FW: Why did the CBN limit USSD transactions?

This article is part of our #FirstWord series to provide context on trending news.

The Central Bank of Nigeria (CBN)’s new USSD framework states that transfers of funds from mobile phones via short codes will be limited to N100,000 a day, effective June 2018. In a circular released on Thursday, 26th April 2018, the Director, Banking and Payment System department of the CBN said that the decision was made because of the risks associated with financial transactions using USSD codes.
 
What is USSD?

Every Nigerian with a bank account has access to USSD (Unstructured Supplementary Service Data). It is pretty much a short code (different for each bank) that customers dial on their phones to check their account balance, purchase airtime, or pay for services.
 
Bank accounts can be linked to a user’s phone number, allowing the user to make SIM-related transactions on the registered number without entering a bank.
 
Why is it problematic?

“Most people password their phones but not SIM cards. So, I take out the SIM and put it in my phone and get the last digits of the person’s BVN to make a transfer. I dial the short code for obtaining the BVN number of any user and then make a transfer of all of the money in the user’s account to mine.”
 
USSD is problematic mainly because of certain elementary risks around it, which thieves can exploit to defraud Nigerians. Phones are now being stolen for their SIM cards, which are usually connected to some bank accounts. If the thieves figure out which bank a user makes use of, they can sometimes generate the Bank Verification Number (BVN) and use the bank's mobile USSD code to empty the account.
 
CBN to the rescue...

“The vast applications of the USSD technology, in terms of available services have raised the issue of the risks inherent in the channel. In this regard, concerns have been expressed on the likely exposure of CBN approved entities to the possible breaching of the USSD accessed financial services in view of likely vulnerabilities in the technology and the ever growing threats” - CBN
 
In order to lessen the risks mentioned above, the Central Bank starts by limiting the amount that can be transferred via USSD to N100,000 a day. The circular also points out that transactions over N20,000 will require a PIN and a soft token. These restrictions are relevant because thieves who exploit these codes no longer have full access to a user’s bank account. Although not a comprehensive solution, it is a step in the right direction.
 
In addition, banks are to allow customers who don’t want to make financial transactions using USSD to opt out of the service. This gives consumers a choice in how they want to carry out their transactions.
 
Finally, the framework places emphasis on the need to protect the financial integrity of information through encryption. To this end, financial institutions offering the USSD channel have to ensure that the user receives notifications on the status of every transaction conducted.
 
All of the rules set in the framework are to promote and facilitate the development of an effective system for the settlement of transactions, a welcome development away from risks currently associated with the USSD channel.
