limit of NGN 50,000.
The Guidelines provide that contactless payment transactions below the stipulated limits may not require the authorisation of the customer. However, where they exceed the stipulated limits, considered to be higher-value contactless payments, there shall be a requirement to make use of a PIN, mobile code, biometric identifier, etc. to authenticate or authorise such payment.
Also, because the Guidelines provide for the adoption of a risk-based approach to setting transaction limits, the customer has the option of specifying the value of transactions they wish to undertake, but such limits should fall within the limits specified by the CBN from time to time. Where the customer wishes to perform transactions outside the specified limit, they would be required to do the following:
Send a request in writing to the CBN indicating that they want to operate outside the specified limits; and
Provide an indemnity that reflects the risks involved.
The CBN is then required to approve the transaction, subject to its internal risk management policies.
Dispute resolution mechanism and sanctions
Paragraphs 10 and 11 of the Guidelines make provisions as regards dispute resolution and sanctions. The Guidelines provide that disputes should be resolved in line with the existing payments industry dispute resolution system. They also set forth that where stakeholders or parties are unable to resolve a dispute, the matter may be escalated to the CBN in line with the extant CBN Dispute Resolution Guidelines.
In addition, and to ensure compliance, the Guidelines provide that regulated stakeholders shall be the subject of sanctions and penalties as may be prescribed by the CBN where they fail to adhere to the provisions of the Guidelines and other relevant regulations.
Benefits and challenges
The general adoption of contactless payments will have a far-reaching effect on the economy as it will create a smarter, faster, more efficient, and easy-to-use mode of payment which requires less manpower.
It is also necessary to mention that the posture of the Guidelines is generally user-centric, as the CBN mandates that the use of a contactless payment service must be elective, while holding all participants within the value chain to regulatory service levels.
Without doubt, the benefit of the Guidelines is enormous, yet a big impediment remains the introduction of a transaction limit for contactless transactions. The Guidelines provide for a NGN 15,000 transaction limit for a single transaction and a cumulative daily transaction limit of NGN 50,000 per user. Transactions that fall outside these limits require an additional layer of authentication.
It is maintained that while the intention of the limits is noble and driven by the need to protect users from significant impact should fraud, theft, impersonation, or funds misappropriation occur, the existing thresholds seem too low considering the commercial realities in present-day Nigeria. To guarantee that the contactless payment system remains a viable alternative for users, therefore, it is imperative for the CBN to consider an upward review of the prescribed limits.
Finally, the Guidelines envisage growth and innovation in the contactless payment ecosystem and therefore provide a protocol for innovative use cases. Where any stakeholder intends to offer a novel or value-added service falling within the contactless payment niche, it is required to procure and obtain the prior approval of the CBN.
A redefinition of the Nigerian e-payments system
Contactless payment is fast becoming a preferred mode of payment across the globe, with reports indicating that the global market size is expected to reach $164.15 billion by 2030. The issuance of the Guidelines is indicative of Nigeria’s desire to not be left behind in the advancement of this technology, as the Guidelines are expected to expand the contactless payment ecosystem and consequently accelerate the speed of its adoption in Nigeria.
It is therefore expected that the introduction and implementation of the Guidelines shall foster public trust, and prove relevant in redefining the Nigerian electronic payments system.