Navigating The Nigerian Fintech Regulatory Landscape

By Damilola Oyebayo

 2.0  Overview of the Nigerian Fintech Sector

2.1. To begin with, the Nigerian Fintech sector comprises a suite of digital financial products, services and offerings. Therefore, reference to Digital Financial Services (“DFS”), include a wider suite of services and products. The key unifying factor is that such financial services are primarily accessed and delivered through “digital channels”, including, but not limited to, payments, credit, savings, investments, remittances and insurance. Connected to this is also the concept of mobile financial services (“MFS”). Thus, DFS and other infrastructure make up the Nigerian fintech sector.

2.2. In reality, there is no standard definition of DFS, but there are some key elements which most people agree that it covers all products, services, technology and/or infrastructure which allow people to process payments, access to savings and investments as well as credit facilities without (i) the need to visit a bank branch; and/or (ii) interacting directly with the financial service provider.

2.3 According to a research conducted by EFINA in 2019, the Nigerian Fintech ecosystem comprises;

• about 210-250 Fintechs (offering different payment and financial services ranging from payment processing, mobile money and wallet, agent banking, payment terminal, switches, etc.);
• 3 stakeholders (the regulators, the financial institutions and the telcos);
• 4 enablers and funding partners (who have invested over $250m since 2014 and most Fintechs leverage API technology. It is worthy to mention that between the period when EFInA published this report, the Fintech sector has recorded investments worth over $400m (Interswitch, Opay, Flutterwave and Okra are some of the recent investments driving these numbers)); and
• the consumers.

2.4. Furthermore, the 4 main technologies in the Fintech sector include; Distributed Ledgers (used for digital retail payments, investment, and trading infrastructure); Artificial Intelligence (used for personalization, credit scoring, risk assessment and fraud detection); APIs (financial marketplace and aggregation, banking platforms and trading infrastructure); and Biometrics (authentication, identity and security). 80% of the Fintech market is made up of digital retail payment (36%); lending (36%) and payment infrastructure firms (19%).

2.5 Current market trends in the Fintech Sector

a) Surge in lending and savings players: We have witnessed an increase in number of players offering lending and saving solutions. Increasing partnerships with banks: Cooperation, rather than disruption appears to be the aim of the game, with the banks becoming more receptive to FinTechs and partnering with them.

b) Competition from Telcos: This has always been a threat, but the recent regulation by CBN will allow telcos enter the space through the acquisition of a payment services bank license. There is anticipation that major telco providers such as MTN and Airtel will enter the space creating new competition for smaller fintechs.

c) Technological innovation: We are also witnessing more innovative and new solutions leverage on deep learning and AI to provide new services. Widening skills gap: The market is losing technical specialists and experts to more mature/ developed markets thus widening the existing skills gap.

2.6 Key Gaps that exist in the Fintech Sector

• Access to funding: Limited funding sources available especially for start-up FinTechs who have to rely on family and friends for initial funding.

• Appropriate regulation: Need for a harmonized regulatory framework that allows innovation and flexibility specific to Nigerian context.

• Adequate information: Lack of established database to leverage and provide supplementary information.

• Establishing strategic partnerships: Difficulty in forming strategic partnerships especially by early stage FinTechs.

• Corporate governance limitations: Excessive focus on innovation with little attention paid to management aspect of running a successful company.

• Intellectual property rights: Intellectual property law complications to establish rights and patents.

In summary, the participants in the Nigerian fintech sector include traditional financial institutions, infrastructure providers, payment processors, mobile money operators, third party processors, payment terminal service providers, switches, etc. All these companies play different roles in the Fintech sector under the primary regulatory supervision of the Central Bank of Nigeria.

3.0 Regulatory Landscape of the Fintech Sector

3.1.      Ministries

a) The Federal Ministry of Finance

Responsibility

They oversee the provision of digital financial services by commercial banks and institutions in Nigeria.

b) The Federal Ministry of Communications

Responsibility

It has oversight over telecoms and other network infrastructure providers in Nigeria.

3.2. Departments and Agencies

a) The Central Bank of Nigeria (CBN)

Responsibility

In its role as the apex financial services regulator in Nigeria, it provides overall monitoring activities for the entire fintech sector.

b) The Nigerian Communications Commission (NCC)

Responsibility

It regulates the operations of the telecoms infrastructure providers that operate in the fintech sector and the provision of mobile and digital financial services across several platforms.

c) The Corporate Affairs Commission (CAC)

Responsibility

It regulates the incorporation of and official record-keeping for companies in Nigeria.

 d) The Securities & Exchange Commission (SEC)

It regulates the use of tech and digital channels in providing securities and capital market operations and services to consumers.

e) The National Insurance Commissions

Responsibility

It provides a framework for the regulation of insurers, including fintech companies engaged in insurance activities.

f) The National Deposit Insurance Commission (NDIC)

Responsibility

It is responsible for ensuring the insurance of the deposits of consumers in the fintech sector, specifically, the mobile money operators through the NDIC Pass Through Insurance Scheme.

g) The Nigerian Interbank Settlement System (NIBSS)

Responsibility

It is jointly owned by the CBN and all licensed commercial banks in Nigeria. NIBSS is responsible for developing modern world-class infrastructure for handling inter-bank payments in order to remove potential bottlenecks associated with inter-bank funds transfer and settlement.

h) National Information Technology Development Agency (NITDA)

Responsibility

It regulates data protection.

4.0 Key Legislations in the Fintech Sector

• The CBN Act
• The Banks and Other Financial Institutions Act (BOFIA)
• The Investments and Securities Act (ISA)
• National Deposit Insurance Commission Act
• The Nigerian Communications  Act
• The Patent and Designs Act
• NITDA Act
• The Money Laundering (Prohibition) Act
• AML/CFT Regulations (2013 and subsequent amendments)
• Foreign Exchange (Monitoring & Miscellaneous Provisions Act)
• The Federal Competition and Consumer Protection Act
• Moneylenders Act, etc.

It is important to state at this point that there is currently no single legislation in Nigeria today that covers the provision of digital financial services. However, the CBN, has in its capacity published several regulations, circulars and guidelines to regulate the fintech sector.

5.0 Key Regulations in the Nigerian Fintech Sector

a) Guidelines on Mobile Money Services in Nigeria: this regulates mobile money services and electronic wallet operators in Nigeria (which is further divided into bank-led and non-bank led) e.g. Etranzact, Cellulant, Chams Mobile, MKudi, Pagatech, etc.

b) Guidelines on Transaction Switching in Nigeria: this provides standard of conformity for operators of switching services in Nigeria, including switching companies. e.g. Chams Switch Limited, ARCA Networks Ltd, Interswitch Nigeria Ltd, etc.

c) Guidelines on Operations of Electronic Payment Channels in Nigeria: this provides minimum standards for the operation of electronic payment services within Nigeria, this identifies several payment channels, including payment gateways, POS terminals, etc. Payment Terminal Service Providers (PTSPs) include Xpress Payments Solutions Ltd, Interswitch, Etop Nigeria Ltd, etc.

d) Guidelines on Electronic Payments and Collections for Public and Private Sectors in Nigeria: this regulates PSSPs and other payment providers, e.g. Paystack, Flutterwave, Global Accelerex, etc.

e) Guidelines for the Regulation of Card Issuance and Usage in Nigeria: the guidelines were developed to regulate the issuance of cards in Nigeria, examples of card schemes are Mastercard, Verve, Visa, etc.

f) Guidelines for the Regulation of Agent Banking and Agent Relationships in Nigeria.

g) Guidelines on International Mobile Money Regulations.

h) Framework for the licensing of Super-Agentsg. Kudi

i) Guidelines for licensing and Regulating Payment Service Banks

The above list is not exhaustive, but is an indication as to; (i) the minimum licensing requirements that companies must satisfy; (ii) operational guidelines; and (iii) other regulatory obligations. In other words, the regulatory and compliance of fintech companies in Nigeria today are derived from these regulations, guidelines and other applicable legislations.

6. Regulatory and Compliance Obligations of Fintech Companies

The implication of the regulation highlighted above is that only licensed entities can provide those services, in other words, any entity providing the services listed above must be duly licensed by the CBN to provide the services.

The licenses come with additional compliance and regulatory obligations which must be met on an ongoing basis by licensed entities.

• Permissible Activities: At the point of procuring the applicable license from the CBN, CBN would typically issue licensing conditions stating clearly the financial services or activities the licensed entity is allowed/permitted/licensed to render, accordingly, the provision of services not listed in the permissible activities is a breach of the CBN regulations by such licensed entity. For instance, a payments processor is not permitted to provide mobile money services unless the PSSP has procured the MMO license from the CBN. I should also state that this requirement is a very strict one and regardless of the technology capabilities or infrastructure of  a licensed entity, they are generally prohibited from providing financial services not included in the list of their permissible activities. There are instances where the CBN has imposed penalties or even threatened to revoke the license of certain Fintech companies for providing services not listed in their licensing conditions. Furthermore, beyond procuring the applicable license, the CBN prohibits certain license holders from providing other financial services, for instance, deposit money banks in Nigeria cannot provide be licensed as an International Money Transfer Operator or International Mobile Money Remittance service provider, etc. Therefore, lawyers should have a good understanding of what the permissible activities of the applicable licenses are to avoid sanctions from the CBN.

• Capital Requirements: while this may be a pre-license condition, the different regulations provide capital obligations that must be satisfied by licensed entities prior to procuring the license. These capital requirements vary, for instance, PSSP and PTSP require a N100m capital, international mobile money remittance services license requires a net worth of US$1b, etc.

• AML/CFT, KYC/CDD: Given that Fintech companies also provide financial services, these companies are typically required to maintain all relevant AML/CFT thresholds set by the CBN, and also perform relevant KYC/CDD checks while initiating and executing transactions. In order to fulfil these AML/CFT and KYC obligations, fintech companies partner with other third party agencies to carry out these checks. Notwithstanding these partnerships, the primary obligation is on the licensed entity, therefore, in case of a breach, the licensed entity would be primarily responsible and not the third party. Beyond partnerships, fintech companies are also required to put in place internal procedures and appoint relevant employees to oversee these obligations. Fintech companies also rely on automation and other regulatory technology (regtech) products to satisfy these obligations.
• Reporting and Disclosure: most of the licensed CBN entities also have reporting and disclosure obligations at the CBN. For instance, PSSPs, Super Agents, MMOs, PTSPs all have monthly and quarterly reporting obligations across several data points. They are often required to provide quarterly report on transactions processed, complains and resolution status, nature and volume and value of transactions and any other information that will be used in measuring their performance as a licensed entity. Beyond the regular reporting obligations, Fintech companies also have disclosure obligations to the CBN, they are required to report all suspicious transactions to the Nigerian Financial Intelligence Unit (NFIU), including attempted transactions regardless of the amount involved.

• Data Protection or Localisation: the Nigerian Data Protection Regulations (NDPR) generally governs the protection of the privacy and the personal information of data subjects (i.e. Nigerian residents or Nigerians in diaspora). Accordingly, by the NDPR and other specific CBN Regulations and Frameworks, entities licensed by the CBN are generally required to safeguard the privacy of customers’ data, adopt data protection measures and implement staff training programmes to prevent unauthorized disclosure of data. It is important to emphasise that NDPR stipulates penalties for breach of the NDPR. The NDPR also sets out the procedure for the transfer of personal data of data subjects outside Nigeria. Furthermore, the Central Bank of Nigeria in the Guidelines on Point of Sale (POS) Card Acceptance Services (the CBN Guidelines), also provides for data localisation. In this regard, by clause 4.4.8 of the CBN Guidelines, all domestic transactions including but not limited to POS and ATM transactions in Nigeria must be switched using the services of a local switch and shall not under any circumstances be routed outside Nigeria for switching between Nigerian issuers and acquirers.

• Consumer Protection: by the provisions of the Federal Competition and Consumer Commission (FCCPC) Act, companies (including Fintech companies) are generally required to comply with the competition objectives and obligations of the FCCPC Act. Furthermore, the CBN issued the Consumer Protection Framework and the Consumer Protection Regulations which both set out the consumer protection principles that financial institutions (including fintech companies) must comply with. The objectives of the Consumer Protection Regulations are to protect consumers: (i) From unfair and exploitative practices by institutions in their dealings with the consumers; (ii) From unethical and predatory practices that undermine consumer confidence in the use of financial products and services; (iii) Against the provision of inadequate and misleading information and/or failure to disclose material information; (iv) By ensuring access to complaint redress mechanisms that are free, fair, timely, transparent, accessible and independent; and (v) By encouraging transparency of institutions in their dealings with consumers.

• Audits and Examination: licensed fintechs are required to put in place policies that will cover periodic audit of control systems of the financial institution to ascertain adequacy and effectiveness to guard against breaches. Furthermore, CBN has an obligation to set minimum standards for the operations of the various complaints handling channels, including electronic and non-electronic channels of financial institutions and periodically, the CBN shall carry out audits or checks of the availability and adequacy of these channels, as well as a comprehensive evaluation of financial institutions’ compliance with the minimum standards set.

Other compliance obligations include: insurance, and cybersecurity.

The above are some of the regulatory and compliance obligations imposed on Fintech companies in Nigeria. Lawyers are trusted by fintech companies to guide and advise on the applicability and relevance of some of these obligations, therefore, lawyers interested in Fintech should have a good understanding of these laws vis-a-vis the operations of their clients (in the fintech sector). Relatedly, in-house counsel  are to also advise their respective companies on the relevance of these obligations and put in place all necessary internal checks, controls, procedures and policies for meeting these obligations.

Case Study:

Jack and Mary recently graduated from one of the top universities in Nigeria as computer scientists, they both decided to come together to explore as a business, their final year projects i.e. the commercialization of the API they both developed which allows them to integrate with commercial banks in Nigeria and process payments on behalf of merchants. Jack suggested to Mary that since they have been able to process one payment with the API, they could go ahead to incorporate a company, open a bank account and commence their business operations.

They reached out to their mutual lawyer friend (Lex) who assisted them in incorporating LifePayments Nigeria Ltd, and they commenced their operations. They also actively marketed their payment products, and were able to get some merchants to patronize them; the product began to gain significant traction. Three months down the line, Lex called Mary to inform her that he stumbled on some regulations issued by the CBN which covers the processing of payments and that LifePayments may be playing in a regulated field without a license, Mary informed Jack who dismissed the idea and said they need not obtain any approval. After so many arguments, they decided to approach the CBN for a license and the obtained a PSSP licence. Another year down the line, Jack decided they would begin to offer POS terminals and they commenced this business without obtaining the relevant license, the CBN became aware, revoked their PSSP license and imposed other fines on the company.

From the above, tease out the regulatory issues applicable to LifePayments Nigeria Ltd and determine whether the company crossed the line at any point. 

Answer – Regulatory Approvals: the starting point really is that they should not have commenced business operations (with LifePayments Nigeria Ltd) prior to procuring the PSSP license. I have seen instances where a company prior to obtaining license from the CBN commenced operations as a fintech company, when they eventually submitted their application, CBN almost denied the company the license because they provided a regulated activity without the relevant license.

Furthermore, as rightly indicated above, the company should have applied for the PTSP license before providing the PTSP services as these are separate regulated activities (thereby making the company in breach of its permissible activities).

Understanding of Fintech Laws: Lex should have also advised them at the point of incorporation that the provision of payments processing services is a regulated activity and he should have assisted them in procuring the applicable license.

Acronyms used

AML- Anti-Money Laundering

CFT- Combatting the financing of Terrorism

KYC- Know Your customer

CDD- Customer Due Diligence

This article was facilitated by and written under the auspices of the Nigerian Fintech Lawyers (NFL). All rights are reserved. No part of this article shall be used without the express consent of NFL admin group and the author.

Sponsored post.