From George Onyejiuwa, Owerri
Dr Kingsley Chibuzor Aguoru is a United Kingdom Chartered Engineer and expert in Information Security with a keen focus on security of financial services and payment systems.
Having both a Master of Science in Information Security from the University of Liverpool and a Doctor of Information Security from the University of East London, and with over 20 years of experience in software engineering and cybersecurity, he is an advocate for strengthening Nigeria’s financial regulatory infrastructure.
Recently, he submitted a petition to the Central Bank of Nigeria (CBN) and the Economic and Financial Crimes Commission (EFCC), highlighting the need for an independent regulatory body to supervise Nigeria’s financial market infrastructure and payment systems.
What inspired you to specialise in information security within the financial services sector?
My journey into information security was driven by a personal experience as a victim of card-not-present (CNP) fraud back in 2005. At the time, I was running a business similar to PayPal, offering third-party payment processing to help companies accept online payments. The security standards then – like Visa’s 3D Secure and MasterCard’s SecureCode – relied on static passwords, which were vulnerable to phishing, keylogging, and other types of attacks. Unfortunately, an Egyptian-owned hosting company used stolen card information to buy hosting services from its own site connected to my payment gateway, causing me to unknowingly wire funds to Egypt. This fraudulent activity cost my business tens of thousands of pounds and forced me to rethink my career. I was pursuing a Masters in Information Technology at the University of Liverpool and had intended to focus on Software Engineering. However, this incident led me to shift my focus to Information Security, specifically researching CNP fraud. Back then, CNP fraud in the UK had ballooned from £4.6 million in 1995 to £183.2 million in 2005, as reported by “Fraud The Facts 2004 and 2005” (an APACS publication). Although Visa and MasterCard guaranteed the security of in-person transactions with PIN verification, they did not offer the same protection for CNP transactions, leaving merchants to bear the risk. For my thesis, I proposed using dynamic, one-time passwords (OTPs) instead of static ones to secure CNP transactions, a solution I called SMSVerify. This was before the advent of smartphones and banking apps, so the OTP was delivered via SMS, with an offline solution based on XY-coordinate geometry to accommodate regions like Africa, where Internet access was limited. Though at this time, Nigeria did not know what card payment was and did not have any card issuer, and none of the commercial banks had Internet banking.
Unfortunately, Visa and MasterCard, via UK’s APACS, declined my proposal. This led me to develop an independent alternative to their systems, which became Paymenex, where I successfully implemented my security solution. Since then, I have been an advocate for secure financial services systems, committed to improving security standards, technologies, and policies in the industry.
Could you briefly explain why you believe Nigeria should unbundle the Central Bank of Nigeria (CBN) to create a new Financial Services Authority?
Certainly, the Central Bank of Nigeria is over-extended, managing responsibilities across monetary policy, currency issuance, and banking regulation, while also attempting to oversee payment systems and financial market infrastructure. With the rapid growth in fintech and the increasing complexity of our financial landscape, it’s crucial to have a specialised authority, like the Financial Services Authority (FSA), focused solely on regulating financial market infrastructure and payment systems. This approach is already adopted in countries like the UK, where the Financial Conduct Authority (FCA) handles these aspects, allowing the Bank of England to concentrate on its core functions. I believe Nigeria needs a similar arrangement to meet modern financial demands effectively.
You mentioned some specific issues in your petition to the CBN and EFCC. Could you elaborate on the key issues that led you to propose the FSA?
Certainly, in my petition, I highlighted three main issues: First, the misuse of the National Identity Card, where a corporate logo was placed on a government-issued ID card. This partnership compromises the card’s purpose as a sovereign document and raises ethical questions about public-private boundaries. Second, the practice of allowing card PINs for online or card-not-present (CNP) transactions, which is practically non-existent in other countries. Using Card PIN online is the same as using a static password – the Visa and Mastercard trending solution in 2005. Card PINs are intended solely for physical transactions where in-person verification is possible. Using them in online transactions exposes Nigerians to unnecessary fraud risks. This prompted my “Urgent Call to Ban Card PIN Usage for Online Payments in Nigeria” petition, submitted to both the CBN and EFCC. Third, Nigeria’s lack of Strong Customer Authentication (SCA) protocols for online transactions, which are essential to reduce fraud risk and enhance transaction security. SCA is a two-factor authentication requirement adopted in the EU that has significantly lowered fraud cases.
What would be the primary responsibilities of the FSA, and how would it work alongside the CBN?
The FSA would primarily focus on the supervision of financial market infrastructure and payment systems, taking over functions that require specialised oversight. This agency would hold rule-making, investigative, and enforcement powers, specifically within the financial services industry, allowing it to address emerging security and compliance concerns directly. Meanwhile, the CBN would retain its primary responsibilities, such as monetary policy, currency services, and banking regulation. By working together, both bodies would ensure that Nigeria’s financial markets are secure, transparent, and consumer-oriented.
How do you envision the FSA collaborating with the EFCC?
The EFCC’s mandate is to prevent and enforce laws against financial crimes, just like the UK’s National Crime Agency. The FSA would work closely with the EFCC by sharing information, jointly investigating suspicious financial activities, and enforcing regulations within Nigeria’s payment and financial market infrastructure. This partnership would allow the NFSA to leverage the EFCC’s enforcement powers, creating a safer financial environment by preventing fraud and prosecuting those engaged in economic and financial crimes.
One of the concerns raised in your petition was the use of Nigeria’s National Identity Card for corporate branding. Why do you see this as a problem?
The National Identity Card is meant to serve as a symbol of national identity and a tool to verify citizenship, not to act as an advertising space for private corporations. Adding a corporate logo, like MasterCard’s, compromises the document’s purpose, blurring the line between national identity and private branding. This is not something we see in other nations, where government-issued IDs maintain a purely sovereign character. This partnership raises ethical questions and underscores why we need a regulatory body like the FSA to ensure public assets remain free from commercial influence.
Can you explain why allowing PINs for online transactions is problematic and how this impacts Nigerian consumers?
Using PINs in online or card-not-present transactions is unusual and risky. Globally, PINs are intended only for physical transactions, where the cardholder’s presence can be confirmed. Allowing PINs for online payments in Nigeria significantly increases the risk of fraud. My petition to the CBN and EFCC, entitled “Urgent Call to Ban Card PIN Usage for Online Payments in Nigeria,” outlines these risks in detail, highlighting that Nigerian consumers are more vulnerable to fraud and unauthorised transactions because of this practice. This exposure makes Nigerian consumers susceptible to risks that other countries have actively protected against.
Why is using a card PIN at a POS terminal more secure than using it for online transactions?
When you use your card PIN at a POS terminal, there are two main layers of authentication, online and offline, that add significant security. In the offline method, the PIN you entered is matched directly with data embedded in the chip on your smart card. The card’s microprocessor verifies the PIN immediately, using a secure, public-key encryption process. This keeps the PIN validation within the chip, making it highly resistant to tampering or interception. In the online method, your PIN is transmitted from the POS to the card issuer, but is protected by strong encryption, making it extremely difficult for fraudsters to intercept or manipulate. In contrast, when you use your PIN online, especially through a web browser, there’s far less control over security. The payment provider cannot secure the input device (like your keyboard) or protect against potential eavesdroppers on the network. This lack of control opens up the possibility of interception through methods like keylogging, network sniffing, and other cyberattacks, making it far riskier than using a PIN in a controlled POS environment.
What is Strong Customer Authentication (SCA), and why do you believe it’s necessary in Nigeria?
Strong Customer Authentication or SCA is a security protocol requiring two-factor authentication for electronic payments, and it’s legally mandated in the European Union. SCA helps reduce fraud by requiring users to verify their identity through multiple steps. In Nigeria, where digital payments are on the rise, implementing SCA would greatly enhance transaction security and protect consumers. With a regulatory body like the NFSA in place, we could mandate these protocols, aligning Nigeria with international security standards.
If Nigeria implements the FSA, how would it benefit the overall financial landscape in the country?
Creating the FSA would bring Nigeria closer to international standards, fostering a more transparent, competitive, and secure financial environment. Consumers would be better protected, fraud would be reduced, and financial markets would be more resilient. An NFSA would have the independence to respond to the rapid evolution of fintech, setting policies that protect the public while encouraging innovation. This structure would help Nigeria modernise its financial regulatory framework, ultimately promoting economic stability and confidence in our financial systems.
Now, what do you hope to achieve with your petition, and what’s your message to Nigerian regulators?
My goal is to see a Nigeria where our financial regulations protect consumers, encourage competition, and uphold the highest security standards. By unbundling the CBN and creating the FSA, we can achieve a more effective regulatory environment. My message to Nigerian regulators is to prioritise the security, transparency, and sovereignty of our financial systems and identity assets. I believe Nigeria has the potential to lead in financial innovation, but we must have a strong regulatory foundation in place to ensure that growth is safe, sustainable, and beneficial for all Nigerians.
