NDPC probes Remita, Sterling Bank over alleged data breach - Businessday NG
Regulatory Enforcement Across Payment Infrastructure Exposes Vendor Accountability Gaps
Why This Matters for Governance and Contractual Risk
The Nigeria Data Protection Commission's simultaneous investigation into Remita Payment Services Ltd. and Sterling Bank signals a structural shift in how regulators enforce data protection across multi-party financial ecosystems. When a regulator probes both a payment processor and its acquiring bank at the same time, it often points to a contractual failure: neither party documented clearly who owns breach response, who carries notification liability, and who must cooperate with the regulator. The outcome of this investigation is likely to shape enforcement expectations well beyond Nigeria, particularly for EU-regulated entities with African payment exposure, where GDPR, NIS2, and DORA obligations intersect with local data protection regimes.
The Controller-Processor Accountability Problem
The NDPC's Notice of Investigation, served April 1, 2026, focuses on breach scope, personal data categories, risk mitigation, and organizational safeguards. This framing reveals a critical regulatory expectation: organizations will be assessed not only on the speed of their breach response but on demonstrable pre-breach contractual governance. Payment infrastructure contracts frequently contain vague or absent data protection schedules. Many agreements never state which party is the data controller and which the data processor under the Nigeria Data Protection Act 2023, leaving it ambiguous who bears primary notification and remediation responsibility. When regulators investigate both parties, they are implicitly assessing whether the contractual documentation was clear enough to prevent that ambiguity.
This has immediate implications for vendor risk management. Organizations cannot rely on generic data processing addenda or assume that industry-standard payment processor agreements address local regulatory expectations. The NDPC investigation will establish whether contractual safeguards were adequate before the breach occurred—shifting liability from reactive incident response to proactive due diligence. Organizations that cannot produce contemporaneous vendor risk assessments, signed data protection schedules, or documented approval of processor security measures will face heightened enforcement exposure.
The Continuous Monitoring and Audit Rights Gap
A critical vendor governance weakness emerges from the investigation's scope: most financial institutions lack contractual rights to conduct continuous monitoring, real-time log review, or penetration testing of payment infrastructure vendors. Many rely on an annual SOC 2 report or periodic security assessment, which attests to controls over a past period and will not surface an intrusion that is under way; breaches can persist undetected for months between assessments. The NDPC's examination of "mitigation measures implemented where a breach is confirmed" suggests regulators will now evaluate whether organizations had contractual mechanisms to detect and respond to threats in real time, not merely to audit historical compliance.
This forces a recalibration of vendor agreements. Payment processor contracts must explicitly grant audit rights, including unannounced security assessments, continuous vulnerability scanning, and incident response participation; testing of shared, multi-tenant processor infrastructure will in practice be scoped and coordinated, so the clause should fix the scope, cadence, and remediation timelines rather than leave them to goodwill. Organizations should audit existing agreements to determine whether they contain: (1) defined response time obligations for vendor breach notification; (2) contractual rights to conduct independent security testing; (3) explicit data location and residency requirements; (4) regulatory cooperation clauses that obligate vendors to participate in investigations; and (5) insurance and indemnification provisions that allocate financial liability across parties. These provisions do not transfer a controller's regulatory accountability to the vendor; what they do is allocate the financial consequences and give the organization the access and evidence it needs to meet its own obligations when the breach originates in vendor infrastructure.
Regulatory Coordination and Multi-Jurisdictional Liability
For EU-regulated entities with Nigerian financial exposure, this investigation underscores an emerging pattern: data protection enforcement is increasingly coordinated across jurisdictions, and breach timelines are compressed. A single incident affecting EU customers could trigger simultaneous obligations under GDPR (notification to the supervisory authority within 72 hours of becoming aware, where feasible), NIS2 (a 24-hour early warning and a 72-hour incident notification for essential and important entities), and DORA (major ICT-related incident reporting for financial entities), each with distinct notification sequencing, regulatory reporting, and liability frameworks. The NDPC investigation suggests that African regulators are adopting similar enforcement rigor, meaning organizations cannot treat emerging market data protection as a lower-priority compliance domain.
The NDPC's statement that it will "extend its review to organisations that utilise digital payment platforms without fully complying with data protection requirements" signals a shift toward supply chain accountability. Organizations that outsource payment processing cannot claim ignorance of vendor security posture. Regulators will assess whether organizations conducted adequate vendor due diligence, documented security requirements contractually, and maintained audit trails demonstrating ongoing oversight. This extends accountability along the payment chain: the banks and integrators that build on a processor can be held to account for that processor's compliance failures.
Systemic Governance Weakness: Contractual Notification Ambiguity
Cybersol's analysis identifies a persistent governance gap that this investigation will likely codify into enforcement precedent: most vendor agreements lack explicit, sequenced notification protocols. Payment infrastructure contracts often contain generic "notify within X days" clauses without specifying: (1) who initiates notification (vendor or organization); (2) what constitutes a reportable breach under local law; (3) whether notification to regulators precedes or follows customer notification; (4) what information the vendor must provide to enable regulatory reporting; and (5) how notification obligations interact with contractual confidentiality clauses.
When regulators investigate both parties simultaneously, they are assessing whether contractual ambiguity prevented timely, accurate breach disclosure. Organizations should immediately review payment processor agreements to ensure notification clauses are unambiguous, sequenced, and aligned with both NDPC requirements and any applicable EU regulatory obligations. The protocol should make clear that the organization's own regulatory clock starts when it becomes aware of a vendor breach, whether or not the vendor has yet supplied full details, so the vendor must deliver at least the minimum information needed for the organization's report on a fixed timeline, and that regulatory cooperation is a non-waivable contractual requirement.
Closing Reflection
The NDPC investigation into Remita and Sterling Bank represents a governance inflection point for payment infrastructure risk. This is not merely an incident response matter; it is a contractual and regulatory accountability event that will shape enforcement standards across African fintech ecosystems. Organizations with payment processing exposure should treat this investigation as a governance stress test: audit vendor agreements immediately, document pre-breach security assessments, and establish continuous monitoring mechanisms that contractually obligate vendors to participate in real-time threat detection. The investigation's outcome is likely to become a de facto contractual standard for payment infrastructure across the region.
For full context and regulatory detail, review the original Businessday NG report.
Source: Businessday NG – "NDPC probes Remita, Sterling Bank over alleged data breach" URL: https://businessday.ng/news/article/ndpc-probes-remita-sterling-bank-over-alleged-data-breach/ Author: Businessday NG