INTRODUCTION
In the last decade, Nigeria’s financial technology (FinTech) sector has grown exponentially, serving as a key driver of financial inclusion and transforming how millions access financial services. The growth of FinTech entities has coincided with the evolution of the regulation of the sector. The regulation has evolved beyond answering the question of “who can operate?” to creating and enforcing comprehensive frameworks which mandate how FinTech companies handle data, protect consumers, and maintain operational standards. This article examines how the Nigerian Data Protection Act 2023 (NDPA), the General Application and Implementation Directive 2025 (NDPA-GAID), and the guidelines of the Central Bank of Nigeria (CBN) have created a multi-layered regulatory environment that demands strategic compliance navigation.
UNDERSTANDING THE FRAMEWORKS
Historically, FinTech compliance in Nigeria primarily revolved around ensuring alignment with licensing and capital requirements. Today’s reality is materially different. The NDPA establishes foundational data protection principles applicable to all data controllers and processors, the GAID provides operational guidelines on implementation, and CBN guidelines address prudential requirements, consumer protection, and sector-specific obligations. Together, these frameworks create an integrated compliance These regulatory frameworks reflect a fundamental shift in approach: from stringent market entry to governing ongoing operations. FinTech companies must demonstrate not merely capacity to operate, but commitment to protecting customer data, ensuring service reliability and maintaining transparency throughout their operations.
DATA PROTECTION AS CORE INFRASTRUCTURE
The NDPA, Nigeria’s most comprehensive data protection legislation, creates a significant roster of obligations for FinTech companies whose business models typically involve the collection and processing of significant amounts of sensitive personal data.
Under the NDPA, FinTech companies must establish a lawful basis for data collection and processing, implement appropriate security measures and respect data subject rights including access, rectification, and erasure. The Act mandates Data Protection Impact Assessments for high-risk processing activities, a category that involves credit scoring algorithms, fraud detection systems and automated decision-making processes common in digital lending and payment platforms.
Introduced in 2025, the GAID builds upon the foundation of the NDPA by providing detailed implementation guidelines. It clarifies ambiguities around consent requirements, specifies documentation standards for demonstrating compliance and establishes timelines for responding to data subject requests. Critically, the GAID addresses cross-border data transfers, an important consideration for FinTech companies operating across multiple jurisdictions or utilising cloud services hosted outside Nigeria.