By Chiweindu Rufus
The Nigeria Data Protection Commission (NDPC) is currently conducting an investigation into alleged data privacy breaches involving MTN’s MoMo Payment Service Bank (PSB), a subsidiary of MTN Nigerian Communications Plc. This investigation could potentially lead to significant penalties for the company. Authorities in Abuja have widened their scope of inquiry to include approximately 150 other organisations, according to reports received by IT Edge News this week.
The NDPC is scrutinizing the licensed payment service provider, licensed by the Central Bank of Nigeria (CBN), for various infractions.
Suspected misuse of customer data, other violations
These infractions include suspected misuse of customer data, involving the unauthorized use of such data without proper consent, thereby violating user privacy rights and trust.
Additionally, the NDPC is investigating the lack of transparency exhibited by MoMo PSB, as the company has allegedly failed to provide clear and concise privacy policies regarding the collection, storage, and usage of their customers’ data. Moreover, concerns have been raised about inadequate consent practices, whereby personal data is collected and processed without explicit consent from users, resulting in privacy violations and regulatory non-compliance.
Furthermore, the NDPC is examining potential cybersecurity vulnerabilities that may have exposed sensitive customer data to hackers, leading to data breaches and compromises of personal and financial information.
MoMo PSB offers mobile phone-based financial services to Nigerians, particularly those in rural and remote areas who are excluded from the formal banking system. After receiving final approval from Nigeria’s regulatory authorities in 2022, the payment service bank officially commenced operations, boasting more than 166,000 active agents and a digitized partnership infrastructure nationwide.
NDPC ramping up enforcement efforts
The NDPC had previously signaled its intent to ramp up enforcement efforts in 2024, evidenced by the issuance of a Code of Conduct for Data Protection Compliance Organisations (DPCOs) earlier in the year.
DPCOs, licensed to provide data protection regulation compliance and breach services for data controllers like MoMo PSB, play a crucial role in upholding data privacy standards.
Last year, Dr. Vincent Olatunji, National Commissioner for the NDPC, expressed concerns regarding the compliance of many financial and telecom companies with data privacy laws. He highlighted ongoing investigations into over 110 data controllers and data processors for various degrees of data privacy and protection breaches, particularly in the financial, telecom, gaming, and online lending industries.
’We are investigating over 110 data controllers and data processors for various degrees of data privacy and protection breaches. The most worrisome are those in the financial, telecom, gaming, and online lending industries.
“When you factor in the lack of due diligence on the part of data controllers in engaging data processors or vendors that have access to the personal data of customers, you find in some cases abuse and violation of the Nigeria Data Protection Regulation (NDPR) and section 37 of the 1999 Constitution,” said Olatunji at a function a Lagos.
Olatunji emphasized the statutory obligation of mobile money and fintech companies to prioritize data protection and privacy compliance to maintain regulatory adherence and safeguard user trust.