The Central Bank of Nigeria ("CBN") is the apex Bank in Nigeria and the primary regulator for the Financial Services Industry in Nigeria, particularly for banks and other financial institutions. In this regard, the CBN has powers to regulate banks and other financial institutions in the prevention and control of Money Laundering and Financing of Terrorism through the issuance of subsidiary legislation in respect of Anti-Money Laundering, Combating of Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction ("AML/CFT/CPF").
The Banks and Other Financial Institutions Act 2020 empowers the Governor of the CBN to issue regulations, guidelines and policies to fight money laundering and combat financing of terrorism.[1] In line with these powers, on 20 June 2023, the CBN published the Central Bank of Nigeria (Customer Due Diligence) Regulations, 2023[2] (the "Regulation").
The Regulation, amongst other things, seeks to assist banks and other financial institutions with the implementation of and compliance with the existing AML/CFT/CPF. It also has prescriptions on Customer Due Diligence ("CDD"). The Regulation introduced a provision on mandatory submission of social media handles by bank customers as a Know Your Customer ("KYC") requirement. This inclusion has turned out to be controversial and has attracted a lot of debate, pushback and commentary. The Regulation introduced the new CDD requirement directing all financial institutions to obtain and verify new and existing customers' social media handles,[3] and this has raised issues around the powers of the CBN and the CBN Governor, the constitutionality of the Regulation, and the compatibility of the Regulation with the Nigeria Data Protection Act 2023 and the Nigeria Data Protection Regulation 2019.
Whilst it is not in doubt that the aim of the Regulation is to strengthen and enhance the existing AML/CFT/CPF standards and controls within the financial institutions, the CBN's new CDD requirement issued to financial institutions has received pushback from key stakeholders such as the National Assembly and the Nigeria Data Protection Commission ("NDPC or Commission"). Some of these stakeholders have criticized the Regulation as being "unnecessary"[4] and "arbitrarily restricting the rights to freedom of expression and privacy"[5] in contravention of the fundamental human right to privacy guaranteed under Section 37 of the Constitution of the Federal Republic of Nigeria, 1999 (as altered).[6] It has also been stated repeatedly that the Regulation offends the principle of minimal data collection ("Data Minimization") enshrined under extant data protection laws in Nigeria.
The aim of this article is to examine the right to privacy guaranteed in the Constitution, along with the prescriptions in other privacy legislation. It will also analyze the legal basis for processing data by controllers in the financial services industry within the context of processing of social media type personal data and review the practice in other jurisdictions. Thereafter, it will state our position on the legality of the new Regulation within the context of the privacy regime in Nigeria.
The Constitutional and Statutory Right to Privacy and the Legal Basis for Processing Data in Nigeria
Section 37 of the Nigerian Constitution provides for the right to privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications.[7] This means that the right to privacy is an overriding right that can only be derogated from on the basis of clear prescriptions and exemptions provided in the same Constitution.
One such constitutional exemption is Section 45 of the Constitution, which provides that the right to privacy can be overridden if a statute overriding or limiting it can be reasonably justified in a democratic society, is enacted in the interest of defence, public safety, public order, public morality or public health or for the protection of the rights and freedoms of other persons.
In the exercise of his constitutional powers, President Bola Ahmed Tinubu signed into law the Nigeria Data Protection Act ("NDPA or Act") on 12th June, 2023. The NDPA, like its predecessor, the Nigeria Data Protection Regulation 2019 ("NDPR"), guarantees and protects the right to privacy in Nigeria and provides details on what privacy rights entail, including their scope, limitation, application, technicalities, etc.
One innovation of the NDPA and the NDPR, like other global privacy laws, is the introduction of the concept of legal basis for processing data. This means that before a data controller or processor can process the data of any individual, they must identify one or more bases for their collection and processing of that data. Failure to support data processing activities with a legal basis is automatically an infraction of the privacy law and individual privacy right of the data subject. The applicable legal bases are as follows[8] –
- The data subject has given consent for the specific processing activity.
- Performance of a contract to which the data subject is a party or to take pre-contract steps at the request of the data subject.
- Compliance with a legal obligation which applies to the data controller or processor.
- To protect the vital interest of the data subject or another person.
- For the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller or processor.
- For the purpose of a legitimate interest pursued by the data controller or processor or by a third party to whom the data is disclosed.
The NDPA also prescribes situations where data controllers and/or processors can be exempted from the application of the Act. Hence, the NDPA will not apply in the following circumstances[9] –
- The processing activity is carried out solely for personal or household activities; or
- Where processing activity is carried out by a competent authority for the prevention, investigation, detection, prosecution or adjudication of a criminal offence or execution of a criminal penalty; or
- Where processing activity is carried out by a competent authority for the prevention or control of a national public health emergency; or
- Carried out by a competent authority for national security; or
- In respect of publication in public interest, for journalism, educational, artistic and literary purposes; and
- Necessary for the establishment or defence of a legal claim.
Legality of the CBN Regulation
The first enquiry is whether the provisions on the collection of social media handles in the Regulation can be reasonably justified in a democratic society. Globally, submission of social media handles is not a requirement for opening or maintaining bank accounts or for the conduct of a bank's due diligence. It is not a tool generally used by banks or Central Banks for CDD; rather, it is a tool used by law enforcement agencies where there is suspicion of criminal activities. Mass collection of bank customer data is excessive collection and may not pass the reasonability test prescribed by the Constitution. Such a level of intrusive collection can begin to negatively affect citizens' right to freedom of expression because, when people observe that they are being monitored, they begin to self-censor their publications and communication. This is inherently undemocratic and should not be encouraged.
Second, the CBN Regulation did not mention in its Recital and Explanatory Note that it is being issued in the interest of defence, public safety, public order, public morality or public health. Rather, the Explanatory Note states that "these Regulations seek to ensure that Financial Institutions comply with customer due diligence measures as required by the Anti-Money Laundering, Combating the Financing of Terrorism, and Countering Proliferation Financing of Weapons of Mass Destruction legislations and regulations". A close examination of the Regulation indicates that it cannot be safely situated within any of the bases for exemption from the constitutionally guaranteed rights.
Third, the exemptions under the NDPA 2023 have been made subject to the Constitution; however, even if the Regulation can be considered in isolation from other legislation, it may still not qualify under any of the exemptions in the NDPA. In this regard, only the exemption on prevention of a criminal offence comes close for consideration, and a perusal of the provision of the Act suggests that it can be applied where there is an effort to prevent a crime from being committed. The Act did not use the phrase "prevention of crimes"; rather, it uses "prevention of a crime", which indicates that there must be a specific crime that is being sought to be prevented. It therefore means that the provision cannot be applied broadly for general crime prevention or where there is no reasonable suspicion that a crime is about to be committed.
The only country on record that specifically collects social media handles of data subjects is the United States through the US Department of Homeland Security, which is empowered under the US Privacy Act 1974 (as amended) to collect the "social media handles, aliases, associated identifiable information and search results"[10] of immigrants seeking to enter the US.
Conclusion
No doubt, the Regulation represents efforts by the CBN to strengthen and enhance existing AML/CFT/CPF controls within the Nigerian financial industry. However, the new CDD requirement appears to offend the letter and spirit of the Constitution and the NDPA 2023. It is also likely that the Regulation was issued by the CBN without widespread consultation with stakeholders, which would have afforded it the opportunity to get various views and possibly understand the practice in other jurisdictions on this issue. It is our position that the Regulation of the CBN negates the principles of data minimization, as it appears to be excessive when compared against other CDD requirements obtainable in other climes.
Considering the avalanche of criticisms against the Regulation, it is expected that the CBN will review the new CDD requirements and make this requirement optional, given its propensity to lead to the financial exclusion of customers who may not want to give their social media handles and those who may not even have such social media presence.
Banks and other financial institutions should also be interested in how this issue is resolved, as they may be open to sanctions by the CBN where they do not comply with the Regulation. We therefore advise that they should take the lead in engaging with the CBN and the NDPC so they can confirm whether to comply with the Regulation or not, pending its withdrawal by the CBN or a specific instruction from the NDPC that they should not comply. In addition, it may be advisable to seek and obtain professional legal advice, as this is an issue that may potentially end up in a legal dispute if not resolved amicably.
Footnotes
1. Banks and Other Financial Institutions Act 2020, s 66(2)
2. Central Bank of Nigeria Customer Due Diligence Regulations 2023.
3. Central Bank of Nigeria Customer Due Diligence Regulations 2023, s 6(a)
4. James Kwen, 'Reps Ask CBN to Stop Social Media Handle Addition To 'Know Your Customer'' (Leadership Newspaper, Abuja, 8 July 2023) https://www.vanguardngr.com/2023/07/reps-direct-cbn-to-stop-social-media-handles-requirement-from-bank-customers/ accessed 22 July 2023.
5. Ayodeji Adegboyega, 'CBN Directive to Scrutinize Bank Customers Social Media Presence Illegal – Data Protection Council' (Premium Times, 30 June 2023) https://www.premiumtimesng.com/business/607400-cbn-directive-to-scrutinise-bank-customers-social-media-presence-illegal-data-protection-council.html accessed 22 July 2023.
6. Constitution of the Federal Republic of Nigeria 1999 (as altered), s 37.
7. Nigeria Data Protection Act 2023, s 25(1)(a)(b)(i)-(v)
8. Nigeria Data Protection Act 2023, s 3(2)(a)-(e).
9. Paul Ross, 'US Begins Collecting Social Media Information from Immigrants' (Voice of America, 22 October 2017) https://learningenglish.voanews.com/a/us-begins-collecting-social-media-passwords-information-from-immigrants/4079134.html accessed on 22 July 2023.