NDPC Probes GTB And Unity Bank Over Data Breach, Flays CBN’s Collection Of Social Media Handles


NDPC Probes GTB And Unity Bank Over Data Breach, Flays CBN’s Collection Of Social Media Handles

The Nigeria Data Protection Commission (NDPC) says the recent policy by the central bank directing commercial banks to collect the social media handles of their customers “is not necessary”.

On Sunday, the Central Bank of Nigeria (CBN) directed banks to collect and verify social media accounts as part of their know-your-customer (KYC) procedures for permanent or occasional clients.

The financial regulator said the new directive aims to prevent financial crimes and terrorism while boosting the precision and thoroughness of customer identification.

However, in a statement on Thursday by Itunu Dosekun, NDPC’s head of media, Vincent Olatunji, the commission’s national commissioner, said data collection ought to go through due process.

Olatunji said before the establishment of the Nigerian Data Protection Act (NDPA) on June 12, indiscriminate collection of citizens’ data by the Data Controller Organisations (DCO) was not taken seriously.

He said there are prerequisite steps any data controller must take prior to the collection of data from the data subject.

The commissioner said any organisation that defaults was going against the law and causing a data breach, and as such, would attract fines.

“There are provisions in the law to go against any data controller be it private or government office, NGOs, hotels, because we are pro-citizens,” he said.

“The whole idea of this law is to protect the rights, the interests of Nigerians who are data subjects.

“We are already engaging with the CBN to let them know that what they have done is against the law because there are basic principles you must meet when you want to collect citizens’ data.

“There is data minimisation, meaning you don’t collect data beyond the purpose for which it was intended, purpose limitation, what purpose is it for.”

The national commissioner further said, “asking for social media handles is not necessary”.

Olatunji, however, said if the collection of the social media handles happens under public interest, which could include monitoring some transactions, there should be proper awareness among the customers.

He also called for an inquiry into why the CBN regulation came up and how best to resolve it in line with global best practices.


In a related statement, the commission said it is investigating three banks, one university, and other suspects over an alleged data breach.

Olatunji said the investigation came following complaints from data subjects.

With the new Nigerian Data Protection Act (NDPA), he said the commission has been empowered with a legal framework to address issues of citizens’ data breaches.

“In the last few weeks, the NDPC has received complaints bothering on unlawful data processing, unauthorised access to personal data, and violation of data subjects’ rights,” he said.

“Under part 10 of the newly-signed NDPA Act 2023, a data controller with a turnover of N200 billion yearly may pay as high as N2 billion, which represents two percent of the gross revenue.

“Not only that, but offenders also risk up to a one-year jail term.

“We are currently investigating Guarantee Trust Bank, Fidelity, Unity, Zenith banks, Leadway Insurance and Babcock University, among others, for data breach.”

Olatunji said many microfinance banks are yet to align their operations with the requirements of data privacy and protection.

The commissioner also disclosed that loan organisations would face the law with the new mandate of the Federal Competition and Consumer Protection Commission (FCCPC) which requires lending firms to seek compliance and clearance from NDPC before approving online lenders.

“The commission is investigating over 400 complaints in the online lending sector,” he added.

“Soko Loan is already working on a comeback to the digital lending market, but yet to be approved.”