N555m fine: Fidelity Bank disputes NDPC’s allegations, says no ‘extant law was breached’

Fidelity Bank has denied allegations of a data breach and disputed the fine imposed by the Nigerian Data Protection Commission (NDPC). Meksley Nwagboh, divisional head of brand and communications at Fidelity Bank, stated that the bank “conducted itself to the highest ethical standards by ensuring full compliance with extant laws on data protection.”

On Wednesday, the NDPC said it imposed a N555.8 million fine on Fidelity Bank for allegedly violating data privacy laws. According to Vincent Olatunji, the national commissioner of NDPC, the bank’s “arrogance ultimately led us to impose the full penalty.”

Reacting to the fine, the bank said the alleged data breach was investigated, and it was discovered that “an account opening request was received online, but the account was not operational due to incomplete documentation.” The bank added that it “carried out due diligence by immediately blocking the account and subsequently closing it when outstanding documents were not provided.”

“On April 30th, 2023, we received a notice of investigation from the Nigerian Data Protection Agency (NDPA), now the Nigerian Data Protection Commission (NDPC),” the bank said. “The investigation was in respect of a complaint from [name has been withheld to protect the identity of the complainant], who claimed that [name withheld]’s details were used to open an account in the bank without [name withheld]’s consent.”

*‘ACCOUNT IMMEDIATELY PUT ON POST NO DEBIT’*

Fidelity Bank said that based on the notice received, it conducted an internal investigation into the circumstances surrounding the claim. The bank said it discovered that “an account opening request was received online in the name of [name withheld], and an email was sent to the email address attached to the request informing them about this.”

“In compliance with our Data Protection policy, accounts created online without full documentation are not allowed to be operational and are closed after 30 days if the outstanding documents are not provided to authenticate the identity of the person seeking to open the account,” the bank added. “In compliance with our data protection laws, the account was not allowed to be operational as the passport photograph and BVN were not provided. The account was immediately placed on ‘Post No Debit’ status as the applicant was expected to complete the account opening process by providing the outstanding documents for verification within 30 days. This was not done, and the account was eventually closed.”

“On May 2nd, 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed. On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents. At no point in the process was the account ever operational.”

“On July 7th, 2023, we were invited for a Pre-Action meeting with NDPC. During the meeting, we restated our position as earlier communicated to them in our letter dated May 2nd. However, despite our explanation and evidence provided to support our claim, the agency informed us that they had concluded to impose a penalty on the bank.”

“On December 5th, 2023, we received a letter from NDPC demanding we pay a ‘remedial fee’ of N250 million within 21 days. We immediately commenced another round of engagements with the Commission, as we were convinced we had not breached any extant law or regulation.”

Fidelity Bank, however, said while they were still engaging with the NDPC, they received another letter on August 20, demanding that the bank now pay N555.8 million.