NFIU official: ‘‘the impact of the data breach and the possible far-reaching implications for Nigeria,’’
NITDA: ‘‘In as much as the action is condemned, NITDA will have to investigate and revert soon’’
With the ongoing investigation of the suspended Acting Chairman, Economic and Financial Crimes Commission (EFCC), Ibrahim Magu, data breach and destruction of certain vital documents and sensitive data that could aid the investigation at the Nigeria Financial Intelligence Unit (NFIU) Office in Abuja, Nigeria, might actually be in trouble with the Egmont Group, Financial Action Task Force (FATF) and GIABA over this. Adedayo Adejobi writes about a potential suspension or expulsion from the group, and its attendant effect on international business, importation, domestic and international transactions, foreign trade, and why Nigeria’s Financial Intelligence Unit may be under the sledge hammer again….
The data breach incident at the NFIU portends a dangerous step considering the fact that Nigeria has earlier been suspended because of operational negligence and data breach in the past. The report that a breach has occurred at the NFIU beats one’s imagination as to how that may have occurred without insider knowledge, especially at a time the Anti-Corruption Czar is being grilled on grounds of money laundering, theft and corruption.
The world over, and, ideally, the NFIU’s security should be more water-tight than the Central Bank of Nigeria, CBN, going by the sensitivity of intelligence and the fact that it warehouses the information of all financial transactions in the world. To have allowed anyone break into the NFIU and cart away data, not only puts Nigeria in a bad light, but it also scandalises Nigeria.
Nigeria, through the Nigerian Financial Intelligence Unit(NFIU), became a member of the Financial Intelligence Units (the Egmont Group). The group is an international anti-corruption body consisting of the Financial Intelligence Units (FIUs) of countries that are signatories to its charter. Nigeria was the first country in Africa to sign up to the charter. With this, it plays a crucial role in the fight against money laundering, terrorism financing, illicit flow and other financial crimes.
The group serves as the operational arm of the International Anti- Money Laundering and Counter Finance Terrorism apparatus. The primary purpose of the Egmont Group is to provide a platform for secure exchange of financial intelligence between and among its member FIUs.
In 2017, the Nigeria Financial Intelligence Unit (NFIU), an arm of the Economic and Financial Crimes Commission (EFCC), was suspended from the group at a plenary of the Heads of FIUs in Macao on July 5, 2017 on the grounds that Nigeria was leaking confidential information obtained from the group (specifically information relating to the status of suspicious transaction report details and information derived from international exchanges) to the media, and was using the confidential information obtained from the Egmont Group to blackmail individuals and politically exposed persons (PEPs).
Although the allegations were investigated, it, however, triggered the placement of the NFIU on the Egmont Group support and compliance process, which necessitated a review of the entire compliance process, requirement and architecture of the NFIU. The petition to the group further strengthened resolve and heightened the groups concerns over the autonomy of the NFIU.
The Egmont Group is an informal network of 154 national FIUs which provides a platform for the secure exchange of expertise and financial intelligence to combat money laundering, the financing of terrorism and other related offences. On the other hand, the NFIU helps tackle money laundering and monitor financial flows, a task eased by its membership of the group whose members share intelligence relating to illicit flow and international finance.
What happened to NFIU three years ago is not strange or peculiar to Nigeria. The Egmont Group is not averse to having FIUs domiciled in law enforcement organisations except for a few that are stand alone. It recognises that an FIU must be a clear cut dichotomy of its functions and operations in the larger entity. With that resolve to address the concerns of the Egmont Group, suspended Magu inaugurated a committee to reposition the NFIU.
NFIU, the agency that investigated all the allegations of financial malfeasance against Magu, was only recently severed from the EFCC, with the suspended Chairman, Magu demoted its former Director, Francis Usani, on grounds of autonomy – a matter which was kept away from the prying eyes of the media.
When THISDAY reached out to the Head Corporate Communications, National Information Technology Development Agency (NITDA), Hafiza Umar, he initially declined to comment but linked up the reporter to its Director, Vincent Olatunji. Barely minutes after the rather brisk phone conversation, Umar confirmed NITDA’s position and next line of action through a text message: “In as much as the action is condemned, NITDA will have to investigate and revert soon.”
A close source at the FIU that spoke to THISDAY on anonymous grounds confirmed that the data breach has wisely been reported to the Egmont Group and it awaits its questioning of the integrity of its systems protection – physical and otherwise, recommendations and decision, whilst investigation to get to the root of the data breach heightens at the NFIU.
Speaking on the impact of the data breach and the possible far-reaching implications for Nigeria, an official and close source in the agency that spoke on anonymous grounds said, ‘‘this break-in portrays a dangerous trend for Nigeria in international circles. It could jeopardise our membership of the Egmont Group and negatively affect global perception of our ability to conform to best practices when it comes to Data Protection and Privacy and combating money laundering, terrorist financing, proliferation financing and all other criminal activities which the NFIU plays pivotal roles.”
Another very notable figure in Nigeria’s Compliance, AML/CFT industry and a close inter-government official, who also spoke on anonymous grounds, said, ’Every FIU has a secure data site, and apart from what is stored in their computers physically, they would have backups in other places and also use cloud storage. I do not think if anything has happened there, it’ll be a major breach. But it’s advisable they have backups. But they would be working with other agencies of government relevant to data protection. Usually, I don’t think anyone working at the data protection unit of the FIU should have anything to worry about. This is a security breach and I do not think they’ll have such a database without backup. Even if you have physical destruction of facilities, you cannot go to the could to destroy the could.”
Ex-raying how the Egmont Group measures a data breach, information protection against criminal or unauthorised use, in data security, there is CIA triad, -Confidentiality, Integrity and Availability. These security steps to guide cybersecurity policies, as automotive systems and related infrastructure must be protected against deliberate compromise of confidentiality. Confidentiality ensures that data exchanged is not accessible to unathorised users who could be applications, processes or humans. The more sensitive the data, the higher the confidentiality.
Integrity is the ability to ensure that a system and its data have not suffered. In this case of the NFIU, proper investigations by the authorities would answer the integrity of the data.
Availability guarantees that systems, applications and data are available to the users when they need them.
With this breach, the questions that beg for answers are many: are NFIU Data still confidential or compromised and available?
The first principle is at play in Nigeria’s case because it can solve the problem of integrity, but not confidentiality and availability.
The Egmont Group which constitutes the highest inter-governmental association of financial intelligence agencies in the world, and suspension from the Group could have adverse implications for any country, Nigeria inclusive.
If as a result of Nigeria’s suspension again from the group, it can no longer exchange and receive sensitive financial information from other member countries. It would also be denied access to vital intelligence and information on money laundering, financing terrorism, the proliferation of arms, financial crimes and related offences aimed at supporting local and international investigations, prosecutions and asset recovery. If expelled, Nigeria would suffer a blacklist in the global finance sector and Nigerian banks will be unable to issue MasterCard and visa/credit/debit cards while card transactions with Nigerian originated cards will be blocked, meaning that Nigerians would not be able to carry out foreign transactions.
Given the fact that Egmont Group is noted not to joke with the breach of its data, and that a breach of the NFIU is a breach of Egmont data. At the NFIU, nobody’s hand is clean in the whole scheme, everyone is a suspect.
Most crucial is the fact that NFIU has breached the law and global best practices. The imminent threat of Nigeria’s expulsion from the Group and the projected impact of such expulsion could affect Nigeria’s FAT-F ratings, the long-awaited report of the mutual evaluation done last year September, which is currently under review under finishing touches.
At the moment, it hasn’t been discussed at the FATF Plenary. With the turn of events at the NFIU, the fortunes of Nigeria at FAT-F hangs on the balance. If Nigeria becomes downgraded by rating, that would be too bad for the country.
Hence, the is need to accelerate a speedy, clear- cut investigation into the operations of the NFIU and the data breach and strong recommendations to forestall a recurrence.