Collection of Customers’ Social Media Information by Banks: An Examination of Legal Propriety

The regulator of the Nigerian financial system, the Central Bank of Nigeria (“CBN”), on June 20, 2023, issued the Customer Due Diligence Regulations (“Regulations”). This is ostensibly as a reaction to Nigeria being name-checked by the Financial Action Task Force (“FATF”) as a jurisdiction under increased monitoring.

The Regulations – though well-intentioned and designed to contribute its quota to the larger fight against financial crime – are not without controversy. The provision of the Regulations that has drawn the most ire from the public is the new requirement that banks collect the social media handles of customers as part of Know Your Customer (“KYC”) verifications (“SM Collection Requirement”) 1.

In this paper, we examine the legal propriety – including the constitutionality – of the SM Collection Requirement. We find that the Regulations are likely on the wrong side of our data privacy laws, including, most grievously, the Constitution of the Federal Republic of Nigeria, 1999 (as amended) (“Constitution”). In this paper, we review and provide our thoughts on the SM Collection Requirement from the perspective of legality.

The Crux of the Matter

The Regulations mince no words in creating the SM Collection Requirement. To be sure, per the Regulations, a financial institution is required to obtain from a customer such customer’s “social media handle.”2. The SM Collection Requirement also extends to a juristic person (that is, a non-natural person) from whom its banker is to collect its (the juristic person’s) “social media address.” 3.

The SM Collection Requirement must be understood in a different light from the collection, by financial institutions, of such garden-variety contact information as phone numbers, email addresses, and physical addresses. The fundamental difference between these other, afore-mentioned class of contact information on one hand and social media information on the other is that unlike the latter (that is, social media information), the former (phone numbers, physical address, etc.) constitutes vital 
details linking an account holder to his or her account and pertinent for keeping him or her informed on developments on the account.

For instance, a bank typically sends credit and debit information relating to an account holder’s account to his or her email address or phone number. Correspondences on existing or proposed loans may also be sent by surface mail to the account holder’s physical address. On the other hand, the social media information of an account holder is not of any apparent necessity to the opening and 
sustenance of a bank account, which accentuates its superfluity as far as the creation and sustenance of a bank account is concerned.

It is clear therefore that the SM Collection Requirement is not all too consistent with the principle of data minimization. In effect, the principle of data minimization stipulates that, as much as possible, the collection of personal data should be limited to such data as are absolutely necessary to achieve a given end.

The principle of data minimization has indeed been absorbed into Nigerian data law, having received legislative fillip in both the NDPA and the Nigeria Data Protection Regulations, 2019. The NDPA, for instance, is clear that data processors (such as financial institutions) “shall” limit data that may be collected for a purpose to personal data that are “adequate, relevant and limited to the minimum necessary for the purposes for which the personal data was collected or further processed.”4.

A rule of thumb of statutory interpretation is that the use of the word “shall” in the NDPA denotes obligation and compulsoriness. 5. It follows, therefore, that the NDPA’s use of “shall” in relation to the minimality of data to be collected means that there is an obligation on data processors(such as banks) to minimize the data they collect from customers and restrict what is collected to such personal data that is “necessary” for the “purpose” of “[the] collect[ion].”

Although while an argument can certainly be made (X) on the basis of the “lex specialis” doctrine that the Regulations (being a specific law for the governance of the KYC endeavours of financial institutions made under the unction of the Central Bank of Nigeria Act, 2007) trumps the NDPA (an agnostic law on data protection generally), there remains a key risk that in a litigation scenario, an adjudicating court may either hold that (Y) the Regulations (an administrative, subsidiary law) must kowtow to the NDPA (an Act of the National Assembly) 6 or (Z) it is the NDPA (a data-specific legislation) that must take precedence over the Regulations (a legislation that caters to financial institutions generally). 

Since the Regulations are yet to be weighted against the NDPA in court, it is unclear where the judicial pendulum would swing, but the key risks identified in (Y) and (Z) exist and cannot simply be wished away. In any event, if the court reaches the determination identified in (Y) and (Z), then the apologists or proponents of the SM Collection Requirement would have to satisfy the court that the SM Collection Requirement is of necessity for the purpose of its collection.

What then – the question inevitably becomes – is the purpose of the SM Collection Requirement? It would be difficult, in a litigation scenario where the validity of the SM Collection Requirement is under the judicial microscope, for its apologists to sustain any argument that the SM Collection Requirement is “necessary” for the “purpose” of use by financial institutions to open and/or maintain bank accounts. Such an argument is likely to fall on its own sword, as, historically, bank accounts have been opened without customer social media information. 

The SM Collection Requirement would therefore only survive if its apologists were able to convince an adjudicating court that it (that is, the SM Collection Requirement) is necessary for the purpose of the Regulations (that is, the enhancement of the ongoing CBN-led efforts in respect of money laundering, the financing of terrorism, and countering proliferation financing of weapons of mass destruction). 

In any event, it is clear based on this analysis that the SM Collection Requirement passing muster in the face of any judicial scrutiny is far from straightforward and guaranteed.

Further, it is not all too certain that the SM Collection Requirement is consistent with the privacy provisions of the Constitution. The Constitution famously guarantees the “privacy of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.” 7 While the foregoing privacy provision of the Constitution is far from absolute,8 for the SM Collection Requirement not to be in breach of the Constitution, it must demonstrably either be “in the interest of [national] defence, public safety, public order, public morality or public health” 9 or it must be “for the purpose of protecting the rights and freedom of other persons.”10.

Additionally, it must be “reasonably justifiable in a democratic society” in order to come under the Section 45 exemption.11 It stands to reason therefore that the SM Collection Requirement when tested by a court in the future would pass the constitutionality test if its apologists or proponents demonstrate that it is necessary for the “public good” within the contemplation of section 45 of the Constitution. The constitutionality of the SM Collection Requirement, in the absence of an affirming
judicial decision, remains far from settled.

On this basis, it would not be out of place for the CBN to pre-emptively go to work by revising the Regulations to expunge the SM Collection Requirement so that there can be certainty as to the alignment of the Regulations with extant governing primary laws such as the Constitution and the NDPA.

In reopening the dossier on the SM Collection Requirement, it would perhaps be helpful for the CBN to bear in mind that the SM Collection Requirement may further accentuate the financial exclusion of the so-called unbanked and underbanked population, who may not be on social media. Per reports, only about 16% of Nigeria’s 200 million-person-strong population are even active on social media.12

On the foregoing issues, the Regulations pose more questions than they provide

answers.

Conclusion 

Given Nigeria’s well-documented challenges with national (in)security and the strategic desirability of keeping Nigeria off the “blacklist” of influential global watchdogs such as the FATF, one may say that the elaborate provisions of the Regulations are in good faith. 

While requiring immediate enforcement, some of the provisions of the Regulations should be revisited to (i) achieve full alignment with the data minimization bent of the NDPA and (ii) ensure that members of the population without social media accounts are not inadvertently prejudiced or denied rights to own bank accounts.

1 Regulations, para 6(a)(iv).
2 Ibid. 
3 Regulations, para. 6(b)(iii). 
4 NDPA, s. 24(1)(c)

5 Balonwu et al. v. Governor Anambra State et al. (2008) LPELR-4907 (CA). 
6 See African Natural Resources & Mines Ltd. v. SS Minerals Resources Ltd et al. (2021) LPELR-551551 (CA).
7 Constitution, s. 37. 
8 See, for instance, FRN v. Daniel (2011) LPELR-4152 (CA).
9 Constitution, s. 45(1)(a).
10 Constitution s, 45(1)(b). 
11 Constitution, s. 45.

12 Editorial, “Number of Social Media Users in Nigeria 2017-2023” May 23, 2023, https://www.statista.com/statistics/1176096/number-ofsocial-media-users-nigeria/#:~:text=As%20of%20January%202023%2C%20Nigeria,social%20media%20platforms%20in%20Nigeria. Accessed August 21, 2023. 

--

Read the original publication at G. Elias & Co.