Nigeria’s data protection regulator, the Nigeria Data Protection Commission (NDPC), kicked off a sweeping investigation into several leading fintech and financial services firms including Moniepoint, Abeg, and eTranzact over suspected violations of the Nigeria Data Protection Act (NDPA) 2023. The NDPC released a public notice identifying dozens of organisations under scrutiny, urging them to submit definitive proof of compliance within 21 days.
The listed entities must file their 2024 compliance audit returns, formally appoint a Data Protection Officer (DPO), register as data controllers or processors of major importance, and deploy sufficient technical and organisational safeguards for data protection. NDPC warned that failure to comply carries the risk of enforcement orders, financial penalties, or criminal prosecution.
A Wide-Ranging Compliance Push
The investigation isn’t limited to fintech alone. NDPC’s action reaches across various sectors, raising the urgency for Nigeria’s digitally driven firms to align with new data protection standards. Featuring in the notice: household fintech brands like Moniepoint, Abeg, and Merrybet; payment infrastructure providers such as eTranzact; national identity operators like Chams Plc; and long-established financial institutions including FBN Mortgages, Coronation Insurance, and Zenith Pensions.
By publicly disclosing the list, the NDPC signalled a shift from private reprimands to transparent enforcement. The move puts pressure on firms to react quickly and visibly while providing reassurance to Nigerians that the regulator remains vigilant over personal data rights.
What’s at Stake for Companies and Consumers
For companies, the implications run deep. Regulators could impose significant sanctions, including fines, forced compliance mandates, or even criminal liability. Customer trust and investor confidence may take a hit if consumers perceive unsafe data handling. Some businesses may need to overhaul operations, beef up security, and engage legal and compliance professionals rapidly. On the flip side, firms that embrace proper data governance could turn compliance into a market differentiator.
Consumers, however, should not panic. Being on NDPC’s list doesn’t equate to wrongdoing, it reflects possible gaps in paperwork or procedural compliance. Data subjects deserve clarity, and companies that proactively communicate their practices can help calm concerns.
The Regulation Landscape and NDPC’s Track Record
The NDPC emerges from the Nigerian Data Protection Bureau, established in 2022 to implement the 2019 NDPR and now the broader 2023 Act.
The Commission already bears a track record of enforcement: data breach probes across sectors, and at least N400 million in revenue from fines over the last two years. Fines have ranged from N10 million to 2% of annual gross earnings, and NDPC wielded major sanctions such as a ₦555 million fine on Fidelity Bank in 2024 for non-cooperation during an investigation.
This latest industry-wide notice demonstrates NDPC’s shift to preventive regulation, demanding documented compliance before issues escalate. Through public scheduling, the Commission amplifies both pressure on firms and public awareness of data rights in the digital economy.
