"(1) That am the above-named person as well as the investigating police
officer in a case of Conspiracy and fraudulent transfer reported by Flutterwave
Technology Solution Limited through his counsel Albert Onimole, legal practitioner
by virtue of which I am conversant with the fact of this case.
(3) That a case of Conspiracy and Fraudulent transfer was reported to the
Police via petition written by Albert Onimole & Co. on behalf of
Flutterwave Technology Solution Limited bothering on allegation of Conspiracy,
stealing and fraudulent transfer over Two billion naira having hacked into the
complainant account. Copy of the Petition is hereby attached and marked exhibit
‘A’.
(4) That it was revealed in the course of investigation that the
suspected hackers hacked into the cyber space of the complainant and transferred
over two billion naira to various accounts listed on this application. Copy of
the statement of the Complainant is hereby attached and marked exhibit ‘B’."
Flutterwave in its official statement, said; “During a routine check of our transaction monitoring system,
we identified an unusual trend of transactions on some users’ profiles. Our
team immediately launched a review (in line with our standard operating
procedure), which revealed that some users who had not activated some of our
recommended security settings might have been susceptible.” However, the
fintech flatly denied that any user lost any funds, as its security measures
were “able to address the issue before any harm could be done to our users”.
This denial is in stark contrast to the contents of the petition and affidavit earlier mentioned. If no user funds were lost, how come there was a petition to the police and an application to freeze accounts? The denial and statement shifting blame to "some users who had not activated some of our recommended security settings" is typical of what many financial institutions in Nigeria say whenever a customer complains of unauthorised withdrawals or transfers from their accounts. In the case of Barrister Wole Abidakun v. Diamond Bank Plc.(Suit No: CV/2779/18), which involved unauthorized transfer from customer account, Justice Kutigi of the High Court of the FCT, while delivering judgement on 23 June, 2021 observed thus:
“I agree that because these facilities have security features known only
to the customer and so
the customer bears
some responsibility to
secure them, once however
a customer makes
a serious complaint
of foul play
in his account,
the usual standard and
rather lazy and lame response
by Defendant Bank
that the customer has compromised
the security features will not stand or fly in the absence of a forensic
investigation to determine responsibility.
There must be proper in-house
and then police
investigations showing clearly
and positively that
the customer must have
indeed compromised the
security features or
given his PIN numbers to a third party. Bare and empty verbal assertions will not
suffice in this age of savvy and sophisticated criminals.”
Now, if it were in the United
States, where data breaches and hacks are not tolerated by the financial
services regulators, Flutterwave would have been in big trouble. The regulators would have carried out investigations and Flutterwave would have been fined heavily if found wanting. Flutterwave customers would have also likely filed a
class action against the fintech.
For instance, in 2020 in the US, a
class action was filed against Bank of America for failing to provide
sufficient protections for unemployment payment debit cards after thousands
across California, fell victim to fraud. Among the issues that were raised in
the case against the bank was the lack of secure microchips in unemployment
debit cards, a failure to secure private account information and a sluggish
response to consumer fraud reports.
Also in the United States, the
Consumer Financial Protection Bureau (CFPB) in 2016, found that online payment
platform Dwolla, deceived consumers about its data security practices and the
safety of its online payment system and therefore ordered Dwolla to pay a
$100,000 penalty and fix its security practices.
As of May 2015, Dwolla had more
than 650,000 users and had transferred as much as $5 million per day. For each
account, Dwolla collected personal information including the consumer’s name,
address, date of birth, telephone number, Social Security number, bank account
and routing numbers, a password, and a unique 4-digit PIN.
From December 2010 until 2014,
Dwolla claimed to protect consumer data from unauthorized access with “safe”
and “secure” transactions. On its website and in communications with consumers,
Dwolla claimed its data security practices exceeded industry standards and were
Payment Card Industry Data Security Standard compliant. They claimed also that
they encrypted all sensitive personal information and that its mobile
applications were safe and secure.
However, it was found that Dwolla’s
data security practices in fact fell far short of its claims. Specifically, the
CFPB found, among other issues, that Dwolla misrepresented its data-security
practices by:
(1)Falsely claiming its data
security practices “exceed” or “surpass” industry security standards: Contrary
to its claims, Dwolla failed to employ reasonable and appropriate measures to
protect data obtained from consumers from unauthorized access.
(2)Falsely claiming its
“information is securely encrypted and stored”: Dwolla did not encrypt some
sensitive consumer personal information, and released applications to the
public before testing whether they were secure.
The above action of the CFPB in the
US represents how a regulator should act in the face of continuous data
breaches and/or hacks. In 2022 it was MTN Mobile Money Bank that was hacked but it is unclear what actions, if any, the regulators in
Nigeria took or made against MTN, concerning the breach or hack. The Federal Competition and Consumer
Protection Commission, the Central Bank of Nigeria, the Nigeria Deposit Insurance
Corporation, and the newly created Nigeria Data Protection Commission needs to
sit up and do more.
It is therefore, high time that the
regulators in Nigeria mentioned above woke up to their responsibilities and
took punitive action against erring financial institutions in Nigeria for data
breaches and hacks. Perhaps the fear of sanctions will make the financial
institutions to improve on their cyber security practices and better protect customer
funds/deposits in their custody.
It is also recommended that there
should be a quarterly or yearly report made available to the public, showing
financial institutions that were sanctioned for failing to comply with relevant
industry cybersecurity framework and/or data protection regulations.
