CBN Issues Approved Guidelines on Operations of e-Payment Channels

a. All ATM deployers/acquirers shall comply with Payment Card Industry Data Security Standards (PCI DSS).
b. All ATMs shall be able to dispense all denominations of Naira.
c. For deposit taking ATMs, acceptable denominations shall be displayed by the deployer.
d. All terminals shall be levels 1 & 2 EMV compliant at a minimum, and shall be upgraded from time to time, to comply with the latest version, within twelve months of release of the version.
e. All ATM systems shall have audit trail and logs capabilities, comprehensive enough to facilitate investigations, reconciliation and dispute resolution.
f. Card readers shall be identified by a symbol that:
i. represents the card;
ii. identifies the direction in which the card should be inserted into the reader.
iii. All new ATMs shall accept cards horizontally with the chip upwards and to the right.
g. 2% of ATMs deployed by each acquirer shall have tactile graphic symbol for the use of visually impaired customers. Locations of such ATMs are to be visibly publicized on their corporate website at the minimum. This should be complied with within five years from the release of these standards.
The Guidelines
ATM deployment
a. All Banks or independent ATM deployers may own ATMs; however such institutions must enter into an agreement with a card scheme or a scheme operator or their designated settlement agent for acceptance and settlement of all the transactions at the ATM.
b. All ATM transactions in Nigeria shall be processed by a Nigerian company operating in Nigeria as acquirer-processor.
c. No card or payment scheme shall compel any issuer or acquirer to send any transaction outside Nigeria for the purpose of processing, authorization or switching, if the transaction is at an ATM or at any acceptance device in Nigeria and the issuer is a Nigerian bank or any other issuer licensed by the CBN.
d. All transactions at an ATM in Nigeria shall, where the issuer is a Nigerian bank or any other issuer licensed by the CBN be settled under a domestic settlement arrangement operated by a Nigerian Company. All collaterals for such transactions shall be in Nigerian National Currency and deposited in Nigeria.
e. No card scheme shall discriminate against any ATM owner or acquirer. Every card scheme must publish, for the benefit of every ATM owner or acquirer and the Central Bank of Nigeria, the requirements for acquiring ATM transactions under the card scheme.
f. No ATM owner or acquirer shall discriminate against any card scheme or issuer.
g. Stand-alone or closed ATMs are not allowed.
h. ATMs should be situated in such a manner as to permit access at reasonable times. Access to these ATMs should be controlled and secured so that customers can safely use them.
i. Lighting should be adequate for safe access and good visibility. It should provide a consistent distribution and level of illumination, particularly in the absence of natural light.
j. ATMs should be sited in such a way that direct or reflected sunlight or other bright lighting is prevented from striking the ATM display, for example, through the use of an overhead sun shelter.
k. Privacy shall be provided by the design and installation features of the ATM so that in normal use the cardholder does not have to conspicuously take any protective action.
l. All ATMs shall accept all cards issued in Nigeria under CBN regulations for any card-based value added service made available on the machine.
ATM Operations
A bank or independent organization that deploys an ATM for the use of the public shall ensure that:
a. The ATM downtime (due to technical fault) is not more than seventy-two (72) hours consecutively, where this is not practicable, customers shall be duly informed by the deployer;
b. The helpdesk contacts are adequately displayed at the ATM terminals. At the minimum, a telephone line should be dedicated for fault reporting and such telephone line shall be functional and manned at all times that the ATM is operational.
c. All ATM charges are fully disclosed to customers.
d. The ATMs issue receipts, where requested by a customer, for all transactions, except for balance enquiry, stating at a minimum, the amount withdrawn, the terminal identity, date and time of the transaction.
e. Receipt prints and screen display are legible. The dispensing deposit and recycling component of the machine is in proper working condition.
f. Cash retraction shall be disabled on all ATMs.
g. There is appropriate monitoring mechanism to determine failure to dispense cash.
h. There is online monitoring mechanism to determine ATM vault cash levels.
i. ATM vault replenishment is carried out as often as necessary to avoid cash-out.
j. ATMs are not stocked with unfit notes.
k. Cash is available in the ATMs at all times. The funding and operations of the ATM deployed by non-bank institutions should be the sole responsibility of the bank or institutions that entered into agreement with them for cash provisioning. In this regard, the Service Level Agreement (SLA) should specify the responsibilities of each of the parties.
l. Change of PIN is provided to customers, free of charge.
m. Acquirers monitor suspicious transactions and report same to CBN, based on the agreed format and timeframe.
n. Back-up power (inverter) is made available at all ATM locations, in such a way that the machine would not cease operation while in the middle of a transaction.
o. Paper disposal basket is provided at all ATM locations.
p. A register of all their ATMs in Nigeria with location, identification, serial number of the machines, etc., is maintained.
q. Provision is made for extending the time needed to perform a specific step by presenting a question, such as, “Do you need more time?”
r. Information sufficient to construct a usable card is not displayed on the screen or printed on a transaction record. This will guard against the possibility that such information may become accessible to another person should the cardholder leave the ATM while a transaction is displayed, or abandon a printed transaction record.
s. Precautions are taken to minimize the possibility of a card being left, by a message or voice, alerting the customer to take his card.
t. Cash out first before card is out of the ATM is adopted, to minimize the possibility of customers leaving cash uncollected at ATM.
u. ATM acquirers shall disable cash-retract and display such notice at the ATM or on the screen.
v. Acquirers shall reconcile and refund all funds in their possession, belonging to customers as a result of ATM’s non-dispense and partial dispense errors.
w. Acquirers shall also install appropriate mechanism to immediately initiate refunds without the prompting of the issuing bank or the customer.
ATM Maintenance
A bank or independent organization that deploys an ATM for the use of the public shall ensure that:
a. Notice is displayed at the ATM, for the public, of planned maintenance periods and disruption to service due to maintenance.
b. An ATM maintenance register or log is kept properly.
c. All ATMs and cash in the machines are insured.
d. They physically inspect their ATMs, at least fortnightly.
ATM Security
a. Every ATM shall have cameras, which shall view and record all persons using the machines and every activity at the ATM, including but not limited to: card insertion, transaction selection, cash withdrawal, card taking, etc. However, such cameras should not be able to record the key strokes of customers using the ATM.
b. Where a surveillance camera is used, it should be kept secret to avoid illegal removal or damage or compromise.
c. Networks used for the transmission of ATM transactions must be demonstrated to have data confidentiality and integrity.
d. All ATMs must be located in a manner that guarantees safety and security of users and confidentiality of their transactions.
e. ATMs should not be placed outside buildings, unless such ATM is bolted to the floor and surrounded by structures, to prevent removal.
f. Additional precaution must be taken to ensure that any network connectivity from the ATM to the bank or switch is protected, to prevent the connection of other devices to the network point.
g. Where the user of an ATM blocks his image for camera capture, the ATM shall be capable of aborting the transaction.
h. ATM key management processes must ensure that keys are changed regularly (every year) and the same keys must not be used at multiple ATMs.
i. ATMs shall be installed with Anti-Skimming devices that would ensure effective mitigation against fraud incidents.
Dispute Resolution
In the event of irregularities in the account of an ATM customer, arising from the use of card on ATM, the following shall apply:
a. All cardholders’ complaints should be treated within T + 3 from the date of receipt of the complaints; Acquirer must respond to Issuer’s request within 2 days.
b. Where records are falsified by any party, appropriate sanctions shall apply.
Regulatory Monitoring
a. Any institution which operates an automated teller machine shall file an updated list of such ATMs, including the detailed location of their addresses, with the Director, Banking & Payments System Department of the Central Bank of Nigeria for compliance monitoring.
b. The CBN shall conduct onsite checks of ATMs with a view to ensuring compliance with cash and service availability.
c. Acquirers shall report volume and value of transactions on a monthly basis to the Director, Banking & Payments System Department, CBN.
Penalties
Sanctions, in the form of monetary penalties or suspension of the acquiring/processing service(s), or both, would be imposed on erring institutions for failure to comply with any of the provisions of these Guidelines, or any other relevant Guidelines, issued by the CBN from time to time.