By Olumide Babalola

By a Circular dated 12 March 2026, the Central Bank of Nigeria (CBN) issued an Addendum to the Revised Regulatory Framework for Bank Verification Number (BVN) Operations and Watchlist for the Nigerian Banking Industry. Among its provisions is a particularly consequential clause as follows: “Amendments to phone numbers linked to a BVN shall be allowed only once.”

At first glance, this may appear to be an administrative or anti-fraud measure. However, from a privacy, data protection, and consumer rights perspective, the implications are far-reaching and require careful examination.

This article interrogates the legal, practical, and human rights consequences of this restriction within the framework of Nigerian law, particularly the Nigeria Data Protection Act (NDPA) 2023.
Understanding the Role of Phone Numbers in BVN

The BVN system is a biometric-based identification framework designed to uniquely identify bank customers and reduce fraud within the Nigerian banking system. As part of BVN enrolment, customers are required to provide personal data, including their phone numbers. These phone numbers serve multiple functions including authentication and transaction alerts, two-factor verification (2FA), communication between banks and customers and linkage across financial institutions

Thus, the phone number is not merely ancillary personal data, it is a critical identifier within Nigeria’s financial ecosystem. Moreover, with the rapid proliferation of FinTech companies and fully digital banking platforms, telephone numbers have increasingly evolved beyond their traditional communication function. They now serve as critical financial identifiers, often doubling as account numbers while also being directly linked to customers’ BVN. This convergence enhances convenience and accessibility for users, enabling seamless transactions and identity verification, but it also underscores the growing importance of safeguarding personal phone numbers within the financial ecosystem.

The Amendment: A Restriction on Data Updating
The new rule restricts customers to a single opportunity to amend the phone number linked to their BVN. This raises a fundamental question: Can a data subject’s ability to update their personal data be legitimately restricted in this manner?

Under the NDPA, data subjects have the right to request correction of inaccurate or outdated personal data. A phone number, by its nature, is dynamic and prone to change due to: loss or theft of SIM cards; network changes; regulatory SIM re-registration requirements and/or personal security concerns. Restricting amendment to a single instance may conflict with the right to rectification, particularly where data becomes inaccurate after the single permitted change.

Further, the NDPA mandates that personal data must be: “accurate, complete, not misleading and where necessary kept up to date.” A rigid limitation on updating phone numbers may result in: outdated contact information, increased risk of failed authentication and/or potential exposure to fraud. This raises compliance concerns for financial institutions acting as data controllers.

Data processing must be fair, lawful, and proportionate. While the CBN’s objective may be to curb fraud and identity manipulation, the measure must be balanced against individual rights. The “one-time amendment” rule may be seen as disproportionate, especially where less restrictive alternatives exist, such as: enhanced verification procedures, multi-factor authentication for changes and audit trails and monitoring Ironically, restricting updates could create new security vulnerabilities where individuals are unable to update compromised numbers due to their BVNs’ continued linkage to stolen or recycled SIM cards or increased exposure to social engineering attacks Thus, a rule intended to enhance security may inadvertently weaken it.

Regulatory Justifications and Counterarguments
While it is important to acknowledge that the CBN’s uncommunicated rationale which may likely include preventing identity fraud, limiting unauthorized BVN modifications and strengthening the integrity of the banking system, it is our respectful opinion that, regulatory measures must still align with data protection principles and human rights standards.

This was judicially emphasised by the High Court of Lagos State when My Lord, Y.A. Adesanya, J. held that: “The provision of the CBN Consumer Protection Framework Guidelines on Disclosure and Transparency relied on by the Respondent Bank cannot override the provision of the Nigeria Data Protection Act” (See Suit No. LD/17392MFHR/2024 between Tokunbo Olatokun and Polaris Bank Limited delivered on the 5th day of December 2024)

In appropriate and justifiable circumstances, the provisions of the Framework on Bank Verification Number (BVN) should not be interpreted or applied in a manner that overrides or diminishes the supremacy and protections afforded under the Nigeria Data Protection Act (NDPA). This is particularly significant in relation to the data subject’s right to rectification, as well as the overarching principle of data accuracy.

Accordingly, where there are inconsistencies, inaccuracies, or outdated personal data within the BVN system, data subjects must retain the unfettered right to request and obtain corrections. Any operational or regulatory constraints imposed by the BVN Framework must therefore yield to the NDPA’s clear mandate that personal data be accurate, complete, and kept up to date, ensuring that individuals are not prejudiced by erroneous records within the financial identification ecosystem.

Recommendations
To achieve a balance between security and rights, it is recommended that the existing one-time amendment limitation be replaced with a more flexible framework that permits controlled and verifiable updates. Such an approach would allow data subjects to correct inaccuracies as they arise, while still maintaining safeguards to prevent abuse through clearly defined conditions, validation processes, and oversight mechanisms.

Furthermore, enhanced identity verification protocols should be introduced for every amendment request. By implementing multi-factor authentication and rigorous validation procedures, the CBN can ensure that only duly authorized individuals are able to effect changes to BVN records, thereby mitigating the risks of fraud and unauthorized alterations.

In addition, there is a need to maintain comprehensive and tamper-resistant audit trails for all BVN-related modifications. These records should capture detailed information about each change request, including the nature of the change, the identity of the requester, the verification steps undertaken, and the approving personnel and authority, thus promoting transparency and accountability.

There should also be provision for clearly defined exception mechanisms to address legitimate cases where standard procedures may prove inadequate. Such mechanisms should be carefully structured to

provide necessary flexibility without compromising system integrity, ensuring that genuine data subjects are not unfairly restricted.
Finally, BVN operations should be explicitly aligned with the provisions and principles of the NDPA. This alignment should ensure that key rights, particularly the right to rectification and principles such as accuracy, fairness, and accountability are fully embedded within BVN governance, policies, and operational practices.

Conclusion
The CBN’s amendment represents a significant shift in the governance of identity data within Nigeria’s financial system. While the objective of fraud prevention is legitimate, the means adopted raise serious concerns from a data protection, privacy, and consumer rights perspective. Ultimately, effective regulation must strike a careful balance between security and individual rights. A rigid, one-time amendment rule risks undermining this balance and may invite legal, operational, and societal consequences if not reconsidered.

______________________________________________________________________ [A MUST HAVE] Evidence Act Demystified With Recent And Contemporary Cases And Materials
“Evidence Act: Complete Annotation” by renowned legal experts Sanni & Etti.
Available now for NGN 40,000 at ASC Publications, 10, Boyle Street, Onikan, Lagos. Beside High Court, TBS. Email publications@ayindesanni.com or WhatsApp +2347056667384. Purchase Link: https://paystack.com/buy/evidence-act-complete-annotation ______________________________________________________________________ ARTIFICIAL INTELLIGENCE FOR LAWYERS: A COMPREHENSIVE GUIDE Reimagine your practice with the power of AI “...this is the only Nigerian book I know of on the topic.” — Ohio Books Ltd Authored by Ben Ijeoma Adigwe, Esq., ACIArb (UK), LL.M, Dip. in Artificial Intelligence, Director, Delta State Ministry of Justice, Asaba, Nigeria. Bonus: Get a FREE eBook titled “How to Use the AI in Legalpedia and Law Pavilion” with every purchase.

How to Order: 📞 Call, Text, or WhatsApp: 08034917063 | 07055285878 📧 Email: benadigwe1@gmail.com 🌐 Website: www.benadigwe.com

Ebook Version: Access directly online at: https://selar.com/prv626

________________________________________________________________________ The Law And Practice Of Redundancy In Nigeria: A Practitioner’s Guide, Authored By A Labour & Employment Law Expert Bimbo Atilola _______________________________________________________________________