SEC GUIDELINES: REVIEW OF THE PROPOSED OPERATING STANDARDS FOR DIGITAL CAPITAL MARKET OPERATORS IN NIGERIA

By Aderonke Alex-Adedipe and Chinomnso Sharon Okpo


Introduction

Information technology continues to significantly impact the development and growth of the capital market in Nigeria and the world over. In May 2022, the Securities and Exchange Commission (“SEC”), in an effort to ensure the integrity of information systems employed by capital market operators in digitizing their processes, issued the exposure draft on the Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators in Nigeria (“Proposed Guidelines”). The purpose of the Proposed Guidelines is to establish a standard of operational efficiency in the Nigerian capital market for operators using information technology to provide services, and to ensure security, confidentiality, integrity and reliability. The Proposed Guidelines provide the minimum requirements for the computing environment, Information Technology/Information System Management, Websites and Emails, Brokers, Custodians and Trustees, Registrars, and Clearing Houses.

This newsletter will analyze in summary some of the salient provisions of the Proposed Guidelines.

Applicability of the Proposed Guidelines

The Guidelines apply generally to, and are binding on, all categories of capital market operators (“CMOs”), except where they refer specifically to a particular category. Generally, SEC rules identify a CMO as one (either an individual or a company) who operates in the Nigerian capital market, either as an expert, a professional or in any other capacity whatsoever as may be determined by SEC, or carries on investment and securities business.

What are the Minimum Requirements for a Computing Environment?

The Proposed Guidelines require that all CMOs shall:

  1. maintain any one or a combination of client-server, cloud, distributed or time-sharing environments which suit their operations and business objectives.
  2. own and manage a private data center, or employ the services of a cloud service provider (“CSP”) for computing, storage and networking requirements. Where the CMO employs the services of a CSP, it shall conduct proper due diligence and ensure that the data security, governance and business policies of both parties align. The CMO must also be aware and always informed of the data privacy rules and regulations governing personal data in the jurisdiction where the CSP stores personal data.

These requirements are applicable to all electronic workstations, data storage devices, software applications and networks interfacing to support the processing and exchange of information for the business.

What are the Minimum Requirements for Information Technology/Information Systems (“IT/IS”) Management and Governance?

The Proposed Guidelines describe IT/IS as the interaction between humans and technology which is relied upon by an organization for the collection, storage, processing and transmission of information and digital products. For the effective management and governance of IT/IS, CMOs are required to observe the following:

  1. maintain an IT policy which is duly approved by the Board, and which shall be reviewed every 5 years.
  2. have an IT steering committee, established by the Board and chaired by the Executive Director, to provide IT/IS governance for the organization. The committee shall hold meetings at least once a month.
  3. operate a cybersecurity policy which shall conform to international best practices and be effective in ensuring the safety, confidentiality and reliability of the network, data, information systems and their underlying technologies.
  4. establish internal audit and risk management functions.

These requirements are applicable to all CMOs except Capital Market Consultants/Experts, sole proprietorships, and business names.

What are the Minimum Requirements for Websites and Electronic Mails?

SEC requires that a CMO shall:

  1. have a functional website which contains relevant and up-to-date information.
  2. ensure that content management of its websites is performed internally and not outsourced to third parties.
  3. own and register its own domain name.
  4. ensure that access to databases and backend systems is only possible from front-end web applications and not through the internet directly.

Capital Market Consultants/Experts, sole proprietorships and business names are also exempt from meeting these requirements.

In addition to the above, Brokers, Registrars, Central Securities Depositories and Clearing Houses, Custodians and Trustees are also required to have websites and web applications that allow their clients/investors to securely create and manage their accounts/profiles online, make enquiries and receive customer support.

Conclusion

Considering the ever-increasing need and reliance on information technology by Capital market operations, and the evolving nature of technological trends, the Proposed Guidelines is of utmost importance in establishing and ensuring that the vast benefits of the use of technology open to the market operators are fully harnessed without fear of cybercrimes and other security risks associated with the use of technology.

REGULATORY COMPLIANCE CHECKLIST FOR STARTUPS IN NIGERIA

By Seun Timi-Koleolu and Adedolapo Arisoyin


Introduction 

Startups wishing to operate with ease and avoid sanctions from regulators must pay attention to compliance and ensure that they understand regulations in countries in which they operate.

A few startups in various jurisdictions have suffered reputational damage as a result of their failure to understand regulations and properly comply.

In view of this, we have set out below a preliminary compliance checklist for startups operating in Nigeria.

 

Each entry below sets out the Regulatory Authority, the Regulation, the Requirement, the Details of requirement, the Timeline and the Penalty for non-compliance.

Regulatory Authority: Corporate Affairs Commission
Regulation: Companies and Allied Matters Act (CAMA)
Requirement: Incorporation and filing of annual returns
Details of requirement: Startups are required to:
i) be incorporated in Nigeria; and
ii) file annual returns regularly.
Timeline: Startups are required to:
i) incorporate their company before commencing business in Nigeria; and
ii) file their annual returns within 18 months of incorporation of the company in Nigeria and subsequently on an annual basis.
Penalty for non-compliance: Startups who fail to file their annual returns shall be required to pay an additional N3,000 or N5,000 fine for each year of non-compliance depending on whether the company is a small or large company.

Regulatory Authority: Nigeria Social Insurance Trust Fund (NSITF); National Pension Commission (PENCOM)
Regulation: Employee Compensation Act, 2020; Pension Reform Act (PRA), 2014
Requirement: Employment matters
Details of requirement: Startups are required to:
i) contribute 1% of their employee monthly payroll to NSITF; and
ii) upon the employment of 3 or more employees, deduct and remit monthly pension contribution (employee – 8% and employer – 10%), with an approved Pension Funds Administrator (PFA).
Timeline: Startups are required to remit:
i) the 1% contribution to the NSITF within 2 years of commencement of its operations, and subsequently every year; and
ii) pension contribution with an approved PFA not later than 7 days of payment of salary every month.
Penalty for non-compliance: Startups who fail to remit the statutory contribution to NSITF shall be required to pay a fine of at least 2% of the amount due to be remitted, in addition to the amount to be paid. Penalties for failure to remit pension contribution by a startup vary from cautions and monetary penalties to imprisonment, depending on the duration of non-compliance.

Regulatory Authority: Federal Inland Revenue Service (FIRS); State Inland Revenue Service (SIRS)
Regulation: Finance Act, 2019 & 2020; Companies Income Tax (CIT); Value Added Tax (VAT)
Requirement: Taxation
Details of requirement: Startups are required to file and remit:
i) Companies Income Tax; and
ii) Value Added Tax.
Timeline: Startups are required to:
i) file CIT within 18 months of incorporation, and subsequently on or before June 30 of every year; and
ii) remit VAT monthly to the FIRS on or before the 21st day of every month.
Penalty for non-compliance: Failure to:
i) file CIT attracts a penalty of N25,000 for the first month and N5,000 for each subsequent month; and
ii) remit VAT attracts a payment of fine of 5,000 for every month of default.

Regulatory Authority: National Information Technology Development Agency (NITDA)
Regulation: Nigerian Data Protection Regulation (NDPR) 2019
Requirement: Data Protection
Details of requirement: Startups that process data of up to 1,000 data subjects within 6 months are required to:
i) submit to an annual audit; and
ii) file the report of such audit, amongst other requirements.
Timeline: The audit report is to be filed not later than the 15th day of March of every year. (Please note that NITDA at its discretion could extend the deadline for submission of the report.)
Penalty for non-compliance: Payment of fine of 2% of the annual gross revenue of the preceding year or payment of 10 million naira, whichever is greater, depending on the number of data subjects dealt with.

Regulatory Authority: Federal Ministry of Industry, Trade and Investments
Regulation: Trademarks Act, Cap T13, Laws of the Federation of Nigeria
Requirement: Brand Protection
Details of requirement: Although this is not a requirement, it is advisable that startups register their intangible assets which include: brand names and marks; patents; and copyrights.
Timeline: Trademark registrations are valid for 7 years and renewable subsequently every 14 years.
Penalty for non-compliance: Although there is no penalty for non-compliance, it is essential that startups protect their trade/brand names and marks by registering them so as to enjoy a priority status on such marks.

Regulatory Authority: Financial Reporting Council of Nigeria
Regulation: The Nigerian Code of Corporate Governance 2018
Requirement: Corporate Governance
Details of requirement: Set up a board of directors of a sufficient size to effectively undertake and fulfil its business and to constitute a quorum.
It is good practice for startups to set up a board of directors consisting of experienced and knowledgeable persons to assist in overseeing its affairs and providing advice where necessary, as this boosts investor confidence.

It is important to note that certain licenses and permits are required to successfully commence operations in specific industries. A few of these are set out below.

  1. Some licenses required to operate in the fintech sector include: switching and processing license; mobile money operator license; digital crowdfunding intermediary license; digital banking license etc. Please note that the license to be obtained depends on the fintech service to be provided by the startup.
  2. Some licenses required to operate in the insuretech sector include: web aggregators license, micro insurance license; life insurance license; general insurance license etc.

Conclusion

The consequences of non-compliance with stipulated regulations in Nigeria may be rather steep, as it may hinder the smooth operations and growth of a startup.

It is important that startups understand the regulatory terrain they wish to operate in; take necessary measures to ensure compliance; and engage the services of a skilled lawyer to properly advise.

FINTECH REGULATION IN NIGERIA: REVIEW OF PROPOSED DIGITAL FINANCIAL SERVICES AWARENESS GUIDELINES

By Aderonke Alex-Adedipe and Feyijuwa Akinyanmi

 

Introduction
On July 5, 2022, the Central Bank of Nigeria (“CBN”) issued an exposure draft of its Digital Financial Services Awareness Guidelines (“Draft Guidelines”). The Draft Guidelines were issued in cognizance of the increase in the provision and use of digital financial services in Nigeria, majorly impacted by the Covid-19 virus. The Draft Guidelines provide a set of principles and requirements that digital financial service providers (“DFSPs”) are required to comply with in the provision of digital financial services to customers.

Today’s newsletter briefly highlights the scope of the Draft Guidelines and the principles laid down for DFSPs.

What are Digital Financial Services?
The Draft Guidelines define digital financial services as services delivered to consumers through digital channels irrespective of whether or not they are offered by banks. Such services include electronic money services, mobile financial services, online financial services, branchless banking, i-teller services etc.

Which businesses would the Draft Guidelines apply to?
The Draft Guidelines apply to:
(i) Deposit Money Banks;
(ii) Merchant banks;
(iii) Payment service banks;
(iv) Other Financial Institutions; and
(v) Other payment service institutions licensed by the CBN.

What are the Principles laid down in the Draft Guidelines?
The Draft Guidelines require DFSPs to comply with the following principles:

1. Customer Awareness and Education: DFSPs should ensure easy access to information on their product offerings and provide necessary information to their customers to enable them to differentiate between digital financial services offerings and conventional banking products. The Draft Guidelines also require DFSPs to develop educational materials regarding their services for prospective and existing customers and circulate such materials through Short Message Services (SMS), Unstructured Supplementary Service Data (USSD) etc. upon prior review by the CBN.

2. Disclosure, Transparency and User Privacy: This principle requires DFSPs to disclose the terms and conditions of their services (including all fees and applicable charges) to customers prior to subscription. They are also required to ensure data privacy in their processes and put measures in place to enable customers easily “opt-out” from sharing data with third parties.

3. Product Usability and Market Testing: DFSPs are to test the usability of their products and modify their products to reduce transaction errors. In addition, DFSPs are to provide consumers with reliable and easily accessible customer support channels.

4. Fraud Prevention and Risk Management: The Draft Guidelines require DFSPs to educate their clients on how they can protect their assets against potential fraud and share general fraud prevention tips to their customers in local languages.

5. Awareness and Access to Redress and Complaints Handling: DFSPs are required to include information on service levels and customer complaint channels on their subscription materials and conduct periodic training for staff responsible for handling complaints.

6. Monitoring and Evaluation: DFSPs are required to put strategies in place to assess their policies on consumer awareness. They are also required to submit bi-annual and monthly returns on their strategies and performance measures; and consumer awareness initiatives respectively to the CBN.

Conclusion
The Draft Guidelines complement the existing obligations of DFSPs which are provided for in other guidelines and regulations issued by the CBN and other regulatory agencies. They primarily seek to ensure the commitment of DFSPs toward data privacy, financial literacy and consumer protection.

REGULATORY UPDATE: CYBERSECURITY FRAMEWORK AND GUIDELINES FOR FINANCIAL INSTITUTIONS IN NIGERIA

By Seun Timi-Koleolu and Eustace Aroh

Introduction

On June 29, 2022, the Central Bank of Nigeria (“CBN”) issued the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions (the “Framework”). This was issued in furtherance of the CBN’s commitment to ensure the security of the banking sector. The Framework contains cybersecurity programs and mechanisms designed to combat modern cyberattacks that financial institutions face.

We have highlighted in this article the salient provisions of the Framework.

Who is affected?

The Framework provides the minimum level of cybersecurity for all Other Financial Institutions (“OFIs”). Under the Bank and Other Financial Institutions Act 2020 (“BOFIA”), OFIs are defined to include all Discount Houses, Bureau de Change, Credit Bureau, Finance Companies or Money Brokerage, International Money Transfer Services, Mortgage Refinance Companies, Mortgage Guarantee Companies, Credit Guarantee Companies, Financial Holding Companies.

It is pertinent to note that though the BOFIA defined Payment Service Providers (“PSPs”) as OFIs, it appears that PSPs are not covered by this Framework.  PSPs are, however, regulated under the 2018 CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers.

What are the salient provisions of the Framework?

  1. Cybersecurity Governance and Oversight: OFIs are required to establish cybersecurity governance which includes:
     a. ensuring cybersecurity is a standing agenda in the Board meetings and Senior Management meetings of all OFIs;
     b. ensuring a quarterly report on the cybersecurity status of the OFI is prepared by the Senior Management and reviewed by the Board of Directors;
     c. preparing a cybersecurity framework which will be submitted to the Director of Other Financial Institutions Supervision Department of the CBN (the “Director”).
  2. Appointment of a Chief Information Security Officer (CISO): Every OFI is required to appoint a CISO who shall be primarily responsible for the day-to-day cybersecurity activities. However, for small OFIs such as Unit Tier 2 MFBs, the head of IT or a part-time consultant may be appointed as the CISO.
  3. Establishment of an Information Security Steering Committee (ISSC): All OFIs with over 30 employees are required to establish an ISSC responsible for enforcing policies developed to manage cybersecurity risks in the organisation. For OFIs with less than 30 employees, the responsibility of the ISSC can be carried out by a relevant management committee provided that the CISO shall be a member and shall lead all cybersecurity issues.
  4. Implementing a Cybersecurity Risk Management System: Each OFI is required to implement a cybersecurity risk management system based on the threats, vulnerability and tolerance of the OFI.
  5. Resilience Assessment and Internal Audits: OFIs are required to conduct regular Cybersecurity Resilience assessments and internal audits to mitigate the risk exposure and ascertain the adequacy of the cybersecurity measures in place.
  6. Returns to the CBN: A report of the cybersecurity self-assessment signed by the CISO shall be submitted every year on or before March 31 to the Director. OFIs are also required to promptly report all potential cyber-threats to their information assets to the Director.
  7. Compliance with other CBN Guidelines: OFIs are to ensure compliance with all other CBN directives and all relevant laws including the Cybercrimes (Prohibition, Prevention etc) Act 2015.

Conclusion

The Framework is set to become fully effective from January 1, 2023. OFIs are, however, advised to commence implementing the requirements of the Framework now to ensure full compliance by the effective date.

NEGOTIATING KEY PROVISIONS IN A SIMPLE AGREEMENT FOR FUTURE EQUITY (“SAFE”)

By Aderonke Alex-Adedipe and Karo Isiorho

In a previous article, we discussed what it means to raise capital through a Simple Agreement for Future Equity (“SAFE”). The SAFE was introduced in 2013 by Y Combinator (YC)[i] and has since been used by Startups as the main instrument for early-stage financing.

This article summarizes some key provisions which should be considered by the investors and Startups in the course of negotiating a SAFE. Some of these are highlighted below.

A. MATURITY DATE

SAFEs generally do not have a fixed maturity date for investors to recoup. Therefore, investments only yield returns when there is an occurrence of a triggering event, such as a liquidation, merger, future priced round, etc. In view of this fact, there are generally four (4) provisions which determine the returns on investment of a SAFE investor. They are:

i. Discount, No Valuation Cap;

ii. Valuation Cap, No Discount;

iii. Valuation Cap and a Discount; and

iv. Most Favoured Nations (MFN) No discount; No Valuation Cap.

B.  DISCOUNT, NO VALUATION CAP

A SAFE with a discount rate gives an investor a bonus for investing in the Startup at its early stage by providing a discount on the price of the investor’s shares when such shares are valued during a subsequent priced round. This is done with the belief that the shares of the Startup will increase in value and be sold at a higher price to future investors. When this occurs, the earlier investor is entitled to have his shares converted at a lower rate than future investors.

A practical example is as follows: Investor A gives the Startup N10,000,000 and the SAFE specifies that the investment is subject to a 50% discount. By implication, Investor A will be entitled to purchase shares from the Startup at a 50% discount from the price sold to other investors at the subsequent priced round. Therefore, if the Startup later sells at N2 per share, Investor A’s investment will convert to shares at N1 per share (50% off).

C. VALUATION CAP, NO DISCOUNT

While a discount offers investors a percentage off, a valuation cap imposes a limit on the value of the shares of the Startup by setting a maximum value of the shares of the Startup at which an earlier investor’s SAFE will convert to shares. Simply put, it is a renegotiated amount stated in the SAFE at which the early investor will purchase the Startup’s shares in the future notwithstanding where the value of the shares has increased beyond the “Cap”. This protects an early investor where the company’s worth skyrockets.[ii]

For example, where the SAFE sets an investor’s valuation cap at N50,000,000 and the Startup subsequently raises funds when it is valued at N100,000,000, the early investor will be entitled to convert his SAFE at a share price equivalent to N50,000,000, as if the Startup was valued at that Cap. Investors would, therefore, typically negotiate a lower cap compared to a higher one as it offers them a higher percentage ownership in the Startup.

D. VALUATION CAP AND A DISCOUNT 

Some SAFEs have both a valuation cap and discount. If this is the case, the investor’s shares will convert under the provision that offers a greater benefit for the investor. Although both provisions can be used in a SAFE, they cannot apply simultaneously to the benefit of the investor. Most investors prefer to have both a valuation cap and a discount as it provides them an option of choosing the terms upon which their shares will convert in the future.

E. MOST FAVOURED NATION, NO CAP, NO DISCOUNT 

Finally, it is possible to issue a SAFE with no valuation cap and no discount rate, but with a Most Favoured Nation (MFN) provision. This implies that where the Startup subsequently issues another SAFE with more advantageous provisions to a future investor, the earlier investor will be entitled to the same benefits of the later SAFE. It is worthy of note, however, that an MFN provision only offers a single opportunity to amend the provisions of the SAFE, unless the later SAFE also includes an MFN provision.

CONCLUSION

SAFEs are flexible and generally easier to negotiate compared to other forms of financing. It is important to note, however, that a SAFE does not guarantee the conversion of an investor’s equity in a Startup. Despite the identified triggers for conversion of the SAFE, there may be scenarios where the triggers do not occur and the SAFE is not converted, leaving the investor with less than his investment.

[i] https://www.ycombinator.com/documents

[ii] What Purpose Does “Valuation Cap” Serve in a Simple Agreement for Future Equity? https://www.parsalaw.com/what-purpose-does-valuation-cap-serve-in-a-simple-agreement-for-future-equity