Privacy & Data Rights

Bank Discloses Financial Data to Third-Party Lenders Without Consent

Q: You ticked a box agreeing to share data when you opened your account — that is your consent.

Subscribe to The Advocate to see the full rebuttal, legal basis, and practise this response out loud.

Q: This is anonymised data — the NDPA doesn't apply to anonymised information.

Subscribe to The Advocate to see the full rebuttal, legal basis, and practise this response out loud.

Your bank is sharing your financial information with lending platforms — calling it standard practice

Premium intermediate 8 minutes

The Situation

What They Said

“We share credit information with our partner credit bureaus and lending platforms — it's standard practice.”

Nigerian bank customers frequently discover that their financial data — account balances, transaction history, loan repayment records — has been passed to third-party lending platforms and fintech companies without their direct knowledge. With the rapid growth of Nigeria's digital lending sector, banks and microfinance institutions have formed data-sharing arrangements with numerous partners, often justified by vague references to 'industry practice' or fine print in account-opening documents. This practice has real consequences: unsolicited loan offers, negative credit listings, and decisions affecting your ability to access credit. The Nigeria Data Protection Act 2023, the Credit Reporting Act 2017, and CBN consumer protection frameworks together provide robust protections that customers can enforce.

The Fallacy

Industry Standard as Legal Authorisation

The fact that data sharing is widespread in an industry does not make it lawful. 'Standard practice' is a description of what many institutions do — it is not a source of legal authority. Under the NDPA 2023, every transfer of personal data to a third party requires an independently identified lawful basis; the prevalence of a practice among competitors cannot substitute for this. Furthermore, consent obtained through generic terms buried in an account-opening form is unlikely to satisfy the NDPA's requirement that consent be specific, informed, and given for a defined purpose. What is common is not always what is legal.

What the Law Says

Your Legal Foundation

Nigeria Data Protection Act 2023 (No. 14 of 2023)

Section 24 — Lawful Basis for Processing Personal Data

“A data controller shall not process the personal data of a data subject unless at least one of the following conditions is met: the data subject has given consent; processing is necessary for the performance of a contract; processing is necessary for compliance with a legal obligation; or processing is necessary for the legitimate interests of the data controller, provided such interests do not override the data subject's rights.”

Your bank must point to a specific, identifiable lawful basis for sharing your financial data with lending platforms. Saying it is 'standard practice' is not one of the prescribed bases. If the bank cannot identify a valid basis under s.24, the processing is unlawful regardless of how common it is in the industry.

Nigeria Data Protection Act 2023 (No. 14 of 2023)

Section 26 — Requirements for Consent

“Consent shall be freely given, specific, informed and unambiguous. Consent shall not be bundled as a condition for the provision of a service where the processing is not necessary for that service. A data subject may withdraw consent at any time.”

If the bank relies on your consent as the lawful basis, that consent must have been specific — you must have been told exactly which third parties would receive your data and for what purpose. A generic term in a 30-page account-opening document does not constitute valid consent for sharing financial data with lending platforms. You may also withdraw any consent already given.

Credit Reporting Act 2017 (No. 17 of 2017)

Section 15 — Rights of Data Subject in Credit Reporting

“A data subject whose credit information is held by a credit bureau shall have the right to: request access to their credit report; dispute inaccurate information; and be notified when their credit information is shared with a third party.”

You have a statutory right under the Credit Reporting Act to know when your credit information has been shared and to request a copy of your full credit report. If the bank or credit bureau failed to notify you of the disclosure, this is a separate violation under the Credit Reporting Act that can be reported to both the CBN and the NDPC.

CBN Consumer Protection Framework 2016

Section 3.4 — Data Privacy and Confidentiality of Customer Information

“Financial service providers shall not disclose customer information to third parties without the explicit consent of the customer, except as required by law or by a competent authority.”

The CBN Framework independently requires your explicit consent before any disclosure of your financial information to third parties. This means even where the bank claims a contractual basis under the NDPA, it must separately comply with this CBN requirement — 'explicit consent' under the CBN Framework is a higher bar than mere contractual terms.

What Scripture Says

God's Word on This

Psalm 31:20 (NIV)

“In the shelter of your presence you hide them from all human intrigues; you keep them safe in your dwelling from accusing tongues.”

This verse speaks to the safety and protection that comes from being truly known and yet kept secure. Your financial information is deeply personal — it reflects your life, your vulnerabilities, and your plans. When institutions share that information freely without your knowledge, they expose what should be sheltered. The principle here is that those entrusted with sensitive information bear a responsibility of care and protection.

🔒

You Know the Law — But Do You Know What to Say?

Reading your rights is one thing. Using them under pressure — calmly, correctly, in the right words — is what actually protects you. Members get the scripted rebuttal for this exact situation: what to say first, what to say if they push back, the tone to use, and the constitutional provision to cite. Practise out loud with audio until it's automatic.

Unlock This Scenario — R89/month

Identity & Dignity and Gender & Equality are free · All 17 domains from R89/month · Cancel anytime

Not ready to subscribe? Get the free checklist first.

10 South African rights scenarios — what to say, what to cite, what to refuse. Free, no card needed.

What They'll Say Next

Common Counter-Arguments

After you respond, they may push back with these arguments. Members get the full rebuttal for each.

They might say: “You ticked a box agreeing to share data when you opened your account — that is your consent.”

🔒 Subscribe to see the full rebuttal and legal counter-argument.

They might say: “This is anonymised data — the NDPA doesn't apply to anonymised information.”

🔒 Subscribe to see the full rebuttal and legal counter-argument.

Know Your Rights. Know Your Word.

149 South African rights scenarios — exact rebuttals, constitutional law, and Scripture. Practise out loud with audio. Free to start with 2 full domains.

Try Free — Identity & Dignity

No credit card · Upgrade anytime for all 17 domains