Nigeria’s data protection regulator says entities implicated in an alleged breach are cooperating with a sweeping investigation, as authorities widen scrutiny across the digital payments ecosystem.
The Nigeria Data Protection Commission (NDPC) also confirms it is carrying out a formal probe into an incident involving Remita Payment Services Limited, Sterling Bank and other organisations, with affected parties already providing information to support the inquiry.
In a statement dated April 5, 2026 seen by Technology Times, the Commission says a Notice of Investigation was “duly served” on April 1, marking the official commencement of proceedings.
Dr Vincent Olatunji, National Commissioner/CEO of NDPC, is directing an expanded compliance review, stating that organisations deploying digital payment systems without adequate safeguards “will also be examined as part of a wider effort to ensure the integrity of the ecosystem.” The directive indicates that the regulator is not limiting its focus to the named entities but is assessing systemic adherence to statutory requirements across the sector.
Data breach probe, part of broader compliance sweep, NDPC says
“Relevant parties and individuals have been providing information for the purpose of addressing the incident,” the regulator states, signalling active engagement by entities under review.
The NDPC says the exercise as part of a broader compliance sweep, beyond the immediate allegations.
According to the Commission, the investigation is designed to ensure that “data subjects are protected with appropriate technical and organisational measures,” with the scope covering the categories of personal data involved, the nature and extent of the alleged breach, potential risks to individuals, and mitigation steps taken where breaches are confirmed.
The inclusion of Remita and Sterling Bank, both central to Nigeria’s high-volume electronic transaction flows, has heightened industry attention, given the scale of personal and financial data processed across their networks. As critical infrastructure providers in the payments value chain, such entities are subject to stringent obligations under the Nigeria Data Protection Act 2023 to secure personal data against unauthorised access, loss, or misuse.
Dr Vincent Olatunji, National Commissioner/CEO of NDPC, is directing an expanded compliance review, stating that organisations deploying digital payment systems without adequate safeguards “will also be examined as part of a wider effort to ensure the integrity of the ecosystem.” The directive indicates that the regulator is not limiting its focus to the named entities but is assessing systemic adherence to statutory requirements across the sector.
Under the NDP Act, data controllers and processors, including financial institutions and technology service providers, are required to implement administrative, physical, and technical controls that protect personal data throughout its lifecycle. The law also guarantees rights to data subjects, including transparency on data usage, access to personal data, and avenues for redress in the event of compromise.
While the NDPC has not disclosed specific details about the data involved or the root cause of the alleged breach, the breadth of the investigation underscores heightened regulatory vigilance as digital payments scale across Nigeria’s economy. By interrogating both exposure risks and remediation frameworks, the Commission is seeking to establish whether compliance gaps or control failures occurred.
Industry analysts note that incidents affecting financial platforms can materially impact consumer trust, particularly in markets experiencing rapid digital adoption. The NDPC’s intervention is therefore being viewed as both an enforcement action and a signal to the market on the importance of robust data governance.
As enquiries continue, organisations within scope are expected to maintain full cooperation with the regulator. The outcome is likely to shape future enforcement posture and refine compliance expectations for payment service providers operating under Nigeria’s evolving data protection regime.
Home
