What the NDPA requires from fintechs

The NDPA imposes obligations on any "data controller" or "data processor" handling personal data of Nigerian data subjects. For fintech companies, this means virtually every piece of customer data you collect — from onboarding KYC details to transaction records.

Lawful basis for processing

You must have a valid legal basis for every category of data you collect and process. For fintechs, this typically includes contractual necessity (to provide the service) and legal obligation (CBN KYC requirements). But collecting more data than necessary violates the proportionality principle.

Appropriate technical measures

The Act requires you to implement technical security measures proportionate to the sensitivity of data you hold. For a fintech holding BVNs, NINs, and financial records, this bar is among the highest in any industry. Penetration testing is the standard method of proving these measures are effective.

Data breach notification

The NDPA requires notification to the NDPC and affected data subjects when a breach is likely to result in risk to their rights. For fintechs handling financial data, virtually any unauthorized data access must be reported. Having evidence of prior security testing reduces your liability exposure.

Data Protection Impact Assessment (DPIA)

High-risk data processing activities require a formal DPIA. Any fintech processing at scale — especially with sensitive categories like biometrics (facial verification) or financial data — should conduct DPIAs and incorporate security testing into the assessment process.

The data fintech apps typically expose

During penetration testing engagements, we regularly find Nigerian fintech applications leaking PII through:

Real finding

10,000+ BVNs exposed via support dashboard

A neobank's support dashboard displayed full, unmasked BVNs for every customer account. The dashboard had no role-based access control: any of the 40+ support agents could view and screenshot any customer's BVN, NIN, full name, date of birth, and transaction history. Under the NDPA, this constitutes inadequate technical measures and would significantly increase penalty exposure in the event of a breach.
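As an added illustration (not code from the engagement described above), the following Python sketch shows the two controls that finding lacked: a role-scoped customer view that returns only the fields a given role may see, with BVN and NIN masked for support staff, plus a helper that redacts bare 11-digit identifiers from log lines. The Customer record, role names and sample values are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    """Hypothetical customer record; values used in tests are constructed, not real."""
    account_id: str
    full_name: str
    bvn: str  # 11-digit Bank Verification Number
    nin: str  # 11-digit National Identification Number


# Assumed roles: support agents get masked identifiers only; a compliance
# officer (e.g. for a regulator request) may see the full values.
ROLE_FIELDS = {
    "support_agent": {"account_id", "full_name", "bvn_masked", "nin_masked"},
    "compliance_officer": {"account_id", "full_name", "bvn", "nin"},
}


def mask_id(value: str, visible: int = 4) -> str:
    """Keep only the last `visible` digits of an 11-digit identifier."""
    if not re.fullmatch(r"\d{11}", value):
        raise ValueError("expected an 11-digit identifier")
    return "*" * (len(value) - visible) + value[-visible:]


def support_view(customer: Customer, role: str) -> dict:
    """Return only the fields the caller's role is entitled to see (deny by default)."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"role {role!r} may not view customer records")
    full = {
        "account_id": customer.account_id,
        "full_name": customer.full_name,
        "bvn": customer.bvn,
        "nin": customer.nin,
        "bvn_masked": mask_id(customer.bvn),
        "nin_masked": mask_id(customer.nin),
    }
    return {k: v for k, v in full.items() if k in allowed}


# Deliberately broad: any bare 11-digit run is masked, so 11-digit phone
# numbers are redacted too. Over-masking in logs is the safer failure mode.
ID_PATTERN = re.compile(r"(?<!\d)\d{11}(?!\d)")


def redact_log_line(line: str) -> str:
    """Replace every bare 11-digit identifier in a log line with its masked form."""
    return ID_PATTERN.sub(lambda m: mask_id(m.group(0)), line)
```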

How security testing supports NDPA compliance

01. Demonstrates "appropriate measures"

A penetration test report proves to the NDPC that you actively sought out and remediated vulnerabilities. This is your strongest evidence of implementing appropriate technical measures, even if the test found issues — because it proves you're actively managing risk.

02. Identifies data exposure points

Our testing specifically maps where PII is exposed — in APIs, logs, exports, error messages, and internal tools. This directly supports your data mapping and DPIA obligations under the NDPA.

03. Reduces breach liability

If a breach occurs, the NDPC evaluates whether you took reasonable steps to prevent it. Having a current penetration test report, evidence of remediation, and a retesting certificate significantly reduces your penalty exposure compared to having no security testing evidence at all.

Related services and resources

NDPA compliance overlaps with CBN cybersecurity requirements — a single well-scoped engagement can satisfy both. Start with a vulnerability assessment to map your exposure, then move to penetration testing for proof of exploitability. For API-specific data exposure, see API security testing. Understand your overall risk profile as a Nigerian fintech.

Frequently asked questions

What's the difference between NDPR and NDPA?

The NDPR (Nigeria Data Protection Regulation, 2019) was the predecessor regulation. The NDPA (Nigeria Data Protection Act, 2023) is the current law, enforced by the NDPC (Nigeria Data Protection Commission). The NDPA supersedes the NDPR but many compliance frameworks still reference both. Our guidance covers current NDPA requirements.

Does the NDPA specifically require penetration testing?

The NDPA requires 'appropriate technical and organizational measures' to protect personal data. It doesn't prescribe specific tools. However, penetration testing is the industry-standard method for demonstrating that your technical measures are effective. Regulators and auditors interpret the absence of independent security testing as a failure to meet this requirement.

What happens if we get breached without evidence of security testing?

The NDPC considers whether you took 'appropriate measures' to prevent the breach. If you can't demonstrate that you conducted independent security testing, the penalty exposure is significantly higher. A pre-existing penetration test report — even one that found vulnerabilities — shows that you were actively managing risk.

How does this interact with CBN requirements?

CBN cybersecurity requirements and NDPA requirements overlap significantly. A well-structured penetration test and vulnerability assessment can satisfy both simultaneously. See our CBN compliance guide for the banking-specific requirements.