The Nigeria Data Protection Commission (NDPC) has opened a sector-by-sector investigation into dozens of companies for suspected non-compliance with the Nigeria Data Protection Act (NDP Act, 2023), naming several household fintech and financial services brands among the targets.
A few prominent firms listed in the public notice include eTranzact, Abeg Technologies, Chams Plc, Moniepoint Microfinance Bank, FBN Mortgages, Merrybet, Leadway Assurance, Coronation Insurance and Zenith Pensions.
The notice, published by Businesday on August 25, 2025, instructs every organisation in the schedule to provide documentary proof within 21 days that they filed NDP Act compliance audit returns for 2024, formally designated a Data Protection Officer (DPO), registered as a data controller or processor of major importance where required, and put in place adequate technical and organisational measures to protect personal data.
The NDPC warns that failure to comply could trigger enforcement orders, administrative fines or criminal prosecution under the Act.
For many Nigerians, the inclusion of recognisable fintech players and legacy financial institutions on the list will raise immediate questions about the safety of personal and financial data held by platforms they use daily.
Moniepoint and Abeg, for instance, are front-line consumer finance apps with millions of customer records; eTranzact powers payment rails for banks and merchants across the country; Chams runs identity and card services; while pension and insurance firms such as Zenith Pensions and Coronation Insurance sit on troves of sensitive retirement and policyholder data.
The NDPC’s public notice therefore touches the backbone of Nigeria’s digital financial infrastructure.
Regulatory context matters. The NDP Act gives the NDPC broad powers to audit, demand documentation and sanction organisations that fail to meet statutory safeguards. By publishing a sectoral schedule, the commission signals a shift from private enforcement to visible, public regulatory pressure, a tactic intended to compel rapid compliance and reassure data subjects that the state is taking data protection seriously.
For companies, however, the short window to respond raises operational challenges as many will have to marshal legal, security and compliance teams quickly to assemble audit returns, evidence of technical controls, and DPO appointments.
Read also: How fintech platforms bypass data privacy requirements with consent loopholes
The business implications are immediate and layered. First, reputational damage is a real risk. Customers may pause onboarding, withdraw accounts, or demand explanations if they perceive that their data might be at risk.
Second, commercial partners – banks, payment processors, advertisers and regulators abroad – may reassess integrations or risk exposure, particularly where cross-border data transfers are involved.
Third, enforcement actions such as fines or requirements to cease certain data processing activities could disrupt services, erode revenue streams and inflate compliance costs at a time when fintech companies and insurers are already operating on thin margins.
Yet the notice is also an opportunity. Companies that move swiftly to comply can convert regulatory pressure into competitive advantage. Publishing a named DPO, completing audit returns and clearly documenting technical protections, from encryption standards to access controls and incident-response playbooks, can be reframed as customer reassurance.
For Nigerian fintech companies selling abroad or courting foreign investors, demonstrable compliance with domestic law is often a de-risking checkbox for capital and partnerships. The NDPC’s public naming campaign therefore nudges the market toward maturity. Compliance becomes not only a legal obligation but also a market differentiator.
What should the listed companies do now? The public notice spells out the essentials: (1) file the 2024 NDP Act compliance audit returns, (2) appoint and publish DPO details, (3) register as a data controller/processor where required, and (4) provide a summary of technical and organisational measures for data protection.
Firms should also consider immediate transparency measures including customer-facing statement on data handling, channels for breach reporting, and expedited audits by reputable third parties. These steps reduce the chance of heavier enforcement and help restore public confidence.
Consumers should watch closely but not panic. A named investigation does not itself prove a data breach or deliberate wrongdoing. It flags potential non-compliance that the NDPC will now probe. Still, customers should expect timely communication from affected companies about what data is processed, how it is protected, and what remediation looks like if issues are found.
The NDPC public notice is available in full below; it sets out the schedule of organisations under investigation and the documentation required within 21 days. For enquiries, the notice points to [email protected] and the commission’s contact lines.