By Blessing Emmanuel
Fidelity Bank has expressed its disagreement with the Nigeria Data Protection Commission’s (NDPC) recent decision to impose a fine of N555.8 million, asserting that it has adhered to data protection laws.
The bank contends that the imposed penalty stems from a misunderstanding regarding an account opening request and insists that it followed proper procedures in handling and eventually closing the account in question.
The NDPC imposed a fine of N555.8 million on Fidelity Bank PLC for violations of the Nigeria Data Protection Act (NDPA) 2023 and the Nigeria Data Protection Regulation (NDPR) 2019.
The fine, representing 0.1 percent of the bank’s annual gross revenue for 2023, follows the bank’s failure to address serious data privacy concerns despite multiple warnings and opportunities to comply.
The NDPC’s investigation was sparked by a complaint from an individual whose personal data had been collected without proper authorisation during the process of opening an account at Fidelity Bank. This complaint, lodged in April 2023, led to a thorough review of the bank’s data handling practices, revealing a pattern of non-compliance with Nigeria’s data protection laws.
The investigation uncovered that Fidelity Bank had been processing personal data through various platforms, including its widely used banking app, without obtaining informed consent from users. At the time, the app had over one million downloads, amplifying the potential impact of these violations. Additionally, the bank was found to be using non-compliant third-party data processors, a breach of the NDPA’s requirement that organizations ensure their partners also adhere to data protection standards.
The NDPC’s initial findings were communicated to Fidelity Bank in July 2023, followed by a directive in December 2023 to implement a remedial plan. However, despite more than ten correspondences and repeated warnings, the bank failed to present an adequate plan to rectify the issues. As a result, the NDPC was compelled to impose the N555.8 million fine, which the bank must pay within 14 days of receiving the notice.
National Commissioner and CEO of the NDPC, Dr. Vincent Olatunji, criticised the bank’s lack of accountability, stressing that such lapses undermine public trust in Nigeria’s ability to protect personal data.
He warned that without strict adherence to data protection laws, economic progress could be jeopardised, as trust is essential for the growth of data-driven transactions and services.
Reacting however, Fidelity Bank in a statement on Wednesday night said, “An account opening request was received online in the name of [name withheld], and an email was sent to the email address attached to the request informing them about this.
“In compliance with our Data Protection policy, accounts created online without full documentation are not allowed to be operational and are closed after 30 days if the outstanding documents are not provided to authenticate the identity of the person seeking to open the account.
“In compliance with our data protection laws, the account was not allowed to be operational as the passport photograph and BVN were not provided.
“The account was immediately placed on ‘Post No Debit’ status as the applicant was expected to complete the account opening process by providing the outstanding documents for verification within 30 days. This was not done, and the account was eventually closed.
“On May 2nd 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed. On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents.
“At no point in the process was the account ever operational.
“On July 7th, 2023, we were invited for a Pre-Action meeting with NDPC. During the meeting, we restated our position as earlier communicated to them in our letter dated May 2nd.
“However, despite our explanation and evidence provided to support our claim, the agency informed us that they had reached a conclusion to impose a penalty on the bank.
“On 5th December of 2023, we got a letter from NDPC demanding we pay a ‘remedial fee’ of N250 million within 21 days.
“We immediately commenced another round of engagements with the Commission as we were convinced we had not breached any extant law or regulation.
“While discussions were still ongoing with the NDPC, we received another letter on the 20th of August demanding that we now pay N555.8m.
“As a responsible financial organisation with a history of strong corporate governance standards, we remain committed to the due process of the law, and we wish to assure all our customers of our unwavering commitment to upholding the highest level of ethical standards in all our dealings with customer data.
“Our commitment to strong corporate governance has earned us local and international recognition, including the prestigious CG+ award. This is the highest rank under the Corporate Governance Rating System (CGRS) of the Nigerian Exchange Group (NGX), which evaluates listed companies against established best practices and standards.
“As a Bank, we remain in discussions with the NDPC over an amicable resolution to this matter,” Fidelity noted.