Why pension platform security has a different consequence profile
A compromised consumer wallet loses the current wallet balance — typically thousands of naira. A compromised RSA account can expose decades of accumulated pension contributions. The contributor cannot earn that money back. The long time horizon also means that benefit redirect fraud — changing the bank account for retirement benefit payments — can go undetected for years if the contributor is not monitoring their RSA account regularly. By the time they attempt to access their retirement funds, the account may be empty.
PENCOM takes IT risk seriously. PFAs that have experienced security incidents and have not reported them in line with PENCOM's incident reporting guidelines, or that cannot demonstrate adequate security controls during regulatory examinations, face administrative sanctions that can affect their licence to operate.
1. RSA portal authentication and account takeover testing
The RSA self-service portal allows contributors to view their contribution history, update personal details, and track their account balance. We test the portal's authentication mechanisms for: credential stuffing susceptibility (the portal's lockout policy and rate limiting on login attempts), password reset security (email-based reset link entropy and expiry), and session management (session token entropy, session fixation vulnerability, and concurrent session handling).
We also test identity verification on the password reset flow. Common findings: the password reset link does not expire after use, allowing replay attacks; the reset flow requires only an email address and date of birth, both of which are easily obtained through OSINT; and the reset token is transmitted in the URL without HTTPS enforcement, allowing interception in unsecured network environments.
2. Bank account change security controls
Modifying the bank account registered for benefit payments is the highest-risk action in the RSA portal. We test the authorization controls on the bank account change workflow. The control requirements we verify: the change must require re-authentication at the time of submission (not just an active session), a notification must be sent to the registered email address and phone number immediately, a mandatory cooling period of at least 48 hours must apply before the new account becomes effective for disbursements, and the change must be reversible within the cooling period through a verified channel.
3. Contribution data access authorization
Employer HR administrators have access to their employees' contribution data on PFA portals — they submit contribution schedules and can view payment status. We test whether an employer admin can access the contribution data of employees who have since left the company, whether the employer admin's access is scoped to their own company's employees or can be expanded to other employer accounts, and whether the data export functions available to employer admins include personally identifiable information that should be masked.
4. Benefit application processing authorization
The benefit application processing system is where contributors request retirement benefits, programmatic withdrawals (25% at 50), and other scheduled disbursements. We test the authorization on benefit approval workflows, the validation of eligibility criteria (age, years of contribution, retirement status), and the binding between the benefit approval and the disbursement account on record. A benefit disbursement that processes without verifying the current registered account against a KYC-confirmed record is a redirect fraud vector.
Bank account change effective immediately with no cooling period
During a security assessment of a Nigerian PFA's RSA portal, we found that bank account changes submitted through the self-service portal took effect immediately — there was no cooling period. A notification email was sent but the change was already active before the notification was received. We tested the benefit disbursement flow and confirmed that a transfer request submitted immediately after the account change would disburse to the new account. An attacker who compromises an RSA portal account (through credential stuffing, SIM swap, or social engineering) can change the disbursement account and initiate a benefit withdrawal in a single session. Fix priority: critical. Remediated by implementing a 72-hour cooling period on bank account changes, during which the change is pending and the original account remains active for any disbursements, and adding a step-up authentication requirement for the account change action.
Operating a Pension Fund Administrator, RSA portal, or pension technology platform in Nigeria? Book a security assessment aligned to PENCOM's IT risk requirements.
Book a Pension Platform PentestFrequently asked questions
What PENCOM regulations apply to pension platform security?
PENCOM's Guidelines on Investment of Pension Fund Assets, the Revised Regulation on Administration of Retirement and Terminal Benefits, and PENCOM's IT Risk Management Framework collectively require PFAs to maintain documented security controls, conduct regular security assessments, and report security incidents to the Commission. PENCOM also requires that PFAs' core technology systems meet defined availability and data integrity standards.
What makes pension fund data particularly sensitive?
RSA data includes the contributor's full name, PFA account number, PIN, employer name, cumulative contribution history (sometimes spanning decades), investment returns, and the registered bank account for benefit payments. This is a comprehensive long-term financial record that cannot be changed — unlike a bank account number, a person's contribution history cannot be replaced if compromised.
What is the risk of retirement benefit redirect fraud?
Benefit redirect fraud occurs when an attacker compromises a contributor's RSA portal account and modifies the registered bank account for benefit payments before the contributor retires and accesses their funds. If the account change is not subject to multi-step verification and a mandatory waiting period, the contributor may not discover the change until they apply for retirement benefits — at which point their accumulated pension has already been disbursed to the attacker.
Related reading
Blog: CBN licence security requirements · SEC Nigeria cybersecurity framework · CBN IT examination preparation
Services: Penetration testing · Secure architecture review