NDPC suspects Chams, Moniepoint and 1367 others of non-compliance with Data Protection Act, issues Notice

The Nigeria Data Protection Commission (NDPC) has commenced a sector-by-sector investigation of organisations suspected of non-compliance with Nigeria’s Data Protection Act (DPA) 2023.

The current audit exercise includes 1,369 companies in gaming (136), banking and other financial institutions (OFI) make up the remaining 1,233. These banking and other financial institutions include pension companies, insurance companies and insurance brokers.

The Commission has not only issued compliance notices to these companies, but it has also published their names in local newspapers on August 25, 2025.

Among these are some of Africa’s tech darlings, like Moniepoint (Moniepoint Microfinance Bank Ltd), and Pocket by PiggyVest (Abeg Technologies Ltd); indigenous public tech firms Chams (Chams PLC), and eTranzact (E-Tranzact International Plc); and local subsidiaries, Cellulant (Cellulant Nigeria Ltd).

The notice allows only 21 days for these companies to provide:

× Sponsored

• evidence of filing NDP Act Compliance Audit Returns for 2024 (in line with Section 6 (d) of the NDP Act)
• evidence of appointing a data protection officer, including name and contact details (S.32)
• summary of organisational and technical measures for data protection within the organisation (S.39)
• evidence of registration as a data controller or processor of major importance (S.44)

The Commission reiterated in a press release that failure to comply with the compliance notice may result in an enforcement order, administrative fine, and/or criminal prosecution in line with the Act.

Under the Nigeria Data Protection Act of 2023, companies found in violation face the greater of a ₦10 million fine or a penalty equal to 2% of their gross revenue from the preceding year. Regulators can also compel firms to pay compensation to affected individuals and surrender profits earned from the violation.

However, the scale of the investigation has raised questions about the regulator’s capacity to review submissions and enforce remedial actions, where necessary.

“It makes the entire exercise look impractical,” said one industry insider who remarked privately. “The NDPC simply doesn’t have the manpower to chase all of them.”