The Nigeria Data Protection Commission has begun an investigation into an alleged data breach involving Remita Payment Services Limited, Sterling Bank, and other institutions, marking a significant enforcement action under the Nigeria Data Protection Act 2023. Mr Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at NDPC, said in a statement on Monday that a notice of investigation was duly served on April 1, in line with the commission’s procedures, and that relevant parties and individuals have since been providing information to aid the investigation and address the incident.
Bamigboye stressed that the investigation aims to ensure that data subjects are protected with appropriate technical and organisational measures. “The investigation by NDPC covers, among others, the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects and the mitigation measures carried out where a breach is confirmed,” he said. The investigation signals the commission’s willingness to exercise its enforcement powers against major financial services institutions, demonstrating that compliance with data protection obligations is not optional.
From an economic perspective, data breaches in the financial services sector carry significant potential consequences. Payment platforms and banks process vast quantities of sensitive personal information, including bank account details, transaction histories, identification documents, and in some cases, biometric data. A breach of this data could expose individuals to financial fraud, identity theft, and phishing attacks. For the institutions involved, a breach can result in regulatory sanctions, reputational damage, loss of customer trust, and potential civil liability. The NDPC’s investigation will determine the scope of any breach and the adequacy of the institutions’ response.
The National Commissioner of NDPC, Dr Vincent Olatunji, stated that organisations deploying digital payment systems without adequate safeguards would come under scrutiny. He added that such measures were mandated under the Nigeria Data Protection Act 2023 as part of efforts to ensure the integrity of the ecosystem. This statement reflects the commission’s view that digital payment systems, given their access to sensitive financial data, must meet high standards of data protection. The investigation of Remita, a major payment platform used by many government agencies and businesses, suggests that the commission is focusing on systemically important players in the digital payments infrastructure.
The Nigeria Data Protection Act 2023, which came into force after years of advocacy and legislative work, established a comprehensive framework for data protection in Nigeria. The Act created the NDPC, gave it enforcement powers, and set out principles for the collection, processing, and storage of personal data. Under the Act, data controllers and processors are required to implement appropriate security measures to protect personal data from breaches, notify the commission and affected data subjects in the event of a breach, and cooperate with investigations. The investigation of Remita and Sterling Bank represents a test of these provisions.
The timing of the investigation is notable, coming as Nigeria’s digital economy continues to expand rapidly. More Nigerians are using digital payment platforms for salaries, bill payments, transfers, and commerce. The volume of personal data flowing through these systems has grown correspondingly, making them attractive targets for malicious actors. The NDPC’s proactive enforcement, including investigations of potential breaches, is intended to deter lax security practices and ensure that institutions handling personal data take their obligations seriously.
For Remita and Sterling Bank, the investigation presents both compliance and reputational challenges. The institutions will need to demonstrate that they have adequate security measures in place, that any breach was promptly detected and mitigated, and that affected data subjects were properly notified. The outcome of the investigation, whether a finding of compliance, recommendations for improvement, or imposition of sanctions, will be closely watched by other financial institutions and data controllers across the economy.
The NDPC’s action also has implications for the broader fintech ecosystem. Many fintech companies handle sensitive personal data but may operate with lean compliance teams or limited security budgets. The investigation of major players like Remita and Sterling Bank sends a signal that the commission is actively monitoring the sector and will enforce the law regardless of an institution’s size or market position. Fintech companies would be wise to review their data protection practices and ensure they are prepared for potential regulatory scrutiny.
As the investigation proceeds, the NDPC will determine whether a breach occurred, its scope and impact, and whether the institutions took appropriate measures to protect data and respond to the incident. Depending on the findings, the commission could issue recommendations, impose administrative fines, or take other enforcement actions. For data subjects who may have been affected, the investigation may ultimately provide clarity about what happened and what steps they should take to protect themselves. For the broader public, the investigation demonstrates that the NDPC is fulfilling its mandate to enforce the Nigeria Data Protection Act and hold data controllers accountable.
