14, 2021 / 8:26 AM / by CBN / Header Image Credit: Retail4Growth
In furtherance of its mandates to, ensure the safety and stability of the Nigerian Financial System, promote the use and adoption of electronic payments and foster innovation in the payments system, the Central Bank of Nigeria hereby issues the Framework for Quick Response (QR) Code Payments in Nigeria.
Quick Response (QR) Codes are a kind of matrix barcode representing information presented as square grids, made up of black squares against a contrasting background, that can be scanned by imaging device, processed and transmitted by appropriate technology.
These codes can be used to present, capture and transmit payments information across payments infrastructure. The technology further enables the mobile channel to facilitate payments and presents another veritable avenue for promoting electronic payments for micro and small enterprises.
2.0 Scope and Objectives
This framework provides regulatory guidance for the operation of QR Code payment services in Nigeria. It aims to ensure the adoption of appropriate QR code standards for safe and efficient payments services in Nigeria. The framework therefore stipulates:
i. Acceptable QR Code Standards for implementing QR Payments in Nigeria;
ii. Interoperability of QR Payments in Nigeria;
iii. Roles and Responsibilities of Participants in QR Payments in Nigeria;
iv. Risk management principles for QR code Payments in Nigeria
3.0 QR Code Specifications for Payments in Nigeria
Implementation of QR Code for payments in Nigeria shall be within the following specifications:
3.1 QR Code Payments in Nigeria shall be based on the EMVÂ® QR Code Specification for Payment Systems;
3.2 The Bank may also approve the implementation of any other QR Code Standard, provided it meets the prescribed security requirements within the framework, demonstrates interoperability with other existing implementation in the industry and/or cost benefits to end-users (merchants and customers);
3.3 QR Code Payments implementation in Nigeria shall support account, wallet, card and token based QR Code Operations;
3.4 Implementation of QR Code for payments in Nigeria shall be based on the Merchant-presented mode (where merchants present the QR Code for buyers to accept in order to conclude payment transactions) specification;
4.0 Participants in QR Code Payment in Nigeria
Participants in QR Code Payment in Nigeria include;
iii. Issuers (Banks, MMOs and Other Financial Institutions)
iv. Acquirers (Banks, MMOs and Other Financial Institutions)
v. Payments Service Providers
5.0 Responsibilities of Participants in QR Code Payments in Nigeria
i. Merchants shall
a. Use and display only approved QR Codes in Nigeria;
b. Comply with service agreements executed with the acquirer;
c. Cooperate with acquirer to investigate any reported fraudulent transaction;
d. Report suspicious use of QR Codes for payments to the acquirer;
e. Conform with the rules and regulation of the acquirer;
f. Be guided by the extant CBN Guidelines on Electronic Payments Channels in Nigeria, Guide to charges by banks, other financial and non- bank financial institutions, and other applicable regulation as may be issued by the Bank.
ii. Customers shall;
a. Use QR Code payments applications availed by the issuer and for intended purpose without modifications, at merchant locations/websites/applications;
b. Consumer shall adhere to all minimum security guidelines as stipulated by the issuer;
c. Report inappropriate/unauthorised QR Code Payment transaction on their accounts/wallets.
iii. Issuers (Banks, MMOs and Other Financial Institutions) shall:
a. Provide QR Code Payment application to customers upon request and activation by customer;
b. Execute service agreement with their customers;
c. Comply with Card Scheme Rules (where applicable);
d. Determine and agree appropriate transaction limits with customers for QR Code Payments based on their customers' risk profile assessment;
e. Ensure appropriate configurations on QR Code Payment application that use QR codes for payments in conformity and compliance with requirements of QR Code regulations;
f. Deploy necessary updates and patches on its QR Code Payment application and ensure the customer is unable to initiate transaction through the older version of the application where the customer fails to apply the update within 14 days of the availability of the update or patch;
g. Without prejudice to (f) above, issuers may induce an automatic update of the customer's application where applicable;
h. Provide adequate training, support and security guidelines to customers on the use of QR code for payments;
i. Ensure security of QR Code payment application for QR Code payments;
j. Resolve customers dispute in accordance with the CBN Consumer Protection Regulation.
k. Be guided by the extant CBN Guidelines on Electronic Payments Channels in Nigeria, Guide to charges by banks, other financial and nonbank financial institutions, and other applicable regulation as may be issued by the Bank.
iv. Acquirers shall
a. Execute service agreement with merchants;
b. Determine and agree appropriate transaction limits with merchants for accepting QR Code Payments based on its risk profile assessment of the merchant;
c. Ensure appropriate configurations and use of QR codes at Merchant location/website/applications in conformity and compliance with requirements of QR Scheme(s) and QR Code regulations;
d. Ensure that appropriate security protocols are applied.
e. Provide adequate training, support and security guidelines to merchants on the use of QR code for payments;
f. Ensure that hardware, software, protocols used for QR Code for payments are in conformity with the requirements of operations of QR Code payments regulations;
g. Give merchants value for QR Code transaction within T+1 or as may be agreed with the merchant;
h. Be guided by the extant CBN Guidelines on Electronic Payments Channels in Nigeria, Guide to charges by banks, other financial and nonbank financial institutions, and other applicable regulation as may be issued by the Bank.
v. Other Payments Service Providers (Switches & PSSPs) shall;
a. Support processing and settlement for all issuers and acquirers;
b. Facilitate interoperability of QR Code Payments for all issuers and acquirers;
c. Ensure full compliance with this Framework and other extant guidelines on electronic payments and transaction processing.
All issuers, acquirers, switches, processors and other participants in QR payments in Nigeria shall ensure full interoperability of QR Code Schemes in Nigeria.
7.0 Risk management and compliance
The following risk management principles shall guide the operations of QR Code Payments in Nigeria:
a. Issuers and acquirers shall clearly define risk management policy and guidelines for the operation of the QR Code Scheme. The risk management guidelines shall include detailed stipulation of the responsibilities of all participants for managing risk;
b. QR Codes shall, at a minimum, be encrypted (AES) and/or signed;
c. QR Codes Payments applications, updates and patches shall be duly certified by the Payment Terminal Service Aggregator (PTSA);
d. Issuers and Acquirers, shall agree minimum due diligence guidance for merchant on-boarding without prejudice to the KYC/AML requirements of the Bank;
e. Issuers and Acquirers shall ensure that only PTSA certified QR Code shall be utilised;
f. Issuers and Acquirers shall ensure behavioural monitoring and fraud management systems are implemented to prevent, detect and mitigate fraud and money laundering;
g. Issuers shall have the overall responsibilities for managing fraud risk and shall coordinate all participants towards managing fraud in its scheme;
h. Issuers shall provide quarterly risk management assessment report to the Director, Payments System Management Department. The risk management assessment report shall include among others fraud report, vulnerabilities assessment and risk mitigating measures introduced.
8.0 Dispute Resolution
All consumer complaints shall be resolved in accordance with the CBN Consumer Protection Regulation.
9.0 Infringements and Sanctions
All parties shall comply with the provisions of this framework and other relevant guidelines issued by the CBN. The Bank shall apply appropriate sanctions to any party that fails to comply accordingly