Published online by Cambridge University Press: 12 April 2018
Technology-driven payment instruments and services are facilitating the development of e-commerce; however, security concerns beleaguer their implementation, particularly in developing countries. This article considers the limits of private ordering in the regulation of e-payment systems. It uses Nigeria to exemplify a developing country that is increasingly pushing for the adoption of a regulatory framework for e-payment systems based on private ordering. It argues that, although technical standards and self-regulation by the financial industry are important, law is an essential regulatory mechanism that is largely absent. The article proposes that law be used as a mechanism to set and compel compliance with technical and industry standards, thus building trust, catering to public interest concerns and legitimizing the regulatory process.
Lecturer, Faculty of Law, University of Lagos.
Associate professor, School of Law, University of Leeds.
The authors wish to thank Professors Joan Loughrey, Clive Walker, David O'Mahony, Jean Allain and Philip Leith and anonymous referees who made helpful comments on an earlier draft of this article.
1 See European Commission “Towards an integrated European market for card, internet and mobile payments” (COM 941 2011), para 2.3.
2 European Central Bank “The payment system” (2010), available at: <https://www.ecb.europa.eu/pub/pdf/other/paymentsystem201009en.pdf> (last accessed 12 February 2018); see also Ofcom “Innovation in UK consumer electronic payments: A collaborative study by Ofcom and the Payment Systems Regulator” (2014), available at: <https://www.ofcom.org.uk/__data/assets/pdf_file/0014/45041/e-payments.pdf> (last accessed 12 February 2018).
3 Other countries, particularly in Africa, are also involved in this drive. For example: Kenya's M-pesa is the largest market for mobile money; South Africa has the most developed e-payment systems in Africa; and Ghana and Tanzania are pushing for wider adoption of e-payment systems. See KPMG “Payment developments in Africa” (vol 1, 2015), available at: <https://assets.kpmg.com/content/dam/kpmg/za/pdf/2016/09/Payment-Developments-in-Africa-2015.pdf> (last accessed 12 February 2018).
4 These include “National payment systems vision (NPSV) 2020” developed by the federal government; and the Central Bank of Nigeria's “Cashless Nigeria” policy.
5 Smith, D “Nigerian scams as political critique: Globalization, inequality and 419” in Grinker, R, Lubkemann, S and Steiner, C (eds) Perspectives on Africa: A Reader in Culture, History, & Representation (2010, Blackwell Publishers) 616 at 617–28.
6 PCIDSS is a proprietary information security standard for organizations that handle branded credit cards from the major card companies including Visa, MasterCard and American Express. For more information, see: <https://www.pcisecuritystandards.org/pci_security/> (last accessed 12 February 2018).
7 The concept of public interest is discussed in the next section.
8 Morgan, B and Yeung, K An Introduction to Law and Regulation (2007, Cambridge University Press) at 3.
9 Baldwin, R, Cave, M and Lodge, M Understanding Regulation Theory, Strategy and Practice (2nd ed, 2012, Oxford University Press) at 3.
10 Ibid.
11 Ibid.
12 They have also been defined more broadly to include rules originated by the private sector but put in place by sovereign governments, as well as rules put in place by private actors following government delegation. However, a critical reading of the literature suggests that these more aptly describe self-regulation generally and could refer to other models of regulation such as co-regulation and meta-regulation. See S Schwarcz “Private ordering” (2002–03) North West University Law Review 319 at 324; see also C Coglianese and E Mendelson “Meta-regulation and self-regulation” (Penn Law School public law and legal theory research paper no 12-11) 1 at 6–9.
13 Schwarcz, ibid.
14 PCI Security Standards Council “PCI security”, available at: <https://www.pcisecuritystandards.org/pci_security/> (last accessed 3 March 2018).
15 Ibid.
16 Ibid.
17 Schwarcz “Private ordering”, above at note 12 at 319.
18 See generally, Webb, K “Understanding the voluntary code phenomenon” in Webb, K (ed) Voluntary Codes: Private Governance and Public Interest and Innovation (2004, Carleton University Press) 3.
19 Ogus, A Regulation: Legal Form and Economic Theory (2004, Hart Publishing) at 15.
20 Black, J “Critical reflections on regulation” (2002) 27 Australian Journal of Legal Philosophy 1 at 20.
21 Ibid.
22 Mitnick, BM The Political Economy of Regulation: Creating, Designing, and Removing Regulatory Forms (1980, Columbia University Press) at 242.
23 See for example Macey, JR “Public and private ordering and the production of legitimate and illegitimate rules” (1997) 82/5 Cornell Law Review 1123 at 1133.
24 Baldwin, Cave and Lodge Understanding Regulation Theory, above at note 9 at 25.
25 Id at 25–39.
26 Mitnick The Political Economy, above at note 22 at 7.
27 Id at 7.
28 Selznick, P “Focusing organisational research regulation” in Noll, R (ed) Regulatory Policy and the Social Sciences (1985, University of California Press) 363 at 363.
29 R Leenes “Framing techno-regulation: An exploration of state and non-state regulation by technology” (Legisprudence Tilburg Law School legal studies research paper series no 10/2012) 143 at 149.
30 RA Posner “Theories of economic regulation” (1974, NBER working paper no 41) at 1.
31 Christensen, JG “Competing theories of regulatory governance: Reconsidering public interest theory of regulation” in Levi-Faur, D (ed) Handbook on the Politics of Regulation (2011, Edward Elgar) 96.
32 Mitnick The Political Economy, above at note 22 at 91.
33 For example, Posner “Theories of economic regulation”, above at note 30 at 4–5.
34 Feintuck, M The Public Interest in Regulation (2004, Oxford University Press) at 33.
35 Id at 38.
36 Id at 11.
37 Id at 39.
38 Id at 39–41.
39 Id at 58.
40 A public good is a commodity the benefit of which is shared by the public, or by a group within it. It consists of two characteristics: that consumption by one person does not leave less for others to consume; and it is impossible or too costly for the supplier to exclude those who do not pay for the good but enjoy the benefit. See Ogus Regulation, above at note 19 at 33.
41 Ibid.
42 See A Smith “Nigerian scam e-mails and the charms of capital” (2009) 23/1 Cultural Studies 27 at 30 and 33.
43 Zook, M “Your urgent assistance is requested: The intersection of 419 spam and new networks of imagination” (2007) 10/1 Ethics, Place & Environment 65.
44 Oboh, J and Schoenmakers, Y “Nigerian advance fee fraud in transnational perspective” (2010) 15 Policing Multiple Communities 235.
45 See “Countries and regions supported by PayPal”, available at: <https://developer.paypal.com/docs/classic/api/country_codes/> (last accessed 12 February 2018).
46 For example, the CBN had directed Nigerian banks to charge processing fees on all cash transactions but not for e-payments; see CBN letter titled “Industry policy on retail cash collection and lodgement” (IITP/C/01 circular BPS/DIR/GEN/CIR/01/003, 16 March 2012) (copy on file with the authors).
47 For example, ATM fraud constituted the leading consumer complaint to the CBN between 2010 and 2012, as a result of which the CBN directed the system to migrate from basic “chip and PIN” to EMV cards (cards using the global standard for chip-based debit and credit card transactions, developed by Europay, MasterCard and Visa). See Nigeria Deposit Insurance Corporation “Annual report and statement of account” (2010, 2011 and 2012), available at: <http://ndic.gov.ng/publications/> (last accessed 12 February 2018).
48 Nigeria Electronic Fraud Forum (NeFF) “Annual report 2012” (copy on file with authors). It is not clear whether the report was subsequently published or otherwise made publicly available.
49 See CBN “Payments system vision 2020” (release 2.0, September 2013).
50 See generally Electronic Banking Regulations 2003; Revised Guidelines on Stored Value / Pre-Paid Card Issuance and Operation 2012; Standards and Guidelines on Automated Teller Machines (ATM) Operations in Nigeria 2010; Regulatory Framework on Mobile Payment Services in Nigeria 2014; and the Electronic Banking Regulations 2003.
51 POS Guidelines, item 3.1.
52 E-banking Guidelines, item 1.5.2 (emphasis added).
53 POS Guidelines, item 3.1.
54 See Nigerian Identity Management Commission Act 2007, secs 27, 28 and 29.
55 See Revised Guidelines on Stored Value / Pre-Paid Card Issuance and Operation 2012.
56 See further at note 65 and sections on “Private ordering and the index for strong regulation” and “How law regulates: Lessig's modalities of regulation in cyberspace and the regulation of e-payments” below.
57 Obodoeze, FC et al. “Enhanced modified security framework for Nigeria cashless e-payment system” (2012) 3/11 International Journal of Computer and Science Applications 189 at 189.
58 Ibid.
59 Id at 189–90.
60 See Security Standards Council “Securing the future of payments together”, available at: <https://www.pcisecuritystandards.org/> (last accessed 12 February 2018).
61 Ibid.
62 Morse, EA and Raval, V “PCI DSS: Payment card industry data security standards in context” (2008) 24 Computer Law and Security Report 540 at 553.
63 Id at 551.
64 AS Rosenberg “Better than cash? Global proliferation of debit and prepaid cards and consumer protection policy” (2005, Berkeley University Press (Bepress) Legal Series paper 766).
65 See Lessig, L Code Version 2.0 (2nd ed, 2006, Basic Books) 120 at 127.
66 T Wu “When code isn't law” (2003) 89 Virginia Law Review 101 at 106.
67 Cases from England are particularly relevant here because they constitute persuasive authorities in Nigerian courts, as Nigeria was a British colony and operates a common law system.
68 Case no 7BQ00307 (30 April 2009) in Kelman, A “Case judgement: England and Wales” (2009) 6 Digital Evidence and Electronic Signature Law Review 235.
69 Id at 238.
70 Clerkenwell and Shoreditch County Court case no 1YE003643 (24 October 2012) in Mason, S and Bohm, N “Commentary on case on appeal: England and Wales” (2013) 10 Digital Evidence and Electronic Signature Law Review 175.
71 Id at 185.
72 Id at 187.
73 See Evidence Act (Nigeria) 2011, secs 93–97.
74 Emphasis added.
75 See, for example, Regulations on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (910/2014/EU), in particular regs 3, 13, 25, 26 and 32.
76 See Kanade, SG, Petrovska-Delacretaz, D and Dorizzi, B Enhancing Information Security and Privacy by Combining Biometrics with Cryptography (2012, Morgan and Claypool).
77 See CBN “Letter to all other financial institutions (OFIs): Bank verification number (BVN) enrolment for customers” (ref OFI/DIR/CIR/GEN/17/139, 21 April 2017), available at <https://www.cbn.gov.ng/Out/2017/OFISD/CIRCULARONBVNOFOFIs0001(3).pdf> (last accessed 4 March 2018).
78 Meadows, AD “Spoof and vulnerability of biometric systems” in Du, EY (ed) Biometrics from Fiction to Practice (2013, Pan Stanford Publishing) 188 at 195.
79 This would be a general or omnibus data protection law modelled on EU data protection law. Although detailed discussion of the problems with the EU law is beyond the scope of this article, it is important to note that a proposal to adopt the EU approach does not suggest that a Nigerian law on data protection should replicate the exact provisions of EU law, particularly because of its broad and rather nebulous definition of personal data.
80 See generally Akerlof, G “The market for ‘lemons’: Quality uncertainty and the market mechanism” (1970) 84/3 The Quarterly Journal of Economics 488. See also Schreft, SL “Risks of identity theft: Can the market protect the payment system?” (2007) Fourth Quarterly Federal Reserve Bank of Kansas City Economic Review 5.
81 Schreft, id at 23.
82 See the definition of public goods, above at note 40.
83 Schreft “Risks of identity theft”, above at note 80 at 22–28.
84 NeFF “Annual report 2012”, above at note 48.
85 Letter dated 6 July 2012 from CBN to all deposit money banks, ref CFP/DIR/GDL/01/018 (copy on file with the authors).
86 SJ Murdoch and R Anderson “Security protocols and evidence: Where many payment systems fail” (pre-proceeding draft for the Conference on Financial Cryptography and Data Security, Barbados, 3–7 March 2014), available at: <http://www.cl.cam.ac.uk/~sjm217/papers/fc14evidence.pdf> (last accessed 12 February 2018).
87 CBN “About Nigerian Electronic Fraud Forum”, available at: <http://www.cenbank.org/neff/about.asp> (last accessed 12 February 2018).
88 See for example, Payment Services Regulations 2009 SI 2009/209 (UK), part 5.
89 See Cornes, R and Sandler, T The Theory of Externalities, Public Goods and Club Goods (2nd ed, 1996, Cambridge University Press) at 39.
90 Schreft “Risks of identity theft”, above at note 80 at 5.
91 CBN Guidelines on Electronic Banking 2003, item 3.0(g).
92 CBN “E-payment dispute arbitration framework” (proposed, 2013), item 3, available at: <https://www.cbn.gov.ng/out/2013/ccd/e-payment%20dispute%20arbitration%20framework.pdf> (last accessed 12 February 2018).
93 Payment Services Regs, above at note 88, regs 60(3) and 57(2).
94 Id, regs 60(1)–(3).
95 Mason, S “Electronic banking and how courts approach the evidence” (2013) 29/2 Computer Law and Security Review 144 at 144.
96 See Cybercrimes (Prohibition, Prevention etc) Act 2015.
97 This prototype was given to the authors by law enforcement agents and forms part of the data used by one of the authors in broader research into the challenges of implementing cybersecurity in Nigeria.
98 Ibid.
99 For example, rights to privacy and to freedom from discrimination, harassment and intimidation are guaranteed under the Constitution of the Federal Republic of Nigeria 1999 (as amended), chap IV, sec 28(1)(a)–(h).
100 NeFF “Annual report 2012”, above at note 48.
101 See CBN “Submission of fraud report on e-channels using a common portal for the payment industry” (CBN circular BPS/DIR/CIR/GEN/02/103, 2 July 2013).
102 See generally CBN “About Nigerian Electronic Fraud Forum”, above at note 87.
103 POS Guidelines, item 3.1.
104 For example, statistics are disputed regarding PCIDSS compliance levels. As at 2011, only two of the potential target organizations were reported to be PCIDSS compliant. Contested reports also put the level of compliance at 2% in 2012 and up to 50% in 2013, although there are no reports on ongoing compliance checks or the present state of PCIDSS compliance in Nigeria.
105 Morse and Raval “PCI DSS”, above at note 62 at 551.
106 See for example Johnson, DR and Post, D “Law and borders: The rise of law in cyberspace” (1996) 48 Stanford Law Review 1367; see also JP Barlow “A declaration of the independence of cyberspace”, available at: <https://projects.eff.org/~barlow/Declaration-Final.html> (last accessed 12 February 2018).
107 See for example, Goldsmith, JL “Against cyberanarchy” (1998) 65/4 The University of Chicago Law Review 1199; see also Wu, T “Cyberspace sovereignty? The internet and the international system” (1997) 10/3 Harvard Journal of Law and Technology 647.
108 Goldsmith, id at 1201.
109 Lessig Code Version 2.0, above at note 65.
110 Id at 123–25.
111 Id at 340–41.
112 Ibid.
113 Id at 342.
114 Ibid.
115 Id at 341.
116 Id at 5.
117 L Lessig “The law of the horse: What cyberlaw might teach” (1999) 113/2 Harvard Law Review 501 at 514.
118 Id at 511.
119 Id at 502.
120 See previous arguments at notes 9–18 above.
121 The use of the terms “technology” and “industry” is for consistency as they essentially align with Lessig's concept of code and market.
122 Goldsmith, J and Wu, T Who Controls the Internet? Illusions of a Borderless World (2006, Oxford University Press) at 152.
123 Lessig Code Version 2.0, above at note 65 at 223.
124 Id “The zones of cyberspace” (1996) 48/5 Stanford Law Review 1403 at 1407.
125 Ibid.
126 See RD Cooter “Law from order” in J Mancur Olson and S Kahkoneh (eds) A Not-So-Dismal Science: Broader Brighter Approach to Economies and Societies, cited in Macey, JR “Public and private ordering and the production of legitimate and illegitimate rules” (1997) 82/5 Cornell Law Review 1123 at 1133.
127 Matwyshyn, AM (ed) Harbouring Data: Information Security, Law, and the Corporation (2009, Stanford University Press) at 229.
128 Verizon “2012 Data breach investigation report” at 33, available at: <http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf> (last accessed 12 February 2018).
129 Murray, AD The Regulation of Cyberspace Control in the Online Environment (2007, Routledge Cavendish) at 51.
130 See BSA “The compliance gap: BSA global software survey, June 2014”, available at: <http://globalstudy.bsa.org/2013/downloads/studies/2013GlobalSurvey_Study_en.pdf> (last accessed 12 February 2018).
131 A Cavoukian “Privacy by design: The 7 foundational principles: Implementation and mapping of fair information practices” (2011), available at: <https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf> (last accessed 12 February 2018).
132 See Brownsword, R “Code, control, and choice: Why east is east and west is west” (2005) 25/1 Legal Studies 1 at 3–21.
133 R Leenes “Framing techno-regulation: An exploration of state and non-state regulation by technology” (series no 10/2012 Tilburg Law School Legal Studies Research Paper 149).
134 Jaap-Koops, B “Criteria for normative technology: The acceptability of ‘code as law’ in the light of democratic and constitutional values” in Brownsword, R and Yeung, K (eds) Regulating Technologies: Legal Futures, Regulatory Frames and Technological Fixes (2008, Hart) 157 at 158.
135 Brownsword “Code, control, and choice”, above at note 132 at 15–17.
136 K Yeung “Towards an understanding of regulation by design” in Brownsword and Yeung (eds) Regulating Technologies, above at note 134 at 79–107.
137 Jaap-Koops “Criteria for normative technology”, above at note 134 at 159.
138 Murray, AD The Regulation of Cyberspace Control in the Online Environment (2007, Routledge Cavendish) at 23.
139 See NIMC “Facts about the national electronic (e-ID) card”, available at: <https://www.nimc.gov.ng/facts-about-the-national-electronic-identity-e-id-card/> (last accessed 12 February 2018).
140 See C Coglianese and E Mendelson “Meta-regulation and self-regulation” (Penn Law School public law and legal theory research paper no 12–11) at 16.
141 See above at note 3.