Nigeria’s Central Bank instituted a policy that requires a SINGLE identifier (BVN – Bank Verification Number) for every banking customer in the Nigerian banking system. Today is the deadline for participation and after which, you will not be able to access your money without it.
On the surface, this is a GREAT idea and not different from the SSN (Social Security Number) system used in the US banking system. If you ask anyone the reason for this, they will list out the upsides to having a biometrically verified identity especially in the banking system.
They may also tell you that it helps in:
- Prevention of fraud (using different identities to open accounts) which will help with
- Ensuring a valid credit monitoring system (if you are banned from a bank for defaulting, another bank should have that information)
- Ensuring tax compliance.
However I am VERY uncomfortable with it and that has to do with data protection in Nigeria or should I say a lack of it?
The strength of a chain is determined by its weakest link.
The system that makes it easy for FIRS to monitor all the accounts you have access to, also makes it easy for unscrupulous people to have the same access. My issue is, what systems are in place that prevents the unscrupulous access.
Let me try to illustrate
In the example above we have our Magnate, Tolu with 6 accounts in the Nigerian banking system. We all know him as Tolu Ogunlesi and as the Founder of AyeDee Limited. Maybe some have seen his passport and know his other name to be Chukwuma (it is)
Here are the ‘right’ use cases of the BVN as being sold to us
If Tolu Ogunlesi is found to be a member of any type of cabal and all his assets are to be seized, presently his ₦ 2 Million in GTB, ₦19k in Access and his $700 in Union Bank would be at risk. However, as we can see from his accounts opened with aliases, the man will still be balling.
When Tolu an Instagram Celebrity and Private jet hopper declares Personal Income Tax on the amounts in the previous paragraph, “nothing can happen” since the FIRS would not be aware of any other source of income. They have no idea who Chuks Ogunlesi is after all.
With the BVN system, all the accounts he is a signatory to are tied to a SINGLE identifier 234666419 . With a single query, the list of all his bank accounts would be pulled up. So there is no way to hide if the good guys come for the bad guy Tolu.
However, risk is not about when things go right. HOW about when they go wrong?
If some guys decide that “this Tolu sef too dey do sef” or wonder “what is this Tolu feeling like sef because he has over 100k Twitter followers” (Any thing can trigger anger over here) and decide to kpake him then wonder what his ransom should be, there will be no need for an ATM card to know how much he has. All they need to so is collect his BVN find out his worth and ask for the 50% of all his monies as their share.
Ransoms can be more scientific/formularized. “Make we collect only 50% of what that guy owns”
In theory, this should not happen but we all are aware that there is ZERO security on biometric data collected in Nigeria. Do I need to remind you how easy it is to access the SIM registration database? or how available our voter registration database is?
Think for a minute, did you see any form of security when you went to register for your BVN? Now when the database is synced, the adhoc 50k/month staff at GTBank Oshogbo has access to it. Likewise the chap in the Aguleri , Nguru, Otoueke or gasp BENIN!! branch.
I really do not have power to fight this BVN system however, if there is anyone out there who can, I’d like you to find out the following.
- Is there ANY system/person that can determine all your bank accounts with the BVN?
- Who has access to that system and what is the procedure to having that access?
- Has there been an external audit (preferably international) of the system as a whole to assess the security risks of the BVN system?
Right now, I no too hold so I am not really worried or affected. But one needs to prepare for one’s future :D.
Thanks Boro for helping reduce the typos in this post.