"A needle in a Paystack"

A Bizarre Scam That Evaded Paystack Haunts Nigerian Fintech Startups

By  |  April 9, 2021

In the latter hours of Thursday, April 8, the bubbly fintech startup scene in Nigeria got hit with a bit of a double whammy.

Of the two issues that are currently the newest headaches to local fintechs in Nigeria, the more-talked-about matter is the circular from the Securities and Exchange (SEC) that effectively prohibits the sort of business done by Nigerian investment-tech fintechs (such as Bamboo, Trove, Rise, and Chaka), which enables locals to invest in foreign stocks.

But the less-talked-about matter is no less inflammatory. As the clampdown on the investment-tech niche sparked outrage online, the wider fintech startup community suffered a collective bummer.

Late evening on Thursday, one of the continent’s most recognised payments processors, Paystack, sent out an email to its customers which reads thus in part:

“We’ve recently been made aware of a regulatory directive from the primary custodian of Nigeria’s BVN service to all their partners to suspend the provision of the BVN validation service to their third-party partners. This directive affects every non-bank in Nigeria that offers BVN validation services. In light of this news, we’re hereby informing you that the BVN Resolve service will be temporarily unavailable starting at midnight, today, April 8.”

Cross-Border Money Transfer In Africa: Is Bitcoin The Golden Silver Bullet?

 image

No longer business as usual

Essentially, the communication from Paystack is that all fintech startups in Nigeria are, at the moment, barred from using what has become one of the most popular, effective, and reliable Know-Your-Customer (KYC)/Anti-Money Laundering (AML) tools employed by Nigerian fintechs to verify identities while onboarding customers.

A screenshot showing a portion of the email from Paystack

In Nigeria, the Bank Verification Number (BVN) is an eleven-digit number unique to each bank customer and it acts as the universal ID in all commercial banks in Nigeria. The Central Bank of Nigeria (CBN) implemented this Biometric Identification System within the industry to curb illegal banking.

The 73 million+ Nigerians who have bank accounts each have a unique BVN tied to personal details such as addresses, phone numbers, fingerprints – the works! The Nigerian Inter-Bank Settlement Scheme (NIBSS) is the primary custodian of Nigeria’s BVN service.

So, why cut off every other financial firm except banks from accessing this important verification medium?

There are theories being put forward about an ongoing aggressive drive to position the National Identity Number (NIN) issued by the National Identity Management Commission (NIMC) as the central verification service in the country. However, this explanation is found to be highly unlikely given that an alternative story that has transpired under the radar is probably the real issue.

A possible infraction?

The real reason fintech startups have been blocked from utilising the BVN verification route may be tied to an elaborate but bizarre online college scam that appears to have been unwittingly facilitated by Paystack; the startup Stripe reportedly acquired for USD 200 Mn last year.

As published by Chikezie Omeje for Quartz Africa, Paystack is embroiled in an issue that saw a group that turned out to be scammers succeed in defrauding a number of unsuspecting Nigerians who were seeking educational opportunities abroad.

According to the story, towards the end of 2020, a certain web link was making the rounds across several WhatsApp Groups and Facebook communities; it’s not uncommon for hoaxes to spread like wildfire anyway.

But this was no hoax, it’s probably worse. That link was actually the starting point of an elaborate scam that ultimately defrauded a number of persons.

The link directed individuals to a group masquerading as “St. Michael Foundation” promising full ride scholarships for undergraduate and postgraduate studies in colleges based abroad, in countries like Canada and Australia.

After scaling through the application process that involved submitting written essays via a decent-looking website portal that was doctored with plagiarised and falsified content, individuals were offered fake admission and asked to upload certain documents before the expiration of a deadline.

This is where the trick happens; Part of the document required for submission is an English proficiency certificate. For individuals who lack the usual certifications [Test of English as a Foreign Language (TOEFL) and International English Language Testing System (IELTS)], the fraudulent platform recommends the Online International English Proficiency Examination (OIEPE).

Then, applicants are requested to pay NGN 10.5 K (about USD 25.00) for the phony and badly-put-together 30-question test which they are expected to complete in 45 minutes. In some cases, the platform also recommends a sample prep test which also has to be paid for. This one costs about NGN 2.5 K (about USD 6.56).

To cut a long story short, the victims were conned into paying for and sitting for multiple phony tests online. When they passed, they were promised an admission letter that is supposed to arrive in the next 30 working days. But obviously, that doesn’t happen because the whole thing is a sham.

How does Paystack come in?

Well, it turns out that the fraudsters used Paystack as the payment processor on their phony website, and some damage had been done by the time Paystack caught wind of the whole scheme and deactivated the account.

“When we became aware of this merchant’s questionable activity, we deactivated their account immediately and are working with their bank to investigate this incident,” Paystack revealed in an email to Quartz Africa.

Like Paystack, other fintech startups operating in Nigeria across such segments as wallets, payments, savings, lending, investments, and even crypto have, before now, used BVN for identity verification for users who want to open an account with them.

Specifically, to get activated as a merchant or user on Paystack, intending customers must submit a number of KYC documents that are reviewed before the business is cleared to accept payments.

The verification of identity or KYC, according to regulations, is a compulsory requirement that must be completed before any financial institution can signup or start any business relationship with a customer.

The verification system helps keep risk in check and assists in determining whether or not there is an element of money laundering, fraud and other corruption-related activities, associated with a given entity. But it appears this fraudulent group calling themselves St. Michael Foundation somehow eluded Paystack and others along the chain.

As part of its process, Paystack requires prospective customers to submit the bank verification number (BVN) of any director or trustee, the certificate of registration from the Corporate Affairs Commission, and a corporate bank account.

But somehow, the fraudsters went undetected and were onboarded, and Paystack unwittingly facilitated the collection of payments. Apparently, these bad actors were hard to find until they pricked some fingers and drew blood; like “a needle in a Paystack.”

At the moment, it is unclear how much money is involved and how many victims suffered the con. Also, it’s yet to be determined if this was laxity on the part of Paystack or whether current KYC rules have too many loopholes.

Whatever be the case, it is certain that at least one or more corporate organisations along the payments chain flunked its due diligence.

Although Paystack was used by the perpetrators as a payment gateway on the scam website, the money collected from the con must have been transferred into a bank or some other financial institution.

So, there are a couple of liable parties along the chain, and it’s no surprise that Paystack says it’s working with the bank tied to the scammers to get to the bottom of the matter.

The story has it that Osita Nwanisobi, a CBN spokesman, revealed that an investigation had been launched to unravel the entities behind the scam and serve justice. But it also looks like the apex regulator, which oversees banks and fintechs in Nigeria, is already taking steps.

It does seem like one such step is the recent order dictating that fintechs and other non-bank financial institutions are now barred from accessing the BVN verification service. At least, that’s what the timing suggests.

With the suspension of BVN, non-banks have essentially been blocked out from using one of the most comprehensive means of identity verification in the country.

However, at this point, it’s not clear if this is temporary move to allow for the rejigging of the verification system used by fintechs or a permanent move that will force fintech startups to invest in alternative non-BVN KYC processes, though this could prove more expensive and tedious.

For starters, a number of local startups like VerifyMe, Smile Identity, and Appruve seem well-positioned to provide alternative KYC and identity verification services that eliminate the need for BVN but require NIN, Drivers’ License, and Voter ID. On the whole, it’s no longer business as usuals for Nigerian fintech startups.

Featured Image Courtesy: Paystack/Dribbble