Thursday, June 18th 2026

NDPC Probes Fintechs, Insurers Over Data Protection Gaps

Moniepoint, Abeg, Leadway, eTranzact among firms named in compliance sweep



The Nigeria Data Protection Commission (NDPC) has launched a sector-wide investigation into suspected non-compliance with the Nigeria Data Protection Act (NDP Act, 2023), naming some of the country’s best-known fintech and financial services firms among its targets.

In a public notice published on August 25, 2025, the NDPC listed dozens of organisations — including eTranzact, Abeg Technologies, Chams Plc, Moniepoint Microfinance Bank, FBN Mortgages, Merrybet, Leadway Assurance, Coronation Insurance and Zenith Pensions — and instructed them to provide evidence of compliance within 21 days.

What the regulator demands

According to the notice, each organisation must submit:

  • Proof that they filed 2024 compliance audit returns under the NDP Act.
  • Details of a formally appointed Data Protection Officer (DPO).
  • Evidence of registration as a data controller or processor of major importance, where applicable.
  • Documentation of technical and organisational measures safeguarding customer data.

The NDPC warned that failure to comply could result in enforcement orders, administrative fines, or even criminal prosecution.

Why it matters

The inclusion of major fintech apps and legacy financial institutions raises concerns for millions of Nigerians who entrust them with sensitive financial and personal data.

  • Moniepoint and Abeg process transactions for millions of users.
  • eTranzact provides payment rails for banks and merchants nationwide.
  • Chams Plc runs identity and card services.
  • Pension and insurance companies such as Zenith Pensions and Coronation Insurance hold large volumes of retirement and policyholder records.

Industry watchers say the probe strikes at the backbone of Nigeria’s digital financial infrastructure.

Regulatory shift

The NDP Act gives the NDPC broad powers to audit, demand documentation, and sanction firms that fail to protect personal data. By publishing its investigation list publicly, the commission signals a shift from private enforcement to visible, sector-wide regulatory pressure.

“Customers need to see that their data is being taken seriously,” an NDPC spokesperson noted in the notice, adding that non-compliant companies risk reputational damage alongside legal penalties.

Business implications

For companies, the risks are layered:

  • Reputation: Customers may pause onboarding or withdraw accounts if trust is shaken.
  • Commercial ties: Banks, processors, and foreign partners may reassess risk exposure.
  • Operational costs: Fines or enforced service restrictions could cut into already tight margins.

Still, analysts note that compliance could also become a market advantage. Firms that act quickly — appointing DPOs, publishing customer-facing data statements, and commissioning third-party audits — can rebuild trust and position themselves as leaders in a tightening regulatory landscape.

What’s next

The listed companies have 21 days to respond to the NDPC. The commission advises organisations to send enquiries to legal@ndpc.gov.ng or use its official contact lines.

For consumers, experts say the notice is not proof of a data breach but a red flag for regulatory review. Customers should watch for updates from service providers on how their personal data is being handled and protected.

 
