🇳🇬 Confidential Policy Document
BuySafePay
Policy Framework
A comprehensive governance, compliance, and risk management framework for Nigeria's student laptop financing platform — designed to meet CBN digital lending standards, NDPA 2023 data protection requirements, and investor-grade due diligence expectations.
📅 Effective: April 2026
🔄 Review: Semi-annual
⚖️ Jurisdiction: Nigeria
📄 Version: 1.0
🔴 Critical — Legally Required
🟡 Required — CBN/FCCPC
🔵 Recommended — Investor Grade
🟢 Best Practice
This document covers 10 core policy domains across lending compliance, data protection, consumer rights, cybersecurity, credit risk, and corporate governance — structured to satisfy due diligence from the CBN, FCCPC, NITDA, and institutional investors.
00 · Policy Priority Matrix
All 10 domains ranked by regulatory urgency and investor impact.
| # | Policy Domain | Regulator | Priority | Investor Impact |
|---|---|---|---|---|
| 01 | Lending & Credit Policy | CBN / FCCPC | Critical | ★★★★★ |
| 02 | KYC & Anti-Money Laundering | CBN / NFIU | Critical | ★★★★★ |
| 03 | Data Protection & Privacy | NITDA / NDPC | Critical | ★★★★★ |
| 04 | Consumer Protection | FCCPC / CBN | Required | ★★★★ |
| 05 | Cybersecurity Policy | CBN / NITDA | Required | ★★★★★ |
| 06 | Credit Risk Management | CBN | Required | ★★★★★ |
| 07 | Operational Risk & BCP | CBN | Required | ★★★★ |
| 08 | Voucher & Disbursement | Internal / CBN | Required | ★★★★ |
| 09 | Regulatory Licensing | CBN / CAC / FCCPC | Critical | ★★★★★ |
| 10 | Corporate Governance | CAC / CBN | Recommended | ★★★★★ |
01 · Lending & Credit Policy
Governs loan origination, pricing, and management under CBN Digital Lending Regulations 2025 and FCCPC Digital Lending Guidelines.
Loan Origination Standards
Eligibility, underwriting, and approval criteria
Priority: Critical
- [Critical] Maximum loan amount capped at ₦500,000 per student per cycle, matching CBN micro-lending thresholds.
- [Critical] Total APR disclosure mandatory before application submission — not just the monthly instalment (CBN Consumer Protection requirement).
- [Required] Debt check — applicants must not hold an active BuySafePay loan before a new application can be approved.
- [Required] Student verification — enrollment confirmed via student ID upload, plus optional BVN linkage for loans above ₦100,000.
- [Best Practice] All decisions communicated within 72 hours of completed application.
- [Best Practice] Any auto-rejection must be reviewable by a human underwriter on request.
CBN Ref — Digital Lending Regulations 2025: Lenders must disclose total cost of credit, apply responsible lending standards, and maintain a transparent complaints mechanism.
Interest Rate & Fee Transparency
Total cost of credit, late fees, and prepayment terms
Priority: Critical
Loan Agreement & E-Signature Policy
Legally binding digital contract before voucher issuance
Priority: Required
02 · KYC & Anti-Money Laundering
Obligations under CBN AML/CFT Regulations 2022 and the Money Laundering (Prevention and Prohibition) Act 2022.
Customer Identification Program (CIP)
Identity verification at onboarding — non-negotiable CBN requirement
Priority: Critical
- [Critical] Tier 1 KYC (MVP): Full name, phone, DOB, student ID upload, school enrollment proof.
- [Critical] Tier 2 KYC (Scale): BVN linkage via Prembly or Smile Identity for loans above ₦100,000. Verifies identity against NIBSS records.
- [Required] NIN verification for loans above ₦200,000 via NIMC API.
- [Required] All identity documents stored in encrypted, access-controlled Supabase Storage with full audit logs.
- [Best Practice] Rejected KYC applications must state the specific reason — vague rejections invite FCCPC complaints.
NFIU Circular 2022: Suspicious Transaction Reports (STRs) must be filed within 24 hours. A designated Compliance Officer (MLRO) must be named — can be a founder at early stage.
AML Transaction Monitoring
PEP screening, sanctions, and fraud detection
Priority: Critical
03 · Data Protection & Privacy Policy
NDPA 2023, NDPA General Application and Implementation Directive (GAID) 2025, and NITDA guidelines.
Data Collection & Consent Policy
What is collected, why, and explicit student consent
Priority: Critical
- [Critical] A Privacy Policy page must exist on the public website, written in plain English.
- [Critical] Explicit consent checkbox on application form — pre-ticked or bundled consent is illegal under NDPA 2023.
- [Critical] Register as a Data Controller with the NDPC — legally required for organisations processing data of 1,000+ Nigerians annually.
- [Required] Data Minimisation — only collect data strictly necessary for underwriting. No social media or unrelated personal information.
- [Required] Students have the right to request data deletion. Honour Data Subject Access Requests (DSARs) within 30 days.
- [Best Practice] Document Data Processing Agreements (DPAs) with Supabase, Paystack, Resend, and Africa's Talking.
GAID 2025: Data Protection Impact Assessments (DPIAs) required for any automated credit decision systems. If algorithmic scoring is used, file a DPIA with NDPC before deployment.
Data Retention & Deletion Schedule
Retention periods and secure deletion procedures
Priority: Required
04 · Consumer Protection Policy
FCCPC Digital Lending Guidelines 2022, CBN Consumer Protection Framework 2022, and Federal Competition and Consumer Protection Act 2018.
Ethical Debt Collection Policy
What BuySafePay can and cannot do when collecting repayments
Priority: Critical
- [Critical] Prohibited: contacting a borrower's contacts, family, or employer about their debt without written consent.
- [Critical] Prohibited: publishing or threatening to publish a borrower's name, photo, or debt on social media or WhatsApp groups.
- [Critical] Prohibited: more than 3 SMS/email reminders per week to an overdue borrower.
- [Required] Overdue accounts referred to a licensed debt recovery agent after 90 days.
- [Required] A written Debt Hardship Policy must exist — offering payment holidays or restructuring for students facing genuine difficulty.
- [Best Practice] All collection communications must include the FCCPC complaints hotline number.
Complaints & Dispute Resolution
How students escalate issues and get fair resolution
Priority: Required
05 · Cybersecurity Policy
CBN Cybersecurity Framework for Financial Institutions and NITDA Cybersecurity Guidelines. A data breach on a student lending platform is a critical liability event.
Platform Security Standards
Technical and operational security requirements
Priority: Critical
- [Critical] All data in transit encrypted via TLS 1.2+ — Supabase and Vercel handle this by default.
- [Critical] All data at rest (student IDs, financial records) AES-256 encrypted in Supabase Storage.
- [Critical] API keys must never be committed to GitHub. Use Vercel Environment Variables exclusively.
- [Required] Admin panel (/admin) protected by Multi-Factor Authentication (MFA).
- [Required] Supabase Row Level Security (RLS) enabled on all tables — students see only their own records.
- [Required] All admin actions (approve, reject, voucher issue) logged with timestamp and admin user ID in a non-deletable audit table.
- [Best Practice] Paystack webhook HMAC-SHA512 verification already implemented — maintain and never disable.
- [Best Practice] Penetration test before public launch and annually thereafter using a CBN-approved security firm.
Breach Notification (NDPA 2023): Any breach affecting personal data must be reported to the NDPC within 72 hours of discovery. A documented Incident Response Plan must exist before launch.
06 · Credit Risk Management Policy
How BuySafePay assesses, monitors, and provisions for loan default risk — a primary concern for any lending partner or institutional investor.
Loan Portfolio & Default Management
NPL ratios, provisioning, write-off policy, and reporting
Priority: Required
- [Critical] NPL target: maintain Non-Performing Loans below 5% of total loan book — the CBN benchmark for digital lenders.
- [Critical] Loan Classification: 30+ days overdue = Watch · 60+ days = Substandard · 90+ days = Doubtful · 180+ days = Lost.
- [Required] Loss Provisioning: minimum 2% of active loan book set aside as loan loss reserve. Report monthly to lending partner.
- [Required] Write-off Policy: loans uncollected after 12 months may be written off after exhausting all recovery options. Each write-off documented.
- [Best Practice] Build a Monthly Portfolio Performance Report — disbursements, repayments, defaults, NPL ratio. Investors require this from day one of funding.
07 · Operational Risk & Business Continuity
Ensuring BuySafePay can operate through system failures, vendor outages, and unexpected events.
Business Continuity & Disaster Recovery
Uptime, backup, and vendor redundancy requirements
Priority: Required
- [Critical] 99.5% uptime SLA target — monitor via Vercel and Supabase status pages. Set up uptime alerts via BetterUptime.
- [Required] Daily automated backups of Supabase database — confirm backup retention is set to 30 days minimum.
- [Required] Paystack fallback: students must see a clear maintenance message if payment is unavailable — not a broken UI.
- [Required] Document a Key Person Risk plan — another named person must have access to all critical systems if a founder is unavailable.
- [Best Practice] Write a Business Continuity Plan (BCP) — even a 2-page document satisfies early-stage investor expectations.
08 · Voucher & Loan Disbursement Policy
Governs how digital vouchers are generated, distributed, redeemed, and tracked to prevent fraud and misuse.
Voucher Control & Anti-Fraud Policy
Issuance, redemption limits, expiry, and audit trail
Priority: Required
- [Critical] One voucher per approved application — no duplicates for the same student ID or application.
- [Critical] 90-day expiry — unused vouchers are void after 90 days. Student must reapply.
- [Critical] Ring-fenced use — vouchers redeemable only at pre-approved stores for laptops. Cash conversion is prohibited.
- [Required] Partner store must confirm purchase to BuySafePay before loan is considered disbursed — no unconfirmed disbursements.
- [Required] Full audit trail: voucher code → issuing admin → redemption timestamp → store → amount confirmed.
- [Best Practice] Voucher codes must be cryptographically unique (8+ characters, alphanumeric). Sequential codes are a fraud risk.
09 · Regulatory Licensing Plan
The licensing roadmap BuySafePay must follow to operate legally. This is the single most important section for investor confidence.
Licensing Requirements & Pathway
CBN, FCCPC, CAC, and NITDA registrations — phased approach
Priority: Critical
- [Critical] CAC Incorporation (Immediate): BuySafePay Ltd registered with the Corporate Affairs Commission as a limited liability company before any commercial activity.
- [Critical] FCCPC Digital Lending Registration (Within 3 months): all digital lenders must register under the FCCPC's Limited Interim Regulatory Framework for Digital Lending (2022). Fee: ₦200,000.
- [Critical] NDPC Data Controller Registration (Within 3 months): register with the Nigeria Data Protection Commission under NDPA 2023.
- [Required] CBN Finance Company Licence or MFB Partnership (Within 12 months): to disburse loans directly, BuySafePay needs a Finance Company licence or must partner with a CBN-licensed Microfinance Bank. Most early-stage fintechs choose the MFB partnership route — faster and cheaper than a direct licence.
- [Recommended] CBN Regulatory Sandbox (Optional): apply to test the model under relaxed rules before full licensing. Signals seriousness to investors.
Key Risk: Operating without FCCPC registration is a criminal offence under the FCCPC Act — fines up to ₦10M and potential platform shutdown. FCCPC registration is the highest-return compliance action BuySafePay can take right now.
10 · Corporate Governance Policy
Internal governance structures that give investors confidence the platform is professionally managed and operationally sound.
Board, Management & Compliance Structure
Roles, responsibilities, and accountability framework
Priority: Recommended
- [Critical] Appoint a named Compliance Officer responsible for AML, KYC, FCCPC, and CBN reporting. Can be a co-founder at early stage.
- [Required] Risk Committee — meets monthly to review NPL rates, fraud incidents, complaints log, and system uptime.
- [Required] Document a Conflict of Interest Policy — no loan approved for team members, family, or investors without independent board sign-off.
- [Required] Audited financial statements — annual audit by a registered Nigerian accounting firm. Investors will not fund without this.
- [Recommended] Establish an Advisory Board with at least one member with Nigerian banking or fintech regulatory experience.
- [Best Practice] Document a Cap Table and Vesting Policy — 4-year vesting with 1-year cliff for founders and employees.
Investor Readiness Checklist
What institutional investors and lending partners will request in a due diligence pack. Every item should be a signed, dated document — not just an intention.
□ CAC Certificate of Incorporation
□ FCCPC Digital Lending Registration
□ NDPC Data Controller Certificate
□ Loan Agreement Template (lawyer reviewed)
□ Privacy Policy (public, NDPA-compliant)
□ Terms & Conditions (platform usage)
□ AML/KYC Policy Document
□ Data Retention & Deletion Schedule
□ Monthly Portfolio Performance Reports
□ Complaints Log (last 12 months)
□ Business Continuity Plan (BCP)
□ Audited Financial Statements
□ Cybersecurity Penetration Test Report
□ Cap Table & Shareholder Agreement
Compliance Implementation Roadmap
A phased 12-month action plan to achieve full regulatory compliance and investor readiness.
Q1
Month 1–3 · Foundation
Legal Entity & Immediate Registrations
Register BuySafePay Ltd with CAC. Register with FCCPC under Digital Lending Framework (₦200,000 fee). Register as Data Controller with NDPC. Draft and publish Privacy Policy and Terms & Conditions on website. Appoint Compliance Officer (MLRO).
Q2
Month 4–6 · Platform Compliance
KYC, Data & Security Implementation
Integrate BVN verification (Prembly) for loans above ₦100,000. Implement admin audit logging table. Enable Supabase RLS on all tables. Set up automated data retention and deletion. Draft Loan Agreement template with a Nigerian lawyer. Conduct first security review.
Q3
Month 7–9 · Lender Readiness
Credit Risk & Governance Framework
Build Monthly Portfolio Performance Report. Establish Risk Committee cadence. Begin MFB partnership conversations or CBN Finance Company licence application. Commission penetration test. Build complaints tracking system. Engage auditing firm for year-end financials.
Q4
Month 10–12 · Investor Grade
Full Due Diligence Readiness
Complete all 14 investor due diligence documents. Apply to CBN Regulatory Sandbox if applicable. Finalise MFB lending partnership agreement. Complete year-one audited financials. Prepare Series A / institutional lending pitch with compliance as a competitive moat.
BuySafePay Policy Framework v1.0 · April 2026 · Confidential
Next review: October 2026