In Section 6, sub-section a (iv), of the Central Bank of Nigeria (Customer Due Diligence) Regulations, 2023, Financial Institutions (FIs) have been mandated to identify their customers by obtaining the telephone number, e-mail address and social media handle of the customer for all potential and existing customers.
This requirement applies to both individuals and legal entities and seeks to promote an enhanced culture of customer identification.
These regulations, in Section 2, says ” — (a) complement the relevant provisions of the Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), Countering Proliferation Financing (CPF) Regulations on customer due diligence measures and additional customer due diligence measures for specific customers and activities; and (b) shall be read in conjunction with the CBN AML, CFT and CPF Regulations.”
Meanwhile, the CBN AML, CFT, and CPF regulations 2013 Regulations states that financial institutions must implement internal controls and other procedures to stop criminals from using its facility for money laundering and terrorism financing.
Hence, the ‘introduction’ of social media handles to identify customers.
So, in the CBN CDD Regulations 2023, financial institutions have been directed to conduct CDD on existing customers on the basis of materiality and risk and must continue this during the course of the relationship.
The penalties for the failure to undertake CDD measures on customers range from a minimum of ₦200,000 for DMBs/PSPs to as high as ₦10 million, and a minimum of ₦100,000 for other financial institutions.
In Section 7 of the CDD Regulations which focuses on customer identity verification, however, the CBN failed to describe how social media handles will be verified.
“FIs shall verify the identity of individuals by confirming the…contact details provided by the customer through positive feedback from a phone call, email or physical letter to the residential address…phone numbers, particularly for wallet providers, through independent process, including validation against the NCC database or geo-mapping.”
Then, in Section 15, the CBN notes that the application of the CDD measures may be standard, simplified or enhanced depending on the risks therein after a customer risk assessment.
This means that when a customer is certified low-risk because the transaction volume is low, the customer is exempted from an enhanced CDD measure, but “simplified CDD measures shall be forwarded to the CBN for approval before implementation by the FI.” And, the customer is not exempt from ongoing monitoring other CDD measures.
The document only mentions “social media” once like it was a control v moment even when a small percentage of the population is on social media, but what may have been the intention?
Social media handle submission as a KYC requirement is not new for financial institutions.
To reduce fraud, anti-money laundering, and other risks associated with bad actors, you can use this recipe to establish an automated process that confirms whether social media profiles exist that are linked to a new customer’s provided email address and phone number. This will help you minimise your fraud risk in a scalable way.
But, that is not what the CBN is saying and thankfully are already receiving the heat for it.
In an attempt to enhance customer verification, this regulation will force the hands of banks to demand that all account holders have social media accounts – even those in rural areas, and the elderly.
The regulation also usurps the powers of the Nigeria Data Protection Commission (NDPC), and Vincent Olatunji, the National Commissioner of Nigeria Data Protection Bureau (NDPB), has said this will be contested.
Speaking on Channels Television, Olatunji said “We have done a letter to the CBN about what they have done, because, in data protection and privacy issues, there are some basic principles to follow when you want to collect citizens’ data.
“One, there is what is called data minimisation. That is, you don’t collect data more than for the purpose for which you want to use it. There is a limit to the level of data you must collect.
“Two, purpose limitation: what purpose? Why do you actually need somebody’s data? In this case, it is for financial transactions. The issue of asking for their social media is not really necessary.”
Meanwhile, the Data Protection law recently signed by President Bola Tinubu stipulates in Section 25, that “a data controller [such as banks/financial institutions] or data processor shall ensure that personal data is collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”
You would be reminded of how the CBN used social media users’ information to locate their banks and freeze their accounts.
According to a Sun Newspaper report, finance experts and bank depositors have challenged the decision by the CBN to include the social media handles of customers on the list of mandatory Know-Your-Customer (KYC) requirements.
Dr Muda Yusuf,, the CEO of the Centre for the Promotion of Private Enterprise (CPPE), according to the report, says “The banks already have the National Identification Number (NIN), Biometric Verification Number (BVN) Utility bills and other basic information to identify and monitor customers with. If you want more information and surveillance on any customer, you have the Nigerian Financial Intelligence Unit (NFIU). You use intelligence to track crimes.
“What will you do with those in the informal sector? We have over 30-40 million people we are trying to bring into the financial net. Many of them have no social media handles. These are old and ageing traders and entrepreneurs.
“We need the regulator to do more rigorous thinking and not this approach in fighting terrorism and other crimes.”
Also, the Socio-Economic Rights and Accountability Project (SERAP) has urged Folashodun Shonubi, acting governor, CBN, to immediately delete the provisions in the CDD Regulations.
SERAP, in a letter signed by Kolawole Oluwadare, SERAP deputy director, also urged Shonubi to withdraw the circular number FPR/DIR/PUB/CIR/007/076 of June 20, 2023, “the mandatory requirement of social media handles or addresses of customers does not serve any legitimate aim. Such information may be used unjustifiably or arbitrarily to restrict the rights to freedom of expression and privacy.”
Again, just like during the EndSARS period.
Thankfully, the regulation was signed by the ousted governor, Godwin Emefiele, so possibly Shonubi sees a reason to edit social media out.