FinTech Regulations in Nigeria

Nigeria has seen remarkable growth in the technology sector, including exponential growth in FinTech companies, encompassing start-ups and more established businesses. Consequently, the Nigerian government has been inquiring into the financial services sector and focusing on FinTech as one of the key drivers of growth in the Nigerian financial services industry. For this reason, and as part of a national strategy for the development of the FinTech industry in Nigeria, there has been significant interest from policymakers in implementing new regulations for the FinTech industry.

In the first part of this series, we took a closer look at FinTech in relation to Digital Payments and discussed the various regulations that inadvertently affect them within Nigeria.

In this part, we examine the Nigerian regulations that affect FinTech Testing and Data Protection.

1. FinTech Testing

In the tech space, testing applications and software can sometimes be a daunting task, especially in Nigeria, where tech start-ups are cropping up by the minute. Usually, it takes a great deal of time for FinTechs to test their solutions and ensure that they are ready for the market, after which several of those FinTechs realise that they are in breach of a regulation that they were not aware of. In light of this, and in a bid to keep up with the fast-paced changes in the technology sector, some countries have explored the option of a 'Regulatory Sandbox'.

A 'Regulatory Sandbox' is a controlled environment that offers a 'safe space' in which start-ups and other businesses can test innovative products, services, business models and delivery mechanisms relating to the financial and capital markets in a live environment without immediately satisfying all the necessary regulatory requirements.1

Regulatory Sandboxes have been implemented in several countries, including the UK, Singapore, Malaysia, Abu Dhabi, Canada, Denmark and Australia,2 to name a few.

The Securities and Exchange Commission (SEC) has just launched a Regulatory Sandbox. The SEC, on its portal, invites businesses or individuals that plan to launch innovative products, services, business models and delivery mechanisms relating to capital markets to answer the questions on its website, to enable the SEC to provide guidance to the tester on regulatory requirements (if any).3

With the SEC Regulatory Sandbox, FinTechs will have a safe environment to test their solutions. We believe the sandbox is live and fully operational and expect this step to have a huge impact on both the growth and the successful regulation of FinTechs in the coming years. Furthermore, the Central Bank of Nigeria ('CBN') and the Nigerian Inter-Bank Settlement System ('NIBSS') announced in 2018 that they would be collaborating to create a CBN x NIBSS regulatory sandbox for the facilitation of digital innovation and FinTech solutions. To that effect, they created the Financial Service Innovators Association of Nigeria (FSI) to co-ordinate the project and are expected to launch by the end of the year.4

2. Data Protection

Several regulations apply to data protection in Nigeria. In January 2019, an all-encompassing regulation was released by the National Information Technology Development Agency ('NITDA') for the sole purpose of regulating data protection across the nation, but it is not the only one. Below are all the regulatory sources that apply to data protection in Nigeria:

a. Section 37 of the 1999 Constitution (as Amended)

The Nigerian Constitution provides the umbrella law that clearly states the nation's position on the issue of data protection. Section 37 provides:

"The privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected."5

All other regulations that were released subsequently used the provisions of this section as the underlying principle.

b. Freedom of Information Act 2011

The Freedom of Information Act ('the Act') was signed into law in May 2011 and it aims to:6

  • Make public records and information more freely available;
  • Provide for public access to public records and information;
  • Protect public records and information to the extent consistent with the public interest and the protection of personal privacy;
  • Protect serving public officers from adverse consequences of disclosing certain kinds of official information without authorization; and
  • Establish procedures for the achievement of those purposes.

With respect to data protection, the Act provides that a public institution must deny an application for information if the information requested contains personal information. This covers personal information:7

  • maintained with respect to clients, patients, residents, students, or other individuals receiving social, medical, educational, vocational, financial, supervisory or custodial care or services directly or indirectly from public institutions;
  • maintained with respect to employees, appointees or elected officials of any public institution or applicants for such positions;
  • maintained with respect to any applicant, registrant or licensee by any government or public institution cooperating with or engaged in professional or occupational registration, licensure or discipline; and
  • required of any taxpayer in connection with the assessment or collection of any tax unless disclosure is otherwise requested by the statute.

It further provides that before such personal information can be released, the consent of the related party must have been obtained.

The Act takes cognisance of professional privileges and provides that a public institution may deny an application for information that is subject to legal practitioner-client privilege, health worker-client privilege, journalism confidentiality privilege and any other professional privileges provided for in an Act.8

c. Cybercrimes (Prohibition, Prevention, etc.) Act, 2015

The Cybercrimes (Prohibition, Prevention, etc.) Act, 2015 ('the Cybercrimes Act') came into effect in May 2015 for the purposes of ensuring the protection of critical national information infrastructure; promoting cybersecurity and the protection of computer systems and networks; protecting electronic communications, data and computer programs; and safeguarding intellectual property and privacy rights.9

The Cybercrimes Act goes on to provide several punitive measures against individuals or corporations engaged in cybercrimes and breach of data privacy, describing each offence usually with the words 'fraudulent intent' or 'without authorization'.

d. The Data Protection Regulation 2019

Finally, the NITDA Nigeria Data Protection Regulations 2019 ('the NITDA Regulations') were put into place recognizing that many public and private bodies have migrated their businesses online and realising that there is indeed a need to safeguard the data of these subjects.10

The NITDA Regulations provide a more detailed approach to data protection, taking the time to define terms such as 'Personal Data', 'Data Subject', 'Data Controller', 'Lawful Processing' and 'Consent'.

They provide that data processing will be lawful only in the following circumstances:11

  • the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the Controller is subject;
  • processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; and
  • processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller.

The NITDA Regulations make provisions for data security, third party processing, transfer of data to a foreign country and the rights of Data Subjects among others.12

Any person or organisation in breach of the data privacy rights of a Data Subject will, if dealing with less than 10,000 Data Subjects, be liable to pay a sum equalling 1% of annual revenue or 2 million naira (whichever is greater) and, if dealing with more than 10,000 Data Subjects, be liable to pay 2% of annual revenue or 10 million naira (whichever is greater).13

All organizations involved in the control or processing of Personal Data are now mandated to publish their data protection policies, and failure to comply with the provisions of the Regulations shall be treated as a breach of the NITDA Act of 2007 and sanctioned accordingly.

Concluding note

FinTechs should be aware of the fast-approaching FinTech testing regulations as well as the various sources of data protection regulations, as they will strongly affect several of their decisions in the coming years.


1. Securities and Exchange Commission, Nigeria, 'Regulatory Sandbox- Assessment' (2019)

2., 'Playing in the Regulatory Sandbox' (2019)

3. Securities and Exchange Commission, Nigeria, 'Regulatory Sandbox- Assessment' (2019)


5. Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended)

6. Preamble of the Freedom of Information Act 2011

7. Sections 14(1&2) of the Freedom of Information Act 2011

8. Section 16 of the Freedom of Information Act 2011

9. Explanatory Memorandum of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015

10. Preamble of the Nigerian Data Protection Regulation 2019

11. Article 2.2 of the Nigerian Data Protection Regulation 2019

12. Article 2.6, 2.7, 2.11, 2.12 & 3.1 of the Nigerian Data Protection Regulation 2019

13. Article 2.10 of the Nigerian Data Protection Regulation 2019
