The Central Bank of Nigeria (CBN) yesterday pegged maximum daily transactions through mobile phone Unstructured Supplementary Service Data (USSD) at N100,000. The implementation of the policy starts June 1.

Due to the absence of set rules on USSD transactions, many commercial banks allow various limits, ranging from N100,000 to N500,000 and above in some cases, depending on customers’ risk absorption levels. This has exposed many customers’ transactions to high risk, with billions of naira lost to fraudsters.

The new framework, signed by CBN Director, Banking & Payments System Department, ‘Dipo Fatokun, said the vast applications of the USSD technology, in terms of available services, have raised the issue of the risks inherent in the channel.

The USSD technology is a protocol used by the GSM network to communicate with a service provider’s platform. It is a session-based, real-time messaging technology, accessed through a string that normally starts with an asterisk (*) and ends with a hash (#). It is considered cost-effective, more user-friendly, faster in concluding transactions, and handset-agnostic.

The framework noted concerns about the likely exposure of CBN-approved entities to possible breaches of USSD-accessed financial services, in view of likely vulnerabilities in the technology and the ever-growing threats.

Fatokun said the policy shift was in furtherance of CBN’s mandate to develop and enhance security of the electronic payment system. The implementation of the policy starts June 1, 2018.

In a circular to banks, switches, Mobile Money Operators (MMOs), Payment Solution Service Providers and microfinance banks, among others, Fatokun said that although the N100,000 limit per customer, per day for transactions applies, customers desirous of higher limits shall execute documented indemnities with their banks or MMOs.

The CBN, he said, has also mandated the use of an effective second-factor authentication by customers for all transactions above N20,000. This, he said, shall apply in addition to the Personal Identification Number (PIN) being used as the first-level authenticator, which applies to all transaction amounts.

According to the framework, banks shall not send the second-factor authentication to the customer’s registered GSM number or device, and it shall not be generated or displayed on the USSD menu.