Contactless Payments ("CPs"), aptly described as payments which involve the consummation of financial transactions without physical contact between the payer and the acquiring devices1, have been gaining momentum and widespread adoption in recent times. First introduced in the 1990s,2 CPs recorded a significant boost in adoption following the COVID-19 pandemic in 2020.3 Today, CPs are the preferred choice of payment in many countries, with the CPs market set to reach a global value of
In
However, there are risks/security concerns inherent in the use and adoption of CPs. Some of the major risks include CPs fraud, hacking of CPs networks, data privacy concerns for customers and the implications of the absence of authorization. For instance, in 2020, £16 million was lost to CPs fraud in the
It is therefore unsurprising that the
In this article, we review the Draft Guidelines and consider how they impact the financial services market in
1.0 STAKEHOLDERS IN CPs TRANSACTIONS
The Draft Guidelines identified 11 Stakeholders in CPs transactions. The Stakeholders and a brief description of their respective roles are set out below:
- Acquirer;12
- Issuer;13
- Payment schemes;14
- Card schemes;15
- Switching Companies;16
- Payment Terminal Service Provider;17
- Payment Terminal Service Aggregator;18
- Merchants;19
- Terminal Owners;20
- Customers; and
- Any other stakeholder/participant as designated by the CBN.
2.0 HIGHLIGHTS OF THE DRAFT GUIDELINES
The Draft Guidelines set out the framework for CPs transactions in
RESTRICTIONS ON CONTACTLESS PAYMENTS
The Draft Guidelines impose transaction limits for CPs transactions,21 and stakeholders may set a limit on par with or below the limit set by the CBN. CPs transactions below the transaction limits may not require customers' verification22 but CPs above the transaction limit (described as "Higher-value CPs payments") shall require customer verification.23 The obligation to ensure adherence to transaction limits is imposed on the Acquirer24 and the Issuer.25 It is interesting to note that the Draft Guidelines seem to also impose this obligation on merchants.26
The transaction limits in the Draft Guidelines do not envision/encompass transaction frequency, creating a risk. This omission can, for example, be contrasted with the framework in the
PRECONDITIONS FOR PARTICIPATION
The Draft Guidelines impose various preconditions to participation. For instance, only CBN-licensed institutions can serve as Acquirers31 and Issuers.32 Participants are required to comply with the standards subsequently discussed in this article as well as obtain and maintain the required certifications.
In any case, the contactless payments image, symbol, tactile, graphics and/or the words "contactless payments" (in Braille) shall be displayed on contactless payment instruments, contactless payment devices and locations where contactless payments are accepted.33 In addition, CPs cannot be activated by default; customers shall have the option to opt in to CPs, and they also have the right to withdraw from the CPs Agreement without prior notice to the issuer.34
STANDARDS FOR PARTICIPATION
All Stakeholders who process and/or store customers' information35 are mandated to ensure that their terminals, applications and processing systems comply with the following standards, at the minimum:
- PA DSS - Payment Application Data Security Standard;
- PCI PED - Payment Card Industry PIN Entry Device;
- PCI DSS - Payment Card Industry Data Security Standard;
- Triple DES - Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party. The triple DES algorithm is the minimum standard;
- AES - Advanced Encryption Standards;
- EMV - The deployed infrastructure must comply with the EMV requirements for contactless acceptance;
- ISO 27001 - information security management system;
- Standards specified by the various payment schemes; and
- Other standards as may be specified by CBN from time to time.36
Said participants are required to maintain valid certification to these standards, ensure they remain compliant with the standards at all times and execute contactless payments agreements/contracts with parties. Note that participants are required to obtain CBN's approval for CPs products and for innovative use cases and value-added services.37
CPs TRANSACTION PROCESSING
Participants are required to enter CPs agreements which clearly spell out the terms and conditions of the transaction38 and comply with minimum requirements set by the CBN.39 Prior to consummating a CPs transaction, the transaction value and associated charges must be communicated to the customer.40
CPs devices are required to be issuer/brand agnostic and neutral to the type of card or payment instrument used.41 All domestic contactless payments shall be switched through a Nigerian switch,42 all contactless devices must be connected to an account or wallet that has Bank Verification Number ("BVN"),43 and only accounts/wallets with BVN can be activated for CPs in
With respect to dispute resolution, PTSPs are required to onboard adequate support infrastructures that ensure 24/7 support coverages46 and prevent instrument clashes when multiple contactless payments are present,47 while all participants are required to work in conjunction to ensure the resolution of disputed transactions within the timeline specified by the CBN dispute resolution framework. With respect to financial crimes, Acquirers and Issuers are required to undertake measures to prevent the use of their network for purposes associated with money laundering and other financial crimes,48 conduct KYC on all customers49 and carry out periodic risk assessments of their processes and have effective measures to mitigate ML/TF/PF risks associated with CP.50 Similarly, all other participants except Customers and Merchants are required to implement a documented risk management process to identify and treat risks associated with contactless payments, while Customers and Merchants are required to exercise due diligence in carrying out CPs transactions.
In any case, Acquirers, Issuers, and Merchants will be held liable for fraudulent transactions on CPs arising from their negligence and/or connivance.51 Stakeholders are also required to render monthly returns on CPs transactions (including value, fraud, data, and failed transactions) to the CBN in a format to be prescribed by CBN.
3.0 THOUGHTS AND CONCLUSIONS
We note that the Draft Guidelines are quite clear in setting standards and introducing a framework for the operation of CPs in
However, we have concerns regarding the absence of a transaction limit based on the number of consecutive CPs transactions. We also note that the Draft Guidelines were published on
We consider this timeline quite short and suggest that a more expansive timeline be given for subsequent drafts that are released by the CBN.
Footnotes
1 Exposure draft of the guidelines for contactless payments in
2 BanksAm, "History of contactless payments: from past century to the present day" available at https://banks.am/en/news/fintech/22668#:~:text=The%20first%20ever%20widespread%20use,making%20contactless%20payments%20for%20trips.
3 FinExtra, "WHO urges switch to contactless to slow virus transmission" available at https://www.finextra.com/newsarticle/35384/who-urges-switch-to-contactless-to-slow-virus-transmission#:~:text=The%20World%20Health%20Organisation%20is%20advising%20consumers%20to,which%20are%20known%20carriers%20of%20viruses%20and%20bacteria
4 Grand View research, "Global Contactless Payments Market" available at https://www.grandviewresearch.com/press-release/global-contactless-payments-market
5 Fintechnews, "Providus bank launches tap-to-pay service with
6 Available at https://nownow.ng/introducing-nownow-tap-and-pay/
7 Financial Nigeria, "NowNow raises 13 Million in seed funding" available at https://www.financialnigeria.com/nigerian-fintech-startup-nownow-raises-13-million-in-seed-funding-news-2537.html
8 Available at https://squadco.com/squad-pos/
9 Available at https://business.kuda.com/
10
11 Rule 3 Draft Guidelines
12 The Acquirer is the Merchant's financial institution. The Acquirer accepts deposits from the merchant's sales. Note that only CBN licensed institutions can serve as acquirers for contactless payments.
13 The Issuer is the Customer's financial institution. Issuers issue cards to their Customers on behalf of card schemes. Only CBN licensed institutions can serve as issuers for contactless payments.
14 Payment scheme is a set of rules defining how payment transactions are processed with the use of payment instruments
15 Card schemes are entities like
16 Switching companies facilitate the exchange of value between financial service providers, merchants, customers and other stakeholders. They essentially facilitate communication between different payment service providers.
17 A payment terminal allows a merchant to capture required credit and debit card information and to transmit this data to the merchant services provider or bank.
18 A payment terminal service aggregator ensures the technical and operational standardization of all deployed POS devices through terminal certification.
19 The Seller or Service Provider who accepts CP
20 Issuers, acquirers, merchants and Payment Terminal Service Providers ("PTSPs") can be terminal/device owners.
21 Rule 9 Draft Guidelines. The CBN has specified an individual transaction limit of
22 Rule 9.2 Draft Guidelines
23 Rule 9.3 Draft Guidelines
24 Rule
25 Rule
26 Rule 6.8.2 Draft Guidelines
27 Article 11 Strong Customer Authentication and Common and Secure Methods of Communication. Available at https://www.handbook.fca.org.uk/techstandards/PS/2021/2021_01/chapter-iii/015.html
28 £100
29 £300 from the date of last application of strong customer authentication
30 No more than 5 consecutive CPs from the date of last application of strong customer authentication.
31 Rule 6.1.1 Draft Guidelines
32 Rule 6.2.1 Draft Guidelines
33 Rule 8 Draft Guidelines
34 Rule 6.10 Draft Guidelines. See also Rule 6.2.2 Draft Guidelines. It is unclear how this will work in practice.
35 This covers all stakeholders except the Customers themselves.
36 Rule 5 Draft Guidelines
37 Rule 7 Draft Guidelines
38 See Rule 6.1.4 and Rule 6.2.5 Draft Guidelines
39 Rule
40 Rule 6.8.4 Draft Guidelines.
41 Rule 6.1.6 Draft Guidelines. Similarly, all CPS instruments used in
42 Rule 6.1.5 Draft Guidelines. Such Acquirers and processing entities are expressly prohibited from routing such transactions outside
43 Rule
44 Rule 6.2.6 Draft Guidelines
45 Rule 6.3.2 Draft Guidelines. See also Rule 6.4.2 Draft Guidelines. The obligation to ensure this is on Payment Schemes and Card Schemes.
46 Rule 6.6.2 Draft Guidelines. Terminals deployed are to be functional at all times and PTSPs are mandated to establish an appropriate mechanism to detect device failure. Device failure must be rectified or replaced within 48 hours.
47 Rule 6.6.5 Draft Guidelines. This is very important because such terminals will likely work in proximity, such as at the check-out points of supermarkets/malls.
48 Rule 6.1.9 Draft Guidelines and Rule 6.2.9 Draft Guidelines
49 Rule
50 Rule
51 See generally Rule 6 of the Draft Guidelines
52 Comments are to be shared with the Director,
Mr
AELEX
E-mail: Doturu@aelex.com
URL: www.aelex.com
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source