Research Directorate, Immigration and Refugee Board of Canada, Ottawa

1. Obtaining a SIM Card

The Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011 provides that mobile telephone service providers must capture and register the "biometrics and other personal information" of their customers before activating a new SIM card (Nigeria 2011, Art. 11-12). The data is then uploaded to a central database administered by the National Communication Commission (NCC) [1] (Nigeria 2011, Art. 6).

According to sources, facial image and fingerprints are required as biometric information that must be provided for [telephone] subscribers (Paradigm Initiative and Privacy International Mar. 2018, para. 40; The Nation 4 Sept. 2018), along with "other personal information" (Paradigm Initiative and Privacy International Mar. 2018, para. 40). In addition, The Nation, a Nigerian newspaper, states that the following personal information must be registered: full name, mother's maiden name, gender and date of birth (The Nation 4 Sept. 2018). The same source also indicates that proof of identity must be shown upon registration: "National Identity Card, [i]nternational [p]assport[,] [d]river's [l]icence" or, in rural areas, a "[l]etter of authentication [from a] traditional ruler/community leader, affixed with [a] passport photograph" (The Nation 4 Sept. 2018).

MTN, a Nigerian telecommunications service provider, states that the following identity documents can be used for SIM card registration: Voter's Card, driver's licence, national ID card, passport, valid student ID card, E-tax card or a letter of authentication from a "traditional ruler/community leader" (MTN n.d.). Corroborating information could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.

According to Vanguard, a Nigerian daily newspaper, since its launch in 2011, SIM card registration in Nigeria has been "poor" (Vanguard 1 Nov. 2017). The same source reports that in late October 2017, the Nigerian Chief of Army Staff raised concerns over the "proliferation of unregistered SIM cards" (Vanguard 1 Nov. 2017). Corroborating information could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.

2. Opening a Bank Account

According to their respective websites, Nigerian banks Zenith Bank and Guaranty Trust Bank (GTBank) request the following to open a bank account:

• One [recent] passport photo;
• Identification document: driver's licence, passport or national ID card [or Voter's Card (Zenith Bank n.d.a) or "any other acceptable identification document deemed fit by the bank" (GTBank n.d.a)];
• Two references;
• Utility bill issued within the last three months (Zenith Bank n.d.a; GTBank n.d.a).

The same banks indicate on their respective "[a]ccount [o]pening" forms that the customer applying for a bank account must provide the following information:

• Branch and account number;
• Bank Verification Number (BVN);
• Personal information: title, surname, first name, other names, mother's maiden name, date and place of birth, gender, nationality, state of origin, marital status, local government area (LGA) [of origin (GTBank n.d.b)], Tax ID number (TIN), phone number(s), email address, residential address (including state, LGA and city/town), residence permit number, residence permit issue and expiry dates, means of identification [(National ID card, driver's licence, passport, Voter's Card or other) and number of the ID document (Zenith Bank n.d.b)], ID document issue and expiry dates;
• Details of next of kin: title, names and surname, date of birth, gender, relationship, phone numbers, email address and home address;
• Employment details: employment status, annual salary/expected annual income, employer's name and address;
• Additional details: name(s) of "[b]eneficial [o]wner(s) (if any)," sources of funds to the account [and "[o]ther [s]ources of [i]ncome (if any)" (Zenith Bank n.d.b)] (Zenith Bank n.d.b; GTBank n.d.b).

In addition, GTBank's form requests the following information:

• Personal information: educational level, name and birth date of first child, whether the customer has citizenship or residency in any other country, and social security number;
• Additional details: spouse's name if applicable, spouse's date of birth, spouse's occupation, [spouse's] phone numbers, sources of funds to the account, name of associated business(es) (if any), type of business and business address;
• Information on accounts held with other banks (GTB n.d.b).

Zenith Bank's form also lists the following fields of information: home town; "[r]eligion (optional)" (Zenith Bank n.d.b).

2.1 BVN

According to sources, the BVN project aims to create a unique identity number for each person holding bank account(s) in Nigeria (Paradigm Initiative and Privacy International Mar. 2018, para. 36; NIBSS n.d.). For further information on the BVN, see Response to Information Request NGA106108 of May 2018.

3. Third Party Access to Information

Information on the access of third parties to SIM card and bank account information could not be found among the sources consulted by the Research Directorate within the time constraints of this Response. However, the following information on general access to personal information in Nigeria may be useful.

3.1 Data Protection Legislation and Implementation
3.1.1 SIM Card Central Database

The Nigerian Communications Commission (Registration of Telephone Subscribers) Regulations, 2011 provides that the information of mobile telephone subscribers registered in the central database can only be provided to security agencies and that the request must be made in writing by "an official of the requesting Security Agency who is not below the rank of an Assistant Commissioner of Police or a co-ordinate rank of any other Security Agency" (Nigeria 2011, Art. 8). According to the same source, mobile telephone service providers must obtain the subscriber's written consent before disclosing their personal information to a third party, excluding security agencies (Nigeria 2011, Art. 10).

However, sources report that, according to the head of the NCC's Projects Department, "the Office of the National Security Adviser (ONSA) has a direct link to" the NCC's SIM card registration database in order to facilitate the monitoring and apprehension of criminals (Daily Trust 6 Mar. 2018; TechCity 8 Mar. 2018).

3.1.2 BVN Data

According to the Central Bank of Nigeria (CBN)'s Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry,

1. Parties involved in the BVN operations, shall put in place, secured hardware, software and encryption of messages transmitted through the BVN network;
2. BVN data shall be stored within the shores of Nigeria and shall not be routed across borders without the consent of the CBN;
3. Users of the BVN information shall establish adequate security procedures to ensure the safety and security of its information and those of its clients, which shall include physical, logical, network and enterprise security; and
4. Parties to the BVN operations shall ensure that all information that its employees have obtained in the course of discharging their responsibilities shall be classified as confidential. (CBN 18 Oct. 2017, 9)

The same source indicates in section 1.6 that the following entities can access BVN information, subject to the approval of the CBN: DMBs [Deposit Money Banks], OFIs [other financial institutions], MMOs [Mobile Money Operators], PSPs [Payment Service Providers], law enforcement agencies, credit bureaus and "[o]ther entities as applicable" (CBN 18 Oct. 2017, 8-9). In July 2018, media sources reported that section 1.6 of the CBN's framework for access to BVN information was amended to add the requirement of obtaining a "'valid [c]ourt [o]rder'" before the disclosure of BVN information (Daily Post 13 July 2018; Business Post 15 July 2018).

However, a report produced for the UN's Universal Periodic Review of Nigeria prepared by Paradigm Initiative and Privacy International [2] states that the BVN program has "few mandatory data security measures and falls short of adequately protecting banking customers' personal information" (Paradigm Initiative and Privacy International Mar. 2018, para. 37). The source explains that the data collecting entities' security obligations are defined in broad terms, so there is "little guidance as to what safeguards are called for when they collect sensitive information from customers" (Paradigm Initiative and Privacy International Mar. 2018, para. 37). In addition, financial institutions are not subjected to monitoring mechanisms to ensure they respect their security obligations (Paradigm Initiative and Privacy International Mar. 2018, para. 37). The source also states that because the BVN directive was issued by the CBN, it does not hold the CBN "accountable with respect to data protection" (Paradigm Initiative and Privacy International Mar. 2018, para. 37). Further and corroborating information could not be found among the sources consulted by the Research Directorate within the time constraints of this Response.

This Response was prepared after researching publicly accessible information currently available to the Research Directorate within time constraints. This Response is not, and does not purport to be, conclusive as to the merit of any particular claim for refugee protection. Please find below the list of sources consulted in researching this Information Request.

Notes

[1] According to its website, the Nigerian Communications Commission (NCC) is the "independent National Regulatory Authority for the telecommunications industry in Nigeria" (Nigeria n.d.).

[2] The Paradigm Initiative is a non-profit organization that advocates for digital rights for under-served youth in Africa, including Nigeria (Paradigm Initiative and Privacy International Mar. 2018, para. 1). Privacy International is a "human rights organisation that works to advance and promote the right to privacy around the world," including to "ensure that surveillance is consistent with the rule of law" (Paradigm Initiative and Privacy International Mar. 2018, para. 1).

References

Business Post. 15 July 2018. Dipo Olowookere. "Don't Release Customer's BVN Without Court Order - CBN Warns Banks." [Accessed 8 Feb. 2019]

Central Bank of Nigeria (CBN). 18 October 2017. Regulatory Framework for Bank Verification Number (BVN) Operations and Watch-List for the Nigerian Banking Industry. [Accessed 8 Feb. 2019]

Daily Post. 13 July 2018. Chijioke Jannah. "Demand Court Order Before Releasing Customer's BVN - CBN Tells Banks." [Accessed 8 Feb. 2019]

Daily Trust. 6 March 2018. Zakariyya Adaramola. "Why ONSA Has Direct Link to SIM Registration Data Base - NCC." [Accessed 8 Feb. 2019]

Guaranty Trust Bank (GTBank). N.d.a. "Individual Current Account." [Accessed 8 Feb. 2019]

Guaranty Trust Bank (GTBank). N.d.b. "Account Opening Form - Individual. Form A (Tier 2)." [Accessed 8 Feb. 2019]

MTN. N.d. "SIM Registration Centers." [Accessed 8 Feb. 2019]

The Nation. 4 September 2018. Lucas Ajanaku. "SIM Card Registration Blues." [Accessed 8 Feb. 2019]

Nigeria. 2011. Nigerian Communication Commission (Registration of Telephone Suscribers) Regulations, 2011. [Accessed 8 Feb. 2019]

Nigeria. N.d. Nigerian Communications Commission (NCC). "About the NCC." [Accessed 12 Feb. 2019]

Nigeria Inter-Bank Settlement System (NIBSS). N.d. "About BVN." [Accessed 12 Feb. 2019]

Paradigm Initiative and Privacy International. March 2018. The Right to Privacy in Nigeria. [Accessed 8 Feb. 2019]

TechCity. 8 March 2018. Paul Adepoju. "National Security Adviser Has Access to NCC's SIM Registration Database." [Accessed 7 Feb. 2019]

Vanguard. 1 November 2017. Prince Osuagwu. "8 Years After, Poor SIM Card Registration Still Affects National Security." [Accessed 8 Feb. 2019]

Zenith Bank. N.d.a. "Individual Current Account." [Accessed 8 Feb. 2019]

Zenith Bank. N.d.b. "Individual Account Opening Form." [Accessed 8 Feb. 2019]

Additional Sources Consulted

Oral sources: Canada – Immigration, Refugees and Citizenship Canada, visa office in Lagos; Civil Society Legislative Advocacy Centre.

Internet sites, including: Amnesty International; Australia - Department of Foreign Affairs and Trade; BudgIT; Civil Society Legislative Advocacy Centre; ecoi.net; EU – European Asylum Support Office; Factiva; France – Office français de protection des réfugiés et apatrides; Freedom House; Global Integrity; Global Witness; Human Rights Watch; Nigeria – National Bureau of Statistics; This Day; Transparency International; UN – Office on Drugs and Crime; US – Department of State.