Nigeria: An Appraisal Of The Central Bank Of Nigeria's Frameworks For Sandbox Operations And Quick Response Code Payments

INTRODUCTION

On 13^th January 2021, the Central Bank of Nigeria (CBN) released two regulations: the Framework for Regulatory Sandbox Operations ("Sandbox Framework") and the Framework for Quick Response (QR) Code Payments in Nigeria ("QR Code Framework").

The CBN stated that the frameworks are aimed at strengthening the payment systems space and the development of other disruptive technologies relating to financial services in Nigeria.

We will briefly consider the frameworks and their potential impact for the financial technology (fintech) industry in Nigeria.

• The Sandbox Framework

Owing to the growing interest in fintech), the CBN deemed it necessary to set up a regulatory sandbox, a closed testing environment designed for experimenting safely with innovative products, services and solutions. This, according to the CBN, would allow it "stay abreast of innovations while promoting a safe, reliable and efficient payments system to foster innovation without compromising on the delivery of its mandate".

To be eligible to participate in a sandbox, an applicant must have conducted adequate assessment to demonstrate the usefulness and functionality of its product, service or solution and have a business plan to show that the product, service or solution can be successfully deployed after exit from the sandbox.

The sandbox application process is open to both existing CBN licensees, local companies intending to test an innovative payments product or service deemed acceptable by the CBN, and innovators whose proposed solution involve technologies which are currently not covered under existing CBN regulations. As part of its bid to promote innovation, the CBN permits participants to leverage on the sandbox of other regulators if any aspect of their products, services or solutions fall within the jurisdiction of the other regulators.

There are several obligations imposed on participants in the sandbox including, putting in place testing parameters to limit risks to the financial system and consumers, ensuring proper maintenance of records during the testing period for a maximum of 5 years, submitting periodic reports to the CBN on the progress of the test and submitting a final report containing key outcomes and performance indicators against agreed measures for the success or failure of the test and also, findings of the test.

An application for participation in a sandbox must state the initial testing timeline (in months) for the proposed product, service or solution. A participant may, however, apply to the CBN for the extension of the testing period and, such an application may be granted by the CBN upon proof that, in general, the solution has tested positively and the extended testing is necessary to respond to specific issues or risks identified during initial testing. The CBN also has the power to withdraw the approval granted to an innovator to participate in a sandbox.

Upon completion of a sandbox test, the CBN would decide whether the product, service or solution should be introduced and may provide support to a successful participant for the purpose of obtaining any requisite licence(s).

The CBN intends to have one sandbox cohort/group per year. The number of innovators to be accepted into a cohort will be based on the CBN's resource capacity to support innovators.

• The QR Code Framework

The CBN, in furtherance of its mandate to promote innovation in the payments system space, issued the QR Code Framework which provides regulatory guidance for the operation of QR Code payment services in Nigeria.

QR Codes are a kind of matrix barcode ¹ representing information presented as square grids and made up of black squares against a contrasting background. They are read by using a digital device and can be used to present, capture and transmit payments information across payments infrastructure.

• QR Code payments in Nigeria are to be based on the EMV® QR Code specification for payment systems and the merchant-presented mode specification (e. where merchants present the QR Code for buyers to accept in order to conclude payment transactions). QR Codes are also required, at a minimum, to be encrypted (AES) and/or signed; and all applications, updates and patches must be duly certified by the Payments Terminal Service Aggregator.

The CBN may, however, also approve the implementation of any other QR Code standard, provided it meets prescribed security requirements, demonstrates interoperability with other existing implementation in the industry and/or provides cost benefits to end-users (i.e. merchants and customers).

The Framework imposes various obligations on merchants, customers, issuers, acquirers and payment service providers, who are the major participants in QR Code payment services. These obligations include the following:

• Merchants – required to use and display only approved QR Codes in Nigeria and comply with service agreements executed with an acquirer.
• Customers – required to use QR Code payments applications availed by an issuer without modifications and adhere to all minimum security guidelines as stipulated by the issuer.
• Issuers – required to provide QR Code payment applications to customers upon request and activation by customer; execute service agreement with their customers; determine and agree appropriate transaction limits with customers for QR Code payments based on the customers' risk profile assessment; and provide adequate training, support and security guidelines to customers on the use of QR codes for payments.
• Acquirers – required to execute service agreement with merchants; determine and agree appropriate transaction limits with merchants for accepting QR Code payments based on its risk profile assessment of the merchant; and ensure that appropriate security protocols are applied.
• Payment Service Providers – required to support the processing and settlement for all issuers and acquirers.

In addition to the above, issuers and acquirers are required to have clearly defined risk management policies and guidelines for the operation of QR Code payments; agree minimum due diligence guidance for merchant on-boarding; and ensure that behavioural monitoring and fraud management systems are implemented to prevent, detect and mitigate fraud and money laundering.

Issuers are also required to oversee the management of fraud risk and to this end, are required to provide quarterly risk management assessment reports to the CBN which shall include, among others, a fraud report, vulnerabilities assessment and risk mitigating measures introduced.

CONCLUDING THOUGHTS

The introduction of the QR Code and Regulatory Sandbox Frameworks are welcome developments, particularly with the increased roll-out of financial technology related products, services and solutions by innovators in Nigeria.

Although most banks and other payment service providers already allow payments to be made using QR codes, the QR Code Framework will serve to protect consumers who make use of such codes and provide guidance to the other relevant players in implementing and operating QR code payment schemes.

Similarly, the introduction of a regulatory sandbox is a positive step given the constant emergence of innovators in Nigeria and the global interest in the products, services and solutions developed by these innovators. The provision of support to successful participants by the CBN, especially in the obtaining of licences will also serve as an incentive for innovators to apply and participant in the sandbox.

Footnotes

1. A barcode is a machine-readable optical label that contains information about the item to which it is attached.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.