FINTECH REGULATIONS INNIGERIA

AN OVERVIEW (PART 2)

J U N E 2 0 1 9

Nigeria has seen remarkable growth in thetechnological sector, including anexponential growth in FinTech companies,encompassing start-ups and moreestablished businesses. Consequently, the Nigerian government hasbeen inquiring into the financial servicessector and focusing on FinTech as one of thekey impetus for growth in the Nigerianfinancial services industry. For this reason, and as part of a nationalstrategy for the development of the FinTechindustry in Nigeria, there has beensignificant interest from policymakers inimplementing new regulations for theFinTech industry. In the first part of this series, we took acloser look at FinTech in relation to DigitalPayments and discussed the variousregulations that inadvertently affect themwithin Nigeria. In this part, we seek to examine the Nigerianregulations that affect, FinTech Testing andData Protection respectively.

In the tech space, testing applications andsoftware can sometimes be a daunting task-especially in Nigeria where tech start-upsare cropping up by the minute. Usually, it takes a great deal of time forFinTechs to test their solutions and ensurethat they are ready for the market, afterwhich several of those FinTechs then realisethat they are in breach of a regulation thatthey  were not aware of. In light of this and in a bid to keep up withthe fast-paced changes in the technologysector, some Countries have explored theoption of a ‘Regulatory Sandbox’. A ‘Regulatory Sandbox’ is a controlledenvironment that offers a ‘safe space’ inwhich start-ups and other businesses cantest innovative products, services, businessmodels and delivery mechanisms relating tothe financial and capital markets in a liveenvironment without immediately satisfyingall the necessary regulatory requirements.[1] Regulatory Sandboxes have beenimplemented in  several countries like, theUK, Singapore, Malaysia, Abu Dhabi, Canada,Denmark and Australia[2] to name a few.

02

FinTech REGULATIONS INNIGERIA

FINTECHTESTING1

[1] Securities and Exchange Commission, Nigeria, ‘Regulatory Sandbox- Assessment’ (2019) <https://sec.gov.ng/regulatory-sandbox-assessment/>[2] nyujlb.org, ‘Playing in the Regulatory Sanaldbox’ (2019) <https://www.nyujlb.org/single-post/2018/01/08/Playing-in-the-Regulatory-Sandbox>

03

[3] Securities and Exchange Commission, Nigeria, ‘Regulatory Sandbox- Assessment’ (2019) <https://sec.gov.ng/regulatory-sandbox-assessment/>[5] https://www.independent.ng/cbn-nibss-launch-regulatory-sandbox-to-empower-fintechs/[6] Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended)

There are several regulations that applyto Data protection in Nigeria. In January2019, an all-encompassing regulationwas released by the National InformationTechnology Development Agency(‘NITDA’) for the sole purpose ofregulating data protection across thenation- but it is not the only one. Below are all the regulatory sources thatapply to data protection in Nigeria: a. Section 37 of the 1999 Constitution(as Amended) The Nigerian Constitution provides theumbrella law that clearly states thenation’s position on the issue of dataprotection. Section 37 provides; ‘ ’The privacy of citizens, their homes,correspondence, telephone conversationsand telegraphic communications ishereby guaranteed and protected.’’[6] All other regulations that were releasedsubsequently, used the provisions of thissection as the underlying principle. 

The Securities and Exchange Commission(SEC) have just launched a RegulatorySandbox. SEC, on its portal, invitesbusinesses or individuals  that plan tolaunch innovation products, services,business models and deliverymechanisms relating to capital markets,to fill the questions contained on itswebsite to enable the SEC provideguidance to the tester on regulatoryrequirements (if any).[3] With the SEC Regulatory Sandbox,FinTechs will have a safe environment totest their solutions. We believe thesandbox is live and fully operational andexpect this step to have a huge impacton both the growth and the successfulregulation of FinTechs in the comingyears. Furthermore, the Central Bank of Nigeria(‘CBN’) and the Nigerian Inter-BankSettlement System (‘NIBSS’) announcedin 2018, that they would becollaborating to create a CBN x NIBSSregulatory sandbox for the facilitation ofdigital innovation and FinTech solutions. To that effect, they created the FinancialService Innovators Association of Nigeria(FSI) to co-ordinate the project and areexpected to launch by the end of theyear.[5] 

DATAPROTECTION2

04

b. Freedom of Information Act 2011 The Freedom of Information Act (‘the Act’)was signed into law in May 2011 and it aimsto:[7]- Make public records and information morefreely available;- Provide for public access to public recordsand information;- Protect public records and information tothe extent consistent with the publicinterest and the protection of personalprivacy;- Protect serving public officers fromadverse consequences of disclosing certainkinds of official information withoutauthorization; and- Establish procedures for the achievementof those purposes. To the extent of data protection, the Actprovides that a public institution must denyan application for information, if theinformation requested contains personalinformation. Such personal information being[8]:- maintained with respect to clients,patients, residents, students, or otherindividuals receiving social, medical,educational, vocation, financial, supervisoryor custodial care or services directly orindirectly from public institutions;

[7] Preamble of the Freedom of Information Act 2011[8] Sections 14(1&2) of the Freedom of Information Act 2011[9] Section 16 of the Freedom of Information Act 2011

- maintained with respect to employees,appointees or elected officials of anypublic institution or applicants for suchpositions;  - maintained with respect to anyapplicant, registrant or licensee by anygovernment or public institutioncooperating with or engaged inprofessional or occupationalregistration, licensure or discipline;  and - required of any tax payer in connectionwith the assessment or collection of anytax unless disclosure is otherwiserequested by the statute It further provides that before suchpersonal information can be released,the consent of the related party musthave been obtained. The Act pays cognisance to professionalprivileges and provides that a publicinstitution may deny an application forinformation that is subject to legalpractitioner-client privilege; healthworkers- client privilege; journalismconfidentiality privilege and any otherprofessional privileges provided for inan Act.[9]

05

[10] Explanatory Memorandum of the Cybercrimes (Prohibition, Prevention, etc.) Act, 2015[11] Preamble of the Nigerian Data Protection Regulation 2019[12] Article 2.2 of the Nigerian Data Protection Regulation 2019

c. Cybercrimes (Prohibition, Prevention,etc.) Act, 2015 The Cybercrimes (Prohibition,Prevention, etc.) Act, 2015 (‘theCybercrimes Act’) came into effect inMay 2015 for the purpose of; ensuring the protection of criticalnational information infrastructure;promotingcybersecurity and the protection ofcomputer systems and networks;protecting electroniccommunications, data and computerprograms; and safeguarding intellectualproperty and privacy rights.[10] The Cybercrimes Act goes on to provideseveral punitive measures againstindividuals or corporations engaged incybercrimes and breach of data privacy,describing each offence usually with thewords; ‘fraudulent intent’ or ‘withoutauthorization.’       d. The Data Protection Regulation 2019 Finally, the NITDA Nigeria DataProtection Regulations 2019 (‘the NITDARegulations’) were put into placerecognizing that many public and privatebodies have migrated their businesses 

online and realising that there is indeeda need to safeguard the data of thesesubjects.[11] The NITDA Regulations provide a moredetailed approach to data protection,taking the time to define terms such as;‘Personal Data’, ‘Data Subject’, ‘DataController’, ‘Lawful Processing’ and‘Consent’. It provides that data processing will belawful only in the followingcircumstances;[12] - the Data Subject has given consent tothe processing of his or her PersonalData for one or more specific purposes - processing is necessary for theperformance of a contract to which theData Subject is party or in order to takesteps at the request of the Data Subjectprior to entering into a contract - processing is necessary for compliancewith a legal obligation to which theController is subject - processing is necessary in order toprotect the vital interests of the DataSubject or of another natural person;and 

06

[13] Article 2.6, 2.7, 2.11, 2.12 & 3.1 of the Nigerian Data Protection Regulation 2019[14] Article 2.10 of the Nigerian Data Protection Regulation 2019

- processing is necessary for theperformance of a task carried out in thepublic interest or in exercise of officialpublic mandate vested in the controller;  The NITDA Regulations make provisionsfor data security, third party processing,transfer of data to a foreign country andthe rights of Data Subjects amongothers.[13] Any person/organisation in breach of thedata privacy rights of a Data Subject willif dealing with less than 10, 000 datasubjects be liable to pay a sum equalling1% of annual revenue or 2 million naira(whichever is greater) and if more than10, 000 Data Subjects, be liable to pay2% of same or 10 million naira(whichever is greater).[14] All organizations involved in the controlor processing of Personal Data are nowmandated to publish their dataprotection policies and failure to complywith the provisions of the Regulationsshall be treated as a breach of theNITDA Act of 2007 and sanctionedaccordingly.

Concluding NoteFinTechs should be aware of the fastapproaching FinTech testing regulationsas well as the various sources of dataprotection regulations, as they willstrongly affect several of their decisionsin the coming years.

C O P Y R I G H T : A l l r i g h t s r e s e r v e d . N o p a r t o f t h e p u b l i c a t i o n m a y b e r e p r o d u c e d , s t o r e d i n ar e t r i e v a l s y s t e m o r t r a n s m i t t e d i n a n y f o r m o r b y a n y m e a n s w i t h o u t t h e p r i o r p e r m i s s i o n i nw r i t i n g o f Ǽ L E X o r a s e x p r e s s l y p e r m i t t e d b y l a w .   D I S C L A I M E R : T h i s p u b l i c a t i o n i s n o t i n t e n d e d t o p r o v i d e l e g a l a d v i c e b u t t o p r o v i d ei n f o r m a t i o n o n t h e m a t t e r c o v e r e d i n t h e p u b l i c a t i o n . N o r e a d e r s h o u l d a c t o n t h e m a t t e r sc o v e r e d i n t h i s p u b l i c a t i o n w i t h o u t f i r s t s e e k i n g s p e c i f i c l e g a l a d v i c e . Ǽ L E X i s a f u l l - s e r v i c e c o m m e r c i a l a n d d i s p u t e r e s o l u t i o n f i r m . I t i s o n e o f t h e l a r g e s t l a w f i r m si n W e s t A f r i c a w i t h o f f i c e s i n L a g o s , P o r t H a r c o u r t a n d A b u j a i n N i g e r i a a n d A c c r a , G h a n a .  

C o n t a c t u s a t :

4 t h F l o o r , M a r b l e H o u s e ,  1 K i n g s w a y R o a d , F a l o m o I k o y i ,L a g o s , N i g e r i a

T e l e p h o n e : ( + 2 3 4 - 1 ) 4 6 1 7 3 2 1 - 3 , 2 7 9 3 3 6 7 - 8 , 7 4 0 6 5 3 3 ,                          

E - m a i l : l a g o s @ a e l e x . c o m

@ae lexpa r tne r s

t o f o l l o w o u r s o c i a l m e d i a h a n d l e s c l i c k b e l o w

C l i c k h e r e w w w . a e l e x . c o m

HANNATU DAN-HABU

DAVIDSON OTURU

PARTNER IP/TMT AND CORPORATE/COMMERCIALDOTURU@AELEX.COM

KANYINSOLA OJESHINA