Balancing KYC Requirements with Data Protection: A Review of the Recent Nigerian Court Ruling

In a landmark ruling in May 2024, the Federal High Court in Lagos, Nigeria, upheld the collection of social media links as a mandatory requirement for Know Your Customer (KYC) procedures in financial institutions. This decision has generated intense debate and raised concerns about the balance between crime prevention and data protection. By upholding the Central Bank of Nigeria’s (CBN) requirement for financial institutions to collect social media links as part of KYC procedures, the court’s ruling has far-reaching implications for data privacy and security. In this article, we will delve into the consequences of this decision and argue that requesting social media links violates the fundamental principle of data minimization, potentially compromising individuals’ right to privacy and data protection.

KYC Requirements and Crime Prevention

KYC is an essential tool in preventing money laundering, terrorist financing, and other financial crimes. It involves verifying the identity of customers and assessing their risk profile. The goal is to ensure that financial institutions and other organizations do not facilitate illicit activities. In Nigeria, KYC requirements are regulated by the Central Bank of Nigeria (CBN) and the Nigerian Financial Intelligence Unit (NFIU).

The recent court ruling in favour of collecting social media links as part of KYC requirements aims to enhance the verification process and prevent fraudulent activities. However, this decision raises concerns about the potential infringement on individuals’ right to privacy and data protection.

Intersection of KYC and Data Protection

The decision of the court highlights the tension between KYC requirements and data protection principles. While KYC measures aim to prevent financial crimes, they must not compromise individuals’ right to privacy and data protection. 

Requesting social media links as part of KYC requirements violates the principle of data minimization, which states that only necessary personal data should be collected for a specified purpose. Social media links are not essential for verifying identity or assessing risk profiles, and their collection may lead to unnecessary surveillance and monitoring.

The Nigerian Data Protection Act (NDPA) 2023 emphasizes the importance of data protection and privacy. The principles of data minimization, purpose limitation, and informed consent are fundamental to ensuring that personal data is collected and processed lawfully (Section 24 of NDPA). It is imperative to find a balance between these two conflicting requirements.

To address this issue, organizations can implement alternative verification methods that do not infringe on individuals’ privacy, such as:

• Identity verification through government-issued documents or biometric data.

• Risk assessment based on transaction history and behavior.

• Regular updates to KYC requirements to ensure they align with data protection principles.

The Limitations of Relying on Section 37 of the Constitution for Litigants 

The advent of data protection and privacy laws has significantly impacted the legal landscape, introducing new principles and regulations that govern the handling of personal data. In Nigeria, the Nigeria Data Protection Regulation (NDPR) 2019 and the Nigeria Data Protection Act 2022 have established a robust framework for data protection and privacy. However, some lawyers still rely on Section 37 of the Constitution, which guarantees the right to privacy, to bring cases related to data protection and privacy. This approach is deficient and may not yield the desired results, as illustrated by the matter against the CBN over the collection of social media for KYC.

In the recent case of Miss Folashade Molehin v UBA (Suit No. FHC/L/C5/2625/2023) a better approach was adopted and justice was dispensed accurately. The applicant relied on the provisions of the NDPR and successfully argued that opening a domiciliary account without authorization constituted a breach of her privacy. The court awarded damages of 7.5 million naira. This outcome highlights the importance of understanding the specific principles and regulations governing data protection and privacy. Relying solely on Section 37 of the Constitution may not be sufficient to establish a strong case, as it only provides a general right to privacy. In contrast, the NDPR and the Data Protection Act 2022 offer specific guidelines and principles for data protection and privacy, such as data minimization, purpose limitation, and informed consent. By invoking these principles, lawyers can build a more robust case and demonstrate a deeper understanding of the legal framework governing data protection and privacy in Nigeria.

Conclusion

The recent Nigerian court ruling on collecting social media links as part of KYC requirements raises concerns about the infringement on individuals’ right to privacy and data protection. While KYC measures are essential for preventing financial crimes, they must be balanced with data protection principles. Organizations and regulators must work together to ensure that verification methods do not compromise individuals’ privacy and that data protection regulations are respected.

As the growth of the data protection space continues, it is crucial that judges and regulators are equipped with the knowledge to make informed decisions that do not lead to unfavorable precedents. By gratifying the impulses of both KYC requirements and data protection, we can create a safer and more privacy-conscious environment for all.