A fatal error by NIBSS worsened Flutterwave's ₦21 billion glitch  

·
September 20, 2024
·
3 min read
Digital representation of a Flutterwave and NIBSS building side by side

In October 2023, Flutterwave suffered a glitch that led to a ₦21 billion ($26 million as of 2023) loss. However, an investigative report seen by Techpoint Africa, shows that an error by Nigeria Inter-Bank Settlement System (NIBSS), worsened the fintech's losses.

The investigation was triggered by a question, "why did the NIP (NIBSS Instant Payment) system allow the transaction to flow through even though the amount involved exceeded the daily settlement limit?"

Interestingly, the answer to this question is that someone at NIBSS increased Flutterwave's daily settlement limit from ₦7 billion ($4.2 million) to ₦21 billion ($26.6 million) and forgot to reset it for three months.

Settlement happens when financial institutions (FIs) settle debits and credits.  

Advertisement

For context, instant payments are possible because records of debits and credits are kept while the actual movement of money from one bank to another is deferred. This money movement is called settlement.

Experts who spoke to Techpoint Africa said deposit money banks, like Access Bank and Guaranty Trust Bank, have no settlement limits. This is because these institutions have something called guaranteed collateral with the Central Bank of Nigeria (CBN); essentially, they are directly connected to the CBN.

Other FIs, especially fintechs like payment solution service providers (PSSPs), microfinance banks, and mobile money operators, do not have this direct connection to CBN, so they need a settlement bank, which creates a settlement limit based on their risk appetite.

Flutterwave's settlement bank is Wema Bank, and on June 23, 2022, the bank sent a letter to NIBSS to reduce Flutterwave's settlement limit from ₦10 billion to ₦7 billion. This instruction raises the question of how Flutterwave's settlement limit increased to ₦21 billion.

Internal investigations at NIBSS reveal that the limit increased when Flutterwave was moved from a static limit to a dynamic limit.

Don't miss out on Africa's financial revolution

Keep up with the rapid pace of innovation in Africa's fintech landscape with Fintech Today. Designed for quick consumption, our exclusive newsletter, trusted by over 1,000 industry leaders, delivers the latest insights, trends, and breakthroughs right to your inbox.
Fintech Today

Give it a try, you can unsubscribe anytime. Privacy Policy.

However, the interesting thing about these terms is that they do not particularly exist. A source with knowledge of the matter told Techpoint Africa that less than five people within the organisation know about the static and dynamic limits.

According to the report, "there was no approved documentation where institutions were categorised into static and dynamic settlement limits.

"Our review of the team’s SOP and Operations policy document did not show anywhere where this operationalization was documented. Also, the terms "static" and "dynamic" limits were not documented within any process flow. Hence, this aspect was not included in Internal Control’s routine review."

Notable sources within FIs also said they didn't know about static and dynamic limits.

The report further noted that the static limit will not change on weekdays, weekends, or public holidays. That means the dynamic limit, on the other hand, will remain the same on weekdays but can change on weekends and public holidays.

Moving an FI from static to dynamic requires manually updating an SQL script. While the report said that this is done by a team, a source close to the company said it is done by only one person who knows the static and dynamic limits.

The source said this person moved Flutterwave from static to dynamic around June 2023. According to the report, this was done to accommodate a request to change Flutterwave's limit, although it was revealed who made the request.

Unfortunately, Flutterwave's institution code was missed when it was time to revert to weekday limits, and the reversal was not done for three months during which the glitch leading to the ₦21 billion loss happened.

"The total transactions happened within two settlement cycles, the reason why the total exposure exceeded ₦21B. The Settlement limit monitoring tool cut off Flutterwave at ₦19Bn, which represented approximately 90% of the limit maintained."

One too many glitches and hacks

It was revealed in February 2024 that Flutterwave got a court order to recover $24 million lost to unauthorised POS transactions.

“In 2023, we discovered that certain POS device merchants abused their access by conducting unauthorized transactions. In response to this, we temporarily suspended the accounts where funds were improperly transferred,” said Flutterwave.

It also said these unauthorised transactions were due to a glitch it noticed on October 10, 2023.

Techpoint Africa reached out to the fintech for comments, but hadn't gotten one as of the time of this publication. NIBSS did not respond to our request for clarity on the settlement error limit.

Meanwhile, Flutterwave has been in the news for several breaches with substantial losses since 2023. From a $3.7 million loss in March 2023 to $7.3 million loss in 2024, it has seen one of the highest reported fraud cases by a Nigerian fintech.

There are rumours of NIBSS becoming the central switch, but considering its culpability in one of these cases and how much of a problem fraud is, one wonders if this is a wise move.

He's a geek, a sucker for Blockchain and an all-round tech lover. Find me on Twitter @BoluAbiodun1.
He's a geek, a sucker for Blockchain and an all-round tech lover. Find me on Twitter @BoluAbiodun1.
Subscribe To Techpoint Digest
Join thousands of subscribers to receive our fun week-daily 5-minute roundup of happenings in African and global tech, directly in your inbox, hours before everyone else.
This is A daily 5-minute roundup of happenings in African and global tech, sent directly to your email inbox, between 5 a.m. and 7 a.m (WAT) every week day! 
Digest Subscription

Give it a try, you can unsubscribe anytime. Privacy Policy.

He's a geek, a sucker for Blockchain and an all-round tech lover. Find me on Twitter @BoluAbiodun1.

Other Stories

43b, Emina Cres, Allen, Ikeja.

 Techpremier Media Limited. All rights reserved
magnifier