By Daniel Chibuike Okoro
Abstract
The emergence of fintech companies has transformed the financial landscape, making financial services more accessible, easier and more seamless. With this innovation the use of data has become predominant, and with it the need to ensure data privacy and protection. The number of data privacy violations and cyber attacks suffered by fintech companies is alarming, the more so because of the value placed on sensitive personal and financial information and the money that can be made from it. It is for this reason that policymakers and stakeholders have enacted laws and regulations that set out compliance mechanisms and seek a balance that allows innovation and privacy to coexist.
Keywords: Data Protection, Data Privacy, Security, Fintech, Regulatory Compliance.
Introduction
Financial technology, often referred to as fintech, has transformed the traditional way of carrying out financial transactions and services into a digitised one characterised by innovation, data-driven decisions, ease and speed. The financial landscape has in recent years seen remarkable development that makes the user experience smoother and more accessible. A large share of the world's startups are fintech based, championed by a young population disrupting the traditional financial model to build systems that help businesses and individuals manage their finances with less friction. Fintech businesses fall into different categories in different jurisdictions, sometimes called fintech offerings. The common ones include:
Digital Banking: The easiest bank account to open today is a digital one, which can be opened in minutes from the comfort of your home. Documents required for account opening can be scanned or uploaded from a phone or computer. Unlike traditional banks, where you may queue for a long time to open an account that then takes days to process, digital banks have made the process nearly instant. In Nigeria, a number of fintech companies are licensed by the CBN to operate digital banks, among them Opay, Palmpay and Moniepoint.
Electronic Payments: As the world moves from cash in hand to cash in the bank, most financial transactions are now carried out by transfer. Paying with a card or a digital banking app has become routine. In Nigeria, for example, the cash crunch early in 2023 drove the adoption of alternative means of transacting, and point-of-sale (POS) terminals filled the gap. Total cashless POS transactions rose by 45.41% year-on-year to NGN 139.58 trillion (approx. USD 85.96 billion) in January 2023. [1] According to projections, net interest income in Nigeria's digital banking market is set to reach US $664.68m by 2025, while China is expected to generate US $528.8 billion in the same year. [2] Whether the instrument is a credit card, debit card, bank transfer, mobile payment app, digital wallet or bank app, the payment information is sent to a payment gateway, which acts as a bridge between the user, the merchant and the financial institutions. The gateway validates the request before the payment is processed and approved.
Lending Platforms/Digital Credit: Digital money lending platforms emerge daily in this tech-driven economy. Unlike traditional loan applications, characterised by paperwork and delay, these digital credit facilities, operating through websites and mobile applications, grant instant loans that are not secured by collateral. Lenders now use artificial intelligence to compute a credit score, an assessment of the likelihood of repayment and of the risk involved, and the inputs to that score are often mined by algorithms from the intended borrower's mobile phone.
Investment and Savings Platforms: Some fintech companies now offer automated financial advice and low-cost investment options. Investments such as mutual funds, ETFs, crowdfunding and real estate are made available on these platforms. There are also savings products that lock your money away until a set date; the advantage is that interest is added, depending on the amount saved and the duration.
Decentralised Finance and Cryptocurrency: Fintech now uses blockchain technology to offer financial services such as trading, lending and borrowing without intermediaries. In many jurisdictions this remains a cautionary area, because regulators such as the Securities and Exchange Commission and the Central Bank have not yet found a satisfactory way to exercise oversight and control, especially to prevent fraud and market manipulation.
With the growth of technology, personal data has become central to how businesses thrive. Fintech companies work by processing large volumes of data which is often personal and sometimes sensitive. This data is a target for cyber criminals and must be adequately safeguarded. But beyond unlawful breaches by cybercriminals, hackers or other bad actors, the use of personal data for any purpose, even by the company that collected it, must have a lawful basis before that use can be said to be valid. The conversation around data protection in the fintech industry is therefore a pertinent one to have.
What is Data Protection and Privacy?
Data privacy defines who has access to data, while data protection provides the tools and policies that actually restrict access to data. [3] Data protection means taking practical and proactive steps to ensure that data is secured. Data privacy covers who has access to data, what that access will be used for, how long the data will be kept, and similar questions. Since the use of data is the driving force of the fintech industry, adequate protection must be in place.
The Equifax data breach is a prominent case at the intersection of data protection and the financial industry. Equifax is a credit reporting agency (CRA). CRAs aggregate and sell the historical credit information of individuals and companies. Credit card companies, banks, employers and landlords furnish consumers' borrowing and repayment history to CRAs, which compile it into credit reports that are bought by lenders and used to assess the creditworthiness of loan applicants. It is a mechanism for risk assessment. In the years before the breach, Equifax struggled with outdated cybersecurity policies and tooling. In April 2015 its then CSO, Susan Mauldin, implemented Equifax's first patch management policy. An internal audit of that policy later the same year revealed numerous security deficiencies, including over 8,500 unresolved software vulnerabilities. In May 2016 Equifax's W-2 Express website was also hacked, leaking the names, addresses, social security numbers and other personal information of 430,000 people. By 2017 most of these deficiencies had still not been resolved. When a critical vulnerability in the Apache Struts web framework, which Equifax used in its consumer dispute portal, was publicly disclosed in March 2017, Equifax's Global Threat and Vulnerability Management (GTVM) team attempted to locate and patch affected systems but failed to find the vulnerable installation; attackers exploited it to breach Equifax's network and harvest the personally identifiable information of over 147 million consumers. The report of the U.S. Senate Permanent Subcommittee on Investigations (PSI) attributes that failure to the existing flaws in Equifax's cybersecurity policy.
As expected, Equifax faced lawsuits from consumers, state governments and federal regulators. In July 2019, in a settlement with the FTC, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico, Equifax agreed to pay up to $700 million in penalties and compensation to the individuals whose personal data was stolen, with a $300 million fund set aside for those individuals alongside the other payments Equifax made. [4]
The above case study shows the importance of proper data protection in preventing breaches and the misuse of sensitive information. As data protection becomes more critical to sustaining their organisations, fintech companies should employ the best hands to carry it out. Privacy laws should be adhered to, as non-compliance attracts sanctions. Different jurisdictions have different data protection laws; for the purposes of this article two of them will be considered: the Nigeria Data Protection Act, 2023 (NDPA) and the General Data Protection Regulation (GDPR) that governs the countries of the European Union.
Fintech companies are data controllers and processors under the law. A data controller means:
an individual, private entity, public commission, agency or any other body which alone or jointly with others determine the purposes and means of processing of personal data. [5]
A data processor means:
an individual, private entity, public authority, or any other body, who processes personal data on behalf of or at the direction of a data controller or another data processor. [6]
It should be understood that fintech companies might not themselves be the processors, as they may delegate processing to others, but they are the ones who determine the purpose and means of processing and are therefore controllers. Processing, as used above, means:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.[7]
An analysis of the Equifax case clearly shows that the company processes personal data, as the elements of processing (collection, recording, storage, use, dissemination and so on) are visible in its business structure. This, though not in itself illegal, must be done in line with the principles of lawful data processing, the values that must be adhered to whenever personal data is handled. One of these is that data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').[8] There is no gainsaying that this principle was not followed, and Equifax was consequently in violation of the privacy and data protection laws of the jurisdictions in which it operates.
Privacy Violation in the Fintech Industry: Using Loan Apps as a case study.
Unlike traditional banks, which require lengthy forms, paperwork and extensive documentation that often take days or weeks before a loan is approved and disbursed, online loan apps are faster because they grant instant loans. It should be noted, however, that most of these apps require personal information and access to bank account information before a loan is granted. In Nigeria, for example, money lending companies are regulated by the Central Bank of Nigeria, as empowered by the Banks and Other Financial Institutions Act (BOFIA), and by the Federal Competition and Consumer Protection Commission (FCCPC). These agencies determine which companies may carry on the business, stipulate guidelines that approved companies must follow, and work to ensure that consumers are protected. It is sad that, despite the list of approved companies being publicly available, some people still take loans from loan sharks and from companies that have no approval to carry on the business.
Over the years there have been complaints of harassment, defamation and privacy violation by loan apps, and these complaints are investigated and dealt with by the agencies in charge. It is the practice of some loan apps to access the contact list of a loan defaulter and bombard people unconnected with the loan with incessant phone calls, demanding that they reach the defaulter or claiming that the defaulter named them as guarantor and that, since the borrower has defaulted, they must now pay.
In 2021, the National Information Technology Development Agency (NITDA) sanctioned an online lending platform, Soko Lending Company Limited (Soko Loans), for privacy invasion. The action followed a series of complaints against the company of unauthorised disclosures, failure to protect customers' personal data and defamation of character. [9] More recently, a loan app named "Delinquent Loans" posted a series of videos on TikTok containing the images of a total of 87 loan defaulters, each captioned "Please settle your loans." The act sparked controversy. Without prejudice to the fact that some people take online loans intending to play smart and not pay back, the law lays down procedures for recovering loans without infringing privacy. Some commenters argued that the defaulters had probably ticked a box empowering the loan app to recover its money by any method it deems fit, including disclosing their personal information or contacting the people in their phone books, and that the right to sue is lost in such cases. This happens most often when people do not read companies' policies. Such a clause is, however, against the law. The NDPA and the GDPR both provide that personal data shall be processed in a fair, lawful and transparent manner.[10] This raises the question whether such public disclosure of a financial transaction can be lawful. On the duty of confidentiality, in the prominent Nigerian case of UBA PLC v Bakare Wasiu [11] the court held that a bank acts as a trustee of its customers' funds and therefore owes a duty of secrecy regarding account details, unless legally required to disclose information, as in cases of suspected fraud. Applying the ejusdem generis rule of interpretation, institutions of a similar kind to a bank in this context are other financial institutions, under which loan apps fall.
It is therefore important to note that any contract by which a fintech company seeks to override the principles of data processing is in contravention of the law.
Open Banking System in Nigeria: Understanding Privacy Rights in the Fintech Industry.
Open banking is a system for sharing customers' financial data with third-party providers who use it to offer financial products and a more seamless experience. Such financial data can only be shared with the consent of the customer, and application programming interfaces (APIs) are used to share data and functionality between the different applications. An open banking system has three main participants: the API provider, who makes consumer financial data available securely; the API consumer, who builds services and accesses customer data through the APIs; and the API customer, who owns the financial data, grants consent for access and can revoke that consent at any time. The Central Bank of Nigeria regulates and approves open banking operations in Nigeria. API providers include banks and insurance companies; API consumers include fintech companies; and the customers are the end users of financial services.
Open banking in Nigeria is currently governed by the Operational Guidelines for Open Banking published on March 7, 2023. Among other things, the guidelines require participants to comply with data protection and privacy laws and to implement strong data security measures, including encryption and authentication, to prevent data theft. They also require adherence to the principles of data minimisation and purpose limitation: no information beyond what is needed should be requested, and API consumers should not use the information granted to them beyond the purpose for which they requested it and for which consent was given.
KYC Regulations and Privacy Implications
Know Your Customer (KYC) is a set of procedures that financial institutions must adhere to in order to verify the identity of their customers. These procedures typically involve collecting and verifying personal information such as name, address, date of birth, and official identification documents. [12].
It is a regulatory requirement that fintech companies must follow so that they hold enough information about their customers to confirm that they pose no financial risk such as fraud or money laundering. It also supports risk assessment.
In Nigeria, the CBN Customer Due Diligence Regulations 2023 apply to all banks and other financial institutions, a category that includes fintech companies. Section 6 of the regulations provides that financial institutions shall identify their customers (whether permanent or occasional, and whether natural or legal persons or legal arrangements) and obtain the following information:
For individuals
(i) legal names and any other names used (such as maiden name),
(ii) permanent address (full physical address),
(iii) residential address (where the customer can be located),
(iv) telephone number, email address, and social media handle,
(v) date and place of birth,
(vi) bank verification number (BVN),
(vii) tax identification number (TIN),
(viii) nationality,
(ix) occupation, public position held and name of employer,
(x) an official personal identification number or other unique identifier contained in an unexpired document issued by a government agency, that bears a name, photograph and signature of the customer such as a passport, national identification card, residence permit, social security records or driver's licence,
(xi) type of account and nature of the banking relationship,
(xii) signature, and
(xiii) politically exposed person (PEP) status.
It is important to note that the information requested is personal data, specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, and customers therefore retain a reasonable expectation of privacy in it. This raises two questions: is the data requested properly minimised to what is required? And how is it safeguarded to reduce the risk of unauthorised access and misuse? The principle of data minimisation holds that when collecting data for a particular purpose, you ought not to collect beyond what you need for that purpose. It is important for the regulator to go back to the drafting table on what amounts to unnecessary and excessive data collection in KYC policies, since every field collected is a field that can be leaked.
Financial institutions holding such data are attractive targets. On July 24, 2014, the European Central Bank (ECB) announced that it had suffered a data breach after unknown attackers attempted, on July 21, to ransom the stolen data back to the bank. The attackers breached the security of a database behind the bank's public website and stole around 20,000 email addresses and other contact details of people who had registered for ECB events. In 2018 the ECB also suffered a malware attack in which the website of the Banks' Integrated Reporting Dictionary (BIRD) was compromised and contact information for around 500 newsletter subscribers was stolen.[13]
In 2019, Google settled for about $13 million a class action brought over the collection of personal data from unencrypted Wi-Fi networks by its Street View cars.
What is the way forward?
The fintech industry has a great deal of regulation to comply with, depending on the activity involved, and many statutes and regulations guide its proper and lawful functioning. As regards the protection of data and privacy rights, the principal law in Nigeria is the Nigeria Data Protection Act, 2023. Other relevant instruments include the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015, the FCCPA and FCCPC regulations, the NITDA Nigeria Cloud Computing Policy, 2019 and the CBN Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, 2018, among others. Some of the key strategies for data regulatory compliance include:
(1)Privacy By Design
When designing new products, organisations are advised to take proactive steps to build privacy in from the start rather than bolt it on after the product is complete and in use. The data processing principles then become the product's defaults.
(2)Filing Compliance Audit Reports
Data controllers and data processors are required to file Compliance Audit Returns (CARs), which report on the principles of data protection, the lawful basis of processing and the compliance mechanisms stipulated under the NDPR. The audit is carried out by licensed Data Protection Compliance Organisations (DPCOs).
(3)Training in data protection and cybersecurity
Fintech companies should prioritise training their staff on data privacy and security and on how staff conduct reflects on the organisation's image. In 2019, Jun Ying, a former Chief Information Officer at Equifax, was found guilty of insider trading on advance knowledge of the breach and sentenced to four months in prison; former Equifax manager Sudhakar Reddy Bonthu was likewise convicted and sentenced to eight months of home confinement. On the cyber theft side, untrained employees can hand attackers, through phishing and similar social engineering, the information that softens the landing or springboards the penetration of the company's database. The training should also extend to customers, who are the most likely to fall into the hands of scammers seeking to steal their data while posing as a fintech company.
(4) Privacy Policy
Fintech organisations should prepare their privacy policies or notices in line with data protection regulations, clearly stating who the data controller is and who the data processors are, what data is collected and for what purpose, how it will be processed, with whom it will be shared in the case of third-party transfers, how it will be stored, how long it will be kept and the lawful basis for processing, among other things. Clarity enables transparency and vice versa, so companies should be transparent in their dealings.
(5)Data Protection Mechanism
Companies should have internal policies stating how they intend to protect and secure their customers' data, implemented through cybersecurity measures such as strong encryption, pseudonymisation, anonymisation, access control, security information and event management (SIEM), hardened database management systems and so on. There should also be regular vulnerability scanning followed by prompt patching, so that bad actors cannot take advantage of known vulnerabilities as they did at Equifax.
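As an added example (not code from the article or from any regulator or vendor), the block below shows two of the measures just listed applied to a KYC record of the kind the CBN regulations describe: direct identifiers are replaced with keyed HMAC-SHA256 pseudonyms, so that a fraud analytics team can still link records of the same customer without holding the BVN or phone number, and fields the stated purpose does not need are dropped. The purpose table, field names, sample record and key are constructed for the example; a real key would live in a KMS or HSM, never in source.

```python
"""Pseudonymising KYC records before they leave the system of record.

Added example. Direct identifiers become keyed HMAC tokens and only the fields
an approved purpose needs are released. The purpose table, record and key are
constructed; real keys belong in a KMS/HSM.
"""
import hashlib
import hmac
import itertools

# Direct identifiers that must never leave the system of record in clear.
DIRECT_IDENTIFIERS = {"legal_name", "bvn", "tin", "phone", "email", "id_number"}

# Hypothetical purpose table: the minimum fields each downstream use needs.
PURPOSE_FIELDS = {
    "fraud_analytics": {"bvn", "phone", "date_of_birth", "nationality", "pep_status"},
    "marketing": {"email", "occupation"},
}

# Constructed sample KYC record (field names follow the CBN CDD list above).
KYC_RECORD = {
    "legal_name": "A. Customer",
    "bvn": "22233344455",
    "tin": "12345678-0001",
    "phone": "+2348000000000",
    "email": "a.customer@example.com",
    "date_of_birth": "1990-02-14",
    "nationality": "NG",
    "occupation": "Trader",
    "pep_status": False,
    "signature": "<image>",
}


def token(field, value, key):
    """Keyed, field-separated pseudonym: HMAC-SHA256(key, field ':' value).

    Mixing in the field name means a BVN token can never be matched against a
    phone token; the key, held only by the system of record, is what stops
    anyone holding the output from enumerating candidate identifiers.
    """
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymise(record, purpose, key):
    """Release only the fields `purpose` needs, tokenising direct identifiers."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no approved purpose {purpose!r}")
    out = {}
    for field in sorted(PURPOSE_FIELDS[purpose]):
        if field not in record:
            continue
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = token(field, record[field], key)
        else:
            out[field] = record[field]
    return out


def unkeyed_hash(value):
    """The weak alternative: a plain SHA-256 of the identifier, no key."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_unkeyed_hash(digest_hex, digits):
    """Why a plain hash is not pseudonymisation: an identifier drawn from a small
    space (here all-numeric, `digits` long) is recovered by enumeration. A real
    BVN is 11 digits, 10**11 candidates, still hours on a CPU and seconds on a
    GPU; the keyed token above offers no such shortcut without the key."""
    for combo in itertools.product("0123456789", repeat=digits):
        candidate = "".join(combo)
        if hashlib.sha256(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    key = b"example-only-key-keep-real-keys-in-a-kms-or-hsm"
    print(pseudonymise(KYC_RECORD, "fraud_analytics", key))
    print(recover_unkeyed_hash(unkeyed_hash("4711"), 4))
```

Because the same key yields the same token, the fraud team can count how many accounts share one BVN token without ever seeing the BVN; rotating the key breaks linkability with older exports, which is the trade-off a key management policy has to decide on.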
Conclusion
Data is the lifeblood of most industries in the digital era, and fintech companies are no exception. Financial and personal data drive a successful economy, and fintech companies must therefore navigate the appropriate data compliance mechanisms and cybersecurity frameworks.
To build a successful economy, fintech companies must strike a balance between the need to use personal data and the rights of data subjects. Privacy by design, timely data audits, sensitisation on privacy and data security, inclusion of the data protection principles in the privacy policy and similar measures will not only benefit data subjects but also promote the industry's marketability and viability.
References
1 Fintech Laws and Regulations 2024 – Nigeria, Global Legal Insights, 2024, https://www.globallegalinsights.com/practice-areas/fintech-laws-and-regulations/nigeria/#_edn8
2 Digital Banks – Nigeria, Statista, 2024, https://www.statista.com/outlook/fmo/banking/digital-banks/nigeria
3 Jeremy Ross, “What is Data Protection and Privacy?”,Cloudian, https://cloudian.com/guides/data-protection/data-protection-and-privacy-7-ways-to-protect-user-data/amp/
4 Miyashiro I.K, "Case Study: Equifax Data Breach", Seven Pillars Institute, April 30, 2021, https://sevenpillarsinstitute.org/case-study-equifax-data-breach/
5 Section 65, NDPA 2023
6 Ibid
7 Chapter 1, Article 4, GDPR (EU) 2016/679
8 Chapter 2, Article 5, GDPR (EU) 2016/679
9 NITDA News, Press Release, “NITDA Sanctions SokoLoan For Privacy Invasion”, NITDA, August 17, 2021, https://nitda.gov.ng/nitda-sanctions-soko-loan-for-privacy-invasion/4914/
10 Section 24(1)(a), NDPA 2023 and Article 5(1)(a), GDPR (EU) 2016/679
11 (2017) 4 NWLR (PT. 1555) 318
12 Shijas M., “Balancing KYC Requirements and Privacy Concerns: Navigating the Delicate Interplay”, March 14, 2024, LinkedIn.
13 Kyle Chin, “Biggest Data Breaches in Europe [Updated 2025]”, Dec 30, 2024, https://www.upguard.com/blog/biggest-data-breaches-europe
Daniel Chibuike Okoro, a data expert, wrote in from Lagos
Disclaimer
Comments expressed here do not reflect the opinions of Vanguard newspapers or any employee thereof.