Emerging Trends In Subsidiary Governance And Liability – A Nigerian Perspective

1. Legal and regulatory tightening: CAMA 2020 reshapes director duties and disclosure

The Companies and Allied Matters Act 2020 (“CAMA 2020”) introduced reforms that materially reshaped governance requirements for Nigerian companies. These include strengthened disclosure obligations, which now attract active monitoring and penalties for non-compliance; the requirement to disclose the Persons with Significant Control (PSC) of entities with the Corporate Affairs Commission (CAC),1 which the CAC enforces as part of Nigeria's anti-money laundering commitments; and a broadened articulation of directors' duties. Directors are expressly required to have regard not only to the interests of shareholders but also those of employees, creditors, communities, and the environment when making decisions2. Taken together, these provisions signal a clear shift in Nigerian corporate law toward transparency, accountability, and sustainability, with enforcement already underway.

Why it matters: statutory compliance, accurate disclosure, and demonstrable board oversight are now baseline expectations. Failure to meet them exposes local directors and, in some cases, the company itself to regulatory sanctions. Although Nigerian regulators have not yet tested the boundaries of these provisions extensively, the trend points to closer scrutiny of director conduct.

Practical Implications: How Boards and Parent Companies Should Respond

In practical terms, these developments require boards of Nigerian subsidiaries and their parent companies to move beyond box-ticking compliance and adopt demonstrable governance oversight. Subsidiary boards should ensure that statutory disclosures (particularly PSC filings, financial statements, and governance returns) are accurate, timely, and periodically reviewed at the board level, with clear documentation of deliberations and decision-making. Parent companies, especially those exercising significant influence over strategy or operations, should recalibrate their oversight frameworks to avoid informal control that may blur governance boundaries, while still maintaining robust reporting and compliance systems. This includes implementing group-wide governance policies, clearly delineating reserved matters, training directors on their expanded statutory duties, and maintaining evidence that decisions are taken in the subsidiary's best interests. As regulatory scrutiny intensifies, boards that demonstrate active oversight, independence of judgment, and compliance discipline will be better positioned to mitigate liability risks and regulatory exposure. 

2. Piercing the Corporate Veil: Limits, Risk Indicators, and Implications for Parent Companies and Officers

While the doctrine of separate legal personality remains fundamental under Nigerian law, it is not absolute. Courts have consistently affirmed that they will disregard the corporate veil where a company is deployed as an instrument of fraud, a device to evade existing legal obligations, or a façade to conceal true facts.3 The Supreme Court has over time reiterated the principle that the veil will not protect individuals who hide behind a corporate entity to perpetrate illegality. The Court has also repeatedly underscored the principle that where a party uses corporate structures to frustrate contractual or statutory duties, the substance of the relationship will prevail over its form. These decisions, read together, show a clear willingness of Nigerian courts to pierce or lift the veil as justice, public policy, or the prevention of abuse demands. For multinationals, this means that reliance on formal group structures without demonstrable governance, independence, and operational substance at the subsidiary level carries real legal and reputational risk.

Why it matters: While poor subsidiary governance will not, without more, justify piercing the corporate veil, it can materially increase scrutiny of the parent–subsidiary relationship by courts and regulators. Where a parent company exercises extensive operational control, issues detailed directives without corresponding local discretion, or fails to maintain clear governance separation, this may weaken its ability to demonstrate that the subsidiary operates as an independent legal entity. In such circumstances, courts may be more willing to interrogate the substance of the relationship where allegations of fraud, evasion of legal obligations, or abuse of corporate form are raised. At a minimum, governance failures at the subsidiary level expose parent companies to significant reputational, regulatory, and litigation risk, even where the legal threshold for veil-piercing is not met.

Practical Implications: How Boards and Parent Companies Should Respond

To mitigate the risk of piercing the corporate veil and related liability, parent companies must closely monitor how control is exercised over Nigerian subsidiaries in practice. While oversight may be legitimate, excessive operational control by the parent, particularly where it supplants the subsidiary board's decision-making, can undermine the reality of the separate legal personality of subsidiary entities, thereby making the lifting of corporate veil easier. Parent companies should therefore ensure that strategic directives are channelled through formal governance mechanisms, such as reserved matters and shareholder approvals, rather than informal instructions or ad-hoc intervention in the management of the subsidiary. 

Subsidiary boards should meet regularly, exercise genuine discretion, and maintain contemporaneous records demonstrating independent consideration of issues ahead of taking decisions, including where parent guidance is followed. Key contracts, regulatory engagements, and financing arrangements should clearly identify the subsidiary as the contracting party, with signatories acting in their proper corporate capacities.

Care should also be taken to avoid overlaps between the executive officers of the parent entity on one hand, and subsidiary on the other, which could create the risk of the parent executives being regarded as shadow directors of the subsidiary.

In summary, parent entities should design governance frameworks that allow effective oversight without operational dominance. At the same time, subsidiary boards must be empowered and seen to act as the true mind and management of the subsidiary entity.

3. Regulatory cross-pollination and ESG expectations

Although ESG obligations are not yet codified in Nigerian law in the same way as in Europe, they are gaining traction. CAMA 2020 encourages directors to consider environmental sustainability4. The Securities and Exchange Commission (SEC) has also released a Corporate Governance Code that highlights stakeholder and sustainability considerations. In addition, the rules of the Nigerian Exchange impose sustainability reporting obligations on listed companies.

Why it matters: While many ESG requirements remain soft law, regulators and investors are increasingly aligning governance expectations with global practice. ESG failures at the subsidiary level can, therefore, trigger regulatory attention, reputational harm, and loss of investor confidence.

Practical Implications: How Boards and Parent Companies Should Respond

As ESG expectations increasingly influence regulatory enforcement, investor decision making, and public scrutiny, parent companies must treat Nigerian subsidiaries as integral components of their group-wide sustainability and risk frameworks. This requires more than adopting global ESG policies; it demands localisation. Subsidiaries should translate group standards into Nigeria-specific procedures that reflect local regulatory requirements, sectoral risks, and community impact considerations, while aspiring towards international best practices.

Boards should ensure that ESG responsibilities are clearly allocated, whether through board committees, designated officers, or integration into existing risk and compliance functions. Regular reporting on ESG metrics should be built into management information systems, enabling both the subsidiary board and the parent to identify emerging risks early. For entities operating in regulated or sensitive sectors, proactive engagement with regulators, communities, and other stakeholders can significantly reduce reputational and operational exposure.

As Nigerian regulators and investors increasingly align with global ESG norms, groups that embed sustainability into subsidiary governance will be better positioned to manage risk, attract capital, and maintain long-term operational legitimacy.

4. Data protection and cyber risk at the subsidiary level

The Nigeria Data Protection Act 2023 (NDPA) and the General Application and Implementation Directive (GAID) 2025 consolidate and expand obligations under the earlier NDPR. It imposes duties on data controllers and processors to implement privacy governance frameworks5, conduct data protection impact assessments (DPIAs)6 and annual data protection audits7, and maintain robust personal data breach response mechanisms. Enforcement activity is increasing, with the Nigeria Data Protection Commission (NDPC) announcing audits and compliance investigations.

Why it matters: Weak privacy controls in a Nigerian subsidiary can expose both the subsidiary and its parent company to regulatory fines and reputational damage, especially where cross-border processing is involved. Under the NDPA 2023, the NDPC treats each entity in a corporate group as a separate controller or processor (depending on the role an entity plays in data processing), meaning the parent and the subsidiary are individually responsible for compliance. Where a parent company receives personal data from a Nigerian subsidiary, mandates the use of centralised systems, or dictates how data is processed, it may fall within the NDPA's regulatory scope as a controller in its own right. In such cases, the NDPC is likely to scrutinise both entities as participants in the same processing activity, exposing each to regulatory action based on its level of control and operational involvement. This makes it critical for group-wide policies to be effectively localised, monitored, and enforced at the subsidiary level.

Practical Implications: How Boards and Parent Companies Should Respond

1. Move from policy to implementation
   Having group-level compliance policies is not sufficient. Parent companies should request evidence of local implementation, such as records of staff training, data processing registers (RoPAs), data protection impact assessments (DPIAs), and reports showing how identified risks have been addressed.
2. Clarify governance roles and decision-making
   Where the parent company makes or approves key operational decisions for the subsidiary, it should also recognise the corresponding responsibility and liability that may arise. Clear governance mapping helps reduce the risk of blurred accountability.
3. Strengthen the local board
   Subsidiary boards should include directors with technical competence in areas such as compliance, data protection, or finance. For material subsidiaries, appointing at least one independent non-executive director can improve credibility and oversight.
4. Integrate privacy and cyber risk into operations
   Data protection and cybersecurity risks should be factored in from the design stage of new projects. DPIAs should be carried out where relevant, and both the parent and subsidiary should be part of an incident response framework with clear escalation protocols. In addition, regular data protection audits should also form part of group governance arrangements, as they provide visibility into the compliance level of entities within the group and help identify gaps in data privacy practices. Statutory data protection audits are part of the NDPA's compliance and accountability framework. The NDPA and GAID requires the statutory audits to be conducted by a Data Protection Compliance Organisation (DPCO) licensed by the NDPC. Even where not strictly mandatory, periodic audits are increasingly viewed by regulators as evidence of proactive compliance and effective oversight.
5. Substantiate intra-group arrangements
   Parents should maintain proper documentation of related-party transactions, including contemporaneous records of transfer pricing rationale. Regular reviews and benchmarking help reduce exposure during tax or regulatory audits.
6. Develop sustainability reporting practices
   Even if not legally mandated, subsidiaries in sensitive sectors (such as extractives, energy, or consumer goods) should track and report environmental and social impacts. Independent verification of key disclosures will strengthen stakeholder confidence.

Conclusion: Finding the Right Balance

Subsidiaries in Nigeria are no longer peripheral structures. They are increasingly treated as independent governance and regulatory frontlines, with directors expected to demonstrate transparency, accountability, and genuine operational substance in practice, not merely in form.

For parent companies, the real challenge lies in moving beyond group policies on paper to practical, demonstrable, well-documented oversight and decision-making at the subsidiary level. Nigerian regulators are intensifying enforcement under CAMA 2020, the NDPA, and securities rules, while courts remain willing to pierce the corporate veil where structures are abused.

The direction of travel is clear: enforcement will deepen, expectations will rise, and liability will more easily flow from subsidiaries to their parents. Groups that invest early in strengthening subsidiary governance through clear delegation, documented compliance, integrated compliance frameworks and credible local board oversight will be best positioned to capture opportunities in Nigeria while avoiding escalating legal and reputational risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.