Wednesday, October 13, 2021 / 03:55 PM / CBN / Header Image Credit: Channels
The Central Bank of Nigeria (CBN) in line with its objective of promoting financial system stability hereby issues the Revised Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry.
The Framework enhances effectiveness of customer due diligence and Know Your Customer processes as part of the overall strategy for promoting a Safe and efficient banking and payment system.
The CBN will continue to monitor industry developments and issue further guidance as may be appropriate.
Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry
In exercise of the powers conferred on the Central Bank of Nigeria (CBN), under the Central Bank of Nigeria Act, 2007 (CBN Act), and the Banks and Other Financial Institutions Act (BOFIA) 2020, the CBN hereby issues the revised Regulatory Framework for the Bank Verification Number (BVN) Operations and Watch-list for the Nigerian Banking Industry ("the Framework").
1.0 Regulatory Framework For Bank Verification Number (BVN) Operations
The Central Bank of Nigeria, in collaboration with the Bankers' Committee, deployed a centralised Bank Verification Number (BVN) System in February 2014. This is part of the overall strategy of ensuring effectiveness of Know Your Customer (KYC) principles, and promotion of safe, reliable and efficient payments system. The BVN system gives each customer in the Nigerian banking industry, a unique identifier number.
This Framework defines the operations of BVN as well as the establishment and operations of a Watch-list for the Nigerian Banking Industry, to address increasing incidence of frauds and to enhance public confidence in the banking industry.
This Framework, without prejudice to existing laws, is a guide for the operations of the Watch-list in the Financial System. The Watch-list is a database of customers identified by their BVNs, who have been involved in confirmed cases of breaches, as defined within the framework.
The objectives of the Regulatory Framework for BVN and Watch-list Operations in Nigeria are to:
i. Define roles and responsibilities of participants in the BVN system;
ii. Define Bank Verification Number (BVN) operations in Nigeria;
iii. Define access, usage and management of the BVN system;
iv. Outline operations of the BVN Watch-list process;
v. Define sanction regime for breaches in BVN operations; and
vi. Deter fraud incidences in the Nigerian Banking Industry.
The Framework provides regulations for BVN operations and Watch-list for the Nigerian Banking Industry.
1.4 BVN Operations
BVN operation comprises all activities leading to the management of the unique banking identification of customers in the BVN database.
1.4.1 Participants in BVN Operations and Watch-list
This Regulatory Framework shall guide the activities of the participants in the provision of BVN Operations and Watch-list. Participants include:
i. Central Bank of Nigeria (CBN);
ii. Nigeria Inter-Bank Settlement System Plc (NIBSS);
iv. Other Financial Institutions (OFIs); and
1.5 Roles and Responsibilities
1.5.1 Central Bank of Nigeria
The Central Bank of Nigeria has the regulatory and oversight function on the BVN system in Nigeria. Therefore, the CBN shall:
i. Review and approve the regulatory Framework and the Standard Operating Guidelines;
ii. Approve eligible users for access to the BVN information;
iii. Approve access to the BVN information;
iv. Ensure that the objectives of the BVN initiatives are fully achieved;
v. Monitor stakeholders to ensure compliance;
vi. Apply appropriate sanctions for non-compliance;
vii. Through the Director, Payments System Management Department, conduct oversight and operate the BVN system in the Bank (including update and request for information);
viii. Through the Director, Risk Management Department, approve requests for delisting from the Watch-list;
ix. Through the Director, Risk Management Department, in collaboration with relevant departments, mediate on issues arising from the Watch-list between participants;
x. Through, the Director, Consumer Protection Department, handle consumer complaints on BVN.
1.5.2 Nigeria Inter-Bank Settlement System Plc (NIBSS)
i. Collaborate with other stakeholders to develop and review the Standard
Operating Guidelines of the BVN (BVN SOG);
ii. Ensure seamless operations of the BVN system;
iii. Maintain the BVN database;
iv. Manage access to the BVN information by the approved users;
v. Ensure recourse to the CBN on any request for BVN information by any party;
vi. Ensure adequate security of the BVN information;
vii. Update the Watch-list with the BVNs of enlisted individuals by participants;
viii. Use the Watch-list report submitted by participants and duly endorsed by the MD/CEO of the bank, with clearance from the Director, Risk Management Department of CBN to delist the BVN from the watch-list;
ix. Provide participants with a portal for the verification of watch-listed BVN;
x. Provide Application Programming Interface (API) for eligible institutions to integrate their systems to the BVN database for online validation of watchlisted BVN;
xi. Keep audit trail of activities on the Watch-list;
xii. Put in place a Service Level Agreement (SLA) with relevant stakeholders;
xiii. Provide CBN access to the Watch-list;
xiv. Comply with the International Organisation for Standardisation (ISO) standards for security and business continuity;
xv. Maintain a Watch-list Portal; and
xvi. Perform any other role assigned or incidental to the BVN operations.
1.5.3 Banks and Other Financial Institutions (OFIs)
Banks and Other Financial Institutions shall be involved in the BVN operations as approved by CBN including the following:
i. Ensure proper capturing of the BVN data (including BVN captured by their agents) and validate same before the linkage with customers' accounts/wallets (except Tier 1) in line with the provisions in the SOG;
ii. Ensure all operated accounts/wallets (except Tier 1) (including accounts/wallets (except Tier 1) opened through agents) are linked with the signatories' BVNs within 24 hours of NIBSS making BVN available;
iii. Enroll all mobile money wallets (except Tier 1) subscribers on the BVN database and link their wallets (except Tier 1) with their BVNs within one hundred and eighty days (180) days of the issuance of this framework;
iv. Ensure that BVN details of all signatories, Directors, and Beneficial owners are linked to their respective non-individual accounts/wallets (except Tier 1). This is also mandatory for Non-resident Non-Nigerian Directors (NRNND) of corporate accounts;
v. Ensure customer's name on the BVN database is the same in all of his/her accounts/wallets (except Tier 1) across the Banking Industry;
vi. Report the BVNs of individuals in breach to NIBSS for update on the Watch-list within 1 business day of breach;
vii. Report the BVNs of confirmed deceased customers to NIBSS for designation as "DECEASED" on the BVN database within 24hrs of confirmation;
viii. Use the Watch-list report submitted by participants and duly endorsed by the MD/CEO of the Institution, with clearance from the Director, Risk Management Department of CBN to delist the BVN from the watch-list.
x. Notify NIBSS for enlisting individuals involved in established breaches signed by the Chief Audit Executive;
x. Where a participant needs to watch-list a customer of another bank, the Chief Audit Executive of the customer's bank shall be notified;
xi. The Chief Audit Executive of the customer's bank, upon notification of a breach, shall investigate within one (1) month and after confirmation of the breach, request for the watch-list of the customers' BVN within two (2) business days. The investigating bank shall inform the requesting bank of its action on the customer. A copy of the finalized report of the internal investigation should be sent to CBN, through the Director, Risk Management Department;
xii. Request for the Delisting of individuals from the Watch-list, after clearance from the CBN;
xiii. Integrate the banking application to the Watch-list, for online identification/verification of watch-listed individuals as transactions occur;
xiv. Enforce appropriate sanctions on customers' accounts/wallets (except Tier 1) as stipulated in the sanctions grid;
xv. Update the terms and conditions of account/wallet opening forms with the following disclaimer for new accounts and communicate the update to existing customers:
'If a breach is associated with the operation of your account/wallet, you agree that we have the right to apply restrictions to your account/wallet and report to appropriate law enforcement agencies in line with extant laws';
xvi. Use the BVN API only for account opening, maintenance and validation in order to ensure full compliance with relevant data privacy laws; and
xvii. Perform any other role assigned or incidental to the BVN operations, as may be applicable.
i. Provide accurate biometrics and biodata. Customers role and responsibilities shall also include the reporting of any changes in their biometric (e.g. loss of a finger) and biodata;
ii. Abide by the Regulatory Framework for BVN Operations and Watch-list;
iii. Report all suspicious or unauthorized activities on their accounts/wallets (except Tier 1) to their banks /OFIs;
1.6 BVN Operational Processes and Procedures
i. Enrollment: This is the process where individuals have their biometric and demographic data captured in the BVN database.
ii. Identification: This refers to the comparison of an individual's biometrics against the BVN database to confirm the individual had not been previously enrolled and a BVN generated.
iii. Verification: This refers to the process of authenticating the customer by matching his/her biometric template with what had been captured in the database.
iv. Issuance: Following the generation of the BVN, the customer shall be notified of the BVN by the capturing institution through any of the following: card, voucher, email, SMS, letter, etc.
v. Linking of Customer's BVN to all related accounts/wallets (except Tier 1):
This is a process of using the customer's BVN generated after his/her enrolment to link accounts/wallets (except Tier 1) to which he or she is a signatory, after validation. No new account/wallet (except Tier 1) shall be allowed to operate without BVN (except inflows), however, any account/wallet (except Tier 1) without BVN shall be closed within 30 days.
vi. Delinking of Customer's BVN from accounts/wallets (except Tier 1): This is the process of removing the BVN of a signatory (except for Directors/
Beneficial owners) that is linked to an account/wallet (except Tier 1). The BVN shall be delinked upon the approval of the Chief Audit Executive of the customer's bank. This delinking process is for corporate or joint accounts and for activities not associated with breaches. Returns on delinked accounts/wallets (except Tier 1) shall be rendered to the Director, Payments System Management Department on a monthly basis. Where there is no linked account a nil report should be submitted.
vii. Fraud Management: This is a process aimed at using BVN to deter, prevent, detect and mitigate the risks of fraud in the banking industry.
viii. Customer Information Update: This is the process by which the customer's information can be updated on the BVN database.
1.7 Access to the BVN Database*
Except for Tier 1 users of the BVN database i.e. banks, Other Financial Institutions and Mobile Money Operators (who have direct access), access** to the BVN database shall be approved by the CBN and guided in line with the following grid:
* Details of operational procedures guiding the access to the BVN database shall be as contained in the BVN SOG.
** Foreign entities shall not be allowed access to the BVN database.
1.8 Request for BVN Information
Without prejudice to the extant laws of Nigeria, the following entities may be granted BVN information upon presentation of valid Federal High
i. Law Enforcement Agencies;
ii. National Pension Commission;
iii. Pension Fund Administrators; and
iv. Other entities as may be approved.
***Individuals are not eligible to access BVN information, other than their own.
1.9 Restrictions on the Use of BVN
The use of BVN shall be restricted only to purposes specified by the CBN.
The following shall constitute abuse of the BVN:
i. Use of BVN to sanction individuals for non-financial offences;
ii. Use of BVN for identification outside the banking system; and
iii. Any other misuse, as may be designated by the CBN.
1.10 Access Fees
The CBN shall determine fees payable for accessing information from the BVN database.
1.11 Security and Data Protection
i. Parties involved in the BVN operations, shall put in place, secure hardware, software and encryption of messages transmitted through a secured network;
ii. BVN data shall be stored within the shores of Nigeria and shall not be routed across borders without the consent of the CBN;
iii. Users of the BVN information shall establish adequate security procedures to ensure the safety and security of its information and those of its clients, which shall include physical, logical, network and enterprise security;
iv. Access to BVN information by customers shall be obtained through secured channels with appropriate authentication;
v. BVN participants shall ensure that BVN information is treated as confidential; and
vi. All stakeholders shall comply with Nigeria Data Protection Regulation (NDPR) or any regulation of the Bank on data protection and relevant extant laws.
1.12 Risk Management
BVN participants shall ensure that risk mitigation measures are in place to minimise operational risks. The BVN operations shall not be susceptible to sustained operational failures.
1.13 Consumer Protection and Dispute Resolution
All consumer complaints shall be resolved in accordance with the CBN Consumer Protection Regulation.
1.14 Updating Customer's BVN Records
Change of customer records shall be allowed as follows:
i. Correction of date of birth on BVN record shall be allowed once, with supporting documents, evidencing the correct date of birth;
ii. Change of Name due to marriage/divorce/religion shall only be allowed with supporting documents, such as marriage certificate/divorce certificate/affidavit, newspaper adverts, etc.;
iii. Minor correction of name, due to misspelling shall only be allowed, with supporting documents and regulatory forms of identification such as international passport, driver's licence and NIMC ID, showing the correct name;
iv. Change of names that are totally different or partially different shall only be allowed after the customer has produced supporting documents to the change of the name, and this shall be reported to the Nigerian Financial Intelligence Unit (NFIU) as a suspicious act by the participant. The NFIU shall issue appropriate clearance in the case of a totally different name before effecting the change;
v. The customer's name on the BVN database shall be the same in all his/her accounts, across the banking industry;
vi. Customers who wish to close their accounts/wallets (except Tier 1) shall be allowed to do so. Where the account/wallet (except Tier 1) is not linked with the BVN, a payment instrument shall be issued in the same name in which the account/wallet was opened. In cases where the balance on the account/wallet(except Tier 1) is more than what is legally allowed on a paper instrument (i.e. N10 million) the bank shall seek and obtain clearance from the NFIU before such accounts/wallets(except Tier 1) can be closed and the balance transferred electronically to another account;
vii. Timeline for the resolution of BVN issues shall be 5 working days from the date the customer submits all the required documents; and
viii. Following corrections/updating of details, the customer shall be notified by the institution that made the changes through any of the following: email, SMS, letter, etc.
2.0 Watch-List for the Nigerian Banking Industry
A Watch-List shall be maintained for the banking industry. The Watch-List contains BVN records of individuals that have been confirmed to be involved in breaches outlined within this Framework (see Appendix I).
In determining what constitutes a breach, participants shall adhere to the following procedures:
2.1 Identify Nature of Breach
Upon receipt of a report of an alleged breach, the participants shall, within one (1) month, investigate the alleged breach with a view to determining the nature of the breach, where and when it occurred.
2.2 Fair Hearing
Once a breach is established, in the process of investigation/fair hearing, a customer's account shall be placed on Post-No-Debit (PND), the customer shall be notified through verifiable means within five (5) business days:
i. At a minimum, the notification shall clearly state the breach and the consequences which include watch-listing;
ii. The customer(s) shall be given the opportunity to present documentary evidence that may affect the decision within three (3) business days; and
iii. Where decision to watch-list the BVN is reached, the customer shall be notified through verifiable means.
2.3 Categories of Breaches
Breaches include, but not limited to, the list in Appendix I. For watchlisting, the participants shall use 'Table 1' below to classify/categorise breaches:
2.4 Watch-List Stakeholders
Watch-list stakeholders include:
ii. Nigeria Inter-Bank Settlement System Plc (NIBSS)
iii. Banks/Other Financial Institutions (OFIs)
2.5 Delisting from Watch-List
All aggrieved individuals whose BVNs were watch-listed shall make formal request for delisting through the initiating participant. Only a participant that placed an individual's BVN on the Watch-list can request for delisting.
2.6 Conditions for Delisting
i. Expiration of term in the Watch-List.
ii. Erroneous listing of a BVN on the Watch-List.
2.7 Process for Delisting
The processes for delisting are automatic or manual.
2.7.1 Automatic delisting
Once a watch-listed BVN has served its term in the Watch-List, the NIBSS system shall automatically delist the BVN and notify the participant, who shall in-turn notify the customer.
2.7.2 Manual delisting
i. Where it is established that a customer's BVN should be delisted, the initiating participant shall apply in writing with supporting documents to the CBN for approval to delist. The supporting documents shall be duly authorised by the MD/CEO and the Chief Audit Executive.
ii. Upon approval from CBN, the initiating participant shall be notified while Risk Management Department, CBN shall forward same to NIBSS for delisting within one (1) business day. NIBSS shall effect the delisting within one (1) business day of receiving the letter.
iii. The initiating participant shall immediately notify the customer.
3.0 Sanctions and Penalties
3.1 Breach of Framework
Any participant who fails to perform its stipulated responsibilities shall be penalised by the Central Bank of Nigeria.
3.1.1 Sanctions for customers with BVNs on Watch-list
The following penalties shall apply to customer whose BVN is on the Watch-list:
i. They shall not be allowed to enter new relationship with any participant.
ii. A participant may choose not to continue business relationship with account/wallet (except Tier 1) holder on the Watch-list.
iii. Where a participant chooses to continue an existing business relationship with holders of account/wallets(except Tier 1) on the watch-list, the account/wallet(except Tier 1) holder shall be prohibited from all electronic channels such as but not limited to ATM, POS, Internet Banking, Mobile Banking, USSD including issuance of thirdparty cheques. However, inflows may be allowed, provided these are from legitimate sources.
iv. A customer with watch-listed BVN shall not reference accounts, access or guarantee credit facilities.
v. A customer shall remain on the Watch-list for a period as specified in 'Table 2: Watchlist Penalties' below.
vi. In the event of a recurrence of breach, the penalty period shall run consecutively.
vii. Subject to the provision of Section 1.9, penalties associated with a watch-listed BVN shall apply to all accounts/wallets (except Tier 1) the BVN is linked to.
3.1.2 Sanctions for Participants
The following infractions by participants shall attract appropriate penalties:
i. Misuse of the BVN watch-listing process for victimisation;
ii. Improper linking of accounts/wallets (except Tier 1); and
iii. Other infraction(s), as may be determined by CBN.