OoTheNigerian

sometimes, I make a lot of sense.

Nigeria’s BVN Policy and ONE Matter Arising

30 June 2015 by Oo Nwoye

Nigeria’s Central Bank instituted a policy that requires a SINGLE identifier (BVN – Bank Verification Number) for every banking customer in the Nigerian banking system. Today is the deadline for participation and after which, you will not be able to access your money without it.

On the surface, this is a GREAT idea and not different from the SSN (Social Security Number) system used in the US banking system. If you ask anyone the reason for this, they will list out the upsides to having a biometrically verified identity especially in the banking system.
They may also tell you that it helps in:

  • Prevention of fraud (using different identities to open accounts) which will help with
  • Ensuring a valid credit monitoring system (if you are banned from a bank for defaulting, another bank should have that information)
  • Ensuring tax compliance.

However I am VERY uncomfortable with it and that has to do with data protection in Nigeria or should I say a lack of it?

The strength of a chain is determined by its weakest link.

The system that makes it easy for FIRS to monitor all the accounts you have access to, also makes it easy for unscrupulous people to have the same access. My issue is, what systems are in place that prevents the unscrupulous access.

Let me try to illustrate

Before and After BVN

Before and After BVN


In the example above we have our Magnate, Tolu with 6 accounts in the Nigerian banking system. We all know him as Tolu Ogunlesi and as the Founder of AyeDee Limited. Maybe some have seen his passport and know his other name to be Chukwuma (it is)

Here are the ‘right’ use cases of the BVN as being sold to us

If Tolu Ogunlesi is found to be a member of any type of cabal and all his assets are to be seized, presently his ₦ 2 Million in GTB, ₦19k in Access and his $700 in Union Bank would be at risk. However, as we can see from his accounts opened with aliases, the man will still be balling.

or

When Tolu an Instagram Celebrity and Private jet hopper declares Personal Income Tax on the amounts in the previous paragraph, “nothing can happen” since the FIRS would not be aware of any other source of income. They have no idea who Chuks Ogunlesi is after all.

With the BVN system, all the accounts he is a signatory to are tied to a SINGLE identifier 234666419 . With a single query, the list of all his bank accounts would be pulled up. So there is no way to hide if the good guys come for the bad guy Tolu.

However, risk is not about when things go right. HOW about when they go wrong?

If some guys decide that “this Tolu sef too dey do sef” or wonder “what is this Tolu feeling like sef because he has over 100k Twitter followers” (Any thing can trigger anger over here) and decide to kpake him then wonder what his ransom should be, there will be no need for an ATM card to know how much he has. All they need to so is collect his BVN find out his worth and ask for the 50% of all his monies as their share.

Ransoms can be more scientific/formularized. “Make we collect only 50% of what that guy owns”

In theory, this should not happen but we all are aware that there is ZERO security on biometric data collected in Nigeria. Do I need to remind you how easy it is to access the SIM registration database? or how available our voter registration database is?

Think for a minute, did you see any form of security when you went to register for your BVN? Now when the database is synced, the adhoc 50k/month staff at GTBank Oshogbo has access to it. Likewise the chap in the Aguleri , Nguru, Otoueke or gasp BENIN!! branch.

I really do not have power to fight this BVN system however, if there is anyone out there who can, I’d like you to find out the following.

  1. Is there ANY system/person that can determine all your bank accounts with the BVN?
  2. Who has access to that system and what is the procedure to having that access?
  3. Has there been an external audit (preferably international) of the system as a whole to assess the security risks of the BVN system?

Right now, I no too hold so I am not really worried or affected. But one needs to prepare for one’s future :D.

BTW, I looked around and could not see any Data Protection Law for Nigeria although I came across a bill trying to establish the Data protection Office.

Thanks Boro for helping reduce the typos in this post.

Have You Read These?

I am a founder of Fonebase Labs, a Nigerian technology company. Our products are Fonenode - a telephony API, Callbase , a virtual contact center and WriteRack the best way to tweetstorm. Feel free to holla at me (ositanwoye@gmail) if need be.

10 comments | Categories: Commentary, Nigeria | Tags: , , ,

  • Ikechukwu Owoh

    Very bothersome points you raised here!

  • DataX

    Dude I must commend your writing and analysis. Good job

    • Thanks!

      • Enigma

        well said. But you should consider taking this further and put some more research into it. Perhaps something more can arise from this. We can’t continue this siddon look approach. You have the tools, use them!

        • Well said.

          But to be honest, I do not have the resources (time mostly) to pursue this to a logical end. Maybe I’ll think about writing a letter to CBN and that will be about it.

          @gbengasesan is one that has a lot of experience tacking such issues as this and I want to believe he is on it.

          Oo

          Co founder, Fonebase Labs
          http://fonebaselabs.com
          Callbase | Fonenode | WriteRack

  • segebee

    Poor article based on speculation and no research

    • Segun,

      I am assuming you have done a lot of research. So please educate me and others who may come across this article.

  • Adeoluwa Cole

    I believe this leans more towards an expository post. It is by no means a conclusive post. Rather, what it does is highlights the perceived risks associated with BVN with the hope that these can be addressed.

    Good write up Oo.

    @Segebee, in a rather ironic twist wouldn’t you say your conclusion was a bit rash?

    • Yup!

      My main goal for this post was to start a conversation. My banker friends called me and they saw my point after a long conversation. We need to understand that the people that play underhand would not be using this system “the right way”

      The idea of the BVN or more accurately a reliable identity system is not an issue at all. However, data protection is a MASSIVE issue and I hope the discourse is taken further.

  • ayo Dawodu ♛

    dead on arrival