The Central Bank of Nigeria only regulates banks and institutions that are financial license holders. As OkHi is neither, they do not regulate us and they will not issue an approval directly to us. They did refer us to NIBBS who ran an in-depth review of OkHi and this was their response to the CBN: "We are confident that the solution delivered by OkHi is quite promising and will be useful to customers address verification in the financial services ecosystem." See the full response here. We continue to engage with the regulators around eKYC regulations. Some of our customers have also requested letters of no objection directly from the CBN - if you would like support doing so, please contact our team directly. We have also had a customer using OkHi go through a new banking license application review with the CBN and they were successfully approved.

We are currently NDPR compliant and are in the final stages of completing GDPR and SOC-II compliance.

We strive for the highest level of end-user data privacy and control, recording only what we need to deliver the service. We do not sell any customer data to any 3rd party and retain only the minimum data required to verify a users address details.

OkHi’s smart address verification is more accurate than any other form of address verification because:

• It doesn’t require any human involvement which removes human error and fraud.

• Continuous verification means that the longer we verify the address the more accurate the verification will be.

• From a split trial with an enterprise bank where the same addresses were verified via our service along side agent verification where we proved that we were 30% more accurate.

As per our Privacy Policy and Terms of Service, a user can opt-out of data collection through OkHi at anytime by logging into their profile at okhi.me and selecting to "opt-out" of our service from the menu. At that point, we will stop recording any new information from the user's addresses but we do retain historical data in line with data compliance reasons. (In Nigeria this is 5 years.)

It is worth noting that if a user wants to stop verification, they can turn off location permissions at any time, which will prevent their device from sending any further data.

No. We only collect data relating to the "enter" or "exit" events related to the geofence that they set up on their phone. We do not permanently track a user's live location.

There are various instances of whether we will check if a user is inside the geofence: when they open your app, when the operating system detects that they have crossed the boundary or, only on Android, every few hours while a verification is in progress.

The transit data sent during these geofence events contains the user and address ID, timestamp, enter/exit state, and the GPS point at that time. We do not store transit data that is far away from the geofence.

We collect and store only basic user information (eg. their name, email and phone number) as well as the addressing information that they provide (eg. GPS latitude and longitude, photo of their entrance, text address information) but we do not record any other personal information (eg. BVN or identity numbers.)

To power our verification engine, we also collect and store some transit location data from the user’s phone (user and address ID, timestamp, enter/exit state, and the GPS point) as well as device information (make, model, OS, battery level, signal strength, etc) and limited network information (such as IP address, mobile network carrier, etc.) We use this data to monitor and improve our service on an aggregate level.

This data is used to generate an address verification status that is the only information that we share with we share with our customers that they do not have already.

It is worth noting that each user has a User Address Book that is connected to their phone number. This is used across all customers but only shared with them if the user explicitly elects to share the previously entered information from their address book.

We provide the same information to customers via our API webhook as well as in our Customer Dashboard, namely:

• customer information (that you provided to us on creation)

• address information (GPS point, streetview image, text description collected during service)

• verification status (verification mode and result that we have determined)

For a specific law enforcement request, we can provide much more detailed transit data, the intermediate statuses and output analysis from our machine learning algorithms. This shows data clusters and corrected GPS points with improved accuracy. Contact our team directly with details of the request for processing.

Most providers use one or more of the many ways to get a user's location and cross-reference them. These might be a user's current location, a document upload, the location metadata on a photo, or searching an official database, among others. Each of these has a combination of pros and cons - but most are either inaccurate, quickly out-of-date, or easily forged.

OkHi's approach takes the real-world movement in and out of the geofence for a specific location and processes that through a set of behavioral profiles that specifically assess how much time a user has been at that location. (Not by aggregating the gps location of the pins.) This includes analysis of day vs night hours, antifraud patterns, and a number of other edge cases that we have built for. This analysis of time spent at the address is more accurate and harder to fake than any other method (including agent verification).

Yes. OkHi's solution complies with all of these regulations as a standalone service as it is a trusted source collecting documentary evidence in the way of location data of the customer at the address and allows for the front gate image to be added. It then processes this over a period of time to make a determination. (Details of the specific regs below.)

The following clauses are the most relevant to address verification are pulled from the Regulatory Notices published by the CBN (2013, 2019, 2023) and referenced by [year of publication: section. clause.]

3 Tier KYC:

• Tier 1 requires a customer to provide an address [2013: 46)2)a)iii)]. Verification of the information is not required. [2013: 46)2)c)]

• Tier 2 requires an address [2013: 46)3)a)] and that it is checked against official government databases. [2013: 46)3)c)]

• Tier3 requires FI's to "obtain, verify and maintain copies of" [2013: 46)4)a)] and that "KYC requirements shall apply." [2013:46)4)d)]

• It was added that "Tiered KYC shall apply to individuals only." [2023: 16)2)]

The second #46 clause [2013: 46-1] states that the relevant parties "have been identified, verified, and the nature of the business ... ascertained." This is slightly ambiguous as it could be interpreted to imply that verification of all information must occur for any business relationship.

A FI must also "take reasonable steps to keep the information up to date as the opportunities arise" - which is pretty vague. [2013: 47)3)] With digital verifications, this can be done far more frequently and often without additional input from the user.

Interestingly, FI's have a lot of discretion and need to "take a risk-based approach to KYC" [2013: 48)1)] and it is up to you to "decide on the number of times to verify the customers." [2013: 48)2)] It also mentions that the information needs to be "reviewed against the inherent risks." [2013: 48)5)]

"In determining a customer's identity" consideration also needs to be given to "the residential address where the customer can be located" [2013: 50)c)] and further clarification was given to define the difference between individual's "permanent address (full physical address" and their "residential address (where the customer can be located)." [2023: 6)ii) and (iii)] OkHi verifies the "residential address" as defined in this clause.

If there are no material change and a customer opens a new account is is not nessecary to reverify their information [2013: 65)1)] as an FI can rely on the previous verification steps. [2023: 18)1)]

Although "validated" is not clearly defined as separate form "verified", where it is available the "permanant home address" needs to be "independantly validated for all private individuals." [2013: 72)1)b)]

The FI needs to "reference a number of sources" to confirm the name and address of individuals. [2013: 73)1)] And, explicitly "the checks shall be undertaken by cross-validation that the applicant exists at the stated address either through the sighting of actual documentary evidence {physical visitation to the stated address} [2019: 30)] or by undertaking electronic checks of suitable databases or by a combination of the two." [2013: 73)2)] This clause makes it possible to confirm the information by undertaking electroninc checks of a suitable database - of which NIBBS believes that OkHi is.

However, the "address... may be checked electronically... as an alternative or suplimentary to documentary evidence of ...address." [2013: 76)1)] and a combination of sources [2013: 76)2)] "perferably covering a period of time" [2013: 76)3)] are to be used.

It is our interpretation that an address may be electronically checked without the need for a physical visit provided it is from a trusted source and includes documentary evidence. An address only legally needs to be verified for Tier 3 KYC of individuals, provided you are checking government sources for Tier 2, and applying a risk-based approach with no material change to the customers address information over time.

OkHi's solution complies with all of these regulations as a standalone service as it is a trusted source collecting documentary evidence in the way of time-specific location data of the customer at the address and allows for the front gate image to be added. OkHi then processes this over a period of time to make a trusted determination.

No, this is not necessary. Some customers have chosen to do so anyway. Contact us for information and motivation templates to assist if you wish to request one.