Recently, the Nigeria Inter-Bank Settlement System (NIBSS)[1] in collaboration with the Central Bank of Nigeria (CBN), developed the iGree platform, as a data protection measure to provide bank customers with more control over their Bank Verification Number (BVN) and how it is used. This development was in furtherance of a directive issued in July 2022 by the CBN – the apex regulatory authority in the banking industry and the issuer of the BVN – to alter the process for BVN data retrieval through the NIBSS.
The CBN introduced the BVN in 2014, as a means of ensuring that every bank account holder in the country has a unique identifier. However, the use of the BVN has come under scrutiny due to concerns about privacy and data protection. For instance, concerns have been raised about the use of the BVN for purposes other than its intended use, such as for data mining and profiling. Additionally, some financial institutions have been accused of sharing customers’ BVN information with third parties without their consent. With the increased sharing and processing of personal data online via electronic banking, use of the social media, internet research, online learning, and automated advertising, the new BVN consent management platform, called "iGree", has been developed in response to these concerns.
With iGree, customers can give or withhold consent to the use of their BVN information by financial institutions or third-party organizations. This means that customers have the power to decide how their personal information is used, which is a significant step towards data protection in the Nigerian financial services sector. The iGree platform, which became effective on Friday, 31st March 2023, is a centralized platform that performs consent management functions for web and mobile applications integrated into a merchant’s onboarding process, to enable NIBSS, who acts as administrator of the platform, to collect consent directly from BVN holders to having their data accessed for processing[2]. Several digital banking platforms, like Flutterwave[3], have introduced this layer into their BVN endpoint, and it is relatively user friendly. To verify a BVN, the holder will complete a few steps on the iGree interface to grant NIBSS consent to release the holder’s information. The holder provides his BVN number, completes a 2-step verification using an OTP, and click “allow” to grant access to his BVN data. This process may be incorporated into the merchant app.
The iGree is essentially a consent management system. Consent management can be described as a process, system or set of policies which informs customers on how businesses collect and use their data and gives them the opportunity to consent or object to such processing, providing them with privacy controls and transparency[4]. In light of the rights bestowed on data subjects by the Nigeria Data Protection Regulation of 2019 (“NDPR"), such as the right to object to processing, the data privacy conversation has widened to consider ways through which data subjects[5] can control their online footprint, safeguard it from misuse or unauthorized use, and update their preferences whenever they wish.
It is important that any consent management framework is in harmony with existing data protection and privacy laws. In this case, the NDPR and its Implementation Framework (2020). Section 2.3 of the NDPR provides that no data shall be obtained unless the specific purpose for its collection is made known to the data subject, and the consent of the data subject obtained thereafter. Consent is not to be obtained by fraud, coercion, or undue influence, for it to be valid. Therefore, the BVN holder must give informed consent to the accessing and collection of his data and such collection must not be tainted with fraud, coercion, or undue influence. A consent management system that fails to ensure that the customer’s informed consent is obtained legally would be in breach of the provisions of the NDPR.
A careful analysis of the iGree system shows that it complies with the consent provisions of the NDPR, as it ensures that, whenever institutions seek access to a customer’s BVN data, the customer is notified and given the choice to give or withhold his consent. This also ensures that both the banks and the CBN are fully compliant with the NDPR requirement that data controllers should obtain consent from data subjects before processing their personal data. In addition, a verification process which entails the use of an OTP sent to the customer’s phone number or email address by the NIBSS is also provided. This protects the customer’s data from data breaches and ensures privacy and control. The platform uses advanced security features to ensure that only authorized parties have access to customers’ BVN information once consent has been obtained. This helps to protect customers’ personal information from unauthorized access, thus complying with the security principle for data protection.
Additionally, the principle of transparency in personal data processing is upheld. Due to the requirement for financial institutions and third parties to obtain consent before using BVN information, customers are now fully aware of how their personal information is being used among these institutions and can better understand how to exercise their rights in these instances. This transparency in processing could ultimately promote trust between financial institutions and their customers, which is a key factor for success in the sector.
In conclusion, the iGree platform is an important step towards compliance with data protection requirements in Nigeria. By giving customers more control over their personal information and promoting transparency in the use of BVN information, iGree helps to promote trust between financial institutions and their customers. Additionally, the platform helps to prevent unauthorized access to customers’ BVN information – a significant step towards data protection in Nigeria, particularly the financial services sector. It is hoped that the new BVN consent management system will improve the protection of BVN holders’ personal data from criminal breach. It is therefore essential that banks fully implement the system and ensure that they are fully compliant with the data protection regulations to enhance the security and stability of the Nigeria's banking sector.
DISCLAIMER: This publication is only intended to provide general information on the subject matter and does not by itself create a client/attorney relationship between readers and our Law Firm or serve as legal advice. We are available to provide specific advice on the subject of this newsletter, as may be required.
[1] Nigeria Inter-Bank Settlement System Plc
[2] QoreID, ‘Introducing iGree: The New BVN Consent Management System’ (Medium, February 10, 2023) accessed 4 April 2023
[3] Rotimi Okungbaye, ‘The New BVN Consent Management Platform, Flutterwave and You’ (Flutterwave, March 30, 2023) https://flutterwave.com/us/blog/the-new-bvn-consent-management-platform-flutterwave-and-you accessed 4 April 2023
[4] Osano Staff, ‘Consent Management 101: Everything You Need to Know’ (Osano,April 1, 2022) accessed 4 April 2023
[5] This includes bank customers, as can be inferred from the definition of data subjects under Regulation 1.3 of the NDPR 2019 which defines a data subject as any person who can be identified directly or indirectly, by reference to an identification number or to one or more factors specific to his psychological, mental, economic, cultural or social identity.