The Nigeria Data Protection Commission (NDPC) has launched a wide-ranging sectoral probe into dozens of organisations over suspected breaches of the Nigeria Data Protection Act (NDP Act, 2023). The investigation, revealed through a public notice, highlights household names in fintech and financial services, underscoring the seriousness of the regulator’s compliance drive. Companies listed must now present proof of compliance or face potential sanctions.
Major Firms Under Scrutiny
Among the companies named are eTranzact, Abeg Technologies, Chams Plc, Moniepoint Microfinance Bank, FBN Mortgages, Merrybet, Leadway Assurance, Coronation Insurance, and Zenith Pensions. These firms collectively handle vast amounts of sensitive data, from personal identities to pension and insurance records. Their inclusion signals that the NDPC is turning its attention to sectors most exposed to risks of data misuse.
Requirements Outlined in the Notice
The notice, first published by BusinessDay on August 25, 2025, compels each organisation to provide evidence of compliance within 21 days. This includes filing statutory compliance audit returns for 2024, formally appointing a Data Protection Officer (DPO), registering as a data controller or processor of major importance, and documenting security measures already in place. The NDPC made it clear that firms unable to meet these demands could face enforcement orders, heavy fines, or even criminal prosecution.
Data Protection at Stake
The announcement resonates with everyday Nigerians who rely on the named platforms for daily financial transactions. For example, Moniepoint and Abeg operate consumer-facing apps serving millions of users, while eTranzact underpins payment infrastructure across banks and merchants. Pension and insurance firms, meanwhile, manage deeply sensitive information tied to retirement funds and policyholders, raising the stakes for secure data handling.
A Shift in Regulatory Strategy
This move marks a transition from quiet compliance checks to visible public accountability. Under the NDP Act, the NDPC holds broad powers to audit and sanction non-compliant organisations. By publicly listing companies, the regulator seeks both to push firms into urgent compliance and reassure citizens that data protection is actively enforced.
Operational Challenges for Companies
The short timeframe for response has created pressure across the affected organisations. Compliance requires not only legal documentation but also evidence of technical safeguards and governance structures. Many companies will need to mobilise compliance, legal, and cybersecurity teams simultaneously to meet the regulator’s tight deadline.
Business Risks and Repercussions
The risks extend beyond fines or legal penalties. Public confidence could suffer if customers interpret the probe as evidence of weak data protection practices. Equally, international business partners, especially those involved in cross-border transactions, may reassess their exposure to Nigerian firms caught up in the investigation.
Turning Compliance into Advantage
Despite the risks, companies have an opportunity to turn regulatory scrutiny into strategic value. By moving quickly to appoint visible DPOs, file complete audit returns, and outline robust technical controls such as encryption and access restrictions, firms can strengthen customer trust. In an increasingly competitive market, demonstrable compliance can serve as both a reputational safeguard and a commercial differentiator.
Implications for the Fintech Ecosystem
For fintechs eyeing foreign investment or expansion abroad, strong compliance with Nigeria’s laws is a prerequisite. Investors and partners often treat data protection as a critical risk filter before signing deals. The NDPC’s sector-wide naming exercise thus nudges the industry toward higher standards, creating a clearer path to sustainable growth.
Next Steps for Organisations
The NDPC spelled out the minimum actions required: filing 2024 compliance audit returns, naming DPOs, registering where necessary, and presenting summaries of technical protections. Beyond these steps, companies may also issue public statements on how customer data is safeguarded and engage independent auditors to review their systems. Such proactive moves could help restore confidence among both customers and regulators.
For consumers, the probe does not mean that breaches have already occurred, but it highlights where regulatory attention is now focused. For businesses, it is a sharp reminder that compliance with the NDP Act is no longer optional but central to market credibility. The NDPC’s intervention signals a new era of accountability in Nigeria’s digital economy, one in which firms that adapt quickly will likely emerge stronger.