¶ Presenting Digital Credentials at a Bank
In order to assure a holder of a NIN (called the ID Holder) of whom is verifying their identity, who requires it, where the data will be used and where it will be stored, the National Identity Management Commission now requires all Banks to:
- Apply directly to the National Identity Management Commission (NIMC) and apply for Enterprise Credentials, which will include a Long ID (in the form s.879FrG68EBddiXfYfEZ2Eehn or a7ad4e2e-f2b1-44b8-af98-c493c298fc84) and a short ID (in the form 688273)
- display the LongID in Banking Halls (roll up Banners, or Customer Service desks) stating the name of the Bank, its logo and a QR Code containing the Long ID.
- also display, the ShortID should be bold and legible under the QR Code of the banner or other display mechanism
- advise the customer that they may be required to generate a Virtual NIN for the Bank in question.
- purchase verification credits either directly from the NIMC, or any one of its accredited resellers. This may include what is known as “Redemption Codes”, which are bulk credits which may be redeemed by a single code, specifically for the Bank - and is NON-TRANSFERABLE.
¶ Why The Virtual NIN?
The Banking Industry is very familiar with Tokenization. The concept is to protect sensitive and highly valuable information (such as a Credit Card PAN) by replacing the real PAN with a pseudonymous token, which must also conform to certain criteria (including encryption and the Luhn checksum digit).
The NIMC is thus protecting the NIN from proliferation, data harvesting, illegal data persistence and unauthorised verification lookups, by ensuring that the ID Holder has a say in who may verify their Identity and have an idea as to when that verification was done.
The Virtual NIN is thus a Tokenized version of the NIN, with a lifecycle and ‘welded’ to the Relying Party (discussed below) that it is issued to - and no one else.
As the Financial Sector uses the Luhn checksum to validate a PAN entry, likewise the Virtual NIN uses ISO/IEC 7064, MOD 1271-36 to validate a Virtual NIN before submission.
¶ Digital Credentials
The new digital credentials issued to all holders of the National Identification Number (NIN), which are in ‘active’ status, are discussed extensively under The New Digital Credentials.
¶ Consumer (peer-to-peer) vs Enterprise
It is important to fully understand and appreciate what is permitted and what is not as it relates to the new Digital Credentials.
¶ User Consent
¶ Preamble
In the eyes of the NIMC, User Consent shall include:
- Providing the ID Holder with information of what information is required of them
- Where the information will be stored
- Providing the ID Holder with notification of the Verification transaction, which shall include (without exception), the UserID of the natural person carrying out the verification on behalf the Relying Party.
- Full transparency and accountability of who did what and when.
¶ Actors
- NIN: National Identification Number issued to a natural person who has enrolled and been issued an 11-digit Number. This NIN shall, in the context of Tokenization, be called the “RAW NIN”. The Raw NIN shall not include a NIN issued to a person by virtue of having been issued a Bank Verification Number (BVN)
- ID Holder: A person issued an Active RAW NIN
- Virtual NIN: A 16-digit alphanumeric digital token issued BY the ID Holder FOR the specific Bank in question.
- The NIMC: Custodian of Personal Identity of NIN Holders, and the Regulator of Identity Management in Nigeria.
- Relying Party: A Bank/Financial Institution, being a non-natural person who wishes to verify the Identity of an ID Holder as a part of Due Diligence or Know-Your-Customer processes and procedures.
- Verification Agent: A natural person, representing and duly authorised by the Relying Party to carry out and/or request Personally Identifiable Information (PII) of an ID Holder. This person MUST, without exception, be in possession of a UserID (which may be obtained via the NIMC MobileID Application) and be onboarded by an Administrator of the Relying Party, who has the responsibility to manage Verification Agents.
There is a full Enterprise Resource, distinct and separate from the Consumer MWS interfaces. This has been specifically designed and optimised for High-performance, highly-responsive and high volume transactions. This Enterprise Resource is readily available and online.
¶ Virtual NIN Generation
A Virtual NIN may be obtained in 3 Easy steps as illustrated below.
- The RAW NIN is only required by the ID Holder during onboarding on the NIMC MWS MobileID and is NOT required for the issuance of the Virtual NIN.
- The Virtual NIN may ONLY be generated by the ID Holder (using either the MWS MobileID app or via a USSD call using the Trusted Number, known to the NIMC). No other person may generate the Virtual NIN, not even by proxy.
¶ Discontinuation of Raw NIN Verifications
From a date to be determined by the Federal Government, no entity, bank (proxy, representative or otherwise), will be permitted to store, request or persist any personally identifiable information (PII) of a person who has been issued a National Identification Number (NIN).
In its place, each customer of the Bank must present a Virtual NIN issued by that person on behalf of the Bank in question - and not a proxy.