This article explores the concept of liability in digital financial services from a Nigerian law perspective and best practices for managing risk in this landscape.

Overview of liability in the Digital Financial Services industry
Liability in digital financial services refers to the legal responsibility that companies have to ensure that their services are secure and protected from fraud and other forms of financial crime. There are several aspects of liability in the digital financial services industry such as:

Cybersecurity: While one cannot deny that the Digital Financial Services industry has helped to drive the financial inclusion goal, the reality is that it has brought along novel consumer risks, one of which is the rapid increase in the rate of cybercrimes. These attacks, which occur in various ways such as phishing scams, malware, and ransomware attacks, have resulted in significant financial losses and reputational damage to companies. This has made cybersecurity a critical aspect of risk management in digital financial services, and companies are accordingly expected to protect their systems and customer data from cyber-attacks and data breaches.

Data Protection: This is another area that calls for concern, owing to the vulnerability in the digital financial services space. With several companies suffering negative Public Relations (PR) blowbacks due to unethical data processing, it is only reasonable that efforts are in top gear to safeguard customer data, ensure that it is used only for authorized purposes and that transactions involving personal data are conducted in a safe manner.

Fraud: Fraud is a significant risk for digital financial services companies and can occur in various forms including skimming, interception of cards, loan frauds, money laundering, and even cases where scammers demand customers’ security details via phone calls. Companies, therefore, have a responsibility to implement measures like transaction monitoring and Know Your Customer (KYC) checks, and also educate customers on risks associated with digital financial services and how to protect themselves.

Insider fraud: Customers have had reasons to believe that employees within the industry collude with fraudsters through a process known as wrong account mapping. The use of insider information to steal customer information, manipulate financial transactions, or misappropriate funds has been described as a major risk in the industry due to the attendant difficulty in detecting and even preventing such. This becomes prevalent in the absence of effective internal controls that are capable of fostering adequate access controls and exonerating companies from liability for losses occasioned by such to customers and third parties.

Compliance with regulatory guidelines and industry standards: Of a truth, not only are the regulations in the DFS space simply complicated, the regulatory bodies involved are far from powerless. Hence, operators in the space who are wary of failure must not ignore even the smallest compliance aspect of the business. Violations of relevant regulations such as the Payment Card Industry Data Security Standard (PCI DSS) can result in significant financial and reputational damage for companies.

Examination of the legal framework for liability in Digital Financial Services in Nigeria
In Nigeria, digital financial services are governed by a combination of laws, regulations, guidelines, and policies that define the legal responsibilities of individuals and entities involved in digital financial services in Nigeria and provide a framework for managing liability and mitigating risks associated with these services.

The Central Bank of Nigeria (CBN), for instance, has issued guidelines on risk management, also outlining the rights and responsibilities of consumers and service providers in the Nigerian financial sector, including liability for losses and damages incurred as a result of digital financial services. Examples include the CBN Consumer Protection Framework, the CBN Risk-Based Supervision Guidelines, the CBN Guidelines on Mobile Money Services in Nigeria, etc.

This is similar to the Nigerian Deposit Insurance Corporation (NDIC) Guidelines, which mandate banks and other financial institutions to have in place strategies to protect depositors’ funds from fraud and other financial crimes. An example is the Enterprise Risk Management (ERM) Framework for Deposit Insurance Institutions (DIIs), which provides guidance on the development and implementation of risk management practices for DIIs, including risk identification, assessment, monitoring, and reporting.

There is also the Nigerian Data Protection Regulation (NDPR), 2019, with provisions for the collection, use, and protection of personal data in Nigeria, including liability for any breaches of data protection regulations.

Finally, Nigerian law provides for civil and criminal liability for financial services providers in cases of breach of contract, fraud, and other financial crimes. Customers who suffer any loss or damage as a result of negligence or breach of contract by financial services providers can therefore seek legal recourse through the courts.

It is however worth noting that the liability of financial services providers to customers is not absolute. Financial services providers may be exempted from liability if the loss or damage suffered by the customer was not a result of their negligence or breach of contract. For instance, financial services providers may not be liable for losses suffered by customers as a result of a force majeure event, such as natural disasters or acts of terrorism.

Best practices for risk management in the Digital Financial Services industry
To effectively manage risk in digital financial services, the importance of collaboration between the management and the operational team cannot be over-emphasized. Companies must implement best practices that address the various aspects of liability and are in compliance with the Regulations. These include:
Appointment of a Risk Management Officer who provides internal risk management oversight on customer data.
Conducting Regular Risk Assessments: Companies should regularly evaluate their systems, identify vulnerabilities, and develop strategies to identify and mitigate potential security breaches before they occur.
Implementing Strong Cybersecurity Measures: Companies should implement strong security measures, such as encryption and multi-factor authentication, to protect against cyber-attacks and data breaches.
Establishing Data Protection Policies and Procedures: It is crucial to have policies in place to safeguard customer data and ensure that it is used only for authorized purposes. These policies should address how customer data is collected, stored, and transmitted. Companies should also maintain a robust capacity development plan for their management and employees. It is therefore advised that companies consult a Data Protection Compliance Organisation (DPCO), so that they are armed with sound legal advice on data privacy and protection-related compliance issues.
Implementing fraud detection and prevention measures which may include transaction monitoring and customer education on how to protect their accounts.
Maintaining an Insider Register or Fraud Reporting Template: This serves as a tool for identifying patterns and trends in fraud and can help financial service providers to identify areas of weakness in their systems and controls. It can also provide valuable insights into the nature and scope of fraud risk, identify areas for improvement, help detect potential incidents, and ensure compliance with regulatory requirements.
Maintaining Compliance with Regulations and Industry Standards: To avoid legal liability and maintain the trust of their customers, companies must adhere to and ensure a regular review of their policies and procedures. To ensure regulatory compliance, it is recommended to seek the services of a lawyer in this regard. Having a system in place to report suspected fraudulent activities to relevant authorities also goes a long way in deepening the trust.
Developing Incident Response Plans: Companies should have plans in place to respond to security incidents and they should include best practices for creating strong passwords, avoiding phishing scams, and reporting suspected fraudulent activities.

The Digital Financial Services landscape in Nigeria is rapidly evolving, and with it come increased risks and liabilities, whose consequences are capable of significantly impacting the entire organization. There is no doubt that technology, if handled strategically, is a potent and advantageous tool in the Financial Services Industry. However, companies must implement effective risk management strategies to protect their customers’ data and assets and stay abreast of the latest regulatory and international industry standards to ensure that those strategies remain effective and up-to-date to absolve them from needless culpability. This, therefore, makes it crucial for companies in this industry to consult lawyers adept at regulatory compliance services and risk management to help them stay on top of regulatory requirements and mitigate potential risks, ultimately providing them with a competitive advantage and leading to better business outcomes.

Amala Umeike is a Partner at Stren & Blan Partners and supervises the Firm’s Financial Sector, while Chidinma Anuforo is an Associate in the Firm’s Corporate Services Unit.

Stren & Blan Partners is a full-service commercial Law Firm that provides legal services to diverse local and international Clientele. The Business Counsel is an initiative of Stren & Blan
