Fidelity Bank Denies Data Breach Claims, Challenges N555.8M Fine Imposed by NDPC

Fidelity Bank has firmly denied allegations of a data breach and contesting the N555.8 million penalty imposed by the Nigerian Data Protection Commission (NDPC).

The bank asserts that it has consistently adhered to data protection laws and maintained high ethical standards in its operations.

In a statement released on Wednesday, August 20, Meksley Nwagboh, the bank’s divisional head of brand and communications, emphasized that Fidelity Bank “conducted itself to the highest ethical standards” and fully complied with data protection regulations. This response comes in the wake of the NDPC’s claim that the bank breached data privacy laws, prompting the significant fine. Vincent Olatunji, the NDPC’s national commissioner, suggested that the bank’s “arrogance” contributed to the imposition of the maximum penalty.

Fidelity Bank, however, maintains that the fine is unwarranted. According to the bank, the incident in question involved an online account opening request that was never completed due to incomplete documentation. The bank promptly blocked and then closed the account when the necessary paperwork was not provided.

The timeline provided by Fidelity Bank outlines their response to the NDPC’s investigation notice, received on April 30, 2023. The complaint alleged that an account was opened using someone’s details without their consent. Fidelity Bank’s internal probe revealed that the online account was never activated because the applicant failed to provide required documents, including a passport photograph and BVN (Bank Verification Number).

The bank’s policy mandates that online accounts cannot be operational without complete documentation and are closed if the missing paperwork is not submitted within 30 days. Fidelity Bank had informed the NDPC on May 2, 2023, that there was no breach, as the account in question was never activated.

Despite presenting evidence at a Pre-Action meeting with the NDPC on July 7, 2023, and reiterating their compliance with data protection laws, Fidelity Bank was surprised to receive a letter on December 5, 2023, demanding a remedial fee of N250 million. The bank was further taken aback by a subsequent letter on August 20, 2024, which escalated the penalty to N555.8 million, while discussions with the commission were still ongoing.

Fidelity Bank continues to maintain its compliance with data protection laws and is seeking to resolve the matter with the NDPC.

Fidelity Bank’s Statement to the Fine From NDPC

“On April 30th, 2023, we received a notice of investigation from the Nigerian Data Protection Agency (NDPA), now the Nigerian Data Protection Commission (NDPC). The investigation was in respect of a complaint from [name has been withheld to protect the identity of the complainant] who claimed that [name withheld] details were used to open an account in the bank without [name withheld] consent.

“Based on this notice, we conducted an internal investigation into the circumstances around the claim and discovered as follows:
An account opening request was received online in the name of [name withheld], and an email was sent to the email address attached to the request informing them about this.

“In compliance with our Data Protection policy, accounts created online without full documentation are not allowed to be operational and are closed after 30 days if the outstanding documents are not provided to authenticate the identity of the person seeking to open the account.

“In compliance with our data protection laws, the account was not allowed to be operational as the passport photograph and BVN were not provided.

“The account was immediately placed on “Post No Debit” status as the applicant was expected to complete the account opening process by providing the outstanding documents for verification within 30 days. This was not done, and the account was eventually closed.

“On May 2nd 2023, we responded to the NDPC that the bank did not violate any law because there was no data breach and that the account opening process was not completed. On our part, we carried out due diligence by immediately blocking the account and subsequently closing the account when we did not receive the outstanding documents.

“At no point in the process was the account ever operational.

“On July 7th, 2023, we were invited for a Pre-Action meeting with NDPC. During the meeting, we restated our position as earlier communicated to them in our letter dated May 2nd.

“However, despite our explanation and evidence provided to support our claim, the agency informed us that they had reached a conclusion to impose a penalty on the bank.

“On 5th December of 2023, we got a letter from NDPC demanding we pay a ‘remedial fee’ of N250 million within 21 days.

“We immediately commenced another round of engagements with the Commission as we were convinced, we had not breached any extant law or regulation.

“While discussions were still ongoing with the NDPC, we received another letter on the 20th of August demanding that we now pay N555.8m naira.”