In a move that sends shockwaves through Nigeria’s financial technology sector, the Nigeria Data Protection Commission (NDPC) has levied a staggering ₦555.8 million ($353,000) fine against Fidelity Bank PLC. The penalty, representing 0.1% of the bank’s annual gross revenue, was imposed after an investigation uncovered serious violations of the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation 2019.
The case originated from a complaint lodged in April 2023 by an individual whose personal data was allegedly used without consent to open a bank account. The NDPC’s subsequent investigation revealed that Fidelity Bank had engaged in a pattern of processing personal data without obtaining proper consent from individuals. This included the use of data collection tools such as cookies and mobile banking applications; the bank’s app has been downloaded over a million times.
The NDPC also found that Fidelity Bank relied on third-party data processors who were not in compliance with data protection regulations. The law mandates that organizations ensure their vendors and partners are equally accountable for handling personal data.
The NDPC’s decision to impose the fine was not taken lightly. The Commission’s initial ruling was issued in July 2023, followed by a directive to pay a remedial fee in December 2023. Over the course of a year, the NDPC engaged in extensive communication with Fidelity Bank, issuing repeated warnings and providing ample opportunities for the bank to demonstrate accountability. However, the bank failed to provide a satisfactory remedial plan, leading to the landmark fine.
Fidelity Bank’s Response
In a statement released after the news of the fine broke, Fidelity Bank affirmed its commitment to data protection and strong corporate governance. The bank emphasized that it has always conducted itself with the highest ethical standards and ensured full compliance with data protection laws.
The bank also provided a detailed timeline of its interactions with the NDPC, outlining the steps it took to address the initial complaint and its belief that no data breach had occurred. According to Fidelity Bank, the account in question was never operational and was closed in accordance with its data protection policy.
Implications for the Fintech Industry
If this fine is upheld, Nigerian fintechs could face significant scrutiny, with the NDPC potentially intensifying efforts to identify non-compliant companies across the internet. Recently, Meta was fined $220 million for breaching Nigeria’s data protection laws. The message from the NDPC is unequivocal: organizations that neglect data protection will encounter severe penalties.
For fintech companies, especially those newer to the industry, this is a crucial moment to reassess their data handling practices. With the data protection law enacted only in July of last year, many companies may still be adjusting to its requirements. It is essential for fintech firms to closely evaluate their third-party data processors and ensure compliance throughout their operations.
As Nigeria’s digital economy expands and the government seeks to bolster revenue, the protection of personal data is likely to become even more critical. The NDPC’s significant fine against Fidelity Bank signals a new phase of regulatory enforcement.
This could be a clear signal to Nigerian fintechs to proactively review their data protection policies and procedures. The NDPC’s next target might be the cookies on your website or the data gathered by your mobile app.