REGULATION | The Latest 2024 Regulatory Requirements for Digital Assets Exchanges and VASPs in Nigeria

The SEC, as the authorized entity, oversees the regulation of virtual and digital assets within Nigeria’s capital markets, encompassing both categories under its jurisdiction.

Below are the latest regulatory requirements for virtual assets service providers (VASPs) looking to operate in Nigeria.

2.2.1. General Registration Requirements for VASPs 

2.2.1.1. Eligibility Criteria

Companies seeking to operate as VASPs in Nigeria must now first be incorporated with the Corporate Affairs Commission (CAC) and have a registered office in Nigeria. The Chief Executive Officer (CEO)/Managing Director (MD) or its equivalent shall be resident in Nigeria (As introduced by the Proposed SEC Rules 2024)

(b) No person or entity shall provide any virtual assets service unless first registered with the SEC (As introduced by the Proposed SEC Rules 2024)

(c) Existing Capital Market Operators (CMOs) registered to provide trading, offering platforms, and custodial services seeking registration under these Rules may be required to establish a subsidiary/separate entity to take up the function (As introduced by the Proposed SEC Rules 2024)

(d) The initial position that VASPs could simply have an office in Nigeria managed by a Director of the company is no longer tenable. (As introduced by the Proposed SEC Rules 2024)

2.2.1.2. Required Documentation for VASPs

An application for registration as a VASP must be filed on the appropriate SEC Form contained in the applicable Schedule to the SEC’s Rules and Regulations. The form must be accompanied by the following documents:

• (A sworn undertaking that the applicant will be able to carry out its obligations as set out under these Rules;
• A sworn undertaking that the information or document that is furnished by the applicant to the SEC is not false or misleading nor does it contain any material omission;
• Evidence that the applicant is not in the course of being wound up or otherwise dissolved;
• Evidence that no receiver manager or an equivalent person has been appointed within or outside Nigeria, or in respect of any property of the applicant;
• A sworn undertaking that the applicant has not, whether within or outside Nigeria, entered into a compromise or scheme of arrangement with its creditors, being a compromise or scheme of arrangement that is still in operation;
• Evidence that the applicant, applicant’s directors, chief executive, controller, and any person who is primarily responsible for its operations or financial management are fit and proper, taking into account the following:

(i) That they are suitably qualified to assume the position, including having the relevant experience and track record in managing a business and not;

(1) been convicted, whether within or outside Nigeria, of an offence involving fraud or other dishonesty or violence or the conviction of which involved a finding that he acted fraudulently or dishonestly:

(2) been convicted of an offence under the securities laws or any law within or outside Nigeria relating to capital market;

(3) contravened any rules of a registered Exchange, registered clearing house, depository or a registered self-regulatory organisation;

(4) contravened any provision made by or under any written law whether within or outside Nigeria appearing to the SEC to be enacted for protecting members of the public against financial loss due to dishonesty, incompetence or malpractice by persons concerned in the provision of financial services or the management of companies or against financial loss due to the conduct of discharged or undischarged bankrupts;

(5) engaged in any business practices appearing to the Commission to be deceitful, oppressive or otherwise improper, whether unlawful or not, or which otherwise reflect discredit on his method of conducting business;

(6) engaged in or has been associated with any other business practices or otherwise conducted himself in such a way as to cast doubt on his competence and soundness of judgement; or

(7) engaged in or has been associated with any conduct that cast doubt on his or her ability to act in the best interest of investors, having regard to his or her reputation, character, financial integrity and reliability.

(ii) Evidence that there are no other circumstances which are likely to –

• lead to the improper conduct of operations by the applicant or by any of its directors, chief executive, controller or any person who is primarily responsible for the operations or financial management of the applicant; or
• reflect discredit in the manner it operates its business.

(g) Submit a business model which has a clear or unique value proposition or will contribute to the overall development of the capital market;

(h) Submit the rules of the entity it seeks to operate and make satisfactory provisions –

1. for the protection of investors and public interest;
2. to ensure proper functioning of the entity; to promote fairness and transparency;
3. to manage any conflict of interest that may arise;
4. to promote fair treatment of its users or any person who subscribes for its services;
5. to promote fair treatment of any person who is hosted, or applies to be hosted, on its platform;
6. to ensure proper regulation and supervision of its users, or any person utilising or accessing its platform, including suspension and expulsion of such users or persons; and
7. to provide an avenue of appeal against the decision of the VASP;

(i) Evidence that the applicant will be able to take appropriate action against a person in breach including directing the person in breach to take any necessary remedial measure;

(j) Evidence that the applicant will be able to manage risks associated with its business and operation including demonstrating the processes and contingency arrangement in the event the applicant is unable to carry out its operations;

(k) Evidence that the applicant has sufficient financial, human and other resources for its operation, at all times; and

(l) Evidence that the applicant has appropriate security arrangements which include maintaining a secured environment pursuant to the SEC’s Rules on Technology Risk Management.

2.2.2. General Registration Requirements for DAXs

In addition to the general requirements for VASPs as outlined above, an applicant seeking to register as a DAX Operator must comply with the following requirements:

2.2.2.1 Eligibility Criteria

(a) Payment of Prescribed Fees: 

(i) Filing/Application Fee – N300,000 (Three Hundred Thousand Naira only) (Formerly N100,000 (One Hundred Thousand Naira) but now increased by the Proposed SEC Rules 2024)

(ii) Processing Fee – N1,000,000 (One Million Naira) (Formerly N300,000 (Three Hundred Thousand Naira) but now increased by the Proposed SEC Rules 2024)

(iii) Registration Fee – N150,000,000 (One Hundred and Fifty Million Naira)  (Formerly N30,000,000 (Thirty Million Naira) but now increased by the Proposed SEC Rules 2024)

(iv) Sponsored Individuals Fee – N300,000 per individual (Three Hundred Thousand Naira)   (Formerly N100,000 (One Hundred Thousand Naira) but now increased by the Proposed SEC Rules 2024) 

 Proof of Minimum Paid-Up Capital and Fidelity Bond

(i) Evidence of required minimum paid up capital of N1,000,000,000 (One Billion Naira) subject to verification of the sources of the funds (Formerly N500,000,000 (Five Hundred Million Naira but now increased by the Proposed SEC Rules 2024)

(ii) Current Fidelity Bond covering at least 25% of the minimum paid up capital as stipulated by the Commission’s Rules and Regulations;

(iii) The Commission may at any time impose additional financial requirements or other terms and conditions on the DAX Operator that commensurate with the nature, operations and risks posed by the DAX Operator;

(iv) All funds shall be made through Real-Time Gross Settlement (RTGS).

Regarding prescribed fees and minimum paid-up capital, apparently, by the proposed amendments, the SEC seeks to increase the application, processing, registration, and sponsored individuals fees. This increment is significantly up by about 300% generally and by 500% for registration fee.

Apart from the devaluation as well as the depreciation of the local currency, the Nigerian Naira (NGN), being a possible reason for these proposed increments, the SEC may also have considered the need to further limit risks in the market by raising the bar on prudential requirements. In other words, the bigger the VASP, the safer it will be for customers. Think of this as the whale. While this may not always be the case, it is valid.

But are the proposed amendments on fees and prudential requirements sound, especially for local DAX operators who may not have the capacity—relative to their foreign counterparts—to meet these financial and prudential requirements? Maybe not, and maybe yes, depending on where one stands. Generally, one would expect that before considering consolidation in the market, the regulator will allow the market to legally operate first. Besides, the prescribed fee of N150,000,000 as registration fee is 5 times bigger than SEC’s present prescribed registration fee for securities exchanges in the traditional capital market.

However one sees it, one consideration merits attention: The need for potentially affected VASPs to start considering—if not already on the table—strategic partnerships and mergers & acquisitions (M&As). In this emerging market, it will be a marathon, not a sprint.

2.2.2.2. Required Documentation 

An application for registration of a DAX is required to be made on the appropriate SEC form and must be accompanied by the following:

(a) Completed duplicates of the following forms:

(i) Form SEC 2 – Application Form for Registration of Sponsored Individuals under the ISA 2007; and

(ii) Form SEC 2D – Form for Fit and Proper Persons (Sponsored Individuals, Directors/Partners) for Registration in the Capital Market under the ISA 2007.

The forms are to be completed by all principal officers (Managing Director (MD)/Chief Executive Officer (CEO) and other Directors) and sponsored individuals/ compliance officers of the DAX in duplicates. Sponsored individuals and compliance officers for purposes of this registration are the principal officers and/or professionals held out by the applicant DAX as experts and on whose advice or actions investors are expected to rely. A DAX is required to register a minimum of four (4) sponsored individuals with the SEC, two of which must be the MD/CEO and the Compliance Officer of the DAX.

(b) A copy each of the following, duly certified by the CAC:

(i) Certificate of Incorporation (original to be sighted);

(ii) Memorandum and Articles of Association which shall include the power to perform the specified function;

(iii) CAC Form(s) showing Statement of Share Capital, Return of Allotment, and Particulars of Directors;

(iv) Latest audited accounts or audited statement of affairs of the company in the case of a new company.

(c) A sworn undertaking that the applicant will be able to operate an orderly, fair and transparent market in relation to the securities including derivatives that are offered or traded, on or through its platform (As introduced by the Proposed SEC Rules 2024)

(d) A sworn undertaking to keep proper records and render returns as may be specified by the SEC from time to time, signed by a director or the company secretary;

(e) A sworn undertaking by a director or the company secretary, to abide by SEC Rules and Regulations and Investments and Securities Act No. 29 of 2007 as may be amended from time to time;

(f) Before a DAX Operator can commence  operations, the SEC may require the following documents:

(i) Evidence of Information Technology (IT) assurance regarding the system readiness and;

(ii) A written declaration by its internal auditor confirming that it has:

1. 1. 1. Sufficient human, financial and other resources to carry out operations;
      2. Adequate security measures, systems capacity, business continuity plan and procedures, risk management, data integrity and confidentiality, record keeping and audit trail, for daily operations and to meet emergencies;
      3. Sufficient IT and technical support arrangements; and
      4. A Chief Information Security Officer to ensure amongst other things, that cyber risks are adequately mitigated.

(g) Such other documents that may be required by the SEC from time to time to be necessary for registration.

3.0.  Operational Requirements and Obligations for DAXs 

In addition to the above-listed requirements for the registration of DAXs, the following are operational requirements and obligations for DAXs as stipulated by the SEC which may affect its continued registration:

3.1. General Obligations of DAXs:

A DAX shall ensure the following:

(a) Monitor and ensure compliance of its rules;

(b) Ensure fair treatment of its users; ensure that all disclosures are accurate, clear and not misleading;

(c) Obtain and retain self-declared risk acknowledgement forms from its users prior to them investing through a DAX;

(d) Provide a conspicuous disclaimer on its platform informing investors that any loss resulting from the investors trading or investment through the DAX is not covered by any protection fund;

(e) Ensure that all fees and charges payable are fair, reasonable and transparent;

(f) Ensure that the same account holder is not on both sides of the same transaction (As introduced by the Proposed SEC Rules 2024)

(g) Ensure that investors only invest or trade in virtual or digital assets hosted on its platform using Naira. The rate for conversion of foreign currency denominated assets shall be the official exchange rate as published by the CBN (As introduced by the Proposed SEC Rules 2024)

(h) Ensure that it does not engage in any business practices that appears  to be deceitful, oppressive or improper (whether unlawful or not) to the SEC or which otherwise reflect discredit on applicant’s method of conducting business;

(i) Carry out continuous awareness and education programmes;

(j) Have in place adequate policies, procedures and controls to mitigate against money laundering, terrorism financing and counter proliferation financing requirements and comply with Anti Money Laundering/Combating Financing of Terrorism and Countering Proliferation Financing laws and regulations;

(k) Disclose and display prominently on its platform, any relevant information relating to the DAX such as –

(i) All necessary risk warning statements, including all risk factors that users may require in making a decision to participate on the platform;

(ii) Information on rights of investors relating to investing or trading on the Exchange;

(iii) Criteria for access to the Exchange;

(iv) Education materials, including comparative information where necessary;

(v) Fees, charges and other expenses that it may charge, impose on its users;

(vi) Information about complaints handling or dispute resolution and its procedures;

(vii) Information on processes and contingency arrangement in the event the DAX is unable to carry out its operations or cessation of business;

(viii) And any other information as may be specified by the SEC.

3.2. Corporate Governance Requirements

SEC-Approved Board: A DAX  is required to have a Board whose appointment shall be subject to approval of the SEC.

SEC-Approved Appointment of Chief Executive and Principal Officers

(i) The Chief Executive Officer of a DAX shall hold office for a period of five (5) years in the first instance and may be re-appointed for a further period of five (5) years and no more;

(ii) The appointment of a Chief Executive Officer and Principal Officers of a DAX  shall be subject to the prior approval of the SEC;

(iii) The Chief Executive Officer and other Principal Officers of a DAX shall:

1. 1. 1. be registered by the SEC as Sponsored Individuals;
      2. be persons of proven integrity with no record of criminal conviction;
      3. hold at least a university degree or its equivalent;
      4. have at least five (5) years cognate experience;
      5. not have been found complicit in the operation of an institution that has failed or been declared bankrupt or has had its operating licence revoked as a result of mismanagement or corporate governance abuses;
      6. not have been found liable for financial impropriety or any other misdemeanour by any court, panel, regulatory agency or any professional body or previous employer;
      7. comply with any other criteria which the SEC may, in the public interest, determine from time to time.

Outsourcing

The DAX Operator must have a Board that is accountable for all outsourced functions. The Board shall be responsible for the following:

(i) Establish policies and procedures for outsourcing arrangements, including a monitoring framework to track service provider performance;

(ii) Ensure the service provider has adequate policies/procedures to monitor any sub-contractors;

(iii) Periodically assess service providers as part of monitoring and report assessments to the Board/senior management;

(iv) Obtain a sworn undertaking from providers/subcontractors allowing the SEC access to all relevant information/records; and

(v) Notify the SEC within 2 weeks of any adverse development in an outsourcing arrangement that could significantly impact the DAX’s operations.

3.3. Reporting Requirements

A DAX Operator shall submit to the SEC the following:

(a) Weekly and monthly trading statistics and all reporting requirements;

(b) Quarterly and annual financial as well as compliance reports to demonstrate its compliance with any conditions imposed by the SEC pursuant to the registration of the DAX operator;

(c) Its latest audited financial statements, within three months after the close of each financial year or such period that the SEC may allow; and

(d) Any information required by the SEC.

3.4. Requirements for DAXs to Trade Virtual Assets/Digital Tokens

(a) No DAX Operator shall facilitate the trading of any virtual/digital asset unless the SEC has issued a “no objection” to the trading of the virtual/digital asset.

(b) The issuance of virtual asset/digital token shall comply with the relevant Rules issued by the SEC. Such virtual asset/digital token would require approval from the SEC before being traded on any DAX.

(c) In relation to trading of such assets, a DAX is required to submit an application to the SEC enclosing relevant documents and any other information to be determined by the SEC from time to time;

(d) A DAX must demonstrate availability of information related to the project, including but not limited to –

(i) The whitepaper or any other disclosure document accompanying the virtual/digital Asset;

(ii) The progress of the project including both business and technical aspects;

(iii) Compliance with all other legal and regulatory frameworks in Nigeria and other jurisdictions where the project operates in;

(iv) Security of the underlying distributed ledger, including but not limited to –

• The number of nodes;
• Any history of hacks and other forms of attacks; and any known security vulnerabilities.

(e) A DAX Operator must –

(i) ensure that its platform is operating in an orderly, fair and transparent   manner;

(ii) have in place rules and procedures for the trading, clearing and settlement of virtual assets/digital tokens on the platform; and

(iii) conduct real-time market surveillance.

3.5. Internal Audit Requirements 

A DAX Operator is required to establish an internal audit function to develop, implement and maintain an appropriate internal audit framework commensurate with its business and operations.

3.6. Risk Management Requirements 

A DAX Operator must identify and mitigate operational risks (internal and external) through implementing a robust operational risk management framework with appropriate systems, policies, procedures, and controls. This includes defining clear roles/responsibilities for addressing risk, setting operational reliability objectives and policies to achieve them, ensuring adequate capacity to meet service levels under stress volumes, and implementing comprehensive physical and information security policies to address vulnerabilities/threats.

3.7. Asset Protection Requirements

A DAX Operator must ensure the following –

(a) Establish systems and controls for maintaining accurate and up-to-date records of investors and any monies or virtual assets/digital tokens held in relation thereto;

(b) Ensure investors monies and virtual assets/digital tokens are properly safeguarded from conversion or inappropriate use by any person, including but not limited to implementing multi-signature arrangements;

(c) Establish and maintain with a registered Central Securities Depository or Trustee, one or more Central Securities Depositories or trust accounts, designated for the monies received from investors;

(d) Ensure that the Central Securities Depository or trust accounts are administered by an independent registered Central Securities Depository or trustee;

(e) Establish and maintain a sufficiently and verifiably secured storage medium designated to store virtual assets/digital tokens from investors; and

(f) In relation to investors’ virtual assets/digital tokens, have arrangements and processes in place to protect against the risk of loss, theft or hacking.

3.8. Settlement and Custody Requirements

A DAX Operator must:

(a) ensure there are orderly, clear and efficient clearing and arrangements; settlement;

(b) ensure these arrangements include prior or upfront deposit of monies and virtual assets/digital tokens with the DAX Operator before entering into a transaction on the DAX; and

(c) provide clear and certain final intraday settlement.

3.9. Record Keeping Obligations 

A DAX is required to maintain records of all transactions and activities executed on its platform in a form and manner to be determined by the SEC from time to time.

3.10. Transaction Fees Requirements 

(a) The SEC shall charge fees on transaction carried cut virtual assets/digital tokens traded on a DAX at a rate or percentage to be determined by the SEC from time to time.

(b) All transaction fees payable to DAX by its users shall be subject to approval of the SEC.

3.11. Anti-Money Laundering, Countering the Financing of Terrorism and Countering Proliferation Financing (AML/CFT/CPF) Obligations of DAXs

A most critical area of compliance for DAXs operating in Nigeria is the implementation of robust anti-money laundering, countering the financing of terrorism, and countering proliferation financing (AML/CFT/CPF) measures. The anonymity and decentralised nature of digital assets have raised concerns about their potential misuse for illicit activities, such as money laundering, terrorist financing, and the proliferation of weapons of mass destruction. As a result, the SEC has placed a strong emphasis on ensuring that VASPs such as DAXs have adequate AML/CFT/CPF controls to mitigate these risks and comply with relevant laws and regulations. Some of these obligations include the following:

(a) Adoption of AML/CFT/CPF Policies: A DAX is required to adopt policies stating its commitment to comply with AML/CFT/CPF obligations under the law. This will ensure the prevention of any transaction that facilitates criminal activities on the DAX platform.

Assignment of a Designated AML/CFT/CPF Chief Compliance Officer: A DAX is required to have a designated AML/CFT/CPF Chief Compliance Officer with relevant competence, authority, and operational independence to implement the AML/CFT/CPT policies of the platform. Such an officer is also to be registered with the SEC as a sponsored individual and must satisfy the fit and proper persons’ requirement set out by the SEC.

Identification and Filing of Suspicious Transactions Reports (STRs) to the Nigerian Financial Intelligence Unit (NFIU): DAXs are tasked with the identification and the reporting of any suspicious transactions derived from activities such as terrorism and terrorist financing, trafficking in human beings and migrant smuggling, sexual exploitation including sexual exploitation of children, illicit arms trafficking, illicit trafficking in stolen and other goods, corruption and bribery, and fraud, among others to the NFIU.

Conduct of Customer Due Diligence (CDD): From the moment the life cycle of a client’s (private individual clients, quasi-corporate clients, corporate clients, and other institutions) business relationship begins with a DAX till the end of such relationship, a DAX is required to conduct risk-sensitive CDD measures on that client. Where the client is classified as high risk, the DAX is to adopt an enhanced CDD (ECDD) process and apply greater caution. All virtual asset transfers are treated as cross-border transfers and should automatically be treated as high risk by the DAX. Where the DAX cannot perform CDD on a client, it must consider filing an STR to the NFIU in respect of such a client.[/efn_note] All virtual asset transfers are treated as cross-border transfers and should automatically be treated as high risk by the DAX. In addition to this, the DAX is required to put in place appropriate risk-management systems to determine whether a potential client, existing client, or the beneficial owner of the digital asset is a politically exposed person (PEP).

Compliance with Travel Rule Requirements: Originator and beneficiary VASPs must obtain and hold full, accurate, and available originator and beneficiary information. Full beneficiary and originator information must contain:

(i) the full name of the originator;

(ii) the originator’s wallet address;

(iii) the physical address or national identity number of the originator. Where the originator is not a natural person, the incorporation number or business registration number;

(iv) the name of the beneficiary; and

(v) the beneficiary’s wallet address.

For transactions below $1,000, DAXs must ensure that all such transfers include the    name of the originator, the name of the beneficiary, and the wallet address for each.Regulation 15(6) of the Securities and Exchange Commission (Capital Market Operators Anti-Money Laundering and Combating the Financing of Terrorism) Regulations, 2022

Comprehensive Employee Education and Training Programme: DAXs must design comprehensive employee-training programs to ensure awareness of AML/CFT/CPF obligations and equip employees with relevant skills. The training content and timing should be tailored to the DAX’s specific needs under the guidance of the AML/CFT/CPF Chief Compliance Officer and top management, and should cover the following:

(i) AML/CFT/CPF laws, regulations and offences

(ii) Nature of money laundering, terrorism financing, proliferation financing

(iii) AML/CFT/CPF red flags, suspicious transactions, typologies, virtual assets and emerging trends

(iv) Reporting requirements

(v) Customer due diligence (CDD)

(vi) Risk-based approach to to AML/CFT/CPF

(vii) Record keeping and retention requirements

All DAXs must submit their annual AML/CFT/CPF employee training program to the SEC by 31 December of every financial year for the upcoming year.

Performance of Know Your Customer (KYC) and Identification Procedures: A DAX is not to establish any relationship with a client until all relevant parties have been identified through the submission of relevant information and the nature of the business to be conducted has been ascertained. Sufficient information on the nature of the business relationship include:

(i) the purpose and reason for opening the account or establishing the relationship;

(ii) the nature of the activity that is to be undertaken;

(iii) the expected origin of the funds to be used during the relationship; and

(iv) the details of occupation, employment, business activities and sources of wealth or income.

A DAX is to establish and independently validate information for all private individuals whose identities need to be verified. The client’s identity, address, and other available information should be checked physically or electronically through databases and directories.  This requirement extends to all other types of clients who may establish business relationships with the DAX.

Record Keeping: A DAX is mandated to keep and preserve all necessary records related to transactions and business relationships for at least five years.

4.0 Other Relevant Regulatory Bodies to DAX Operations in Nigeria 

Although the SEC is the primary regulatory body for DAXs, the laws and regulations released by several other relevant regulatory bodies may apply to DAXs. Where applicable, they must be complied with to ensure complete coverage under the law. These bodies include:

(a) the Economic and Financial Crimes Commission (EFCC) as it relates to the prevention of financial crimes in DAXs;

(b) the NFIU as it relates to financial intelligence and money laundering monitoring requirements in a DAX;

(c) the Federal Inland Revenue Service (FIRS) as it relates to corporate-tax obligations of the DAX;

(d) the Nigerian Data Protection Bureau (NDPB) as it relates to data control and processing requirements to be observed by DAXs in their operations;

(e) the Federal Competition and Consumer Protection Commission (FCCPC) as it relates to consumer protection and competition law; and

(f) the Advertising Regulatory Council of Nigeria (ARCON) as it relates to the advertising and marketing activities of the DAX.