NDPC’s ₦555.8 Million Fine against Fidelity Bank over Alleged Data Privacy Violation: Insights and Lessons

Data Protection in Nigeria
Data Protection and Privacy, Policy & Regulations, Regulatory Compliance

Pamela Victor Ibitamuno, Associate

The Nigeria Data Protection Commission (NDPC) has reportedly fined Fidelity Bank the sum of ₦555.8 million for data privacy violations.1 Fidelity is required to comply with the order within 14 days of receiving the Commission’s notice. The National Commissioner of the NDPC, Mr. Vincent Olatunji, announced the penalty at a validation workshop on the Nigeria Data Protection Act (NDPA) in Abuja on Wednesday, 21 August 2024.2

The recent decision of the NDPC to impose a fine on Fidelity Bank for data privacy violations has sent shockwaves through the Nigerian financial sector.  It is the largest fine ever imposed by the NDPC.

The NDPC’s decision underscores the growing importance of data protection in the country and serves as a stern warning to other organizations to prioritize the security of sensitive information.

 

NDPC’s investigation finds that Fidelity Bank failed to adequately protect customer data.

The NDPC initiated an investigation against Fidelity Bank following reports of alleged data-privacy breaches. The Commission’s findings revealed that the bank had failed to adequately protect customer data, leading to potential risks of unauthorized access.

The NDPC National Commissioner  confirmed that the Commission commenced an investigation into Fidelity Bank in April 2023 and, upon conclusion, found that it defaulted.

Specific violations identified by the NDPC include the following:

  1. Insufficient data encryption: The bank failed to employ robust encryption algorithms in its systems to protect sensitive customer data, making it vulnerable to cyber attacks.
  2. Weak access controls: The bank is said to have  inadequate access controls in place, which may allow unauthorized individuals to access customer data.
  3. Lack of data-breach notification procedures: The bank failed to implement timely data breach notification procedures, potentially delaying the reporting of incidents and allowing breaches to escalate.

 

The Imposed Fine and Implications for the Nigerian Financial Sector

In the light of the violations identified during NDPC’s  investigation, the NDPC imposed a substantial fine of ₦555.8 million on Fidelity Bank. This penalty is intended to serve as a deterrent and to reinforce the importance of compliance with data protection regulations. 

The NDPC’s action has significant implications for the Nigerian financial sector. It sends a clear message that data privacy is a top priority for regulators and that non-compliance will result in severe consequences. Banks and other financial institutions must now redouble their efforts to strengthen their data-security measures and ensure that they are in full compliance with the law.

The fine on Fidelity Bank could also lead to increased scrutiny of other financial institutions by regulators. This could result in fines or penalties for organizations that are found to be in violation of data protection laws.

 

Fidelity Bank’s Position

Fidelity Bank does not agree with the NDPC’s findings and enforcement order. 

The bank maintains that it did not violate any law because there was no data breach and that the account-opening process which led to the alleged violation was not completed by the bank due to incomplete KYC by the affected customer. The bank claims that it subsequently closed the account when it did not receive the outstanding documents. Because a post-no-debit order was put on all such accounts, at no point in the process was the account ever operational, argues Fidelity Bank.

According to Fidelity Bank, it initially received in December 2023 a compliance order by the NDPC imposing a ‘remedial fee’ of ₦250 million payable in  21 days. Unconvinced about the alleged breach, Fidelity Bank said it was still “engaging with the NDPC on resolving the alleged data violations” when “the bank received another letter on August 20 this year, indicating the imposition of ₦555.8 million fine on the banking institution.”3

 

What lessons can data processors in Nigeria learn?

The NDPC’s fine on Fidelity Bank offers valuable lessons for organizations across all industries. It highlights the importance of the following measures:

  1. Data encryption: Organizations must deploy robust encryption algorithms to adequately protect sensitive customer data against cyber attacks.
  2. Access controls: Organizations must ensure that only authorized individuals have access to customer data, and strict procedures must be in place regarding how such access is managed.
  3. Lack of data-breach notification procedures: As part of their cybersecurity policies, organizations must have effective procedures for reporting incidents of data breaches. For accountability and immediate escalation, reporting should be mandatory and timely. Reporting should also be both internal (to management) and external (to relevant regulators).
  4. Incident response plans: Organizations should have well-developed incident response plans in place to quickly address data breaches and minimize their impact.
  5. Regular audits and assessments: Organizations must conduct regular audits and assessments of their data-security practices to identify and address vulnerabilities.

Insights

  1. A data subject, who is aggrieved by the decision, action, or inaction of a data controller or data processor may lodge a complaint with the NDPC, if he or she believes that his or her rights have been violated under the NDPA or subsidiary legislation.4
  2. If the NDPC is satisfied that a data controller or data processor has violated or is likely to violate any requirement under the NDPA or subsidiary legislation made under the NDPA, the NDPC may make an appropriate compliance order against that data controller or data processor.5
  3. If the NDPC is satisfied that a data controller or data processor has violated any provision of the NDPA or subsidiary legislation made under the NDPA, the NDPC may make any appropriate enforcement order or impose a sanction on the data controller or data processor. This is to ensure that the data controller or data processor remedies the violation; pays compensation to the victim(s); accounts for the profits realized from the violation; or pays a penalty or remedial fee.
  4. If the NDPC orders a penalty or remedial fee, the amount may be a “higher maximum amount” (for a data controller or data processor of major importance) or a “standard maximum amount” (for a data controller or data processor of no major importance). While the “higher maximum amount” shall be the greater of (a) ₦10,000,000, and (b) 2% of the data controller’s and data processor’s annual gross revenue in the preceding financial year, the “standard maximum amount” shall be the greater of (a) ₦2,000,000, and (b) 2% of its annual gross revenue in the preceding financial year.6 In Fidelity Bank’s case, it is clear that it is a data controller of major importance in which case the higher maximum amount applies. But if Fidelity Bank’s reported 2023 full-year, profit-before-tax of N124.26 billion is anything to go by, it would appear that in fining the bank ₦555.8 million, the NDPC did not apply the additional statutory fee of 2% of the bank’s annual gross revenue in the preceding financial year.7 
  5. Though the provisions of Section 48 of the NDPA on enforcement orders does not expressly state that the NDPC has any discretion regarding the amendment of penalty or remedial fees, it is likely that in sanctioning Fidelity Bank, the NDPC considered the following factors based on the circumstances of the particular case, as provided for under the NDPA: 
    • Nature, gravity, and duration of the infringement;
    • Purpose of the processing;
    • Number of data subjects involved;
    • Level of damage and damage mitigation measures implemented;
    • Intent or negligence;
    • Degree of cooperation with the Commission;
    • Types of personal data involved.8

Conclusion

The NDPC’s decision to fine Fidelity Bank for data-privacy violations is a significant development in Nigeria’s data-privacy climate.  Being the biggest NDPC fine ever, it no doubt serves as a strong reminder that data-privacy rights are fundamental and must be respected by eligible organizations who deal in the personal data of citizens. The window is not completely shut against Fidelity Bank though. The NDPA offers any dissatisfied data controller and data processor an opportunity for judicial review. It will be interesting to see how the matter is finally concluded. 

As the digital landscape continues to evolve, it is imperative that organizations remain vigilant in their efforts to safeguard sensitive information. How is your data-protection and privacy health?

  1. ‘NDPC fines Fidelity Bank ₦555.8 million for Data Violation’, Ugo Onwuaso, August 22, 2024, https://www.nigeriacommunicationsweek.com.ng/ndpc-fines-fidelity-bank-n555800000-for-data-violation/
  2. ‘Nigerian Government fines  Fidelity Bank ₦555.8 million over data breaches’, Agency Report, August 22, 2024, https://www.premiumtimesng.com/business/business-news/726713-nigerian-govt-fines-fidelity-bank-n555-8-million-over-data-breaches-official.html
  3. ‘Fidelity Bank kicks as NDPC issues ₦555.8m ‘full penalty’ for alleged data violations’, Consumer Connect, August 25, 2024, https://consumerconnectng.com/37078
  4. Section 46 of the Nigerian Data Protection Act
  5. Section 47 of the Nigerian Data Protection Act
  6. Section 48(3) of the Nigerian Data Protection Act
  7. ‘Fidelity Bank grows profit by 131.5% in 2023’, BusinessDay, April 16, 2024, https://businessday.ng/companies/article/fidelity-bank-grows-profit-by-131-5-in-2023/
  8. Section 46-48 of the Nigerian Data Protection Act

Leave a Reply

Your email address will not be published. Required fields are marked *