CBN directive on bank customers’ social media handles illegal — Commission

THE Nigeria Data Protection Commission (NDPC) has faulted the Central Bank of Nigeria’s (CBN) recent directive that banks should obtain and verify customers’ social media handles.

The Commission described the directive as illegal, noting that it violated privacy laws.

The apex bank had on June 26, directed banks to obtain the social media handles of customers as part of enhanced Customer Due Diligence (CDD) regulations.

Read Also:

It explained that the move was geared towards bolstering bank customers’ compliance with anti-money laundering (AML) and counter-terrorism financing (CFT) provisions, while aligning with international best practices.

However, in a statement on Thursday, June 29, the NDPC said it was currently engaging with the CBN on the directive, stressing that there is need to adhere to fundamental principles when collecting citizens’ data.

NDPC national commissioner Vincent Olatunji, who reacted to the directive in the statement, highlighted the significance of the Nigerian Data Protection Act (NDPA), which was enacted on June 12, in ensuring the responsible handling of citizens’ data by Data Controller Organisations.

Olatunji said the Act outlines guidelines for the processing of personal data, emphasising fairness, lawfulness, transparency, minimal data collection, and limited retention periods.

He explained that there were prerequisite steps any Data Controller must take prior to the collection of data from data subjects.

The NDPC official added that any organisation that defaulted was going against the law and causing a data breach, noting that such would attract a fine.

“We are already engaging with the CBN to let them know that what they have done is against the law because there are basic principles you must meet when you want to collect citizens’ data,” he said.

“There is data minimisation, meaning you don’t collect data beyond the purpose for which it was intended, purpose limitation, what purpose it is for.”

Olatunji stressed that the NDPC’s role is to protect the rights and interests of Nigerian citizens, making it applicable to all data controllers, including private and government offices, NGOs, and hotels.



    “The purpose of this law is to safeguard the rights and interests of Nigerians who are data subjects.”

    He highlighted key principles, such as data minimization, which mandates that data should only be collected for its intended purpose, and purpose limitation, which specifies the purpose for which data is collected.

    Olatunji further argued that requesting social media handles from bank customers was unnecessary.

    However, he acknowledged that if the collection of social media handles served a public interest, such as transaction monitoring, customers should be properly informed.

    You can reach out to me on Twitter via: vincent_ufuoma

    Join the ICIR WhatsApp channel for in-depth reports on the economy, politics and governance, and investigative reports.

    Support the ICIR

    We invite you to support us to continue the work we do.

    Your support will strengthen journalism in Nigeria and help sustain our democracy.

    If you or someone you know has a lead, tip or personal experience about this report, our WhatsApp line is open and confidential for a conversation


    Please enter your comment!
    Please enter your name here

    Support the ICIR

    We need your support to produce excellent journalism at all times.

    - Advertisement


    - Advertisement