Use the Lexology Getting The Deal Through tool to compare the answers in this article with those from other jurisdictions.
How would you describe the regulatory policy for fintech products and services in your jurisdiction?
Nigerian regulators have adopted a pro-innovative stance. With the establishment of the Fintech Association of Nigeria, the various circulars and guidelines issued by the Central Bank of Nigeria (CBN), and other regulators, the fintech market in Nigeria continues to grow at a rapid pace.
Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?
There are no fintech-specific laws in Nigeria. However, several regulations and enactments of regulatory laws that could affect the fintech market are envisaged. The guidelines and regulations that have already been issued by the CBN include:
- the CBN Guidelines on Mobile Money Services in Nigeria 2015;
- the CBN Guidelines on Operations of Electronic Payment Channels in Nigeria 2016;
- the CBN Regulation for Bill Payments in Nigeria 2018;
- the CBN Regulatory Framework for the Use of Unstructured Supplementary Service Data (USSD) for Financial Services in Nigeria 2018;
- the CBN Guidelines on International Mobile Money Remittance Service in Nigeria 2015;
- the CBN Regulation for Direct Debit Scheme in Nigeria 2018;
- the CBN Guidelines on International Money Transfer Services in Nigeria 2014; and
- the CBN draft Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers 2018, which is to provide a framework for managing cybersecurity.
These regulations seek to promote and ensure an effective and sound financial system for the settlement of transactions, including the development of electronic payment systems in Nigeria. These regulations also leverage technology to promote financial inclusion and enhance access to financial services among low-income earners and those that are financially excluded from society.
The apex financial regulatory bodies – the CBN and the Securities Exchange Commission (SEC) – have taken steps to include fintech in the existing laws. New laws which are specifically tailored to the development of fintech are also in the process of being enacted. These new laws include:
- the Companies and Allied Matters Bill;
- the Proposed Regulatory Framework for Crowdfunding Activities by the SEC;
- the Proposed Electronic Transactions Bill; and
- the Payment Systems Management Bill.
These bills seek to promote e-commerce in Nigeria and consolidate the regulation of electronic payments.
Which government authorities regulate the provision of fintech products and services?
Depending on the services provided by the fintech company, the following authorities regulate the activities:
- the CBN;
- the SEC;
- the Nigerian Stock Exchange;
- the Corporate Affairs Commission; and
- the Nigerian Communications Commission (NCC).
Financial regulatory framework
Which laws and regulations governing the provision of financial services apply to fintech businesses?
Nigerian financial services legislation applies to most fintech products and service providers, although there are no laws specifically tailored to the fintech sector. This legislation includes:
- the Bank and Other Financial Institution Act 2004;
- circulars and guidelines issued by the CBN;
- the Foreign Exchange (Monitoring and Miscellaneous) Provision Act;
- the Investment and Securities Act;
- the SEC Rules 2013; and
- the Cybercrimes Act 2015.
These laws and regulations provide regulatory and supervisory requirements and spell out the permissible and prohibited activities of financial institutions in order to promote efficient and sustainable financial services in Nigeria.
Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?
There are no specific fintech licensing requirements in Nigeria. However, under the Nigerian framework, fintech companies may be licensed only if they provide fintech-based products or services similar to a regulated financial product or service. For example, in the financial sector, a banking licence must be obtained from the CBN before a fintech company can engage in lending operations.
Under the Guidelines for the Operation of International Money Transfer Services in Nigeria 2014, the CBN sets out a detailed legal framework requiring, among other things, international money transfer operators to obtain licences from the CBN before engaging in money transfer services or otherwise be sanctioned. Under the CBN Guidelines on International Mobile Money Remittance Service in Nigeria 2015, foreign international money transfer operators that wish to operate in Nigeria must apply to the CBN for a licence and show evidence of possession of a licence in their home country. In addition to the CBN guidelines, payment services involving mobile telephone infrastructure are regulated under the NCC Licence Framework for Value-Added Service. Under this framework, mobile payment service providers must obtain a five-year renewable licence from the NCC.
Additionally, the general provisions of the law in relation to the registration and incorporation of businesses and companies must be complied with if the business intends to take full advantage of the law in Nigeria. Where a foreign entity intends to supply fintech products in Nigeria, it must comply with certain requirements in addition to incorporating a company, such as obtaining a business permit and expatriate quota from the Ministry of Interior. Technology transfer agreements between foreign companies and fintech entities in Nigeria must be registered with the National Office for Technology Acquisition and Promotion.
The CBN has also proposed a bill that would provide a licensing framework to guide the operation of payment providers and fintech companies.
Are any fintech products or services prohibited in your jurisdiction?
Certain fintech products and services are prohibited in Nigeria. As stated previously, the CBN – via its 12 January 2017 Circular to Bank and Other Financial Institutions on Virtual Currency Operations in Nigeria – issued a warning to all financial institutions to desist from transacting in virtual currency as this is not recognised as legal tender in Nigeria. Under the circular, the CBN prohibits the holding of, and entry into transactions in cryptocurrencies by licensed banks and other financial institutions. However, while banking operations in virtual currencies are discouraged, transactions in virtual currencies are not prohibited in Nigeria.
As regards crowdfunding, in August 2016 the SEC issued a statement banning crowdfunding activities until specific and comprehensive regulations on the subject have been established.
Data protection and cybersecurity
What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
The Nigeria Data Protection Regulation 2019 – which is the only specific data protection regulation in Nigeria – issued by the Nigerian Information Technology Development Agency provides that all personal data notwithstanding the means through which the data was obtained can be processed only where the data subject gives their consent directly or indirectly or where it relates to a task carried out in the interest of the public.
The CBN Consumer Protection Framework 2016 made pursuant to the CBN Act 2007 imposes a burden on financial institutions to maintain the confidentiality and privacy of all financial services customers. Companies must ensure that the appropriate data protection measures and employee training programmes are in place to prevent unauthorised access to or alteration, disclosure, accidental loss or destruction of customer data. Service providers must also obtain written consent from consumers before their data is shared with third parties or used for promotional offers.
Data processing is also regulated by the NCC Consumer Code of Practice Regulations 2007, which provide that all licensees must take reasonable steps to protect consumer information against “improper or accidental disclosure” and ensure that such information is securely stored. The CBN Regulatory Framework for the Use of USSD for Financial Services in Nigeria, which came into force in June 2018, also imposes security and customer data protection requirements, including data encryption.
Section 9 of the Credit Reporting Act 2017 requires credit bureaus to ensure the rights of data subjects to privacy, confidentiality and protection of their credit information and prescribes the preconditions under which data subjects’ credit may be disclosed.
What cybersecurity regulations or standards apply to fintech businesses?
Currently, there are no cybersecurity laws that specifically apply to or provide a framework for dealing with fintech businesses. However, the existing framework includes the following standards, which may apply from a cybersecurity perspective:
- The Cybercrime (Prohibition Prevention) Act 2015 requires a financial institution to:
- verify the identity of customers carrying out electronic financial transactions;
- observe adequate know-your-customer procedures;
- ensure that it obtains proper authorisation before debiting accounts; and
- keep all traffic data and subscriber information as may be required by the NCC.
The act also prohibits the interception of electronic messages, e-mails and electronic money transfers, computer-related forgery and fraud, unauthorised modifications of computer systems, network data and system interference, and the manipulation of automated teller machines and point of sale terminals.
- The NCC Consumer Code of Practice Regulations 2007 provide that all licensees must take reasonable steps to protect consumer information against “improper or accidental disclosure” and ensure that such information is securely stored.
- The Terrorism (Prevention) (Amendment) Act 2013 provides that where any person solicits or renders support to any association for the commission of a terrorist activity, including through the Internet or electronic means, such a person will be liable to a minimum of 20 years’ imprisonment.
- The Advance Fee Fraud and Other Fraud-Related Offences Act 2006 provides that a person who conducts a financial transaction which involves the movement of money by wire or the use of a financial institution engaged in activities which affect commerce with the intent to promote a specified unlawful activity has committed a crime and will be liable to a fine and imprisonment.
What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?
There is no specific financial crime law governing the provision of fintech products and services. However, some financial crime laws or regulations may apply to specific fintech services depending on the sector to which they relate.
The CBN Anti-money Laundering and Combatting the Financing of Terrorism in Banks and Other Financial Institutions in Nigeria Regulations 2013 require all financial institutions to adopt a policy on anti-money laundering and to combat the financing of terrorism. Fintech companies fall under this category. They must also have policies and procedures to address any risks for customers in relation to anti-money laundering and the financing of terrorism. In addition, the following financial crime laws apply to fintech companies:
- the Money Laundering (Prohibition) Act 2011 (as amended);
- the Economic and Financial Crimes Commission (Establishment) Act Cap E1, LFN 2004;
- the Terrorism (Prevention) Act 10/2011;
- the Corrupt Practices and Other Related Offences Act Cap C31 LFN 2004; and
- the Federal Competition and Consumer Protection Act 2019.
What precautions should fintech businesses take to ensure compliance with these provisions?
Fintech businesses are encouraged to discuss their proposals with legal counsel in Nigeria who are experts in the related field for a full understanding of the applicable requirements and the appropriate measures to be taken in order to ensure compliance. Nigerian authorities follow a strict approach when it comes to the enforcement of anti-money laundering and financial crimes provisions.
What consumer protection laws and regulations apply to the provision of fintech products and services?
Several consumer protection laws and regulations are applicable to the fintech industry in Nigeria, including:
- the Treaty on the UN Guidelines on Consumer Protection, which has been domesticated by the Nigerian government;
- the Federal Competition and Consumer Protection (FCCP) Act 2019, which established the FCCP Commission and charged it with the responsibility of protecting consumers by taking both preventive and remedial measures with regard to consumer products and services;
- the CBN Consumer Protection Framework 2016, which applies to various types of financial institution under the regulatory purview of the CBN, including fintech entities;
- the NCC Act 2003, which applies to the provision and use of all communications services and networks, in whole or in part, in Nigeria or on ships or aircrafts registered in Nigeria;
- the NCC Consumer Code of Practice Regulation 2007, which provides a minimum standard by which all licensees in the telecoms industry must abide in the provision of services; and
- the Release of Consumer Protection Framework for Banks and Other Financial Institutions issued by the CBN.
These laws and regulations seek to protect consumers from the purchase and use of sub-standard products.
Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?
Fintech can be viewed as pro-competitive in the financial services market. The recently passed Federal Competition and Consumer Protection Act 2019 provides for the establishment of the FCCP Commission whose function includes the identification of anti-competitive products, anti-consumer protection and restrictive agreements and practices which may adversely affect the economy. The aim of the act is to encourage healthy competition among service providers.
One area which will apply to fintech companies is merger control. The FCCP must be notified when a fintech company acquires or merges with another. The SEC must also be notified if the fintech company is a public company.
Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?
The general provisions of the Companies and Allied Matters Act apply with respect to foreign fintech companies doing business in Nigeria. The following requirements, among others, will apply to a foreign company:
- the requirement to be incorporated in Nigeria (unless the company falls within a limited set of exceptions);
- the requirement to obtain certain permits from the Ministry of Interior before it can begin operations; and
- the requirement to obtain an electronic certificate of capital importation issued by an authorised dealer.
In terms of money transfer services, the CBN has released its Guidelines on International Mobile Money Remittance Service in Nigeria. These apply to foreign fintech entities providing such services in Nigeria. Foreign international money transfer operators that wish to operate in Nigeria must apply to the CBN for a licence and show evidence of possession of a licence in their home country.
There may also be tax and exchange control implications where fintech products and services are brought into Nigeria on a cross-border basis. Further, where there are technology transfer agreements between foreign companies and fintech companies in Nigeria, the companies must register with the CBN and the National Office for Technology Acquisition and Promotion.