‘Re-allocated SIMs must be de-linked from ex-users to curb frauds’

CDO Lotus Bank, Akinlabi G. Adegoke

For years, the Nigerian financial ecosystem has operated on a ‘do not disturb’ philosophy, placing the burden of security squarely on the shoulders of the consumers. But in a landscape where a stolen mobile phone or a recycled Subscriber Identity Module (SIM) card can liquidate a life’s savings in minutes, customer education is no longer a sufficient shield. The ‘attribution gap’ is widening. When fraud occurs, banks point at telcos, telcos point at banks, leaving the customer stranded in the crossfire. In this interview, ADEYEMI ADEPETUN engaged the Chief Digital Officer, Lotus Bank, Akin Adegoke, beyond the surface-level talk of PINs and OTPs and looked at the technical and regulatory handshakes required to turn a SIM card into a secure financial ID. 

How can we implement a real-time Application Programming Interface (API) handshake between banks and telcos to flag newly recycled SIMs before a transaction is authorised?

The solution is in coordination, not more customer warnings. Banks and telcos should establish a secure, real-time notification system where any SIM swap or number reassignment automatically triggers a status update to the linked bank.

Before authorising sensitive transactions, the bank should be able to confirm whether the SIM has been recently recycled. If it has, the system can temporarily step up authentication or restrict high-risk activity. This does not require reinventing infrastructure. It requires agreed standards, shared responsibility and regulatory backing to make real-time information exchange mandatory rather than optional.

In the event of a dormant SIM reassignment (where the previous owner doesn’t de-link their BVN), what automated fail-safes can the digital banking core trigger to freeze high-risk USSD movements?

If a SIM is reassigned without the previous owner de-linking their Bank Verification Number (BVN), the bank’s system should automatically treat that number as high-risk the moment its status changes. Digital banking cores can trigger a temporary freeze on high-value Unstructured Supplementary Service Data (USSD) transfers, block profile changes, and require stronger re-verification before any sensitive transaction is approved. This should be automatic, not customer-driven. Once a SIM tenure is reset or a swap is detected, risk controls must activate immediately to protect the account until identity is properly confirmed.

While mandatory personal identification numbers (PINs) for all USSD steps add friction, how do we balance ‘UX-killing’ security with the reality that most Nigerian fraud stems from stolen handsets, where the session is already open?

Security must reflect real behaviour, not ideal behaviour. In many fraud cases, the handset is already in the wrong hands, and the session is open, so a single-entry PIN at the start is not enough. The balance is simple: require PIN confirmation at every value-moving step, not for basic enquiries. Checking a balance can remain simple, but transferring funds or changing account details must always require fresh authentication. Convenience should never override protection where money is involved. The goal is smart friction, not blanket friction.

Given that USSD is often used by the most vulnerable segments, how can we implement ‘Adaptive PINs’ without complicating the underlying GSM protocol?

Adaptive PINs work by moving the intelligence to the bank’s systems, not the GSM network. The bank can flag high-risk transactions, like new beneficiaries, large transfers, or recently reassigned SIMs, and require a PIN only in those cases. Routine actions, like checking balances or buying airtime, remain simple. This keeps USSD easy for everyday users while ensuring protection kicks in only when the risk is real.

If we treat the SIM card as a ‘Financial ID’ equivalent to a hardware token, what infrastructure shifts are required to move from basic SMS OTPs to encrypted, SIM-applet-based authentication?

Treating the SIM as a Financial ID means authentication moves from SMS to the SIM itself. Banks and telcos need to issue SIMs with embedded applets capable of generating encrypted OTPs or signing transactions. Core banking systems must integrate with these SIM-based credentials for verification. It’s a shift from “what you know” to “what you hold,” making transactions inherently more secure without relying on vulnerable SMS channels.

How can Nigerian banks collaborate to lobby for a ‘SIM-as-Identity’ regulatory framework that penalises telcos for unauthorised swaps, effectively treating a SIM breach as a bank vault breach?

Banks can come together under industry associations to define clear standards for SIM-as-Identity. They should present regulators with evidence showing the financial risk of unauthorised swaps and propose liability rules that hold telcos accountable for failures. Framing a SIM breach as equivalent to a vault breach makes the stakes clear and drives joint responsibility, creating a framework where both banks and telcos are incentivised to prevent fraud.

As we push for more automation, how do we solve the ‘attribution gap’, where banks blame telcos and telcos blame banks, leaving the customer as the sole victim of SIM-based fraud?

The attribution gap closes when responsibility is shared, not shifted. Banks and telcos need a joint fraud-monitoring system with real-time reporting and agreed investigation protocols. Every SIM-based incident should trigger coordinated verification, ensuring the customer is protected immediately. Accountability must be built into the process, so blame does not fall on the customer, and both parties act to prevent losses.
