1 May 2026

Regulatory Finality Or Rights Erosion? Reassessing The CBN’s One-Time Phone Number Update Rule Through The Lens Of Rectification And Proportionality

Stren & Blan Partners

Contributor


The Central Bank of Nigeria's new rule limiting BVN-linked phone number changes to just once raises critical questions about balancing financial security with data subject rights. As phone numbers serve as essential authentication tools yet remain inherently changeable due to theft, loss, or compromise, this regulatory restriction may conflict with statutory rectification rights under data protection law.
Nigeria Finance and Banking
Francisca Igboanugo’s articles from Stren & Blan Partners are most popular:
  • with readers working within the Banking & Credit industries

Introduction

The Bank Verification Number (“BVN”) has become a core layer of financial identity in Nigeria, and the phone number linked to it now does much more than enable communication. It is used for one-time passwords, transactions, alerts, account recovery, and authentication across digital channels.

In March 2026, it was widely reported that the Central Bank of Nigeria (“CBN”) introduced an addendum to the BVN framework, effective 1 May 2026, under which a customer may amend the phone number linked to a BVN only once.[1]

The regulatory objective is understandable, given the security risks associated with BVN-linked phone numbers, including fraud, SIM compromise, SIM-swap fraud, social engineering, and account takeover. The challenge, however, is that a phone number is inherently mutable personal data rather than a fixed identifier. It may change through theft, loss of access, deactivation, number recycling, number porting, migration between service providers, or compromise. The real question is therefore not whether the CBN may regulate BVN-linked phone number amendments, but whether a once-only amendment restriction is proportionate and compatible with the statutory right of rectification where the relevant phone number later becomes inaccurate, obsolete, inaccessible, or unsafe.

The Legal Tension

The Nigeria Data Protection Act, 2023 (“NDPA”) requires personal data to be accurate, complete, not misleading, and, where necessary, kept up to date.

It also grants data subjects a right to obtain the correction, or where correction is not feasible or suitable, deletion of personal data that is inaccurate, out of date, incomplete, or misleading. Accordingly, the concern is not merely that the accuracy principle may be strained; it is whether a once-only amendment restriction unduly burdens the exercise of a statutory right of rectification.[2]

The General Application and Implementation Directive 2025 (“GAID”) reinforces this position by recognising that the right to data rectification is essential to the operation of the principle of data accuracy under the NDPA. It also requires data controllers and processors to ensure that the platforms through which they process personal data provide an effective opportunity for rectification and that data processing systems are designed in a manner that permits auditability of the source of error.[3]

Against that framework, a single-update limitation creates a clear tension. If a BVN-linked phone number later becomes obsolete, inaccessible, or compromised, but the institution continues to rely on it for OTP delivery, transaction approval, or account recovery, the system may end up preserving inaccurate or unsafe data rather than protecting integrity. The consequence may be practical exclusion for customers, increased vulnerability for affected accounts and ongoing legal risk for financial institutions that remain responsible for accuracy, security, and accountability in their processing operations.

For customers, an outdated BVN-linked number may mean failed authentication, inability to recover an account, exposure to social engineering risks, and loss of access to digital financial services. For banks, fintechs, and payment service providers, the issue is also one of compliance. They remain subject to the NDPA even while complying with sector-specific banking rules. Any tension between data protection obligations and sectoral regulation should, consistently with the NDPA and the GAID, be approached through regulatory harmonisation rather than in a manner that erodes data subject rights or creates impossible compliance outcomes for regulated institutions.

A Better Regulatory Approach

A better approach would preserve the anti-fraud objective without converting mutable data into regulatory finality. The CBN and the Nigeria Data Protection Commission (NDPC) should issue joint sector-specific guidance on BVN-linked personal data, especially on correction requests, exceptional amendment procedures, review thresholds, complaint channels, institutional responsibilities, and documentary evidence required for high-risk amendments. That would give banks and payment service providers a clearer basis for reconciling banking supervision with data protection obligations.[4]

In addition, the present one-time amendment restriction should be replaced with a risk-tiered rectification process. Repeated amendment requests can legitimately trigger enhanced verification, biometric re-validation, NIN alignment, fraud-risk scoring, cooling-off periods, manual approval, and structured audit trails. What should be resisted is the assumption that the only alternatives are either unrestricted amendment or near-permanent immutability. There is regulatory space for a middle path that is both security-conscious and rights-compatible.

Institutions should also maintain documented exception pathways for customers who can demonstrate that the registered number has become inaccurate, inaccessible, unsafe, or no longer within their control due to objectively verifiable circumstances. This is especially important because the right to rectification only has practical value where systems are designed to accommodate genuine correction.

Customer-facing processes should equally make clear, at the point of enrolment or amendment, that the BVN-linked phone number has significant legal, security, and operational consequences. The GAID’s emphasis on effective rectification, verification opportunity, evidence of verification, and auditability of error strongly supports this approach.[5]

For regulated institutions, the practical response should include updating customer notices, strengthening identity proofing for BVN data changes, maintaining evidence of verification, documenting refusal decisions, escalating exceptional cases to designated compliance teams, and ensuring that grievance channels are available where a customer disputes the accuracy or accessibility of a BVN-linked phone number. This approach would reduce fraud without extinguishing the practical value of rectification.

Conclusion

The CBN’s one-time phone number update rule reflects a legitimate concern about fraud, identity manipulation, SIM compromise and the resilience of Nigeria’s payments ecosystem. The objective is therefore understandable. The difficulty lies in the mechanism chosen to pursue it. A phone number is inherently changeable, and a regime that blocks further correction after a single amendment without a clear exception pathway sits uneasily with the NDPA’s accuracy principle, the statutory right to rectification, and the GAID’s insistence that effective correction mechanisms should remain available.[6]

Ultimately, the better view is not that fraud controls should be weakened, but that they should be designed more carefully. Data integrity is not preserved by freezing inaccurate data in place; it is preserved through secure mechanisms that permit correction while managing fraud risk. A risk-tiered, auditable, exception-based rectification model would better balance regulatory certainty, financial system integrity, customer protection, and data-subject rights.

Footnotes

1. “CBN’s March 2026 addendum and the one-time phone number amendment rule” (Tribune Online) (accessed 21 April 2026)

2. Sections 24(1)(e) and 34(1) of the Nigeria Data Protection Act, 2023.

3. Article 36 of the General Application and Implementation Directive, 2025.

4. Article 3(1) and Article 4(2)(4) of the GAID.

5. Article 36 of the GAID.

6. Section 24(1)(e) and Section 34(1) of the NDPA; and Article 36 of the GAID. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
