Data Watchdog Fines Nigerian Banks for Compromising Data
02.10.2024

In this review, we examine how Nigerian banks are getting slammed with fines for noncompliance with regulatory requirements.


Upon adoption of Data Protection Act in 2023 in Nigeria, the national watchdog, the Nigerian Data Protection Commission (NDPC), continues to make an effort to enhance regulatory compliance among public and private sector entities. 

In January 2024, the Commission stated it was investigating 17 data breach cases across various sectors, ranging from finance, technology, and education to government, logistics, and gaming. According to the NPDC, in June private sector compliance was above 55%, while the public sector has reached 15%.

One of the measure, aimed at enhancing of data protection is imposture of fines for incompliance with data protection regulations. And this measure is being put into effect. As it was revealed recently by the watchdog, the four banks and three companies were fined a total of ₦400 million (~ $238,000) for violating national DPA.

“In the law, we can fine companies depending on the nature of the breach, impact on the subject, and level of cooperation, and we got ₦400 million from remediation fee,” Vincent Olatunji, the commission's National Commissioner and CEO announced. 

The latest case of one of the Nigerian bank's DPA violations seems to be the most severe among those the Commission investigated this year. As reported by the watchdog, Fidelity Bank, Nigeria’s mid-tier lender, is to pay 0.1% of its 2023 revenue, or $358,580 (₦555.8 million), for violating data protection laws (Nigeria Data Protection Act, 2023; Nigeria Data Protection Regulation, 2019).

The Commission found out that the lender was illegally collecting personal data to open an account for a customer. Despite the charges, the bank representatives denied guilts, saying there was no data breach as such, “and that it did not complete the account opening process for the unnamed customer”. As Olatunji explained, the lender’s poor cooperation during the investigation aggravated the penalty.

It is not specified who is responsible for the incident within the bank. However, we can assume that an insider or a group of insiders is involved in the case since only employees of the bank itself can have direct access to the collected data, as well as the ability to open customer accounts. Nevertheless, there is a chance that external attackers have gained access to the lender’s corporate network. But again, this could only happen by gaining access to employee accounts that may have been lost due to, for example, a phishing attack.

Anyway, without reliable and efficient security solutions it’s impossible to ensure appropriate data protection. The solutions must enable IS officer to:

  1. Obtain all the sensitive data the organization  keeps and where exactly it is stored;
  2. Reveal, who has access to this data and be able to reconfigure access rights to confidential documents;
  3. Monitor operations, related to data usage, prevent incidents and potentially dangerous operations.
  4. Reconstruct all the details of violation to prevent incident occurrence in future.

As Nigeria’s watchdog warned, the non-compliance with data protection requirements among local organizations would be further met with severe penalties. 


If you want to prevent data-related incidents, avoid being penalized and not suffer financial and reputational damage because of non-compliance with regulatory requirements, it’s required to implement DLP&DCAP class solutions, enabling to deal with the abovementioned tasks. In case organization lacks resources for dealing with data protection in-house, choosing Managed Security Services can be the solution. The MSS model enables organizations to ensure protection without labor costs or necessity to purchase protective software&hardware – all is available within subscription.


Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.