NDPR: Can Commercial Banks Release the Personal Data of Defaulters of PTA/BTA Guidelines on their Websites as Directed by the CBN?

Recently, the Central Bank of Nigeria (“CBN”) issued a directive to commercial banks that they publish the personal information of customers that breach the provisions of its PTA/BTA guidelines (“Guidelines”) on their websites. Now, from a data protection standpoint, this raises all sorts of red flags because an individual’s name and Bank Verification Number (BVN) are classified as Personal Data, the processing of which should be done in line with the provisions of the Nigeria Data Protection Regulation (“NDPR”). In addition, there is a constitutional guarantee to every individual, pursuant to the provisions of section 37 of the Nigerian 1999 Constitution, of his/her privacy and private life, including the right to keep his/her information private.

This article seeks to clarify whether the publication of the personal data of defaulting bank customers is in line with the provisions of the NDPR and other consumer data protection provisions.

Introduction

At law, the relationship between a bank and its customer is contractual in nature and is often characterized as that of a debtor – creditor with superimposed duties and obligations, from the bank’s side. One of such superimposed duty is the duty of secrecy or confidentiality. Put simply, a bank is required to keep the affairs of its customer secret. This duty is not restricted to account transactions – it extends to all the information that the bank has about the customer. This duty is however not absolute and exceptions include where the bank is required by law to make disclosure; and where the customer consents to the disclosure.

Furthermore, the NDPR, with a view to safeguarding the rights of natural persons to data privacy, amongst other objectives, provides strict guideline for processing of personal data. In this regard, the NDPR stipulates that there must be legal basis for processing of personal data and identified five legal basis -  Consent, Legal Obligation, Vital Interest, Performance of Contract and Public Interest. Publication of customer information by a bank on its website as required by the Guidelines, constitutes “processing” of personal data under the NDPR. Therefore, the question arises whether CBN’s directive to publish the names of defaulters under the Guidelines constitutes a valid basis under the NDPR. For the purpose of this article and in line with the Bill of Rights, the focus will be on two out of the five legal bases provided for by the NDPR – Consent and legal Obligation.

Legal Obligation - required by law to make disclosure

As established in the case of UBA Plc v Bakare Wasiu[1], the bank in possession of a customer’s money can be seen as a trustee and therefore owes its customer a duty of secrecy in relation to that customer’s account details and related matters. However, where the bank is required by law to disclose a customer’s information, the customer’s right to privacy and confidentiality does not apply. For example, section 31 of the Anti-Money Laundering Regulations[2] provides that where the bank suspects a customer’s account of being used for fraudulent activities, it has the legal obligation to transmit that information to the appropriate authorities for criminal investigation. This is also in line with the provisions of Article 2.1 of the NDPR Implementation Framework that exempts the applicability of the provisions of the NDPR in instances of transmission of personal data to regulatory agencies for the purpose of criminal investigations and tax offences, among others.

However, the publication of the personal data of defaulters under the Guidelines does not fall under the transmission of data to regulatory authorities for criminal investigations and tax offences, as envisaged by the NDPR. Consequently, this particular processing will need to identify one of the other legal bases for processing as provided in Article 2.2 of the NDPR, in order to accord with the requirements of the NDPR.

Section 33 of the Central Bank of Nigeria Act, 2007 (“CBN Act”) provides that the CBN may issue guidelines to any person and institution under its supervision. In addition, the Bank and Other Financial Institutions Act, 2020 (“BOFIA”) gives the Governor of the CBN power to make regulations for the operation and control of all institutions under the supervision of the CBN.  By virtue of the powers conferred on the CBN to make regulations or issue guidelines by the CBN Act and BOFIA, it can be deduced that commercial banks have the legal obligation to comply with the guidelines issued by the CBN in exercise of its statutory powers, to avoid applicable sanctions for non-compliance.

Further to the foregoing, where commercial banks decide to publish the personal data of defaulters under the Guidelines on their websites, they may rely on Legal Obligation, that is; processing was necessary for compliance with a legal obligation to which the commercial banks are subject, under Article 2.2(c) of the NDPR, as the legal basis for such processing of the customer’s personal data.

Consent - customer consents to the disclosure

Another possible legal basis for the publication of a customer’s bank details on the website of a commercial bank is Consent. Under the NDPR, consent is the default legal basis for valid processing of personal data. In this regard, Article 2.1 of the NDPR stipulates that …Personal Data shall be collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject. Accordingly, data controllers (commercial banks, in this instance) have the obligation to ensure that customers consent to each processing activity (including publication of their personal information on their websites) and such consent must be informed and has been obtained without fraud, coercion or undue influence. Further, the Bill of Rights permits commercial banks to disclose a customer’s account information where the customer has consented to such disclosure.

Under the NDPR, for this processing to be based on consent, the relevant customers would have, at the time of applying for PTA or BTA, been individually informed of all the possible uses of their personal data for the purposes of obtaining the PTA or BTA, including the publication of their personal information on the processing bank’s website; where they default under the Guidelines. At the same time, the banks would also have obtained a waiver of the customers’ right to confidentiality in such event, together with express consent to such publication. Where the foregoing condition is satisfied, the publication of the personal data of defaulting customers under the Guidelines, will be deemed to be have been done on the basis of consent and therefore not in contravention of the provisions of the NDPR.

Conclusion

While every individual is entitled to privacy and should be able to protect his/her private information from indiscriminate and unauthorized disclosure to the public, personal information can be published under certain circumstances without infringing such individual’s right to privacy/private life. Such exceptional instances include where banks publish the personal data of defaulting customers under the Guidelines, in compliance with the directive of the CBN, being the regulator of the Banking Industry and the appropriate authority vested with powers to issue guidelines to any person or institution under its supervision; who are bound to comply in order to promote a sound financial system in Nigeria. Therefore, commercial banks are advised to update their data protection policy documents, including data protection notices, to include Legal Obligation or Consent as basis for the publication of the details of defaulters under the Guidelines, in order to ensure compliance with the provisions of the NDPR.

The Grey Matter Concept is an initiative of the law firm, Banwo & Ighodalo.

DISCLAIMER: This article is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship
between readers and our Law Firm or serve as legal advice. We are available to provide specialist legal advice on the readers’ specific circumstances when they arise.

 

[1]  (2017) 4 NWLR (pt. 1555) 318 C.A
[2] Central Bank of Nigeria (Anti-Money Laundering and Combating Financing of Terrorism for Banks and Other Financial Institutions in Nigeria), Regulations, 2013.