5 April 2026

Beyond Licensing: The New Face Of Fintech Compliance Under The NDPA, GAID And CBN Guidelines

Babalakin & Co. Legal Practitioners

Daniel Igiekhumhe’s articles from Babalakin & Co.Legal Practitioners are most popular:
  • within Technology topic(s)
  • with Finance and Tax Executives
  • with readers working within the Technology, Telecomms and Law Firm industries

INTRODUCTION

In the last decade, Nigeria’s financial technology (FinTech) sector has grown exponentially, serving as a key driver of financial inclusion and transforming how millions access financial services.1 The growth of FinTech entities has coincided with the evolution of the regulation of the sector. Regulation has evolved beyond answering the question of “who can operate?” to creating and enforcing comprehensive frameworks that mandate how FinTech companies handle data, protect consumers, and maintain operational standards. This article examines how the Nigeria Data Protection Act 2023 (NDPA), the General Application and Implementation Directive 2025 (NDPA-GAID), and the guidelines of the Central Bank of Nigeria (CBN) have created a multi-layered regulatory environment that demands strategic compliance navigation.

UNDERSTANDING THE FRAMEWORKS

Historically, FinTech compliance in Nigeria primarily revolved around ensuring alignment with licensing and capital requirements.2 Today’s reality is materially different. The NDPA establishes foundational data protection principles applicable to all data controllers and processors, the GAID provides operational guidelines on implementation, and CBN guidelines address prudential requirements, consumer protection, and sector-specific obligations. Together, these frameworks create an integrated compliance These regulatory frameworks reflect a fundamental shift in approach: from stringent market entry to governing ongoing operations. FinTech companies must demonstrate not merely capacity to operate, but commitment to protecting customer data, ensuring service reliability and maintaining transparency throughout their operations.

DATA PROTECTION AS CORE INFRASTRUCTURE

The NDPA, Nigeria’s most comprehensive data protection legislation, creates a significant roster of obligations for FinTech companies whose business models typically involve the collection and processing of significant amounts of sensitive personal data.3

Under the NDPA, FinTech companies must establish a lawful basis for data collection and processing, implement appropriate security measures and respect data subject rights including access, rectification, and erasure. The Act mandates Data Protection Impact Assessments for high-risk processing activities, a category that involves credit scoring algorithms, fraud detection systems and automated decision-making processes common in digital lending and payment platforms.

Introduced in 2025, the GAID builds upon the foundation of the NDPA by providing detailed implementation guidelines. It clarifies ambiguities around consent requirements, specifies documentation standards for demonstrating compliance and establishes timelines for responding to data subject requests. Critically, the GAID addresses cross-border data transfers, an important consideration for FinTech companies operating across multiple jurisdictions or utilising cloud services hosted outside Nigeria. 

CBN GUIDELINES: PRUDENTIAL MEETS OPERATIONAL

The CBN’s regulatory framework for FinTech companies extends well beyond traditional banking supervision.4 Recent guidelines address payment system operations, digital lending practices, the adoption and use of Open Banking frameworks and cybersecurity requirements. These guidelines operate alongside data protection law, creating compliance obligations that must be satisfied simultaneously.

A significant regulatory frontier is consumer credit reporting. The CBN saddles regulated entities with compliance obligations which include the assessment of creditworthiness and the submission of reports to credit bureaus. Simultaneously, the NDPA restricts automated decision-making that produces a legal or significant effect without human intervention, requires transparency about processing data and grants customers rights to contest decisions.5

Against the backdrop of the multi-faceted regulatory landscape, FinTech companies have to create and implement systems that satisfy both regulatory expectations and data protection requirements, a delicate balance which demands technical competence and legal clarity.

Similarly, CBN cybersecurity guidelines mandate specific technical controls, incident reporting timelines and audit requirements.6 These requirements intersect with the NDPA’s security obligations and the GAID’s breach notification procedures. Effective compliance requires integrated systems where security measures simultaneously address both prudential and data protection concerns.

PRACTICAL COMPLIANCE CHALLENGES FOR FINTECH COMPANIES

Documentation Angst: FinTech companies must maintain records demonstrating compliance with CBN operational requirements, data protection impact assessments, processing registers under the NDPA and evidence of implementing GAID directives. This documentation must be accessible for inspections by multiple regulators with potentially different expectations and timelines.

Cross-regulatory Expectations: Considering the significant obligations birthed by the regulatory overlaps, FinTech entities have the knotty burden of determining the extent and scope of their obligation. The NDPA’s principle of “adequate security” may be interpreted within the framework of CBN’s more prescriptive technical requirements.

Clogged Enforcement Landscape: Multiple regulators such as the Nigeria Data Protection Commission, the CBN and others have jurisdiction over different aspects of FinTech operations. Enforcement actions, penalties and remediation requirements may come from multiple sources, potentially creating conflicting obligations or duplicated but independent sanctions, a potential burden which may clog rather than enable business efficiency.

STRATEGIC CONSIDERATIONS FOR FINTECH COMPANIES

For FinTech companies to continue to drive growth without falling short of mandated best practices, we recommend the following:

a. Proactive Compliance: FinTech companies have to transition beyond treating compliance as an afterthought by adopting integrated frameworks and business models which treat compliance as a cornerstone of operations. FinTech companies need to engage and retain competent professionals to provide the guidance needed to ensure compliance and avert liability.

b. Governance integration: Rather than maintaining separate compliance functions for data protection and financial regulation, FinTech companies can develop integrated governance measures that address both areas holistically. This approach ensures consistency, identifies potential conflicts early and promotes efficient resource allocation.

c. Privacy by design: Incorporating data protection considerations from product conception rather than as an afterthought helps ensure that services satisfy both NDPA requirements and CBN operational expectations. This approach reduces costly retrofitting and demonstrates a proactive compliance culture to regulators.

d. Documentation systems: Implementing centralized systems for maintaining compliance documentation across all regulatory areas streamlines audit responses and ensures consistency. These systems should capture not only what the company does, but why particular approaches were chosen and how they satisfy multiple regulatory requirements.

e. Regulatory engagement: Proactive dialogue with both the Nigeria Data Protection Commission and CBN can clarify ambiguities before they become compliance failures.

CONCLUSION

Nigeria’s FinTech regulatory framework has developed from a simple licensing regime into a comprehensive governance structure addressing data protection, consumer rights concerns, and operational standards. FinTech companies that view compliance as a tick-box exercise will struggle with the complexity and potential conflicts inherent in this multi-layered framework. Those that embrace integrated governance, prioritise consumer protection alongside innovation and maintain proactive regulatory dialogue will find themselves better positioned not only to satisfy regulatory requirements but to build sustainable competitive advantages grounded in trust and operational excellence.

As the regulatory environment continues to evolve, one reality remains distinct: in Nigeria’s FinTech sector, compliance excellence has become inseparable from business excellence.

Footnotes

1. Fintech Evolution And Development In Nigeria: Lessons From Other Jurisdictions -https://www.cbn.gov.ng/Out/2023/RSD/OCCASIONAL%20PAPER%20NO%2076%20 %20Fintech%20Evolution%20and%20Development%20in%20Nigeria.pdf

2. Fintech Laws and Regulations 2025 – Nigeria - https://www.globallegalinsights.com/practice-areas/fintech-laws-a%20single%20aggregator.

3. Olumide Babalola, ‘The GDPR-Styled Nigeria Data Protection Act 2023 and the Reverberations of a Legal Transplant’ (2024) 3 British Journal of Cyber Criminology 1.

4. Rodiyyah Bashir and Temitope Ogundare, ‘CBN Strengthens Regulatory Oversight With New Compliance Department’ TechHive Advisory Africa (2 October 2025) https://www.techhiveadvisory.africa/insights/cbn-strengthens-regulatory-oversight-with-new-compliance-department

5. Aisha Mohammed, ‘Implications Under the NDPA 2023: Retention and Reuse of Personal Data’ Medium (8 October 2025) https://medium.com/@aishaibnmohammed/implications-under-the-ndpa-2023-retention-and-reuse-of-personal-data-d028929d0ccb

6. Central Bank of Nigeria, “Central Bank of Nigeria Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Banks” https://www.cbn.gov.ng/Out/2024/BSD/CBN%20Risk-Based%20Cybersecurity%20Framework%20for%20DMBs%20and%20PSBs_2024.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
