Legal expert Lydia Ehisuoria Ohonsi, Esq., has released a critical analysis regarding the Central Bank of Nigeria’s (CBN) recent Addendum to the BVN regulatory framework, warning of significant compliance risks under the Nigeria Data Protection Act 2023 (NDPA).
The analysis examines the CBN’s directive, issued on 12 March 2026 and effective from 1 May 2026, which introduces sweeping changes to how Bank Verification Numbers (BVN) are managed in Nigeria.
Key Modifications to the BVN Framework
The CBN Addendum introduces four substantive changes to the existing system:
- One-Time Phone Number Restriction: Amendments to phone numbers linked to a BVN are now permitted only once in a lifetime.
- Age Floor for Enrolment: New BVN enrolments are restricted to individuals aged 18 years and above.
- Temporary Fraud Watchlist: A mandatory 24-hour mechanism where financial institutions must flag BVNs implicated in suspected fraudulent transactions.
- Tightened Access Controls: Database access is exclusively confined to CBN-licensed financial institutions.
The Legal Conflict: NDPA Primacy
Ohonsi highlights a "non-trivial" tension between these security measures and the NDPA 2023, which holds constitutional-level supremacy over other laws regarding personal data processing. As the BVN contains biometric data, it is classified as "sensitive personal data," attracting the highest level of protection.
The most contentious issue is the one-time phone number restriction. Legal practitioners argue this directly conflicts with the NDPA’s Accuracy Principle and the Right to Rectification. Section 33 of the NDPA grants data subjects the right to correct inaccurate or misleading information.
"A measure designed to prevent identity manipulation may paradoxically create new and more severe security vulnerabilities by locking customers into permanently outdated contact details," the report notes.
Risks and Implications for Banks
Financial institutions, often classified as Data Controllers of Major Importance (DCPMIs), face severe penalties for non-compliance with the NDPA.
- Fines: Penalties can reach up to NGN 10,000,000 or 2% of annual gross revenue.
- Compliance Obligations: Banks must conduct Data Protection Impact Assessments (DPIAs) for high-risk processing like the new watchlist mechanism.
- Transparency: Privacy notices must be updated before 1 May 2026 to reflect these new processing activities.
Recommendations for Reform
To reconcile financial security with data rights, the analysis suggests several key reforms:
- Enhanced Verification Model: Replace the lifetime ban on phone changes with a system requiring in-person biometric re-verification and a 72-hour pre-notification for subsequent changes.
- Regulatory Cooperation: The CBN and the Nigeria Data Protection Commission (NDPC) should execute a formal Memorandum of Understanding (MOU) to provide joint guidance.
- Guardian-Linked Enrolment: Introduce a pathway for minors to ensure financial inclusion while maintaining child data protection safeguards.
Conclusion
While the CBN’s objectives of fraud prevention are legitimate—especially given that digital payment fraud cost Nigeria an estimated NGN 25.85 billion in 2025—the report concludes that security must not come at the expense of fundamental data rights. Customers are advised to verify their linked phone numbers before the 1 May 2026 deadline.
Contact Information:
Lydia E. Ohonsi, Esq.
Email: info@kohlleedslegal.ng
March 2026
To explore the detailed legal interrogation of these modifications and their constitutional implications, you can read the full article by selecting the link to the PDF below.
https://drive.google.com/file/d/1L7iYRe2Z6KqlwEk1fK9fFYgMFifUeXlr/view?usp=sharing
0 Comments