8.1 Physical security
- Restricted access to the Bank's premises and data-centre facilities, with badge access, CCTV, and visitor logging.
- Segregated zones for high-sensitivity areas including the server room, treasury, and the document storage room.
- Documented procedures for after-hours access, contractor access, and equipment movement.
8.2 Logical and IT security
- Least-privilege role-based access control (RBAC), with quarterly access reviews.
- Multi-factor authentication for all administrative and privileged access.
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256), with hardware-backed key management.
- Centralised logging, security information & event management (SIEM), and 24×7 monitoring through a Security Operations function.
- Vulnerability management with monthly scans and prioritised remediation, and annual independent penetration testing.
8.3 Application security
- Secure software development lifecycle (SSDLC) with code review, static and dynamic application security testing, and dependency vulnerability scanning.
- Secrets management through a dedicated vault — no secrets in source code or configuration files.
- Mobile app integrity checks at runtime, anti-tampering, and certificate pinning.
- Backend services deployed under the principle of zero trust between services, with verified service identities.
8.4 Customer-side security obligations
- Protect your PIN, password, OTP, and biometric template at all times.
- Verify the identity of any person purporting to act on the Bank's behalf — the Bank will never request your full PIN, password, or OTP.
- Keep your device and the ValuePay app updated; install operating-system security patches promptly.
- Notify the Bank immediately of any suspected compromise of your credentials, device, or Account.
8.5 Incident response
The Bank operates a documented Cyber Incident Response Plan with defined roles, communication paths, and external reporting obligations. Material cyber incidents are reported to the Central Bank of Nigeria within 24 hours and to the Nigeria Data Protection Commission within 72 hours where personal data is involved, in line with applicable regulations.
8.6 Security Operations
A Security Operations function provides continuous monitoring, threat-intelligence integration, anomaly detection, and triage of security events. The function operates under written runbooks and conducts post-incident reviews for material events.
8.7 Fraud prevention
- Real-time transaction monitoring informed by behavioural baselines, device fingerprinting, and known-fraud signals.
- Velocity, value, geography, and counterparty rules tuned to the customer's historical profile.
- Cooling-off windows on high-risk actions — new beneficiary, large transfer, device change.
- Customer-managed controls — instant card freeze, channel restriction, and per-channel transaction limits.
8.8 Business continuity and disaster recovery
The Bank maintains a Business Continuity Plan and Disaster Recovery Plan covering customer-impacting outages, premises events, supplier failure, and personnel events. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are documented per critical service and validated annually through tabletop and live exercises.
8.9 Third-party risk
All third parties that provide operationally significant services to the Bank are subject to a documented risk assessment, contractual data and security obligations, periodic re-assessment, and SLA monitoring as described in the Third-Party SLA document.
ValuePay Microfinance Bank Limited has received Approval-in-Principle from the Central Bank of Nigeria (ref. FPR/LAD/CON/MFB/015/047 dated 17 March 2026). The Bank shall not commence banking business until the grant of a final licence.