This article provides an overview of the new law, it considers the objectives, application, principles guiding the processing of personal data, cross-border transfer of personal data and other key provisions.

Application of the Nigeria Data Protection Act

The Act applies to data controllers or data processors domiciled, resident or operating in Nigeria and the processing of personal data that occurs within Nigeria. It also applies to situations where the data controllers or data processors are not domiciled, resident or operating in Nigeria but are processing the personal data of data subjects in Nigeria.

The Act does not apply to the processing of personal data which is done solely for personal or household purposes by one or two more persons. The Act also does not apply to the processing of personal data necessary for the investigation, detection or prosecution of crimes or the prevention or control of a public health emergency, etc.

Objectives of the Act

The Act seeks to achieve the following objectives:

1. Safeguard the fundamental rights, freedoms and interest of data subjects as guaranteed under the Constitution.
2. Regulate the processing of personal data and ensures that personal data is processed in a fair, lawful and accountable manner.
3. Protect data subjects’ rights and provide means of recourse and remedies in the event of breach.
4. Ensure that data controllers and data processors fulfill their obligations to data subjects.
5. Establish an impartial, independent and effective regulatory Commission to superintend over data protection and privacy issues and supervise data controllers and data processors.

Establishment and Functions of the Nigeria Data Protection Commission

The Act established the Nigeria Data Protection Commission (“the Commission”) for the purposes of achieving the objectives of the Act. Thus, the Commission has the core functions of regulating the deployment of technological and organizational measures to enhance personal data protection, accredit, licence, and register suitable persons to provide data protection compliance services, register data controllers and data processors, receiving complaints relating to violations of the Act or any subsidiary legislations.

Principles of Processing Personal Data

Data controllers and data processors process personal data on the basis of care and accountability to data subjects. Accordingly, data controllers and data processors must act in a fair, lawful and transparent manner, collect data only for specified and legitimate purpose, hold and retain the data accurately, not longer than necessary, and generally ensure appropriate security measures are taken to secure the personal data.

Consent and Lawful Basis for the Processing of Personal Data

Consent of a data subject is very important for processing personal data. A data subject is a person whose information or data is being processed or sought to be processed. A data controller or data processor must obtain the consent of a data subject before processing his/her data, and it lies on the data controller or processor to prove that the data subject has given consent. The request for consent must be in a clear simple language and format with information that the data subject reserves the right to withdraw the consent at any time.  The consent must be freely and intentionally given either in writing, orally or through electronic means. Silence or inactivity does not amount to consent. In the case of a child, or person lacking legal capacity), the consent of a parent or guardian will suffice. The need to obtain consent of parent or guardian, may however not apply where the processing of personal data is necessary to protect the vital interests, or for the purpose of the education, medical or social care of such child or person lacking legal capacity, or where it is necessary for proceedings before a court.

The consent must be given for the specific purpose(s) for which personal data is processed, or where the processing is necessary for the following purposes:

1. For the performance of a contract to which the data subject is a party
2. For compliance with a legal obligation to which the data controller or data processor is subject
3. To protect the vital interest of the data subject or another person
4. For the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or data processor
5. For the purposes of the legitimate interest pursued by the data controller or data processor, or by a third party to whom the data is disclosed.

Obligations of a Data Controller

• Obligation to Provide Information: A data controller has the obligation to provide certain necessary information to a data subject before collecting his personal data. The information which the data controller must provide to the data subject include the following:

1. Identity, residence or place of business and means of communication with the data controller and its representative.
2. Recipients or categories of recipients of the personal data
3. Existence of the rights of the data subject
4. Retention period for the personal data, etc.

The data controller shall make this information available by means of a privacy policy which should be expressed in a clear, concise, transparent, intelligible and easily accessible format.

• Data Privacy Impact Assessment Obligation: The assessment is a process designed to identify the risks and impact of processing personal data. A data controller is required to conduct a data privacy impact assessment where the processing of personal data may result in high risk to the rights and freedom of a data subject. This is to be conducted before the processing of personal data.
• Obligation to Erase Personal Data: A data controller has the obligation to erase the personal data of a data subject without undue delay where it is no longer necessary or where the data controller has no other lawful basis to retain the personal data.

Obligations of a Data Processor

Data controllers are engaged by data processors to process personal data. These data processors are also mandated to comply with the principles for the processing of personal data, assist the data controller to fulfill its obligation, implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of personal data. Where a data processor engaged by a data controller further engages another data processor, the data processor directly engaged by the data controller is obliged to notify the data controller of its engagement with another data processor.

Data Protection Officers

Data controllers that process significant personal data are required to designate a person as a Data Protection Officer (DPO). The DPO may be an employee of the data controller or a person engaged by a service contract and must possess expert knowledge on data protection laws and practices. A DPO advises data controller, monitors compliance with the Act and related data protection policies of the data controller. The DPO also act as the contact point for the Commission on data processing issues.

Rights of Data Subjects

A data subject has the following rights with respect to the processing of his personal data by a data controller.

1. Right to Confirmation from a Data Controller. A data subject has the right to obtain from a data controller without constraint or unreasonable delay, confirmation as to whether the data controller or a data processor operating on its behalf is storing or otherwise processing personal data relating to the data subject and if so, the purpose of the processing, the recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, etc.
2. Right to receive a copy of his personal data in a commonly used electronic format.
3. Right to correction or deletion of the data subject’s personal data where correction is not possible where the personal data is inaccurate, out of date, incomplete or misleading.
4. Erasure of personal data of the data subject without undue delay
5. Right to restrict the processing of personal data
6. Right to withdraw consent to the processing of personal data at any time.
7. Right to object to the processing of personal data relating to the data subject.
8. The right to reject being subject to a decision based solely on automated processing of personal data.
9. The right to receive personal data in a structured, commonly used and machine-readable format and be able to transmit it to another data controller without any hindrance.

Data Security

Data controllers and data processors are required to implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in the possession. They must ensure that personal data are protected against accidental or unlawful destruction, loss, misuse, alteration, unauthorized disclosure or access.

The security measures that may be implemented to ensure personal data security include encryption, periodic assessments of risks to processing systems and services, regular testing, assessing and evaluation of the effectiveness of the measures, regular updating of the measures and introducing new measures to address shortcomings, etc.

Personal Data Breaches

Personal data breach is the breach of the security of a data controller or data processor which leads to or may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or processed.

Data processors are required to notify data controllers or engaging data processors of personal data breaches which the data processors store or process upon becoming aware of it by describing the nature of the personal data breach and the number of data subjects and personal data records concerned and also respond to all information requests from the data controllers or the engaging data processors.

Data controllers should also notify the Commission of personal data breaches which are likely to result in a risk to the rights and freedoms of individuals within 72 hours of becoming aware of such breach. Data controllers are also to communicate the personal data breach to the data subjects in a plain and clear language including measures that could be taken by the data subjects to mitigate any possible adverse effects.

Data controllers and data processors are also required to keep a record of all personal data breaches, facts relating to the breaches, its effects and remedial actions taken.

Cross-border Transfers of Personal Data

Data controllers and data processors are not allowed to transfer or permit the transfer of personal data from Nigeria to another country unless:

1. The recipient is subject to a law, binding corporate rules, contractual clauses, code of conduct or certification mechanism that affords an adequate level of protection.
2. meets one of the lawful basis for transfer of personal data outside Nigeria.

The level of protection considered adequate must uphold the principles that are substantially similar to the conditions for processing personal data provided by the Act. An adequate level of protection is assessed by taking into account the existence of an effective data protection law, access of public authority to personal data, existence of an independent supervisory authority, etc.

Registration of Data Controllers and Data Processors

Data controllers and data processors of major importance are mandated to register with the Commission within six months after the commencement of the Act or upon becoming a data controller or data processor of major importance. Data controllers or data processors of major importance are data controllers or data processors that process personal data of particular value or significance to the economy, society or security and are resident or operating in Nigeria.

The Commission is required to maintain and publish a register of duly registered data controllers and data processors of major importance on its website. A data controller or data processor of major importance shall be removed from the register where it ceases operation.

Enforcement and Penalties

A data subject who is aggrieved by the action, inaction or decision of a data controller or processor may lodge a complaint with the Commission and it may investigate the complaint where it is not vexatious or frivolous.

The Commission may also issue a compliance order once it is satisfied that any requirement of the Act or subsidiary legislation has been violated or likely to be violated by a data controller or data processor. The order may be a warning, order to comply with the request of a data subject or a cease-and-desist order. The Commission may also issue an enforcement order or impose a sanction for violation of the Act or a subsidiary legislation.

The penalty or remedial fee for violation of the Act or subsidiary legislation is:

1. Higher maximum amount, which is the greater of N10,000,000 and 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor of major importance.
2. Standard maximum amount, which is the greater of N2,000,000 and 2% of its annual gross revenue in the preceding financial year, in the case of a data controller or data processor not of major importance.

Conclusion and Remarks

The Nigeria Data Protection Act, 2023 is an important piece of legislation and has been long in coming. It provides for the basic principles and the lawful bases for the processing and transfer of personal data in Nigeria and applies to both resident and non-resident data processors. It provides for the responsibilities of data controllers and data processors while also providing for the rights of data subjects. The processing of sensitive personal data and the personal data of children and persons lacking legal capacity to consent must follow the applicable principles as provided by the Act. Data security measures which are robust are expected to be put in place by data controllers and data processors to protect against the risk of personal data breaches. The Act creates the Nigerian Data Protection Commission which has the overall responsibility to ensure compliance and impose penalties where necessary. Both resident and non-resident data processors are advised to pay particular attention to this new legislation as they are now required to take specific steps to ensure compliance with the Act.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post Better Late than Never: Nigeria Finally Passes the Data Protection Act first appeared on Goldsmiths Solicitors.

A Payment Solution Service Providers (PSSP) licence is a financial licence within the payments system which is issued by the Central Bank of Nigeria (CBN). A PSSP licence authorizes the licensee to provide and operate payment processing gateway and portals, solution/application development, and merchant service aggregation and collections services. A  PSSP license does not provide the authorization to hold customers’ funds or create and issue wallets. PSSPs are predominantly Financial Technology (FinTech) companies that enable  and facilitate  online and offline payments solutions which include collections, check-out, biller aggregation and payout services.

The CBN is the regulatory authority that issues PSSP licenses in Nigeria. The CBN also provides constant regulatory oversight over the activities of PSSP licensees in Nigeria.

Who can Apply for a PSSP Licence in Nigeria

Only a company that is duly registered with the Corporate Affairs Commission (CAC) in Nigeria and also meets the minimum share capital requirements and other regulatory requirements of the CBN can apply for a PSSP licence in Nigeria.

The Process of Obtaining a PSSP Licence from the CBN in Nigeria

A PSSP licence is processed in two stages viz:

• Approval-in-Principle (AIP): This is the preliminary stage of obtaining a PSSP license. During this stage, an application is to be made to the CBN for the grant of the license and they are expected to give an Approval-in-Principle or reject the application. Where an AIP is given, it is only valid for a period of six months. The AIP does not authorize the applicant to commence operation but only allows the applicant to take steps towards obtaining the final licence.
• Final Licence: The applicant is required to consolidate the AIP stage by taking steps to ensure its readiness for commencement of operation, notifying the CBN of its readiness to commence operation, by paying and applying for final licence. Upon the grant of the final licence, the applicant can commence its operations.

The process of obtaining a PSSP licence from the AIP stage to the final licence stage involves the following:

1. Write an application letter for a PSSP license which is addressed to the Director, Payments Systems Management Department of the CBN.
2. The application letter is accompanied with the required documents which include:

• Certificate of incorporation of the company with the Corporate Affairs Commission (CAC), with a share capital of N100,000,000 (One Hundred Million Naira)
• Memorandum and Articles of Association of the company
• Form CAC 2A (Return of Allotment of shares)
• Form CAC 7A (Particulars of Directors)
• Tax Clearance Certificate (TCC) and Tax Identification Number (TIN) of the Company
• Company’s profile
• Details of ownership
• Board structure
• Business plan
• Information Technology policy
• Dispute resolution framework
• Necessary certifications such as Payment Card Industry Data Security Standard (PCIDSS), Payment Terminal Service Aggregator (PTSA), etc.
• Evidence of payment of the non-refundable application fee of N100,000 (One Hundred Thousand Naira).
• Evidence of the deposit of the refundable minimum capital of N100,000,000 (One Hundred Million Naira). This is required to be made in full (one lump sum) and in the name of the applicant.

3. The CBN assesses the application for the PSSP licence and the accompanying documents and if it is satisfied with the application, it proceeds to grant an Approval-in-Principle.

4. Upon obtaining AIP from the CBN, the applicant then makes payment of the licence fee of N1,000,000 (One Million Naira) to the CBN designated account and proceeds to apply for a final licence within six months of obtaining AIP.

5. The CBN inspects the registered place of business of the applicant company and its readiness to commence operation and proceeds to issue the final licence if it is satisfied with the outcome of its inspection.

Validity and Renewal of PSSP Licence

PSSP licence validity period is as determined by the CBN and renewable if the operations of the PSSP licensee is satisfactory to the CBN. Recently, CBN renewed Cellulant’s PSSP licence and this shows the satisfaction of the CBN with the services of the company in providing payment solutions in Nigeria. Thus, the renewal of a PSSP licence by the CBN is a vote of confidence on the operation of a PSSP licensee.

Conclusion

A Payment Solution Service Providers (PSSP) licence is an important licence within the Nigerian payment systems which enables the provision of financial services such as the operation of payment processing gateway and portals which is utilized by merchants to accept debit or credit card purchases from customers. A PSSP licensee provides both online and offline payment solutions. A PSSP licence is obtainable from the CBN by submitting an application to the CBN and paying the required application and license fees within the stipulated timelines.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post How to Obtain a Payment Solution Service Providers Licence in Nigeria first appeared on Goldsmiths Solicitors.

By a Circular dated 7^th March 2023, the Central Bank of Nigeria (CBN) released the “Operational Guidelines for Open Banking in Nigeria” (‘the Guidelines’). The Guidelines set out rules for sharing the data/information of customers between participants in the open banking system. Although not defined in the Guidelines, open banking system may be defined as the exchange of the data of an entity’s customers with other entities for the purpose of providing innovative financial services. Thus, the Guidelines recognize the right of customers to privacy and data protection and set out the rules for engaging in open banking in Nigeria. It among other things, stipulates technical requirements/considerations for operating in the open banking system, identifies the risks associated with open banking to include cyber security, data privacy and integrity, product management, money laundering and regulatory compliance, and outlines the rules to manage these risks.

In this article, we highlight some salient provisions of the Guidelines such as who the participants in open banking are, the obligations of participants, regulatory oversight functions, policies/frameworks to be formulated by participants, reporting obligations, intellectual property issues and risk management.

Participants in Open Banking Operations

These are the organizations/persons who may engage in the exchange of customers’ data for the purpose of providing/receiving innovative financial services. Participants in open banking are classified based on the roles and the services they provide as follows:

1. API Providers;
2. API Customers; and
3. Customers.

API providers (APs) are those who use Application Programming Interface (API) to avail data or service to another participant. They can be licensed financial institutions, fast-moving consumer goods (FMCG) companies such as cosmetics, beverages, drugs, etc. companies, retailers, payroll service bureau, etc.

API Customers (ACs) are those that use API released by APs to access data or service. They are the recipients of API containing the data or service of other customers.

Customers as participants are the data owners who shall be required to provide consent for the release of their data for the purpose of accessing financial services. They may provide consent whilst filling out a form, etc.

Open Banking Registry

By the Guidelines the CBN is expected to maintain and provide an Open Banking Registry (‘the Registry’). The Registry is charged with regulatory oversight functions for participants in open banking. Participants in open banking are required to be registered with the Registry and their details are to be held by the Registry. The Registry is also to maintain an API interface which would serve as the primary means by which API providers manage the registration of their API customers.

Responsibilities of API Providers and API Consumers

The Guidelines set out several responsibilities which APs and ACs are expected to comply with. These responsibilities provide rules for ensuring accessibility of open banking systems and procedures, transparency, cybersecurity, privacy protection, etc.  Some of these responsibilities are:

1. Configuration management: APs and ACs are required to keep detailed inventory of open banking system configuration items in accordance with current Information Technology Infrastructure Library (ITIL) Standards. They are also to have automated configuration management (CM) processes and a configuration management policy.
2. Execution of a Service Level Agreement (SLA): They are required to execute an SLA which is to contain provisions on accounting and settlement, fee structure, reconciliation of bills, registration, and sponsorship responsibilities. The fee structure is also to be publicly disclosed on their websites and applications.
3. They are to ensure that all systems required for open banking are available, functioning optimally and meet up with the minimum standards on service monitoring, incident management, performance monitoring and event logging.
4. They are to ensure that they meet the minimum performance standards for open banking systems. The Guidelines outlines several key performance indicators (KPIs) to ascertain compliance with the minimum performance standards. One of such KPI is that where the average API total processing time is less than 3 seconds, it would be considered as ‘operational’, where it is less than or equal to 7 seconds, it would be considered as ‘suspect’, and where it is greater than 7 seconds, it would be considered as ‘critical’.
5. APs and ACs are required to maintain Business Continuity Plan (BCP) which are to among other things, indicate the architecture of the Online Transaction Processing (OLTP) and Online Analytical Processing (OLAP) infrastructure, trigger events, processes for failover and fail-back, and includes quarterly failover exercises and review of processes. The Guidelines also sets the threshold for failover and fail-back procedures as ’30 minutes of downtime’. They are also required to implement Disaster Recovery Plans (DRP) which may also be entrenched in the BCP. The plans are to be tested every 6 months. Whilst CBN is to oversee testing procedures, it is the responsibility of ACs and APs to provide the facilities for testing.
6. They are to ensure that they have problem management systems in place. The problem management system is aimed at managing incidents known to be recurring and which are not resolved under the SLAs. APs and ACs are to maintain a Problem Register which is to be made available to regulators, auditors, risk, and control teams within the organization. The problem management system is to be always electronic, or cloud based.
7. They are to ensure compliance with interface requirements. Some of these requirements are ensuring that interfaces between APs and ACs are 100% electronic, the data interchange format must be JavaScript Object Notation (JSON) and ensuring that the data standard for financial transactions are model based on ISO 20022 or any other global applicable minimum standard.
8. ACs and APs are to ensure that they maintain best competition practices. They are to comply with the provisions of section 2 of the Code of Conduct for the Nigerian Banking Industry which guards against unethical practices/unprofessional conducts by persons in the banking industry.
9. They are to ensure that the data in their possession is well protected and are to set up effective information security management systems and are to ensure compliance with technical security standards and minimum-security principles as contained in US NIST CSRC.
10. Change management obligations. They are required to collate change requirements and plan the changes for the next month. Changes to be made, whether pre-emptive or responsive are to be reported with sufficient details and in accordance with the prescribed notifications to be sent to all stakeholders that may be affected by such changes. The notifications are to be made in the following order:

• 24 hours before the intended change
• 1 hour before the intended change.
• Immediately the change has been completed and the services have been confirmed restored.
• 30 minutes after the change should have been completed but has been prolonged or failed.
• At the point of commencing a change rollback.
• When the services have been restored.

11. APs and ACs are required to have secure real-time communication platforms for first level incident responders within their organizations and respective ACs/APs for incident notification, investigation, and resolution. Emails are however not sufficient communication channels for incident management in open banking. The communication platforms are to accommodate text voice and video conferencing as effective modes of communication.

Termination of Agreement between Participants.

Any participant desirous of terminating a relationship is required to give the other party 20 business days’ notice of such termination. Where the relationship is terminated without notice due to fraud, abuse of service, etc. the AP is required to provide the AC with a report justifying the termination within 2 business days.

Policies/Frameworks to be Formulated under the Guidelines

ACs and APs are required to formulate the following policies:

1. Data Governance Policies. These policies are to govern the way APs and ACs handle the data of customers. They are to be approved by a committee of its Board of Directors or at minimum, an executive management committee.
2. Data Ethics Framework. The Data Ethics Framework is to provide the principles for collecting, collating, storing, analyzing, processing, etc. data. The Framework is also to provide consistent procedures for the documentation, verification, etc. of data to ensure compliance with extant laws and regulations.
3. Data Breach Policy. This policy is aimed at preventing, managing, assessing, reviewing, etc. data breach.
4. Configuration Management Policy. This Policy is to be approved by the AP’s or AC’s executive or board level information technology steering committee or an equivalent body not less than executive level.
5. Risk Management Framework. This Framework is to set out guiding principles for the management and mitigation of risks. Participants are to have a risk management committee which is to consist of at least three members of senior management cadre.

Rendition of Returns/Reporting Obligations

One of the ways CBN safeguards the privacy rights of customers and ensure data security under the Guidelines is by mandating ACs and APs to render periodic returns to the CBN. The returns are to state the volume and value of transactions, the number of users, success and failure rates, security and fraud incidents, downtime reports and any other information as CBN may require from time to time.

Participants are also required to introduce an incident reporting portal to enable easy, efficient, and fast reporting of cybersecurity breach incidents.

ACs and Aps are to provide monthly API Consumers Reports to each other indicating among other things, statistics of incidents/problems, SLA compliance and aggregate impact in downtime or loss of service, the number and category of Fraud and Disputes with accompanying SLA performance, and the excerpts of the problem register indicating new, existing, and resolved problems.

ACs and APs are also required to make ‘Customer Reports’ to customers who have subscribed to one or more ACs stating among other things, transcript of ACs activities on the use of customer-permissioned data shall be provided to the customers at the minimum every month or for a period less than a month as may be requested by a customer, a transcript of each AC’s activities against the customer’s account/wallet for at least the last 30 days, etc.

Data Sharing

The Data of individuals is an intangible yet sensitive asset. The Guidelines provide for rules for data sharing with other (outsourced) service providers as well as between APs and ACs. Before APs share the data of a customer with ACs, they are to obtain the consent of the customer and authenticate the consent to ensure it emanates from the customer. This is to be done by putting in place Two Factor Authentication (2FA). The AC on the other hand is also required to furnish the customer with certain information such as its legal name, CAC registration number, means of identification in the open banking registry, access type and duration, means of withdrawal of consent, etc. for the consent obtained to be valid.

Intellectual Property

The Guidelines make provisions on IP issues and stipulates that the IP rights in any data or other information would always remain with the participant/party whom such data emanated from. Thus, parties are to be mindful of this provision while drawing up Agreements to ensure that no clause runs contrary to this stipulation.

Resolution of Complaints

By the Guidelines, participants are to stipulate how customers can lodge their complaints during the customer’s onboarding. Where there is a complaint, participants are required to acknowledge receipt of the complaint within 24 hours and are to resolve the complaint within 48 hours of its receipt.

Conclusion

It is important to emphasize that the Guidelines only applies to the exchange of data for the purpose of providing innovative financial services in Nigeria. Any organization that controls the data of its customers is now allowed to exchange it with other entities for the purpose of providing innovative financial services in Nigeria. However, before the information of customers are shared, their consents must be obtained, authenticated by API provider, and validated by the API customer. The Guidelines provides minimum security measures and risk management systems to be put in place to protect the information of customers. It sets out rules that would guard against the violation of the privacy rights of customers while promoting efficiency, financial inclusion, healthy competition, and customers’ access to services available to them in the financial service industry.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post An Overview of CBN’s Operational Guidelines for Open Banking in Nigeria first appeared on Goldsmiths Solicitors.

2022 has been an incredibly busy and exciting year in the Nigerian legal and regulatory environment. There were major and far-reaching changes ushered in by the regulatory authorities particularly the Central Bank of Nigeria (CBN). There were also major developments relating to Banking and Finance, Competition and Consumer Protection, Startups, Capital Markets, Insolvency, etc. In this article, we have highlighted some of the major legal, regulatory, and judicial changes that occurred in 2022. This article is divided into four parts representing four quarters of the year. In each quarter, we deal with all the major legal changes that occurred therein.

1^st Quarter (January – March 2022)

A remarkable feature of the first quarter was the issuance of regulations/guidelines by the CBN. Within this period, the Electoral Act 2022 was also signed into law by the President. The new Electoral Act introduced important changes to the conduct of elections Nigeria. Below are some of the highlights of the 1^st quarter:

• The Central Bank of Nigeria (CBN) Guidelines on the Introduction of E-evaluator, e-invoicing for Import and Export in Nigeria. Although the Guidelines were issued in January, it became operative on 1 February 2022 and requires the submission of an electronic invoice authenticated by the Authorised Dealer Bank for all import and export operations. The electronic invoice replaces the usual hardcopy final invoice.
• On 11 January 2022, President Muhammadu Buhari approved the establishment of the Nigerian Diaspora Investment Trust Fund, a private sector investment window for Nigerians in the diaspora to support direct investments in the country.
• On 18 January 2022, the Lagos State Government introduced the Consolidated Informal Transport Sector Levy to harmonize the taxes paid by transporters to the state government.
• On 26 January 2022, the Federal High Court in the case of Attorney General of Rivers State v. Attorney General of Federation and 3 Others, invalidated deductions by the Federal Government from the Federation Account for funding the Nigeria Police Trust Fund.
• The Central Bank of Nigeria Operating Guidelines for RT200 Non-Oil Export Proceeds Repatriation Rebate Scheme. This is a programme designed and introduced by the CBN to incentivize exporters in the non-oil export sector with the goal of raising $200 billion in FX over the course of the next three years.
• The Central Bank of Nigeria Guidelines for Regulation and Supervision of Credit Guarantee Companies in Nigeria. The Guidelines seeks to ensure a conducive environment for Micro, Small and Medium Enterprises (MSMEs) to be able to access credit at low interest rates from banks and financial institutions. The requirements for obtaining a license and also the activities which are permitted and not permitted by the license are contained in the Guidelines.
• On 7 February 2022, the Lagos State Governor signed the Lagos State Real Estate Regulatory Authority Bill into Law. The law introduced significant changes to the real estate landscape in Lagos State by mandating the registration of real estate practitioners.
• Electoral Act (Amendment) Act 2022 (the Electoral Act). The new Electoral Act was signed into law on 25 February 2022 by President Muhammadu Buhari. The Electoral Act empowers the Independent National Electoral Commission (INEC) to transmit election results electronically. Section 84 (12) of the Act, prohibits appointees of government, government officials from holding office while vying or contesting at party primaries.
• On 4 March 2022, the CAC stated in a circular that schools and other institutions would no longer be registrable as business names. This means they can now only be registered as a company pursuant to the Companies and Allied Markets Act 2020.
• On 23 March 2022, the Nigerian Communications Commission (NCC) issued the License Framework for the Establishment of Mobile Virtual Network Operators in Nigeria.

2^nd Quarter (April – June 2022)

This quarter witnessed a high level of enactment of laws and the issuance of regulations by the regulatory authorities. Importantly, three laws were passed to deal with the issues of corruption and terrorism in Nigeria. One of these laws (Money Laundering [Prevention and Prohibition] Act 2022) prompted the issuance of a guidelines by the CBN to bring its AML/CFT regulations in compliance with the requirements of the new law. The Securities and Exchange Commission (SEC) also issued a guideline to regulate digital and virtual assets. Below are some of the highlights of the 2^nd quarter:

• On 6 April 2022, the President signed Executive Order 11 which mandates government to institutionalize maintenance of public buildings. The National Biotechnology Development Agency Act, 2022 was also signed on the same day. The law provides the legal framework for the established agency to carry out research and create public awareness in biotechnology to encourage private sector participation.
• On 24 April 2022, the Corporate Affairs Commission announced the approval of the Insolvency Regulations 2022 by the Minister of Industry, Trade and Development. The regulations govern insolvency proceedings under the Companies and Allied Matters Act 2020.
• On 12 May 2022, the President signed the Money Laundering (Prevention and Prohibition) Act, 2022, the Proceeds of Crime (Recovery and Management) Act, 2022, and the Terrorism (Prevention and Prohibition) Act, 2022.
• The Central Bank of Nigeria Exposure Draft Guidelines for Open Banking in Nigeria. These Guidelines are aimed at enhancing competition and innovation in the banking system. It established the principles for data sharing across the banking and the payments system and broadened the range of financial products and services available to bank customers.
• The Central Bank of Nigeria Guidelines for the Registration and Operation of Bank Neutral Cash Hubs (BNCH) in Nigeria. The Guidelines are aimed at  reducing the risks and cost borne in the course of cash management and to also enhance cash management efficiency. The registration of a BNCH is to be undertaken in two stages of obtaining CBN Approval-in-Principle and final approval. The BNCH are to be licensed to take deposit and disburse high volume cash on behalf of financial institutions but cannot carry out lending activities, receive or disburse foreign currency or sub-contract their operation.
• Revised Guidelines for the Operation of Non-Interest Financial Institutions’ Instruments by the Central Bank of Nigeria. These Guidelines replaced the 2012 Guidelines and were issued to regulate the issuance of non-interest instruments by Non-Interest Financial Institutions (NIFIs) while also stipulating the requirements and terms of operation for NIFIs.
• The Central Bank of Nigeria (Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations, 2022. The CBN issued the Regulations to bring its regulations on anti-money laundering and combatting the financing of terrorism to be in compliance with the Money Laundering (Prevention and Prohibition) Act, 2022 and safeguard the financial institutions from being used for financial crimes.
• The Securities and Exchange Commission issued the Rules on the Issuance, Offering Platforms and Custody of Digital Assets. The Rules were issued by SEC on 13 May 2022 and provide for the issuance of digital assets, registration requirements for Digital Assets Offering Platforms (DAOPS) and Digital Assets Custodians (DAC) among others.
• On 25 May 2022, the Federal High Court in the case of Femi Davies v. National Broadcasting Commission, nullified the National Broadcasting Code (6^th Edition) through which the National Broadcasting Commission (NBC) sought to regulate the practice of advertising in Nigeria. The court held that it was beyond the power of the NBC to regulate advertisement.

3^rd Quarter (July – September 2022)

The regulatory authorities in the banking and finance sector, particularly the CBN, were very active in issuing one form of guidelines or the other. The Federal Competition and Consumer Protection Commission (FCCPC) issued a guideline to regulate the activities of digital money lenders after a series of predatory practices by many digital money lenders. There was also a judgement of the Court of Appeal which re-affirmed the power of the Federal Inland Revenue Service to collect VAT from hoteliers. Below are some of the highlights of the 3^rd quarter:

• The Central Bank of Nigeria Review of the Industry Quick Response (QR) Code Presentment Options. The review was done by the CBN to enhance the flexibility offered by the use of QR codes in payments. The review provides that the implementation of the QR code for payments shall be based on either merchant-presented or consumer-presented modes.
• The Central Bank of Nigeria Exposure Draft on the Digital Financial Services Awareness Guidelines. This was developed to address gaps in consumer knowledge and practices with Digital Financial Services (DFS). The Guidelines provides for a set of principles and expectations for financial service providers to integrate in the provision of DFS to ensure consumer understanding, good treatment and positive outcomes.
• On 1 July 2022, the Court of Appeal set aside the judgement of the Federal High Court in the case of The Registered Trustees of Hotel Owners and Managers Association of Lagos v. Attorney General of Lagos State which invalidated the powers of the Federal Inland Revenue Service (FIRS) to collect Value Added Tax (VAT) from hoteliers and held that the collection of the tax is in the purview of the state government. The Court of Appeal has now held that it is the FIRS that has the authority to collect VAT. See Federal Inland Revenue Service v. The Registered Trustees of Hotel Owners and Managers Association of Lagos.
• Limited Interim Regulatory/Registration Framework and Guidelines for Digital Lending 2022. The regulations were issued by the FCCPC on 18 August 2022 to provide the FCCPC’s approach to regulating the digital lending space and makes provisions for the requirements for approval/registration to carry out the business of digital lending in Nigeria. Thus, by this Framework and Guidelines, institutions engaged in digital lending activities are to be registered with the FCCPC.
• The Revised Handbook on Expatriate Quota Administration 2022 (the Revised Handbook). On 31 August 2022, the Federal Ministry of Interior announced the issuance of the Revised Handbook. The Handbook increased the minimum share capital requirement of a company wishing to apply for business permit from N10,000,000 to N100,000,000. It also reduced the lifespan of Expatriate Quotas (EQs) from ten to seven years. However, the provisions of the Handbook are yet to be operational.
• The Advertising Regulatory Council of Nigeria (ARCON) banned the use of foreign voice-over artists and models on any advertisement which targets the Nigerian advertising space. The ban took effect on 1 October 2022.

4^th Quarter (October – December 2022)

The Nigeria Startup Act was enacted during this quarter, and it represents a remarkable achievement towards incentivizing startups in Nigeria through the incentives and programmes dedicated to spur the growth of startups in Nigeria. A sport policy was also developed and approved with the motive to position the sport sector to generate revenue while standardizing it. The CBN was also active with the issuance of several guidelines and regulations to regulate players in the Nigerian financial services sector. Below are some of the highlights of the 4^th quarter:

• Exposure Draft Guidelines for the Regulation of Representative Offices of Foreign Banks in Nigeria. The Guidelines stipulate how a representative office of foreign banks can be licensed in Nigeria. It enumerates the activities they can validly engage in in Nigeria such as marketing the products and services of their foreign parent or affiliate and states that they cannot engage directly in any financial transaction.
• Exposure Draft Guidelines on Contactless Payments in Nigeria. The Guidelines provide the minimum standards and requirements for the operation of contactless payments and specified the roles of stakeholders such as acquirers, issues, payment schemes, merchants, etc.
• Nigeria Startup Act 2022. On 19 October 2022, the Nigeria Startup Act, 2022 was signed into law. The law aims to provide an enabling environment for the establishment, development, and operation of startups in Nigeria and to position Nigeria’s startup ecosystem as the leading digital technology centre in Africa.
• National Sports Industry Policy (NSIP) 2022 – 2026. On 2 November 2022, the Federal Executive Council (FEC) approved the National Sports Industry Policy (NSIP) 2022 – 2026. The policy contains provisions on governance regulations, infrastructure development plans, incentives for private investors, etc. aimed at standardizing the Nigerian sport sector and thereby generating revenue.
• CBN Naira Redesign Policy – Revised Cash Withdrawal Limits. Citing the need to combat fraud, corruption, terrorism and to ensure that most of the money in circulation are within the banking vault, the CBN issued the policy document on 6 December 2022 to reduce the daily and weekly cash withdrawal limit and also to introduce certain requirements for withdrawing across the counter beyond the set limit at the rate of 5% fee for individuals and 10% for corporate organizations. The revision of the cash withdrawal limits was done by the CBN pursuant to the recent redesign of the Nigerian currency i.e. N200, N500 and N1,000 notes. Coming less than three months before the next general elections in Nigeria, this policy has received a lot of resistance from the political class.

Conclusion

2022 has been a remarkable year in the Nigerian legal and regulatory space and saw the enactment of the Start Up Act, the redesign of the Naira and the introduction of far-reaching regulations especially by CBN aimed and tackling corruption, fraud and financial crimes.

We use this opportunity to wish all our clients a very Merry Christmas and best wishes for the New Year 2023. Thank you all for your support.

Please note that the contents of this Article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post Goldsmiths Solicitors – Legal Recap for the Year 2022 first appeared on Goldsmiths Solicitors.

This article provides an insight into the provisions of the Guidelines.

What is Contactless Payment?

According to the Guidelines, contactless payment is a payment system that involves the use of contactless technology that enables an alternative payments method whereby payment instruments such as pre-paid, debit and credit cards, stickers, fobs, wearable devices, tokens and mobile electronic devices are used without physical contact with devices.

Aims of the Guidelines

The guidelines aim to provide the minimum standards and requirements for the operations of contactless  payments in Nigeria, and also specify the roles and responsibilities of the stakeholders involved in contactless payments in Nigeria.

Who are the Participating Stakeholders?

The participating stakeholders in contactless payments in Nigeria are:

1. Acquirers
2. Issuers
3. Payment Schemes
4. Card Schemes
5. Switching Companies
6. Payments Terminal Service Providers (PTSPs)
7. Payments Terminal Service Aggregator (PTSA)
8. Merchants
9. Terminal Owners
10. Customers
11. Any other stakeholder/participant(s) as may be designated by the CBN.

The stakeholders are required to obtain CBN’s approval for contactless payments products and for innovative use cases and value-added services.

Minimum Standards for Contactless Payments in Nigeria

The participating stakeholders that process and/or store customers’ information are obliged to ensure that their terminals, applications and processing systems comply with the below standards at the minimum:

1. PA DSS – Payment Application Data Security Standard
2. PCI PED – Payment Card Industry Pin Entry Device
3. PCI DSS – Payment Card Industry Data Security Standard
4. Triple DES – Data Encryption Standards shall be the benchmark for all data transmitted and authenticated between each party. The Triple DES algorithm is the minimum standard.
5. AES – Advanced Encryption Standards
6. EMV – the deployed infrastructure must comply with the minimum EMV requirements for Contactless acceptance
7. ISO27001 – Information Security Management System
8. Other standards as may be specified by CBN from time to time.

Each participating stakeholder (operator) is mandatorily required to maintain valid certification to the above standards and regularly review the status of its systems, applications, networks and devices, to ensure they remain compliant.

Roles and Responsibilities of Stakeholders

The Guidelines provide for the separate roles and responsibilities of the stakeholders as follows:

Acquirers

Some of the roles and responsibilities of acquirers with respect to contactless payments in Nigeria include:

1. Only CBN licensed institutions can serve as acquirers for contactless payments.
2. Acquirers shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
3. Acquirers shall execute contactless payments agreements with parties for utilizing contactless platforms for payments.
4. Acquirers shall be able to accept all cards or payments instruments used in Nigeria.

Issuers

Some of the roles and responsibilities of Issuers with respect to contactless payments in Nigeria include:

1. Only CBN licensed institutions shall serve as Issuers for contactless payments.
2. Issuers shall ensure that activation of contactless payment is at customer’s instance, and with full consent.
3. Issuers shall ensure that their applications, instruments, tokens and devices meet current standards and specifications for contactless payments.
4. Issuers shall activate only accounts and wallets with Bank Verification Number (BVN).
5. Issuers shall ensure that transaction limits are strictly adhered to.

Payment Schemes and Card Schemes

Payment Schemes and Card schemes have the same roles and responsibilities with respect to contactless payments in Nigeria. These roles and responsibilities include:

1. Ensuring that all contactless transactions are processed online or submitted via current processing specifications.
2. Implement a documented risk management process to identify and treat risks associated with contactless payments.

Switching Companies

Switching companies have the responsibility of ensuring that contactless transactions consummated by all payment instruments issued in Nigeria are successfully switched between acquirers and issuers.

Payment Terminal Service Providers (PTSPs)

Some of the roles and responsibilities of PTSPs with respect to contactless payments in Nigeria include:

1. Ensuring that all their terminals for contactless payments are functional at all times.
2. Ensure they have adequate support infrastructure that support coverage for merchants.
3. Ensure all deployed devices and terminals have support service contact information.
4. Prevent instrument clashes even when multiple contactless payments devices are present.

Payment Terminal Service Aggregator (PTSA)

The PTSA shall, on an annual basis, or more frequently, certify POS terminals for contactless payments to ensure POS terminals meet the approved standard for the industry and also put in place a risk management process.

Merchants

Some of the roles and responsibilities of merchants with respect to contactless payments in Nigeria include:

1. Ensuring that deployed devices and applications are available for contactless payments of goods and services.
2. Merchants shall be held liable for fraudulent contactless payments arising from negligence/connivance.
3. Contactless payment transaction value and associated charges shall be clearly communicated to the customer prior to consummation of the transaction.
4. Display the contactless symbol

Terminal Owners

Terminal owners are to ensure that all terminals and devices are compliant with appropriate minimum specifications and also ensure the implementation of a documented risk management process.

Customers

Customers have the option to opt-in by applying and consenting to applicable terms and conditions and can withdraw without prior notice to the issuer. Customers are also obliged to authenticate contactless payments transaction as may be required, exercise due diligence in carrying out contactless payments transactions and protect their payments instruments from unauthorized use.

Transaction Limit

The CBN is to determine the appropriate transaction and cumulative daily limits for contactless payments from time to time. However, stakeholders are permitted to set limits in line with CBN’s limits.

Contactless payment transactions below stipulated daily limits may not require customers’ authorization such as token, biometrics, pin, etc. while higher-value contactless payments shall require customer verification such as pin, mobile code, biometric, etc.

Sanctions and Penalties

Stakeholders are required to comply with the provisions of the Guidelines and other relevant regulations of the CBN. Failure to comply attract appropriate sanctions and penalties as may be determined by the CBN.

Conclusion

The Exposure Guidelines provides a regulatory framework for the activities and conduct of affairs of the stakeholders in the contactless payments system in Nigeria. When the Guidelines become operational, all stakeholders will be required to conduct their affairs and carry out their roles in accordance with the minimum set standards under the Guidelines.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post An Overview of the Central Bank of Nigeria Exposure Draft Guidelines on Contactless Payments in Nigeria first appeared on Goldsmiths Solicitors.

What is a Startup?

A Startup is defined in the Act as “a Company in existence for not more than 10 years, with its objectives being the creation, innovation, production, development or adoption of a unique digital technology innovative product, service or process”.

Regulatory Authorities and Structures under the Nigerian Startup Act.

The Act introduces several Authorities and structures which are responsible for the administration and development of startups in Nigeria. These established regulatory Authorities are distinct from other regulatory bodies which regulate the various sectors in which a startup may operate in Nigeria. Some of these Authorities and structures are:

• The National Council for Digital Innovation and Entrepreneurship (the ‘Council’).

The Act establishes the Council and empowers it to formulate policies for the realization of the objectives of the Act. The Council consists of about 13 members including the President and Vice President of Nigeria who are to respectively serve as Chairman and Alternate Chairman of the Council. The Council is also to appoint a Council Agent who is to submit reports on the status of programmes implemented to the Council.

• The National Information Technology Development Agency (NITDA)

The NITDA functions as Secretariat and is the operational arm of the Council. It is to be chaired by the Director General of NITDA. As part of its duties, the Secretariat is required to manage the process of startup labelling and establish a Startup Support and Engagement Portal to provide support to startups.

• The Startup Support and Engagement Portal (the ‘Portal’).

The Portal is to serve as a platform and may be described as a one-stop shop through which startups conduct their registration process with the relevant Ministries, Departments and Agencies (‘MDAs). The activities of the Startup Portal are to be administered by a Coordinator to be appointed by the Secretariat with the approval of the Council.

• The Startup Consultative Forum (the ‘Forum’).

The Forum is to be set up on the Startup Portal to provide a platform for information sharing and collaboration among startups. It is to comprise of industry stakeholders including representatives from labelled startups, venture capitalists and angel investors.

• Accelerators and Incubator and Innovation Hubs.

The Secretariat is to establish accelerator and incubator programmes for startups. An accelerator is a fixed-term cohort programme designed to provide startups with mentorship and educational assistance, while an incubator on the other hand is a company, partnership or NGO whose primary object is to support the establishment and development of startups, promotion of innovation, and related activities through the offer of dedicated physical spaces and services. The Council is also to issue a framework for the establishment and operation of startup innovation clusters, hubs, physical and virtual innovation parks in each state of the Federation. The Hub is to promote collaboration among startups and between startups and big companies.

Startup Labelling

A company, sole proprietorship or partnership may be issued a certificate by the Secretariat labelling it as a startup and thus, making it entitled to incentives provided under the Act. To be eligible for startup labelling, the following conditions must be met:

1. In the case of a company, the company ought to be in existence for not more than 10 years from the date of its incorporation;
2. Its objects ought to be that of innovation, development, production, improvement and commercialization of a digital innovative product or process;
3. It is to be a holder or repository of a digital technology product or process, or the owner or author of a registered software;
4. At least one of its founders or co-founder is to be a Nigerian who would share from the profit or revenue from the sale of shares.

It is vital to note that the provisions of the Act including the startup labelling will not apply to an organization that is a holding company or a subsidiary of a company which is not registered as a startup.

Procedure for the application for a Startup Label

A startup desirous of being so labelled is required to make an application in the prescribed form on the Startup Portal which is to be established by the Secretariat with the approval of the Council. This application is to be supported by documents and fee to be prescribed by the Secretariat.

Validity/Duration of the Startup Label

The startup label when issued is valid for 10 years from the date of issuance. Startups so labelled are expected to comply with specified obligations. Where a labelled startup fails to comply with its obligations, the Coordinator may notify the startup of its default and the startup is expected to rectify the default within 30 days of being notified. Where the startup remains in default after the 30-days period, its label may be withdrawn.

A startup whose label has been withdrawn may only re-apply to the Secretariat for re-issuance once the default has been rectified.

Obligations of Startups under the Act

Startups are to fulfil specific obligations to enable them enjoy the benefits and incentives granted under the Act. They are to:

1. Comply with extant laws governing businesses in Nigeria, such as the Companies and Allied Matters Act, 2020;
2. Comply with obligations set out by the coordinator after the issuance of the startup label;
3. Notify the Coordinator of any changes in its structure or objects within a month from the date of such change;
4. Provide information annually on the number of human resources, total assets and annual turnover achieved from the period the startup label was granted;
5. Maintain proper book of accounts in accordance with reporting obligations under extant laws and regulations;
6. Provide an annual report on incentives received and advancements made by virtue of the incentives.

Incentives provided under the Act

The Act makes provision for various tax and fiscal incentives to labelled startups. These incentives cuts across reliefs for the labelled startups, their employees, service providers and investors. They are:

1. The Pioneer Status Incentive Scheme.

Labelled startups that fall within industries provided under the list of Pioneer industries and products as provided under the List of Pioneer Industries and Products, 2017 or any subsequent law may apply to the Nigerian Investment Promotion Commission (NIPC) for the grant of reliefs and incentives under the scheme. An example of startups that may benefit from this Scheme are companies involved in the development of ready-made software. A startup qualified to benefit from this scheme may enjoy a renewable 3-year tax holiday.

2. Four years tax holiday.

Labelled startups may be exempted from any form of income taxation for a period of four (4) years from the date of the issuance of the startup label. The Ministry of Finance is expected to provide simplified requirements for startups to benefit from this incentive.

3. 5% tax relief on assessable profits.

To benefit from this additional tax relief, the labelled startups is to have at least 10 employees of which 60% are employees without any form of work experience and who are within 3 years of graduating from school or any vocation within the assessment period. This tax relief is valid for a maximum period of five years.

4. Export incentives for labelled startups involved in exportation of products and services.

Startups deemed eligible under the Export (Incentives and Miscellaneous Provisions) Act are also entitled to export incentives and financial assistance from the Export Development Fund, Export Expansion Grant, and the Export Adjustment Scheme Fund.

5. Investment Credit Tax.

This relief is applicable to angel investors, venture capitalists, private equity fund, accelerators or incubators of a labelled startup and entitles them to tax credit equivalent to 30% of their investment.

6. Exemption from Capital Gains Tax (CGT) on disposal of assets by investors.

The Act exempts investors from taxation upon the disposal of its assets in a startup.

7. Exemption on the Personal Income Tax of employees.

The Act exempts eligible employees from remitting 35% of their personal income for a period of 2 years from the date of engagement by the labelled startup. However, the Act does not provide the requirements for eligibility but gives the Secretariat and the Joint Tax Board the responsibility of determining  the requirements for eligibility.

8. Reduction of withholding tax for foreign entities who are service providers of labelled startups.

Foreign entities that provide technical, consulting, professional or management services to a labelled startup is required to pay 5% withholding tax as opposed to the 10% withholding tax applicable to service providers. This tax shall be the final tax to be paid by the foreign entity.

Funding for Startups under the Act

Some of the funding arrangement provided under the Act are:

1. The Startup Investment Seed Fund (‘the Fund’).

The Act establishes the Fund which is to be managed by the Nigeria Sovereign Investment Authority (‘the Fund Manager’). A sum of at least N10,000,000,000 (Ten Billion Naira) is to be paid annually into the Fund which would be utilized to provide financial support to startups and reliefs to accelerators, incubators and hubs.

2. Access to Government funds and the Credit Guarantee Scheme (CGS).

The Act establishes the CGS with the primary objective of providing accessible financial support to labelled startups. The Act also directs the Secretariat to ensure that labelled startups have access to grants and loan facilities administered by the Central Bank of Nigeria (CBN) and other bodies empowered to assist MSMEs.

The Startup Portal as a One-stop Shop for Labelled Startups.

The major function of the Startup Portal to be set up by the Secretariat is to act as a one-stop shop for startups to register with the MDAs regulating some sectors in Nigeria. The Act charges the Secretariat to collaborate with some regulatory bodies in setting up sections on the startup portal for the registration and administration of the activities of labelled startups with these bodies. These regulatory bodies are the Corporate Affairs Commission (CAC), the National Office for Technology Acquisition and Promotion (NOTAP), the National Copyright Commission and the Trademark, Patent and Designs Registries, the Nigeria Export Processing Zone Authority, the Central Bank of Nigeria (CBN) and the Securities Exchange Commission (SEC). The aim of this exercise is to ensure swift and seamless registration processes for startups. For instance, the Secretariat is to work with CBN and SEC to create a section on the startup portal to ease the licensing procedure for financial technology (Fintech) companies. The Secretariat in conjunction with the NEPZA is also to establish a Technology Development Zone to spur the development of startups, accelerators and incubators.

The startup portal is also to have a section through which labelled startups who intend to participate in CBN’s sandbox or SEC’s regulatory incubator or in any other sandbox may fast track their application process. The labelled startup must however meet all the requirements to participate in the sandbox or regulatory incubator.

Repatriation of Capital and Profits.

In order to encourage foreign investments in startups, the Secretariat is to work with the CBN to ensure the repatriation of the proceeds of investments by foreign investors through an authorized dealer at the prevailing CBN rate. The repatriation is to be done on freely convertible currency of dividends or profits attributed to the foreign investor net all applicable taxed; and the proceeds in the event of sale or liquidation of the labelled startup, net all applicable taxes. To benefit from this arrangement, the investor would be required to present its Certificate of Capital Importation (CCI) as proof of injection of funds into the labelled startup.

Conclusion

The signing of the Nigerian Startup Act is no doubt a welcome development in Nigeria.  The provisions of the Act when implemented would encourage innovation and investment in the Nigerian startups especially in the FinTech space. There are many tax and fiscal incentives that are available to labeled startups including investors, foreign entities and employees. There are however concerns that this Act is yet another layer of bureaucracy in the already over regulated Nigerian business environment.

Please note that the contents of this article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact:

The post The Nigerian Startup Act, 2022, Nigeria’s Bold Step to Encourage Innovation? first appeared on Goldsmiths Solicitors.

Definition of Credit Guarantee Companies

According to the Guidelines, a CGC is an institution licensed by the CBN with the primary objective of providing guarantees to banks and other lending financial institutions against the risk of default by obligors.

An example of a Credit Guarantee Company in Nigeria providing guarantees for MSMEs to access credit is Impact Credit Guarantee Limited.

Objectives of the Credit Guarantee Scheme

The objectives of the scheme include the following:

1. Improve access to credit for MSMEs
2. Reduce credit risk in lending by providing guarantees to PFIs
3. Stimulate lower interest rates on loans
4. Promote flexible collateral requirements
5. Encourage new business formation, development and expansion
6. Foster sustainable and inclusive growth
7. Improve risk management in the financial sector.

Powers and Duties of the Central Bank of Nigeria

The Central bank of Nigeria shall have regulatory and supervisory powers and duties over CGCs in addition to the following:

1. Grant and revoke licence.
2. Determine minimum capital requirements.
3. Approve the appointment of board members and senior management staff.
4. Remove board members and senior management staff.
5. Approve the appointment of external auditors.

Permissible Activities

The activities which CGCs may legally engage in include:

1. Provide guarantee for risk assets.
2. Render advisory services for financial and business development.
3. Invest surplus funds in government securities.
4. Maintain and operate various types of accounts with banks in Nigeria.
5. Engage in the recovery of guaranteed sum from defaulting borrowers post claims payment.
6. Other activities as may be prescribed by CBN from time to time.

Non-permissible Activities

The non-permissible activities for CGCs include the following:

1. Provision of guarantee to entities outside Nigeria.
2. Provision of credit to customers.
3. Acceptance of demand, savings and time deposits or any other deposits.
4. Management of pension funds or schemes.
5. Foreign exchange, commodity and equity trading.
6. All forms of trading in derivatives and swaps, etc.

Licensing Procedure and Requirements

The application for licence is made by the promoters of the CGC and addressed to the Governor of CBN. The application for licence shall be processed in two stages namely: Approval-in Principle and final licence.

Requirements for Approval-in-Principle

The requirements for obtaining Approval-in-Principle for CGC include:

1. Apply to the Governor of the CBN in writing together with the following:
2. A non-refundable application fee of N100,000.
3. Evidence of the deposit of the specified minimum capital requirement of N10,000,000,000 into a CBN designated account.
4. Evidence of capital contribution made by each shareholder.
5. Evidence of name reservation with Corporate Affairs Commission.
6. Detailed business plan or feasibility report.
7. Draft copy of the Memorandum and Articles of Association of the company.
8. Shareholders agreement.
9. Detailed manuals and policies.
10. Upon receipt of the application and satisfactory documentation, the CBN shall verify the capital contributions of the promoters of the CGC.
11. Where CBN is satisfied with capital contribution of the promoters, it shall issue Approval-in-Principle to the promoters of the CGC.
12. The CBN shall communicate its decision to the promoters within 90 days of the receipt of the application.
13. The proposed CGC shall not register or incorporate its name with Corporate Affairs Commission until an Approval-in-Principle has been obtained from the CBN.

Requirements for Final Licence

Not later than six months after obtaining the Approval-in-Principle from CBN, the promoters of a proposed CGC shall submit an application for the grant of final licence. The application shall be accompanied with the following:

1. Non-refundable licensing fee of N1,000,000 (One Million Naira)
2. Certified True Copy (CTC) of certificate of incorporation of the CGC.
3. CTC of the Memorandum and Articles of Association.
4. CTC of CAC form 1.1.
5. Evidence of payment of stamp duties.
6. Internal control policy.
7. Business continuity plan, etc.

However, before the final licence is granted, CBN shall inspect the premises and facilities of the proposed CGC.

Corporate Governance Structure for CGCs

The board is to be responsible for the affairs of the CGC and its performance. The board shall be made up of both executive and non-executive directors whose number is to be more than executive directors’. The board is to be composed of 5 members minimum and 7 members at the maximum. It should be noted that the appointment of the members of the board is subject to CBN’s approval.

There shall be the positions of a Managing Director and Chief Executive Officer. The two positions are not to be merged but to be occupied by different individuals.

The board is to be appraised annually by an independent consultant on aspects of board’s structure, composition, responsibilities and performance.

Sources of Funds of CGCs

CGCs can access funds from any source approved by CBN. These sources include:

1. Paid-up share capital.
2. General reserves.
3. Long-term loans from international organisations and sponsors.
4. Funds from development partners.
5. Loans from governmental bodies.
6. Preference shares.
7. Bonds.
8. Grants and donations from sources approved by the CBN, etc.

Compliance, Sanctions, and Revocation of Licence

CGCs are required to comply with all laws, rules and regulations. One of the directives is for CGCs to be prudent and not to guarantee more than 75% of the credit provided to any MSME. Where the CGC fails to comply, it shall be met with administrative sanctions. The sanction could be suspension of its operation, monetary penalties, prohibition from declaring dividends, or revocation of licence, etc.

The licence of a CGC may also be revoked where it is insolvent, misuses the licence or ceases operation for a continuous or aggregated period of six months within 12 months.

Conclusion

The issuance of the Guidelines is aimed at facilitating MSMEs access to credit at low interest rate. This is a step in the right direction by CBN. It will ensure that credit loans are guaranteed by minimizing credit risks that banks and other financial institutions are reluctant to take up. It would potentially also lead to business and economic growth for Nigeria especially in the MSME sector.

In applying for approval in principle and license, CGCs are to be prudent by ensuring that all CBN’s requirement for CGC’s licensing are met.

Please note that the contents of this Article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com  or contact us.

The post Overview of the Central Bank of Nigeria Exposure Draft Guidelines for Credit Guarantee Companies in Nigeria first appeared on Goldsmiths Solicitors.

What are Mobile Money Services (MMS)?

Mobile Money Services (MMS) are Services through which mobile phones and other mobile devices are used to access financial services such as money transfers, purchase airtime, make payments online, etc.

Models for the Implementation of MMS in Nigeria

1. The Bank led model – consisting of a bank or a consortium of banks leveraging on the mobile payment system to deliver banking services.
2. The Non-bank led model – consisting of corporate organisations duly licensed by the CBN to provide mobile money services.

Those prohibited from providing Mobile Money Services in Nigeria.

The following are prohibited by the Guidelines from providing mobile money services in Nigeria. They include: Deposit Money Banks, National Primary Mortgage Banks, National Microfinance Banks, and Telecommunication Companies and/or their subsidiaries.

Participants in the Mobile Money System

The following are participants in the Mobile Money System. They include: They are the Regulators, the Mobile Money Operators, Infrastructure Providers, Mobile Network Operators, other Service Providers, Consumers and Mobile Money Agents.

The main regulatory bodies for Mobile Money Services and Systems in Nigeria?

The CBN and the Nigerian Communications Commission (NCC) are the main regulatory bodies for mobile money services in Nigeria. The CBN grants license to Mobile Money Operators (MMOs) and generally regulates financial services rendered. The NCC grants approvals and issues unique short codes to the MMOs.

Mobile Money Operators

Mobile Money Operators are CBN licensed entities such as banks, consortium of banks, or corporate entities that provide the infrastructure for the mobile payment systems for the use of participants that are signed-on to their scheme.

Rules guiding Mobile Money Operators

The Guidelines stipulates the rules which MMOs are to abide by while transacting their business. They include rules on licensing, permissible and non-permissible activities, transactions, activation, operation of mobile payment transfer, their settlement accounts, operation of saving wallet, etc. Some of these rules are:

1. MMOs are to be issued a unique scheme code by the Nigerian Inter-Bank Supplementary System (NIBSS) as a unique short code by the NCC;
2. They are to ensure that their telecommunication equipment are type-approved by the NCC;
3. They are to insure the total outstanding (unspent) balance which represents Mobile Money Subscribers’ unspent funds up to the applicable coverage level by the Nigeria Deposit Insurance Corporation (NDIC).
4. They are to engage in only permissible activities such as wallet creation and management, e-money issuance, non-bank acquiring, card acquiring, pool account management, agent recruitment, etc.
5. They are to ensure that registered users activate the service before the commencing transactions with a security code.
6. Transactions initiated and concluded within their mobile payment system is required to contain detailed information and have a unique transaction reference issued by the system.
7. They are to appoint and notify CBN of their settlement banks.
8. They are to settle all obligations arising from mobile payment transactions into settlement accounts held with Deposit Money Banks and they are to maintain separate accounts for their other business activities.
9. The settlement account will be a non-interest bearing account, will have no right of set-off and no form of bank charges.
10. They are to ensure compliance with rules for the operation of Bank, Card and Store Value Account Based mobile payment transaction.
11. They are to put in place detailed processes that cover the entire solution delivery, from user registration and management, agent recruitment and management, Consumer protection, dispute resolution procedures, Risk management processes, to transaction settlement.
12. If an MMO intends to provide a savings wallet service, it is to notify the CBN and obtain its approval
13. Scheme operators (MMOs that are Banks) are required to maintain a minimum shareholder funds of N2,000,000,000.00 (Two Billion Naira Only) unimpaired by losses at all times or such other amount as may be prescribed by the CBN from time to time
14. A risk management officer tasked with providing internal risk management oversight is to be assigned by the MMO
15. They are to have, well documented and tested business continuity plans (BPC) approved by the board, that address all aspects of the mobile money business, to take care of business disruptions and ensure system availability and recoverability.
16. They are to ensure that the Mobile Money infrastructure BCP is tested through a fail-over process, at least twice a year and that the fail-over is tested, at least quarterly, and enterprise wide BCP is tested on yearly basis
17. They are to ensure that a channel of communication is in place 24/7 to entertain enquiries and complaints in a language understood by customers.
18. Resolve customer complaints within a reasonable time and not later than 48 hours from the date of reporting or lodging the complaint with the MMO.

Non-permissible activities for MMOs

Mobile Money Operators are not permitted to carry out the following activities:

1. Grant any form of loans, advances and guarantees (directly or indirectly)
2. Accept foreign currency deposits;
3. Dealing in the foreign exchange market except when carrying out payments and remittances (including inbound cross-border personal remittances) services through various channels within Nigeria and, the sale of foreign currencies realized from inbound cross-border personal remittances to authorized foreign exchange dealers
4. Insurance underwriting;
5. Accept any closed scheme electronic value (e.g. airtime) as a form of deposit or payment;
6. Establish any subsidiary;
7. Undertake any other transaction which is not prescribed by these Guidelines

Dispute Resolution

The Guidelines provides that MMOs are to take the lead in resolving any dispute between it and its consumer. Any dispute that arises within institutions in the Mobile Money Scheme are to be resolved internally within 14 days and where it fails, it is to be resolved in accordance with the provisions of the Arbitration and Conciliation Act, 2004.

Reporting Obligations.

All licensed Mobile Money Operators have the following reporting obligations:

Weekly returns

MMOs are required to reconcile daily, the balances in their pool accounts and make weekly returns to the Director, Payments System Management Department of the CBN.

Monthly reports

• Not later than the 14^th of every month, MMOs are to submit data and information including the Nature, value and volume of transactions, Nature and number of customer complaints and remedial measures taken, and incidents of fraud to the CBN.
• Non-bank MMOs are to submit monthly assessment report on the performance in prescribed format, and the submission of same to the Director, Payments System Management Department of the CBN.

Annual reports

• MMOs are to make available to the CBN their audited annual returns within the first three months after the year end or 31st of March.
• A copy of the External Auditor’s Report of the MMOs reviewing the Business Continuity Plan is to be forwarded to the CBN latest March 31st of the following year.

Record keeping

• MMOs are to keep record of transactions emanating from the organization’s Mobile Money System for at least, seven (7) years.
• MMOs are to maintain audit trails and settlement logs for at least, seven (7) years.
• MMOs are to maintain a log online containing the electronic summary of transaction and the electronic receipt for at least, three (3) months and it is to be archived subsequently for at least, seven (7) years.
• Scheme operators are to ensure that all settlement information details are preserved for reference for at least, seven (7) years.

Sanctions

Some of the sanctions for the failure/refusal to comply with provisions of the Guidelines are:

1. Withholding Corporate approvals
2. Financial penalties
3. Suspension from mobile money operation
4. Revocation of the mobile money operation license.

Cessation of Mobile Money Operator

MMOs wishing to exit from the mobile payments system are to notify the CBN in writing regarding the intention for the discontinuation, 120 days before ceasing its operations.

Conclusion.

The Guidelines provide the minimum standards required of MMOs to ensure secure mobile money transactions and ensure fair and healthy competition in the Nigerian financial sector.

These Guidelines are very far reaching and have severe sanctions for non-compliance. MMOs should therefore ensure compliance with the provisions of the Guidelines and Framework.

Please note that the contents of this Article are for general guidance on the Subject Matter. It is NOT legal advice.

For further information or to see our other service offerings, please visit www.goldsmithsllp.com or contact:

The post The New Central Bank of Nigeria Regulatory Framework and Guidelines for Mobile Money Services in Nigeria first appeared on Goldsmiths Solicitors.

There is no doubt that FinTech operations in Nigeria have continued to gain enormous grounds.  In order to keep up with the pace of developments in that space, regulators such as SEC have continued to update their rules and regulations in order to effectively regulate the FinTech space without compromising market integrity and investor confidence.

The RI programme is to be launched in the third quarter of 2021 and will only admit identified FinTech business models for a one-year period.

What is the Regulatory Incubator?

There has been growing concern among FinTech operators in Nigeria regarding new FinTech business models whose kinds of operations, though may have semblance of business to be regulated by SEC are not specifically designated to be regulated by SEC. As a result, this SEC Regulatory Incubation will allow these FinTech companies operate under some prescribed basic but limited provisions for a specified period.

This practice will enable SEC to have a first-hand supervision of these new models of providing Capital Market services before it becomes fully established either by proposing amendment to existing Rules or by making new ones.

These requirements apply to Fintech seeking registration and whose function or operations have been reviewed and deemed requiring an amendment to existing Rules or the creation of completely new ones.

Who will qualify for Admission into the RI Programme?

The programme applies to all FinTech businesses who consider that there is no specific regulation governing their business models or who require clarity on the appropriate regulatory regime that would apply to their businesses.

It also applies to all new business models and processes that require regulatory authorisation from SEC to continue carrying out full or ancillary technology-driven Capital Market activities. For instance, this will be a good opportunity for any digital asset exchanger.

There are certain pre-qualification requirements which applicants must meet to qualify for admission. These pre-qualification requirements include:

1. Applicant shall be using innovative technology to offer a new type of product or service, or applying innovative FinTech to an existing product or service;
2. Applicant shall be ready to take-off with live customers and operate within the purview of the SEC Regulatory Framework;
3. The product or service shall be one that addresses a problem (compliance or supervision) or brings potential benefits to consumers or industry; and
4. Applicant shall complete the FinTech Assessment Form and discuss the proposal with the Commission at an early stage.

Participation will involve two stages. The Initial Assessment Phase and the Regulatory Incubation Phase.

The above category of FinTech business can participate by submitting the relevant assessment forms provided by SEC for SEC’s assessment.

Depending on SEC’s assessment of each form together with meeting every other pre-qualification requirement, SEC will communicate with the FinTech companies selected for the programme ahead of each take-off-date.

Regulatory Incubation Operations Requirement

There are guidelines provided for certain operation requirements which must be met by the FinTech operator for regulatory incubation operations. These include that the FinTech operator shall:

1. have an office in Nigeria;
2. undertake to comply with AML/CFT requirements;
3. be deemed fit and possess relevant skills in financial services and/or technology; and
4. undertake to provide full disclosure to the Commission on the business through an incubation implementation plan etc.

Restrictions and Conditions

Please note that there are conditions attached for participating in the RI. All participating FinTech operators must among other conditions and restrictions comply with the following

1. must not conduct any other investment business except as presented to the Commission;
2. shall be under regulatory incubation only for a maximum period of one-year after which they shall apply for registration if found eligible or discontinue the activity.
3. shall have the capacity to on-board a maximum of 100 clients who shall be fully informed of the service or product prior to onboarding. Subject to the Commission’s appraisal and approval, the firm may on-board additional clients if the need arises. Firms that are already in operation shall maintain their existing clients and cease on-boarding new ones.

A FinTech operator participating in the RI can be terminated upon failure to abide by any of the above conditions and restrictions in addition to any other grounds which SEC deems fit.

As has been mentioned above, an interested FinTech operator shall first and foremost prepare and file an assessment form with SEC together with an application form and a processing fee of ₦200,000.00.

CONCLUSION

The introduction of this RI presents a good opportunity for FinTech operators who need clarity on whether or not SEC can regulate their innovative business model. This helps in answering their questions of whether they would be required to obtain any relevant licences from SEC in order to comply with regulatory requirements.

FinTech operators who fall under this category will first and foremost be pre-qualified before they are admitted for the RI. These FinTech operators are advised to fill SEC’s assessment forms together with an application fee and forms and submit to SEC for their initial assessment.

Please note that the content of this Article is for general guidance on the Subject Matter. It is NOT and is not to be taken as giving legal advice.

The post All you need to know about Nigerian Securities and Exchange Commission’s Regulatory Incubation Guidelines first appeared on Goldsmiths Solicitors.

This publication no doubt reinforces Goldsmiths Solicitors as a leading law firm in the Nigerian FinTech space.

Key Contributor:

The post Goldsmiths Solicitors FinTech Webinar – Regulatory Conversations first appeared on Goldsmiths Solicitors.