Nigeria’s central bank is set to role out regulations and risk mitigation considerations in the implementation of unique short codes, especially the unstructured supplementary service data (USSD) protocol for all financial services offering in the country,
The financial regulator said regulation is necessary, in view of the multiple USSD channels to customers, which increase their risk exposure in the absence of a common standard.
In an exposure draft sent via a circular to all money deposit banks, mobile money operators, payment solution service providers, and other service providers Thursday, September 7, the CBN said the framework would seek to establish the rules and risk mitigation considerations when implementing USSD for financial services offerings.
The USSD technology is a protocol used by GSM networks to communicate with service providers’ platform. It is session-based, real time messaging, which is accessed through a string starting normally with (*) and ending with a hash (#).
The framework specifically list those eligible for use of unique short codes to include mobile money operators, who are eligible for issuance from the Nigeria Communications Commission (NCC) after meeting the necessary requirements of the NCC for the issuance; and others who would need a letter of comfort from the CBN before being considered for issuance of the short codes by the NCC.
“USSD based financial transaction requires end-to-end encryption to protect the integrity of the financial information,” the CBN noted, adding that all providers of USSD-based financial services shall put in place a proper message authentication mechanism to validate that requests/responses are generated through authenticated users in order to curb risks inherent in the use of short codes.
Other mitigation rules being advanced include providers using secure USSD communication channels with strong encryption mechanism; non-use of the USSD service to relay details of other electronic banking channels (in case of banks) to their customers, in order to prevent compromise of other electronic banking channels through the USSD channel; and implementation of masked PIN entry;
Others are ensuring encryption at USSD gateway by implementing the hardware security module (HMS), with each financial institution key securely loaded through an auditable process; and implementing end-to-end encryption by ensuring that, at least, radio encryption between users’ phones and base stations, using secure virtual private network (VPN) layered with secure sockets layer (SSL) or transport layer security (TSL) to ensure secure transmission of USSD signals.
The exposure draft also outlined that financial institutions shall be responsible for setting up dispute resolution mechanism to facilitate resolution of customers’ complaints and that they shall treat and resolve any customer related issues within 48 hours.
The CBN stated that non-compliance shall be subject to penalty as may be prescribed by it from time to time while imposing appropriate sanctions for any contravention on any financial institutions that fail to comply with the framework.