The Cybersecurity, Capacity Development, and Financial Inclusion project, or CyberFI, brings together a robust, transparent community of practitioners and researchers working on digital financial inclusion. This series focuses on understanding financial inclusion ecosystems on their own terms—what countries are doing, what is working, and what isn’t. Six country case studies help capture the diversity of financial markets on the African continent: South Africa, Nigeria, Cameroon, Uganda, Ghana, and Zimbabwe

Introduction

The Nigerian digital financial ecosystem has witnessed remarkable growth in the past few years. According to McKinsey, Nigeria is home to over 200 fintech organizations, not counting fintech solutions provided by banks and mobile network operators.1 New service providers range from mobile money operators and payment service providers to fintech firms and other financial services providers, a trend that is increasing the need to ensure consumer security and trust. These services come with numerous important digital components, including mobile applications, digital tokens, Unstructured Supplementary Service Data, and digital ledgers, all of which involve potential vulnerabilities. It is increasingly important for the country’s financial industry to prioritize cybersecurity as it is the most targeted sector for cyber attacks.2

Elizabeth Kolade
Elizabeth Kolade is a Nigeria-based multidisciplinary cybersecurity professional with experience spanning the private sector, government service, and nonprofits. She is adept at helping organizations make sound decisions on risk management, policy development and implementation, forestalling cyber attacks, and handling and recovering from cyber incidents.

The Central Bank of Nigeria (CBN) is the leading domestic regulator for financial services, charged with overseeing and administering the federal government’s monetary policy and financial sector regulations. It issues licenses to banks and other financial institutions. The CBN, in line with its regulatory powers and oversight functions under its establishing act (the CBN Act) and the Banks and Other Financial Institutions Act, has taken salient steps toward regulating this space by striving to strengthen the cybersecurity defenses of banks and nonfinancial institutions.

The instruments for doing so include documents like the Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (OFI), the Regulatory Framework for Mobile Money Services in Nigeria, and the Nigerian Payments System Risk and Information Security Management Framework.3 The CBN also collaborates with relevant stakeholders such as the Securities and Exchange Commission to develop market regulations for cryptocurrencies and the Nigerian Communications Commission—the telecommunications sector’s regulator—to regulate mobile money operations.

Cybersecurity is a crucial pillar in Nigeria’s National Digital Economy Policy and Strategy, which outlines a vision for diversifying the country’s economy.4 The 2021 Nigerian National Cybersecurity Policy and Strategy (NCPS) identifies the banking, finance, and insurance sector as one of its thirteen critical information infrastructure sectors.5 The NCPS presents the Nigerian government’s approach to protecting these kinds of critical information infrastructure. The NCPS, as stated in Chapter 6.2, also aims to safeguard Nigeria’s digital economy by strengthening the country’s legal and regulatory framework and harmonizing legislation related to e-business and online consumer protections among other topics.

The CBN established the Consumer Protection Department in April 2012 to develop and implement an effective consumer protection framework and promote consumer confidence in the financial system. The department performs three primary functions, namely complaints management, market conduct and development, and consumer education and financial literacy. Additionally, in January 2019, the National Information Technology Development Agency issued the Nigeria Data Protection Regulation aimed at protecting Nigerians’ right to privacy, fostering the right environment for digital transactions, creating jobs, and improving information management practices in Nigeria.

The Diversity of Nigeria’s Digital Financial Space

Nigeria’s digital financial space is furnished with an array of digital financial products, services, and service providers (see figure 1).6 It features more than thirty deposit money banks, about 200 fintech firms, more than 900 microfinance banks, and numerous other financial institutions. The 2020 Access to Financial Services in Nigeria Survey by an organization called Enhancing Financial Innovation and Access reports that 45 percent of Nigeria’s adult population use banks and that 33 percent use informal financial services such as savings groups, village associations, and cooperatives.7 The CBN recognizes informal payment systems as drivers of financial inclusion and the need to incorporate these tools into formal systems.

Historically, the CBN framework on mobile money services in Nigeria blocked mobile network operators such as MTN Nigeria and Airtel Africa from being mobile money operators even though they are major infrastructure providers. In November 2021, however, the CBN issued an approval in principle for MTN Nigeria and Airtel Africa to operate payment service banks.8 They are allowed to provide financial services to Nigeria’s unbanked population through subsidiaries, which they are required to set up. Although similar to traditional banks, these service providers have a license that restricts them from engaging in credit risk and conducting foreign exchange operations.

On October 25, 2021, the Nigerian government, through the CBN, unveiled Nigeria’s central bank digital currency, known as the eNaira.9 The eNaira serves as both a medium of exchange and a store of value, offering better payment prospects in retail transactions compared to cash payments. Its intended function is to give customers speedy, safe, and simple trading tools for financial transactions.

Its launch has, however, elicited mixed reactions from Nigerians. While some have applauded the initiative, others have questioned its necessity and whether sufficient effort has gone toward sensitizing the general public. Barely forty-eight hours after the launch and a call for citizens to use the eNaira platform, the app suddenly vanished from Google Play in Nigeria, further raising skepticism among users. The app was eventually restored, and the CBN later explained that it had disappeared because it needed to undergo some maintenance.10 Early users of the platform complained of glitches and raised concerns about why the platform was asking them to input details on their existing bank accounts. The need to link to existing bank accounts also goes to show that the eNaira platform does not yet serve Nigeria’s unbanked population.11

A Snapshot of Nigeria’s Cyber Financial Regulatory Frameworks

An increase in the number and sophistication of threats targeting deposit money banks, payment service providers, and financial institutions in general led to the promulgation of the CBN’s Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers. The guidelines, which came into effect on January 1, 2019, outline minimum requirements for enhancing the cybersecurity of banks and payment service providers so that they remain resilient and proactively seek to secure their critical information assets and online customer information.12 This document also outlines the responsibilities of various entities within deposit money banks and payment service providers to achieve this goal. The framework, among other guidelines, directs them to integrate cybersecurity into their business functions and overall risk management processes. It also directs deposit money banks and payment service providers to conduct regular risk assessments, vulnerability assessments, and threat analysis to detect and evaluate risk to their information assets and determine the appropriateness of security controls for managing these risks. These institutions are also required to evaluate their cybersecurity posture and work toward achieving a target cybersecurity profile as outlined in the framework.

The draft version of the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions was released on August 13, 2021, for public comments and feedback. It aims to help prevent and combat cybercrimes in the OFI subsector, promote the adoption and implementation of cybersecurity best practices, create a safer and more secure cybersecurity environment to support OFI operations, and ultimately promote and maintain public trust in the OFI subsector.13

The Nigerian Payments System Risk and Information Security Management Framework addresses information security risk among others. This framework directs payment service providers and operators to implement information security policies in line with ISO 27001 standards on managing information security and to ensure the confidentiality, integrity, and availability of all information, systems, and networks that are critical to operational success. It also directs payment service providers to conduct annual information security assessments, including penetration tests and vulnerability assessments, to ensure awareness and implementation of adequate steps to address current and ongoing issues.

Consumer trust is essential in financial services, and it is, therefore, important that service providers not only earn such trust but also strive to retain it. Through its Consumer Protection Department, the CBN issued the Consumer Protection Regulations, which direct all financial institutions to develop internal policies to comply with regulatory efforts to enhance consumer confidence in the financial services industry and promote financial stability, growth, and innovation.14 Clause 3.2.6 in Part Two of the Consumer Protection Regulations mandates that banks must respond to customers’ inquiries within five working days of receiving the requests, and Clause 5.4 in Part Four highlights measures aimed at ensuring user protection and privacy. Accordingly, Nigeria’s Data Protection Regulation, issued and enforced by the National Information Technology Development Agency, makes provisions for the consumer rights of data subjects, data security, and the safe conduct of transactions involving personal data.15

Section 19 (3) of the Cybercrimes (Prohibition, Prevention Etc) Act, 2015 makes a strong statement for financial institutions to combat fraud in a bid to safeguard consumer information.16 Additionally, Sections 30 and 33–36 of the act outline guidelines and related sanctions for abuse of electronic transactions and related fraud. Sections 37–40 highlight the duties of financial institutions to identify their customers, retain records, and protect customer data, among others. Some of these duties include applying Know Your Customer principles before executing electronic transactions and verifying customers’ identities.17 These sections also outline penalties for individuals or organizations who fail to verify the identity of a customer before executing electronic instructions and for unauthorized debits and a failure to reserve such debits within the specified period. As part of the measures designed to ensure accountability and mitigate threats, Section 21 of the act requires operators of computer systems or networks, whether public or private, to report incidents to the National Computer Emergency Response Team Coordination Center for appropriate action. Banks and OFIs are also required to have operational resilience to help reduce cybercrime and strengthen cybersecurity defenses within the finance sector.

Through the NCPS, Nigeria additionally strives to create an online environment that is safe, resilient, and trusted by individual users and businesses within and beyond its borders. A thriving digital economy for Nigeria would mean a transformed, user-friendly digital environment where the security of personal and sensitive information is assured; the safety of online activities is guaranteed; and the rights of users, businesses, and service providers are protected. This can be achieved when trust and confidence are built. The strength of any financial system or institution is in the confidence and trust that customers and ordinary people place in it; thus, it is critical that systems and institutions appropriately manage the risks and challenges that they face.18

All these guidelines, frameworks, and regulations have outlined measures meant to ensure a safe and secure digital environment so that Nigerian citizens can efficiently and routinely use online tools, including financial services. A significant trend on implementation can be observed in the financial sector. Though organizations are at different levels of implementing cybersecurity measures, digital financial service providers and banks now have cybersecurity teams, units, or departments, and the CBN is actively functioning as the lead agency for the financial sector. The CBN also houses the sectoral Computer Emergency Response Team to identify and respond to risks, threats, and trends involving the financial sector.

Even with all these measures, consumers still lack confidence in these institutions, specifically commercial banks. Despite the existence of the Consumer Protection Department and help desks, for instance, some customers have instead resorted to engaging private entities in the event of financial disputes with banks. A conversation with an individual private entity who assists customers in seeking redress revealed that, since he started working on incidents, the Consumer Protection Department has never responded to any emails or complaints reported via its official email address, despite being copied on correspondence with banks.19 However, banks seem to be responsive and take action when the Consumer Protection Department is copied in such email correspondence—a signifier of banks’ compliance with legal provisions. A CBN representative stated that 22,173 complaints, or 94 percent of the total complaints, from bank customers had been resolved as of June 2021. According to this representative, “the CBN has [also] ensured that banks [have] refunded a total of 89.2 billion [naira] to various customers based on resolved complaints, since 2012.”20

Although consumers exhibit low trust in brick-and-mortar banks, it seems that users of financial services would rather stick with the familiar than chance new uncertainties. Frequent fraud and phishing attempts, unclear fees, hidden charges, and poor track records on redressing disputes also have a direct impact on customers’ decision to use digital financial services, according to a recent survey on consumer protection in the country.21 These perceived threats may also be responsible for Nigerian customers having reservations about readily adopting emerging digital financial service products. Others have also resolved never to own an ATM card or activate digital banking services because of personal experiences or secondhand accounts of scams.

While there has been significant progress in Nigeria on bolstering traditional cybersecurity (particularly for digital financial services), there also are notable challenges. These include repeated failures to report cybersecurity incidents, the inadequate capacity of cybersecurity teams in financial institutions, and low levels of consumer awareness, all of which directly and indirectly affect consumer trust and confidence in these systems.22 Such challenges can be tied to the need to better gauge how cybersecurity guidelines, frameworks, and regulations in the financial sector are being implemented.

A Way Forward

The Nigerian financial sector has made commendable strides toward enhancing cybersecurity resilience in digital financial services. However, more needs to be done to effectively implement these associated instruments to enhance and retain consumer trust and confidence in the country’s digital financial services ecosystem. Some areas of improvement are outlined below.

  • Continuous and regular cybersecurity awareness for consumers should be prioritized. As customers become more dependent on digital channels for financial transactions, the rate and number of cyber threats will continue to increase. A document published by the Nigeria Inter-Bank Settlement System on fraud in Nigeria’s financial sector reveals that 56 percent of fraud attempts in the first three quarters of 2020 were conducted via social engineering, a consumer-facing threat.23 Proactive efforts are necessary to alert consumers to such risks and inform them how to thwart such attacks. Nigeria’s NCPS suggests that the National Cybersecurity Coordination Center, nongovernmental organizations, and professional bodies should conduct consumer sensitization campaigns. With this in mind, the CBN in collaboration with the Committee of Chief Information Security Officers of the Nigerian Financial Industry and the CyberSafe Foundation recently launched a cybersecurity awareness campaign.24 The use of local media and awareness campaigns using local languages could help ensure that consumers in rural areas are also reached. To assess the effectiveness and helpfulness of such awareness efforts, follow-up public surveys could be conducted.
  • Financial institutions should invest significantly in and have a robust capacity development plan for their information technology and cybersecurity teams and top executives. The financial sector is highly susceptible to cyber attacks, and new kinds of attacks are launched regularly, so capacity building must be frequent and consistent. The Cyber Resilience and Financial Organizations web tool by the Carnegie Endowment for International Peace is a robust resource that can help institutions enhance their organizational cybersecurity resilience.25
  • Financial institutions, corporations, and the Cybercrime Advisory Council should collaborate effectively to combat cybercrime. An amendment to the Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 to strengthen such collaboration and partnerships would pave the regulatory pathway while ensuring due consideration to trust, consumer rights, and privacy protections.
  • The implementation of existing regulations should be further enhanced. Additional measures should be undertaken by the CBN and related stakeholders to ensure that regulations are working effectively and being implemented and complied with.
  • Cybersecurity is a collective responsibility. Consequently, the Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers outlines the respective responsibilities held by parties ranging from the board of directors (at the executive administrative level) to incident response teams (at the operational level). Negative incidents greatly affect an entire organization, so top executives must not leave the task of developing cybersecurity resilience solely to their operational teams. Rather, all units must work in unison to build an effective cybersecurity defense, while working to earn and keep consumer trust.

Notes

1 Topsy Kola-Oyeneyin, Mayowa Kuyoro, and Tunde Olanrewaju, “Harnessing Nigeria’s Fintech Potential,” McKinsey, September 23, 2020, https://www.mckinsey.com/featured-insights/middle-east-and-africa/harnessing-nigerias-fintech-potential.

2 Limor Kessem, “Threat Actors’ Most Targeted Industries in 2020: Finance, Manufacturing and Energy,” Security Intelligence, March 31, 2021, https://securityintelligence.com/posts/threat-actors-targeted-industries-2020-finance-manufacturing-energy.

3 “Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers,” Central Bank of Nigeria, June 25, 2018, https://www.cbn.gov.ng/Out/2018/BSD/RISK%20BASED%20CYBERSECURITY%20FRAMEWORK%20Exposure%20Draft%20June.pdf; Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions,” Central Bank of Nigeria, August 13, 2021, https://www.cbn.gov.ng/Out/2021/OFISD/Exposure%20draft%20of%20the%20risk-based%20cyber-security%20framework_August%202021%20PDF.pdf; “Regulatory Framework for Mobile Money Services in Nigeria,” Central Bank of Nigeria, July 2021, https://www.cbn.gov.ng/Out/2021/CCD/Framework%20and%20Guidelines%20on%20Mobile%20Money%20Services%20in%20Nigeria%20-%20July%202021.pdf; and “Nigerian Payments System Risk and Information Security Management Framework,” Central Bank of Nigeria, 2020, https://www.cbn.gov.ng/Out/2020/PSMD/Nigerian%20Payments%20System%20Risk%20and%20Information%20Security%20Management%20Framework.pdf.

4 “National Digital Economy Policy and Strategy (2020 – 2030),” Nigerian Federal Ministry of Communications and Digital Economy, https://www.ncc.gov.ng/docman-main/industry-statistics/policies-reports/883-national-digital-economy-policy-and-strategy/file.

5 “National Cybersecurity Policy and Strategy,” Nigerian Government, February 2021, https://cert.gov.ng/ngcert/resources/NATIONAL_CYBERSECURITY_POLICY_AND_STRATEGY_2021.pdf.

6 “List of Deposit Money Banks as at September 30, 2021,” Central Bank of Nigeria, September 30, 2021, https://www.cbn.gov.ng/Out/2021/FPRD/Deposit%20Money%20Banks%20300921.pdf; Kola-Oyeneyin, Kuyoro, and Olanrewaju, “Harnessing Nigeria’s Fintech Potential”; “List of Financial Institutions – Micro-Finance Banks,” Central Bank of Nigeria, https://www.cbn.gov.ng/Supervision/Inst-MF.asp; and “Financial Institutions,” Central Bank of Nigeria, https://www.cbn.gov.ng/Supervision/finstitutions.asp.

7 “EFInA Access to Financial Services in Nigeria 2020 Survey Report,” Enhancing Financial Innovation and Access, June 3, 2021, https://a2f.ng/wp-content/uploads/2021/06/A2F-2020-Final-Report.pdf.

8 Uto Ukpanah, “The Central Bank of Nigeria Grants Approval in Principle for the Proposed Momo Payment Service Bank Limited,” MTN Nigeria Communications, November 5, 2021, https://doclib.ngxgroup.com/Financial_NewsDocs/34548_MTN_NIGERIA_COMMUNICATIONS_PLC%20THE_CENTRAL_BANK_OF_NIG.pdf; Simon O’Hara, “Approval in Principle for Service Bank Licence in Nigeria,” Airtel Africa, November 5, 2021, https://doclib.ngxgroup.com/Financial_NewsDocs/34549_AIRTEL_AFRICA_PLC%20APPROVAL_IN_PRINCIPLE_FOR_PAYMENT_SE.pdf; Adegoke Oyeniyi, “MTN and Airtel Get “Approval in Principle” to Launch Mobile Money Services in Nigeria,” Tech Cabal (blog), November 5, 2021, https://techcabal.com/2021/11/05/mtn-and-airtel-get-approval-in-principle-to-launch-mobile-money-services-in-nigeria.

9 Osita Nwanisobi, “President Buhari To Unveil eNaira on Monday, 25 October 2021,” Central Bank of Nigeria (press release), October 23, 2021, https://www.cbn.gov.ng/Out/2021/CCD/eNaira%20Launch%20Press%20release%20%20231021.pdf.

10 Ogochukwu Anioke, “Breaking: Why e-Naira Went Missing on Google Playstore, by CBN,” Nation Online, November 2, 2021, https://thenationonlineng.net/breaking-why-e-naira-went-missing-on-google-playstore-by-cbn.

11 Nzekwe Henry, “The Inside Story of How Nigeria’s eNaira Digital Currency Vanished for 24 Hours,” WeeTracker, November 2, 2021 https://weetracker.com/2021/11/02/nigeria-enaira-glitches.

12 “Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers,” Central Bank of Nigeria.

13Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions,” Central Bank of Nigeria.

14 “Consumer Protection Regulations,” Central Bank of Nigeria, December 20, 2019, https://www.cbn.gov.ng/out/2019/ccd/cbn%20consumer%20protection%20regulations.pdf.

15 “Nigeria Data Protection Regulation,” Nigerian National Information Technology Development Agency, January 25, 2019, https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf.

16 “Cybercrimes (Prohibition, Prevention, Etc) Act, 2015,” Nigerian Computer Emergency Response Team, https://www.cert.gov.ng/ngcert/resources/CyberCrime__Prohibition_Prevention_etc__Act__2015.pdf.

17 James Chen, “Know Your Client (KYC),” Investopedia, April 17, 2021, https://www.investopedia.com/terms/k/knowyourclient.asp.

18 Oludare Senbore, “CBN Issues Draft Guidelines to Address Cybersecurity in Financial Sector,” Aluko and Oyebode, December 2018, https://web.archive.org/web/20210422104648/https://www.aluko-oyebode.com/insights/cbn-issues-draft-guidelines-to-address-cybersecurity-in-financial-sector/.

19 Author interview with private individuals who assist consumers with financial disputes seeking redress (via Zoom), November 3, 2021.

20 Catherine Agbo, “Bank Customers Get N89bn Refund on Failed Transactions in 9 Years – CBN,” Twenty-First Century Chronicle, August 6, 2021, https://21stcenturychronicle.com/banks-customers-get-n89bn-refund-on-failed-transactions-in-9-years-cbn.

21 William Blackmon, Rafe Mazer, and Shana Warren, “Nigeria Consumer Protection in Digital Finance Survey,” Innovations for Poverty Action, March 2021, https://www.poverty-action.org/sites/default/files/Nigeria-Consumer-Survey-Report.pdf.

22 Abubakar Idris, “Why Some of Nigeria’s Worst Cyberattacks Are Not Reported,” Tech Cabal (blog), July 21, 2020, https://techcabal.com/2020/07/21/why-some-of-nigerias-worst-cyberattacks-are-not-reported.

23 “Fraud in the Nigerian Financial Services,” (2nd edition), Nigerian Inter-Bank Settlement System, https://nibss-plc.com.ng/media/PDFs/post/NIBSS%20Insights%20Fraud.pdf.

24 “CBN, Stakeholders Launch Cybersecurity Campaign #NoGoFallMaga,” Punch, July 20, 2021, https://punchng.com/cbn-stakeholders-launch-cybersecurity-campaign-nogofallmaga.

25 Tim Maurer, Kathryn Taylor, and Taylor Grossman, “Cyber Resilience and Financial Organizations: A Capacity-building Tool Box” Carnegie Endowment for International Peace, December 2020, https://carnegieendowment.org/specialprojects/fincyber/guides.