Nigeria's Fintech Data Localization Order Is Defensible Infrastructure Policy — Its Law Enforcement Rationale Is Not

The CBN's June 2026 mandate to store payment transaction data locally has legitimate infrastructure grounds, but citing law enforcement access as its primary benefit exposes a gap that civil society groups are right to flag.

[Infographic: Nigeria's Payment Data Mandate: The Numbers (People of Internet Research · Nigeria). 14B+ annual payment transactions; ₦60B yearly foreign hosting cost; ₦7.2B NDPC fines collected.]

The Mandate

On June 15, 2026, the Central Bank of Nigeria issued Circular PSS/DIR/PUB/CIR/001/004, signed by Rakiya Yusuf, Director of the Payments System Supervision Department, directing all deposit money banks, fintech companies, mobile money operators, and licensed payment service providers to store and process payment transaction data on servers within Nigeria by January 1, 2027. The six-month window is tight. Nigeria's payments ecosystem processes over 14 billion transactions annually, the bulk of them routed through foreign cloud infrastructure operated by AWS and Microsoft Azure. Migrating that volume onshore in half a year presents genuine engineering challenges.

But the directive's most politically consequential element is not its timeline — it is its stated rationale. The CBN framed local storage as a tool to allow authorities to "easily access records, conduct audits, enforce compliance, and investigate criminal offenses," reducing the delays caused by "cross-border data intermediation." That framing, which centres state access rather than data resilience or consumer protection, has prompted four civil society organisations to raise formal concerns.

The Legitimate Case for Localization

Before evaluating the surveillance risk, the underlying infrastructure argument deserves a fair hearing. Nigeria currently spends an estimated ₦60 billion annually routing domestic financial data through foreign-owned servers — an outflow that also creates operational dependencies on cloud providers whose pricing, uptime terms, and governance lie entirely outside Nigerian regulatory reach. When law enforcement needs transaction records for a financial crime investigation, the current path runs through mutual legal assistance treaty (MLAT) processes that can take months. For a regulator overseeing a digital payments market that grew 70 percent in 2025 and processed over 11 billion NIBSS Instant Payment transactions in 2024, the case for onshore storage as a matter of jurisdictional and operational resilience is real.

The CBN directive also bundles in legitimate structural reforms: beneficial ownership disclosure requirements for significant shareholders, and market-share caps (25 percent for card issuers, 15 percent combined with merchant acquiring) to curb concentration risk in a market expanding too fast for its own stability. These measures represent proportionate regulatory housekeeping.

The Surveillance Asymmetry

The problem is not that the CBN wants Nigerian financial data subject to Nigerian law. The problem is that the law governing state access to that data has a structural gap.

A coalition comprising Media Rights Agenda, Paradigm Initiative, the Digital Rights Lawyers Initiative, and Accountability Lab Nigeria released a report titled Protected From the State, Not By It, identifying what they describe as the central contradiction in Nigerian data governance: "citizens are under-protected from data abuse and over-exposed to state monitoring and punishment."

That diagnosis is grounded in statute. Under Section 3 of the Nigeria Data Protection Act 2023 (NDPA), data processing carried out by a "competent authority for the prevention or investigation, detection, prosecution or adjudication of a criminal offense" is largely exempt from the Act's standard obligations. This is a standard law enforcement carve-out found in comparable frameworks worldwide — the EU's Law Enforcement Directive, India's DPDPA, and Kenya's Data Protection Act all contain similar provisions. What distinguishes Nigeria's arrangement is the absence of a matching procedural layer: no codified judicial pre-authorization requirement for accessing financial records, no statutory obligation to log law enforcement data requests, and no independent oversight mechanism to audit how state agencies use Section 3 exemptions.

Concentrating 14 billion annual transactions on locally accessible infrastructure in this regulatory environment means that the state's practical ability to access Nigerians' financial records increases substantially, without a commensurate increase in accountability for how that access is used.

An Enforcement Record That Cuts Both Ways

Nigeria's data protection enforcement has genuinely improved. The NDPC has collected ₦7.2 billion in compliance fees and fines since the NDPA came into force, completed 246 data breach investigations, and levied significant penalties on private-sector actors — Fidelity Bank was fined ₦555.8 million in August 2024 for processing personal data without informed consent. The General Application and Implementation Directive (GAID), which came into effect in September 2025, tightened compliance requirements further.

But enforcement has focused almost exclusively on private companies. The civil society coalition's report documents a pattern of inconsistent accountability between public and private institutions: state agencies have accessed sensitive databases — including the voter registration records of over 90 million Nigerians — with limited public accountability for how that access was authorised or audited. Section 3's broad carve-out means the same NDPC that fines banks for consent failures has limited authority to scrutinise how the police or intelligence agencies use transaction records they obtain under an investigative mandate.

Infrastructure Fragility

There is also a technical risk the directive does not adequately address. Nigerian data centres are geographically concentrated in Lagos, limiting redundancy. Musa Ganiyu, CEO of Payvessel, has specifically warned that if a major incident occurs at a local data centre with no foreign backup, "that's going to be a big problem." If the CBN's directive is interpreted to prohibit encrypted offshore replication for disaster recovery purposes, it could inadvertently introduce systemic fragility into the very payments infrastructure it seeks to protect.

What Proportionate Looks Like

The CBN's mandate can be made coherent — and civil-society-defensible — without abandoning data localization. Three targeted additions would help:

Data localization is not inherently a rights violation. What matters is the accountability framework built around it. Nigeria's directive inverts the proper design sequence: it uses law enforcement convenience as the leading justification for an infrastructure policy, then leaves the safeguards that would make that justification proportionate as an afterthought. The civil society groups raising concerns about this are not opposing digital sovereignty — they are insisting that sovereignty should run in both directions.
