
Uncovered in Nigeria: Widespread Financial Swindle Utilizing Stolen Data and Collaborating with Fintech Enterprises, as Investigated by the Economic and Financial Crimes Commission (EFCC)

Unscrupulous fintech companies are accused of purchasing pilfered personal and biometric data from a vast network of over 12,000 individuals spanning Nigeria for the purpose of perpetrating unlawful financial activities. The Economic and Financial Crimes Commission claims that these individuals...


In a startling revelation, the Economic and Financial Crimes Commission (EFCC) in Nigeria has exposed a large-scale fraud operation involving several fintech companies. The operation is accused of buying stolen personal and biometric data for illegal financial activities, such as investment scams, money laundering through cryptocurrency transactions, and defrauding Nigerians.

The stolen data, which includes National Identification Numbers (NIN), Bank Verification Numbers (BVN), and other personal details, is typically used to open new accounts at microfinance banks or fintech institutions. The network of individuals involved in this operation, known as "Account Suppliers" or the "KYC Group," convinces Nigerians to surrender their personal identification information for small payments.

The EFCC's allegations suggest a critical vulnerability in the Know Your Customer (KYC) processes of some digital financial platforms. The scheme implies that KYC protocols are either being circumvented or are vulnerable to manipulation with high-quality stolen data.

To combat these emerging threats, the EFCC is working to recover the stolen funds and has made several arrests in connection with these scams. The agency's statement signals potential for heightened scrutiny and regulatory actions within the fintech industry.

Nigeria has several regulatory measures to combat fraudulent activities involving the sale of stolen personal and biometric data in its fintech industry. The Nigeria Data Protection Act (NDPA) of 2023 mandates that data controllers and processors, including fintech companies, maintain the confidentiality, integrity, and security of personal data. Fintech platforms are required to strictly verify the origin of Know-Your-Customer (KYC) data to prevent the use of illicitly obtained information.

While robust legal frameworks exist, challenges remain in effective implementation and institutional oversight. The Nigeria Data Protection Commission (NDPC) plays a critical role in enforcing data protection regulations and sanctioning violations under the NDPA. The Central Bank of Nigeria (CBN) also ensures proper regulatory oversight of fintech operations and adherence to cybersecurity best practices.

In addition to data protection laws, fintech companies must comply with licensing requirements set by the CBN and related authorities. The NDPA also establishes mandates on consent, lawful processing, and data subject rights, with penalties for breaches.

While some fintechs globally are adopting proactive AI-powered fraud prevention technologies, specific details about their deployment in Nigerian fintechs were not available.

The EFCC's findings raise significant concerns about the strength of security and compliance measures within the fintech industry. The public is advised not to act as "Account Donors" for any financial gain, and to be vigilant against fraudulent activities.

The fraud operation also uses malware concealed within promotional offers and fake discounts on tickets from a prominent foreign airline. Victims are instructed to make a small ₦500 payment, presented as a "charity" donation, which leads them to download a malicious version of the airline's app, granting unauthorized access to their device and banking details.

The EFCC is actively investigating this operation and emphasizes prosecution of suspects as part of its enforcement efforts. The agency encourages the public to report any suspicious activities to the appropriate authorities.

  1. The stolen personal and biometric data, often obtained from ordinary Nigerians for small payments by "Account Suppliers" or the "KYC Group," is typically used to open new accounts at microfinance banks or fintech institutions, highlighting a potential weakness in financial inclusion through these digital platforms.
  2. In response to increasing instances of fraud, the Nigeria Data Protection Act (NDPA) of 2023 mandates that fintech companies maintain the confidentiality, integrity, and security of personal data, and requires strict verification of KYC data to prevent the use of illicitly obtained information.
  3. Despite the robust legal frameworks in place, challenges persist in the effective implementation and institutional oversight of these data protection regulations, with organizations like the Nigeria Data Protection Commission (NDPC) and the Central Bank of Nigeria (CBN) playing critical roles in enforcing compliance and ensuring regulatory actions within the fintech industry.
