The fusion of financial institutions and technology (fintech) is unarguably the next big trending industry globally. Fintechs in Nigeria are not left out. According to a census carried out by EY the total amount of fintenchs in Nigeria’s fintech landscape is 290. Examples of Nigerian fintechs include the likes of Interswitch, Piggyvest, Cowrywise, Kudabank, Vbank, Remita, Flutterwave, and Chipper Cash. From 2014 and 2019, Nigeria’s fintech scene raised more than $600million in funding, while attracting 25 per cent ($122million) of the $491.6million raised by African tech startups in 2019 alone, which was the second-highest after Kenya at $149million. These numbers show the enormous potential of the Nigerian fintech industry.
For this reason, the regulatory space of fintechs has experienced a lot of back and forth. The regulatory bodies in this industry include the Central Bank of Nigeria (CBN), Securities and Exchange Commission (SEC), the Nigerian Deposit Insurance Corporation (NDIC), National Insurance Commission (NAICOM), Nigerian Communication Commission (NCC) and National Information Technology Development Agency (NITDA).
This article seeks to carry out a comparative analysis of the regulatory framework of the fintech industry in Nigeria with other countries.
ACTIVITIES IN THE FINTECH REGULATION SPACE
A regulatory sandbox is a framework set up by a regulator that allows fintech startups and other innovators to conduct live experiments in a controlled environment under a regulator’s supervision. It offers startups a safe space to test innovative products, services, business models and delivery mechanisms without worrying about incurring the consequences of not meeting all the necessary regulatory requirements.
As a result of the nature of the fintech industry, it is not uncommon for some fintech companies to enter the market and after some time, they realize that they are in breach of a regulation that they knew nothing about. It is for this reason that some Countries have explored the option of a “Regulatory Sandbox.” Regulatory Sandboxes have been implemented in several countries like, the UK, Singapore, Malaysia, Abu Dhabi, Canada, Denmark and Australia to name a few.
The Securities and Exchange Commission launched a regulatory sandbox for businesses or individuals that plan to launch innovative products, services, business models and delivery mechanisms relating to capital markets. With the SEC Regulatory Sandbox, fintechs will have a safe environment to test their solutions.
CBN has also issued a Framework for Regulatory Sandbox Operations. The Framework, defines the establishment, rules and operations of a Regulatory Sandbox for the Nigerian Payments System to promote effective competition, embrace new technology, encourage Financial Inclusion and improve customer experience, with a view to engendering public confidence in the Financial System.
OVERVIEW OF REGULATORY SANDBOX IN OTHER JURISDICTIONS
The United Kingdom was the first country to introduce the regulatory sandbox to its fintech industry in 2015 by the United Kingdom Financial Conduct Authority (FCA). The regulatory sandbox started off by operating on a cohort basis where the FCA selected companies to participate in the regulatory sandbox by evaluating them according to five criteria: scope, genuine innovation, consumer benefit, need for sandbox, and background research. The FCA seeks to provide these firms with five advantages: the ability to test products and services in a controlled environment, reduced time-to-market at a potentially lower cost, support in identifying appropriate consumer protection, safeguards to build into new products and services, and better access to finance.
Three of the Hong Kong financial regulators have introduced their own regulatory sandbox regime. The Hong Kong Monetary Authority (HKMA), launched its Fintech Supervisory Sandbox (FSS) in September 2016, followed by the Insurance Authority (IA) and the Securities and Futures Commission (SFC) in September 2017.
The FSS aims to allow banks to pilot trials of Fintech and other technological initiatives in a controlled environment with a more flexible supervisory arrangement before they are launched on a fuller scale. Fintech technologies covered by the FSS include mobile payment services, biometric authentication, blockchain, robotics and augmented reality. The SFC Regulatory Sandbox was established to provide a confined regulatory environment for qualified/eligible firms to operate regulated activities under the Securities and Futures Ordinance (Cap 571) (SFO) before it is used on a fuller scale. The Sandbox would enable qualified firms, through close dialogue with and supervision by the SFC under the licensing regime, to readily identify and address any risks or concerns relevant to their regulated activities. As of the end of March 2019, 48 new technology products or services have been allowed in the regulatory sandbox and 32 pilot trials have been completed and the products have subsequently been rolled out.
Sierra Leone’s Sandbox Regulatory Framework was launched in 2018. The process was started by the Bank of Sierra Leone with the help of the Financial Sector Deepening Africa (FSDA) and the United Nations Capital Development Fund (UNCDF), as part of the country’s Fintech Initiative. To be eligible to participate in Sierra Leone’s regulatory sandbox, the company must be registered with Sierra Leone, and a Sierra Leonean citizen needs to own at least 10% of the firm. The regulatory sandbox is limited to fintech companies, and has a focus on financial inclusion in the solutions they admit into the program.
Kenya’s regulatory sandbox is under the Capital Markets Authority of Kenya (CMA). It was approved in March 2019 when the CMA started to accept applications for admissions into the regulatory sandbox. Interested companies or individuals are expected to apply to be considered, following a list of requirements outlined in the Regulatory Sandbox Policy Guidance Note. The document outlines the steps needed to apply for the regulatory sandboxes and the eligibility criteria used. For instance, it is only open for companies incorporated in Kenya or those licensed by as securities market regulator in an equivalent jurisdiction. Once admitted, the company gets a 12-month period to run tests on the product or service, sending interim reports on the progress to the CMA. After the 12-month period, the company may either be granted permission to operate fully in the market or be denied permission based on the findings from their testing period. Before applying for the sandbox, the companies will need to have developed the idea to the level of operational testing according to the former CMA Chief Executive, Mr. Paul Muthaura. The CMA is currently accepting applications to the regulatory sandbox. Currently, at least 4 fintech companies that have been admitted into the regulatory sandbox of Kenya.
While there are several legislations containing ancillary provisions which seek to protect data privacy in Nigeria, in January 2019 an all-encompassing regulation was released by the National Information Technology Development Agency (‘NITDA’) for the sole purpose of regulating data protection across the nation.
The NITDA Regulations provide a more detailed approach to data protection, taking the time to define terms such as; ‘Personal Data’, ‘Data Subject’, ‘Data Controller’, ‘Lawful Processing’ and ‘Consent’. It provides that data processing will be lawful only in the following circumstances;
- the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes
- processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the Controller is subject
- processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- and processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller
DATA PROTECTION REGULATIONS IN OTHER JURISDICTIONS
In sharp contrast to the EU, Nigeria is still growing in this space and our current regime is nowhere near Europe’s General Data Protection Regulation (GDPR). While the NDPR and the GDPR provide similar definitions for ‘processing,’ ‘personal data’ and ‘sensitive personal data’, unlike the GDPR, the NDPR does not define or have any provisions on anonymous data, pseudonymized data, or data processed by automated means.
Another difference is that while the GDPR specifically provides for a Data Protection Impact Assessment in certain circumstances, including when processing is likely to result in a high risk for the rights and freedoms of individuals, in particular if a data controller utilises new technologies to process personal data, the NDPR is quiet and has no directly equivalent concept. However, the NDPR outlines that data controllers must have completed, within six months of the NDPR being issued, a detailed audit of privacy and data protection practices for assessing the impact of technology on privacy and security.
Currently, in India, data protection is regulated by the Information Technology Act (IT Act), 2000, and Information Technology Rules (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information), (SPDI Rules) 2011. The Information Technology Act has a very restricted scope, as it applies only to companies. Hence the government recently introduced a Personal Data Protection Bill, 2019. Neither the IT Act nor SPDI Rules provides for definition of terms such as “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject”, which are provided for in the PDPB. The PDPB has similar requirements to GDPR. Such as:
- Personal data should not be processed except for a specific reason or purpose.
- Data must be processed in a reasonable manner ensuring secured processing.
- The data must be processed only for the purpose which has been consented by the data principal.
- Data should be only collected to the extent which is needed.
- The data must be updated and not misleading.
- The data must not be stored beyond the period for which it is required.
- Compliance with this Act is the responsibility of the data fiduciary. 
The Nigerian fintech industry has such great potential and that is one of the reasons why it has attracted the interest of policy makers in the past few years. Regulations, although are meant to be a good thing, have nowadays become one of the major challenges of fintech startups. If the country wants to encourage these companies to reach their full potential, it should create regulations with the aim of improving the ease of doing business in this industry, which would in turn attract potential investors and promote the economy on a whole.
Regulations like the creation of the regulatory sandbox and the NDPR are a welcomed initiative. Regulatory bodies are encouraged to take a cue from countries with more developed regulatory frameworks in the fintech industry and with effective implementation, the fintech industry in Nigeria will be sure to flourish amongst
 nyujlb.org, ‘Playing in the Regulatory Sanaldbox’ (2019)
 Securities and Exchange Commission, Nigeria, ‘Regulatory Sandbox- Assessment’ (2019)
 The Impact of the Regulatory Sandbox on the Fintech Industry, with a Discussion on the Relation between Regulatory Sandboxes and Open Innovation
 Section 2.2 of Nigeria Data Protection Regulation
The opinions in the articles are for general information purposes only and do not form a legal relationship or be taken as legal advice. To explore legal advice, please consult your solicitor or feel free to get in touch with us directly.