• Monday, December 23, 2024

BusinessDay

Technical loophole exposed in Nigeria’s largest consumer bank


Haruna Oseni (not real name), a 32-year-old programmer, was not expecting his friend’s suggestion to turn up anything when he attempted to open an account using his mother’s name. His friend had told him it works on OPay.

According to his friend, all Oseni needed to do was download the OPay app and sign up with a phone number. After the phone number was verified, he was to choose ‘verify account’, then the bank account option, and then the bank of the person whose account he wanted to use. He would then input the account number, and any random address, local government area, and state.

“Congratulations. You have an OPay account in your phone number but in another person’s name and account,” Oseni said, mimicking the voice of his unnamed friend. “That’s exactly what happened to me. I was able to open an account in my mother’s name using my phone number. I used another SIM to open an account in Shaffy Bello’s name. It was surreal because the numbers we used were not even registered; they were new SIMs.”


Oseni made some videos, which BusinessDay has decided not to publish because of the risk of exposing the sources. However, the videos confirm that males opened accounts in the name of a female and of a different male. The daily minimum account holders are permitted to transact is N50,000 and the weekly account holding is N300,000. This means the owner can collect up to N300,000 from a transaction.

On Thursday, BusinessDay sent the claims and the steps to OPay and requested a response. The company promised to respond as soon as possible. However, the response had yet to arrive at the time of publishing this story.

Experts say these actions amount to impersonating an account holder. They said it exposes a worrying trend in which people exploit loopholes in the implementation of Know Your Customer (KYC), adding that allowing people to sign up with any account puts other people at risk. However, fintech companies go ahead because they want to quickly onboard new customers. Some of them often come back later to request proper KYC and audit the customer base.

“Digital banks deal with lower transactions and make money from onboarding customers very quickly. You know, high transactions or high volume equals low transaction costs – the expense of KYC or address verification expense for Tier3 and also the delay of it makes it prohibitive and difficult for that to fit into their business model,” said Esigie Aguele, CEO of VerifyMe Nigeria.

“Because the government has not focused on regulation to establish proper compliance for things like addressing, and also close the gap between Tier1 and Tier3 accounts where a Tier1 account, you can just pretty much open it with any ID and that also creates loopholes,” Aguele said.

The usual practice is that the bank or financial institution is expected to match the Bank Verification Number (BVN) to the face being captured on the app before an account is opened.

In recent times, many Nigerians have narrated stories of how online criminals stole their identity to request money from their relatives and friends. Most of the requests are usually made on WhatsApp to friends and family of the person being impersonated.

Another source who has attempted the login said the implication is that if criminally minded individuals have trawled the internet and dark web for the account details of celebrities, they can go ahead and input the details and pass it off as theirs.

“So, they’ll have their phone number as the account number but in another person, say a celebrity’s name as the account holder’s name. What’s more, you can begin to make deposits and withdrawals immediately. Just like that. The impersonation is complete and your guess is as good as mine as to what could come next,” said the source who pleaded anonymity to speak freely.


The Central Bank of Nigeria (CBN) has recently implemented a pivotal amendment to Section 1.5.3 of the Regulatory Framework for BVN Operations and Watchlist for the Nigerian Banking Industry. “Effective immediately, the CBN mandates the linkage of either a Bank Verification Number or National Identification Number for all Tier 1 accounts and wallets belonging to individuals.”

On Friday, BusinessDay reported that the CBN was considering a corporate governance regulation targeted at fintech companies, to ensure the safety of their customers.

Experts believe that there is a responsibility on operators and stakeholders to collectively contribute towards a more secure and transparent financial ecosystem for all Nigerians. This fosters trust, mitigates risks, and paves the way for a thriving financial landscape.

Senior Analyst: Technology
