Our attention has been
drawn to a news story titled, “NDPC Fines Fidelity Bank for Data Breach”. While
the matter is a subject of an ongoing engagement with the regulator, we wish to
assure the public that we have conducted ourselves to the highest ethical
standards by ensuring full compliance with extant laws on data protection.
Below is a breakdown of our dealings with the NDPC since we
received their letter informing us about an alleged data breach:
On April 30th, 2023, we received a notice of investigation from the Nigerian Data Protection Agency (NDPA), now the Nigerian Data Protection Commission (NDPC). The investigation was in respect of a complaint from [name has been withheld to protect the identity of the complainant] who claimed that [name withheld] details were used to open an account in the bank without [name withheld] consent.
Based on this notice, we conducted an internal investigation
into the circumstances around the claim and discovered as follows:
An account opening request was received online in the name of
[name withheld], and an email was sent to the email address attached to the
request informing them about this.
In compliance with our Data Protection policy, accounts
created online without full documentation are not allowed to be operational and
are closed after 30 days if the outstanding documents are not provided to
authenticate the identity of the person seeking to open the account.
In compliance with our data protection laws, the account was
not allowed to be operational as the passport photograph and BVN were not
provided.
The account was immediately placed on “Post No Debit” status
as the applicant was expected to complete the account opening process by
providing the outstanding documents for verification within 30 days. This was
not done, and the account was eventually closed.
On May 2nd 2023, we responded to the NDPC that the bank did
not violate any law because there was no data breach and that the account
opening process was not completed. On our part, we carried out due diligence by
immediately blocking the account and subsequently closing the account when we
did not receive the outstanding documents.
At no point in the process was the account ever
operational.
On July 7th, 2023, we were invited for a Pre-Action meeting
with NDPC. During the meeting, we restated our position as earlier communicated
to them in our letter dated May 2nd.
However, despite our explanation and evidence provided to
support our claim, the agency informed us that they had reached a conclusion to
impose a penalty on the bank.
On 5th December of 2023, we got a letter from NDPC demanding
we pay a ‘remedial fee’ of N250 million within 21 days.
We immediately commenced another round of engagements with the
Commission as we were convinced, we had not breached any extant law or
regulation.
While discussions were still ongoing with the NDPC, we
received another letter on the 20th of August demanding that we now pay N555.8m
naira.
As a responsible financial organization with a history of
strong corporate governance standards, we remain committed to the due process
of the law, and we wish to assure all our customers of our unwavering
commitment to upholding the highest level of ethical standards in all our
dealings with customer data.
Our commitment to strong corporate governance has earned us
local and international recognition, including the prestigious CG+ award. This
is the highest rank under the Corporate Governance Rating System (CGRS) of the
Nigerian Exchange Group (NGX), which evaluates listed companies against
established best practices and standards.
As a Bank, we remain in discussions with the NDPC over an
amicable resolution to this matter.
Signed.
Dr Meksley Nwagboh
Divisional Head, Brand & Communications
Fidelity Bank Plc.
0 Comments