Payment technology from a regulatory and compliance perspective: Experience from Nigeria

Shuru M. Kabiru

  • DM of Payment System Compliance
  • The Central Bank of Nigeria
Twitter Facebook-f Youtube Linkedin-in

The mobile payment industry in Nigeria is expected to record a CAGR of 25.6% to reach US$ 73,871.9 million by 2025. Understanding the regulatory demands in an ever-growing sector will be key, Mohammed Kabiru shares his expertise and insight with Digital Banker Africa.

The regulation of the payments system and its participants generally involves four (4) functions
by the regulator:

  • Development of regulations
  • Issuance of licences
  • Oversight of the payments system; and
  • Consumer protection

Regulations define the rules and standards that govern the various payments system operations, including granting powers to the regulator to licence companies. The licence grants legitimacy to a company to play in the payments system space in a jurisdiction. Routine oversight of the payments system by the regulator ensures that participants play by the rules and consumers are protected against the failures of these licensed companies.

There have been a lot of promotions for fintech and disruption as the panacea for financial exclusion and liberation of the consumer from the shackles of conventional banking, but little is highlighted about the enormity of the burden that comes with such disruption, particularly from the perspective of regulation and compliance. Without regulation and compliance, the so-called disruption could do more harm than good to the banking and payments industry.

While global standards and best practices have since been achieved for the banking industry, with the Basel Committee for Banking Supervision, issuing Guidelines and Standards, such has not been for financial technology operations, leaving a lot of room for arbitrage and systemic risks.

Let us look at 7 crucial areas of concern to the regulator on fintech operations.

Fintech is still a Buzzword

Let us start with the term Fintech. The term is still a buzzword that is yet to have a meaning that is generally accepted and uniformly understood across jurisdictions. Fintechs scope of operations and measures vary among companies. I have seen the implication of this in developing standards and licensing requirements in Nigeria. It is common to find 2 or more payment technology companies holding similar licences but providing different payment
services. It is easy to group them as payments system service providers (PSPs), but it is crucial for policy and licensing to be clear about common expectations among holders of the same licences, to hold them to an equal standard.

Technological delimitation of fintech makes them defy regulatory boundaries

As regulators, our greater interest is to ensure a safe, stable, sustainable, and reliable payment system that does not hurt financial system stability. One way of ensuring this is by setting boundaries for operations under a particular licence. But because the technology systems being used by fintech are often omnibus and scalable. it is easy to find a company licensed to provide gateway service, for example, doing card processing, acquiring, switching, issuing, or wallets not approved for it. In the interest of a safe and sustainable payment system, the regulator is concerned that a company, which had been prequalified to offer a specified payment service would end up providing other critical services for which the regulator had not assessed its capability to do.

What amount of capital is adequate for fintech operations

Fintech business is highly risky. An ultimate concern to the regulator is the potential loss of customer’s funds and confidential data due to corporate failures or data breaches. Deposit liabilities need to be matched with capital adequacy so that the business has sufficient funds to withstand a financial crisis. Payment companies also provide third-party services to banks based on service level agreements with liability claims for losses that may arise due to system failures. These liabilities are sometimes huge enough to sink a fintech that does not have adequate capital if such risk crystallises.

The absence of deposit insurance on fintech customers’ funds is a key concern

Bank deposits are insured by the deposit insurance authority of the government. This relieves the regulator of concerns around the fate of depositor funds when a bank goes bankrupt. In some jurisdictions, fintechs tend to also roll out products that require them to take deposits from customers in one form or the other, except that these deposits are not captured under the regulatory deposit insurance scheme. Hence, customers risk losing their life-savings if a fintech goes bankrupt. The wider economic implication of such an adverse event is usually catastrophic. In Nigeria, the Nigeria Deposit Insurance Corporation (NDIC) has a pass-through deposit insurance coverage for deposits being held by mobile money operators (MMOs) only.

Absence of international standards for fintech regulation

Unlike banks that have the Basel Accords, which provide a series of prudential guidance, fintech is not so guided. The Principles for Financial Market Infrastructures (PFMI) does not help, as it is focused on the wholesale aspect of the payments system, whereas the fintech operations focus on retail payments. An important aspect that I have concern about is the treatment of deposit liability in the balance sheet. In Nigeria, MMOs are not required by regulation to recognise depositor funds in their balance sheet as a component of current liabilities, which is required of banks.

Legal versus Regulatory Framework for the operations of fintech

Banking regulations are issued on the bedrock of banking laws, which grants power and strength to the application of the regulations made by appropriate authorities. Enabling laws, necessary to lay down the legal frameworks for fintech operations have not been enacted in many countries. This has left room for arguing the legality of fintech operations and the powers of the regulator to approve such or not, in certain situations.

Its harder to fight Money Laundering and counter the Financing of Terrorism

The KYC requirements for fintech customer's sign-up are minimal, compared to banks. Wallet deposits are normally held in a pool account domiciled in a bank. A single pool account holds funds belonging to thousands of wallet holders, which makes it challenging for the bank to screen the funds against money laundering. The bank will not be able to trace deposited funds to an individual and determine its source, leaving an exploit for money laundering.

My take

The fintech phenomenon is a game-changer and a veritable tool for financial inclusion, poverty alleviation, and economic development. However, global implementation and adoption currently vary and therefore leave a lack of international best practices for guidance and regulation. Financial regulators have had to play catch-up to understand the system and determine what fair-play rules should be developed and applied. Where operation precedes regulation, the regulator tends to have problems dealing with unprecedented issues that do arise.

It is high time that global stakeholders in general, and regulators in particular, formed an international working group on this fintech phenomenon and issue a white paper on what could be considered best practices with the view to:
● protecting customers funds
● mitigating systemic risks; and
● appropriating a definition for the term

In essence, fintech operations need to be categorised according to the specific payment services they intend to offer. Such services should be captured from incorporation into the objects of the company.

Operation licences should be granted based on the company’s incorporation documents, which specify its registered business activities. This marks the first stage of legitimacy to operate as a payment company. Payments services should be categorised, and licensed to companies according to their lines of service. This is important for developing regulations according to operations and will help to keep oversight and compliance functions of the regulator within scope per company.  It also makes it easier for the regulator to determine and set the appropriate capital that should be required of a payment company based on its category of operation. This is the current licensing regime for Nigeria.

In this regard, the financial statements of a fintech need to factor-in and recognise banking elements such as deposit liabilities and cash reserves in arriving at the true and fair view of their financial position as at the reporting date. A Special audit must be conducted on the pool account balances and reconciled with the e-float balance to verify the existence of the depositor’s funds at all times.

A framework for deposit insurance needs to be developed and required of licensed deposit-taking fintech. Although MMO wallets do have coverage in Nigeria under the NDIC pass-through deposit insurance policy, there are payment companies other than MMOs that offer certain services involving deposit-taking, which are not so covered. This is risky and dangerous for the customers.

It is time to put the focus of AML/CFT on fintech as done to banks across the globe. International remittances are fast-moving through fintech systems, making money laundering easier, faster, and more anonymous. Fintechs can move funds across borders, using technology without an appropriate licence from the regulator. It is common to see a remittance company operate in a jurisdiction without being present as a locally registered company. In such cases, local regulators become handicapped in ensuring that such a company plays by the rules.

Appreciating payment technology from a regulatory and compliance perspective has best been demonstrated recently with the events of the Wirecard demise (see:here), which was largely blamed on accounting and regulatory laxity on the parts of EY and the German Federal Financial Supervisory Authority (BaFin), respectively.

Related: