On October 12, 2021, the Central Bank of Nigeria (CBN) issued the Revised Regulatory Framework for BVN (Bank Verification Number) Operations and Watch-list For the Nigerian Banking Industry (‘Revised Framework’). The Revised Framework builds on the revision of the Framework in 2018 to further enhance the effectiveness of CDD (Customer Due Diligence) and KYC (Know Your Customer) processes which support the CBN’s strategy for promoting a safe, efficient banking and payment system. You can learn more about the Revised Framework here.
The BVN is a biometric identification system implemented by the Central Bank of Nigeria in 2014 to curb or reduce illegal banking transactions in Nigeria, and it was built by NIBSS (Nigeria Inter-Bank Settlement System). It is a modern security measure in line with the Central Bank of Nigeria Act of 1958 to reduce fraud in the banking system. The BVN is a unique identification number that is linked to your biodata and biological traits like fingerprints, facial photograph, names, phone numbers, address, and date of birth which you submitted during enrollment.
Before you can access financial services from financial institutions like banks and fintech companies, your BVN is needed to verify your identity. These institutions have access to the BVN database where they can validate your identity by searching for your information using your BVN.
iGree: The New BVN Consent Platform
A new consent management platform, iGree, has been built by NIBSS to protect customers’ data and improve privacy. With iGree, customers will have to give their consent before their BVN data can be accessed by approved institutions (banks, fintechs) electronically. The CBN introduced this consent management platform to curb the risk of fraud and identity theft because the BVN carries very important and personal information.
Before this change, approved institutions could validate a customer’s identity by searching the BVN database once they had the customer’s correct BVN. Now, when any approved institution wants to retrieve your BVN data, you will be notified and will need to give consent by providing an OTP (One Time Password) sent to your phone number or email address by NIBSS. It is important to note that the phone number and email address you submitted during your BVN enrollment are where the OTP will be sent to. If your phone number or email address has changed since you enrolled, visit your bank to update the information.
iGree and Flutterwave
We understand the importance of protecting user data and privacy at Flutterwave, it is one of our core values. This is why we have implemented iGree on our products as instructed by the Central Bank of Nigeria. From Friday, 31st of March 2023, every new user who signs up on Flutterwave will need to give us consent before we can verify and validate their BVN data. Similarly, all businesses who use our BVN Verification APIs will need to get consent from the BVN holders before they can get access to their data.
When setting up your Flutterwave for Business account, this is the new flow for BVN validation:
- The user provides BVN when onboarding on Flutterwave
- The user is redirected to iGree where they provide NIBSS with their BVN
- NIBSS sends OTP to the user’s email or phone number
- The user inputs the OTP on iGree to verify their BVN
- The user gives consent to Flutterwave accessing their BVN data
- The user is redirected back to the current onboarding step on Flutterwave
Frequently Asked Questions
We understand that you might have questions about this new update and we have tried to answer some of them below:
- Will this new BVN consent process replace my current KYC process?
The new BVN consent process is designed to ensure that only approved institutions will have to seek the consent of customers before accessing their information on the database. This consent process should be used in addition to the KYC process embedded in your customer verification exercise.
- When does this BVN consent process become active?
The current BVN validation system ends on Thursday, March 30th 2023 and the new consent process kicks off on Friday, March 31st 2023 and no, it’s not April Fool.
- What if the BVN holder has not received the OTP?
Two things can prevent delivery of OTP to enable the user to complete the consent process on NIBSS
- SMS delivery failure due to network provider issues. You should re-initiate the consent process when this happens.
- The phone number is no longer available. If the BVN holder is no longer in possession of any of the phone numbers they provided when registering the BVN, they will have to update their contact information at any branch of their bank to complete the consent process.
- How does this impact my existing Flutterwave integration?
To comply with regulations and ensure a seamless experience, only approved merchants on Flutterwave can access the BVN holder’s data. If you currently use our BVN Verification APIs to validate BVNs, customers will have to provide consent before you can retrieve their BVN data.
- What should I do with the existing BVN data?
Existing BVNs that have been verified as part of the merchant onboarding/KYC process will not be impacted. Only new BVN validation will go through the consent management process. However, BVNs point to sensitive customer information, so you should not store them in your database or anywhere in your app. Discard them once you’re done with verification.
- Is there a limit to the number of BVN requests I can make?
No. Every new customer that onboards your platform will be required to go through the consent process to validate their BVN.
- Will I have to pay a new fee for BVN requests?
There will be no change to the existing fee for BVN requests/calls.
If you have more questions about the new BVN consent management system, please reach out to us via email, we’d be happy to help.