In this review, we examine how Nigerian banks are getting slammed with fines for noncompliance with regulatory requirements.
Since the adoption of the Data Protection Act in Nigeria in 2023, the national watchdog, the Nigerian Data Protection Commission (NDPC), has continued its efforts to enhance regulatory compliance among public and private sector entities.
In January 2024, the Commission stated it was investigating 17 data breach cases across various sectors, ranging from finance, technology, and education to government, logistics, and gaming. According to the NDPC, in June private sector compliance was above 55%, while the public sector had reached 15%.
One of the measures aimed at enhancing data protection is the imposition of fines for noncompliance with data protection regulations, and this measure is being put into effect. As the watchdog recently revealed, four banks and three companies were fined a total of ₦400 million (~$238,000) for violating the national DPA.
“In the law, we can fine companies depending on the nature of the breach, impact on the subject, and level of cooperation, and we got ₦400 million from remediation fee,” Vincent Olatunji, the commission's National Commissioner and CEO, announced.
The latest case of a Nigerian bank violating the DPA seems to be the most severe among those the Commission investigated this year. As reported by the watchdog, Fidelity Bank, Nigeria’s mid-tier lender, is to pay 0.1% of its 2023 revenue, or $358,580 (₦555.8 million), for violating data protection laws (Nigeria Data Protection Act, 2023; Nigeria Data Protection Regulation, 2019).
The Commission found that the lender was illegally collecting personal data to open an account for a customer. Despite the charges, the bank's representatives denied guilt, saying there was no data breach as such, “and that it did not complete the account opening process for the unnamed customer”. As Olatunji explained, the lender’s poor cooperation during the investigation aggravated the penalty.
It is not specified who within the bank is responsible for the incident. However, we can assume that an insider or a group of insiders is involved, since only the bank's own employees have direct access to the collected data and the ability to open customer accounts. There is also a chance that external attackers gained access to the lender’s corporate network, but this could only happen through employee accounts that were compromised, for example, in a phishing attack.
In any case, without reliable and efficient security solutions it is impossible to ensure appropriate data protection. The solutions must enable an IS officer to:
Nigeria’s watchdog has warned that non-compliance with data protection requirements among local organizations would continue to be met with severe penalties.
If you want to prevent data-related incidents, avoid penalties, and avoid the financial and reputational damage that comes with non-compliance with regulatory requirements, you need to implement DLP and DCAP class solutions that handle the abovementioned tasks. If an organization lacks the resources to deal with data protection in-house, Managed Security Services can be the solution. The MSS model enables organizations to ensure protection without labor costs or the need to purchase protective software and hardware: everything is available within a subscription.