Skip to content

Data protection: Nigerian fintechs may be violating consumer rights

This publication explores how digital credit companies in Nigeria may be violating consumer data and privacy rights

In its modern form, microfinancing became popular on a large scale in the 1970s. The first organization to receive attention was the Grameen Bank, which was started in 1976 by Muhammad Yunus in Bangladesh, a country in South Asia.

The business model of the Grameen bank emerged from the poor-focussed grassroots target. It has been studied over the years and is now a go-to-case study in economics and business schools around the world.

The Model

Groups of five prospective borrowers are formed; in the first stage, only two of them are eligible for, and receive, a loan. The group is observed for a month to see if the members are conforming to rules of the bank.

Only if the first two borrowers repay the principal plus interest over a period of fifty weeks do other members of the group become eligible themselves for a loan.

As a result of these restrictions, there is substantial group pressure to keep individual records clear. In this sense, collective responsibility of the group serves as collateral on the loan.

Modern day credit companies have now adopted digital channels to market loan services, provide loans, manage the loans as well as recover the issued loans.

Truly, technology has the capacity to improve access to credit for individuals and MSMEs. Additionally, technology has the capacity to scale the Grameen Bank's model whilst shrinking the fifty-week timeline to four weeks.

Why bother when there is data?

Digital credit companies in Nigeria have taken a different approach to ensure that loans are repaid with the help of technology whilst possibly violating the customers privacy and data rights and attacking the customer's social reputation.

My investigation has shown that some digital credit companies in Nigeria access consumer's contact list, messages and call records upon sign up. This is done by requesting access to the consumer's contacts, similar to how Google Map request for access to your GPS. The unsuspecting customer will go ahead to approve access.

If the customer defaults on the loan, the credit company leverages access to the customer's contacts.

Redacted Messages to a contact from a digital credit company

They randomly message the consumer's contacts based on the frequency of call or messages.

I spoke to another consumer who has experienced the above, she had this to say:

A friend of mine has received a notification for this before - lol it was not funny.

She called the guy that collected the loan, and he said the loan platform sent it to all the people on his contact list.

Then we were asking, how did they have access to it?  Do they have the right to do that?

Additionally, another customer sent me a message he received from his loan provider in December 2020. The customer confirmed that he took a loan of NGN 15,000($39) but eventually repaid NGN 45,000 ($118).

Message from LionCash to a customer

Socially, the above message could lead to the customer committing suicide. I have left the above message non-redacted to advocate immediate action from the Kenya based service provider, LionCash, now called CashLion Credit in Nigeria.

One can argue that this measure would make the customer pay, but it poses a potential for loss of income to the customer. Imagine that this customer has been chasing a certain business with a potential client and has called this client several times. The customer's potential client receiving the above message may jeopardize that business opportunity.

It is particularly important for fintechs to leverage technology for sales and credit recovery but attacking client social reputation may just be making it difficult for the client to repay and would eventually discourage financial inclusion.


  1. Digital credit companies are advised to desist from collecting more-than-required data in line with Nigeria's NDPR, a local adaptation of GDPR. Access to consumer contact and call records is not legally required as part of the Central Bank's KYC requirement.
  2. The Government is advised to develop a digital credit handbook for credit companies that expressly emphasizes consumer data protection in the modern age. The Central Bank of Kenya has commenced this process in 2020.
  3. Consumers are advised to avoid services that request access to their contact list upon registration.
  4. Digital credit companies could give consumers the capacity to select contacts to be communicated if they default. Random selection is not good practice.

Credit: Information on the Grameen Bank is sourced from the Grameen Bank website.

Nigeria in Focus

Population: 200 million (2019) - World Bank

GDP: $448 billion (2019) - World Bank

GDP Per Capita: $2,230 (2019) - World Bank