Data Reuse in Bank Financial HoldCos: CBN Ring-Fencing Considerations

The Central Bank of Nigeria’s Exposure Draft Guidelines on Ring-Fencing Operations of Closely Linked Entities highlight a significant data protection compliance risk that is uniquely pronounced within financial holding companies and their subsidiaries. This is the risk of data reuse: specifically, the practice where customer data is routinely shared across group entities in ways that stretch, and in some cases bypass, the boundaries of data protection law.

As a commercial matter, treating customer data as a group-wide asset to enable backend database pooling, shared cloud infrastructure, and unified “super-app” ecosystems offers undeniable operational efficiency. However, the new regulations on ring-fencing propose that such cross-company sharing must strictly satisfy specific data protection requirements regarding data reuse and data segregation.

1. The Language of the Draft Regulations

The relevant sections of the Exposure Draft Guidelines on Ring-Fencing Operations of Closely Linked Entities provide as follows:

(a) Section 8.9 mandates that customer data must be segregated and stored independently across closely linked entities to prevent commingling or unauthorized cross-access.

(b) Section 8.10 mandates that the sharing of personal data between closely linked entities must be done with explicit user consent, unless the NDPA provides otherwise.

(c) Section 4.8 further requires that where a customer is onboarded onto a service offered by an affiliate, express consent must be obtained after clear disclosure identifying the specific legal entity providing the service, along with alternative options where available.

Taken together, these provisions shift the regulatory framework away from enterprise-wide data entitlement and toward entity-specific data governance. The corporate legal fiction of “one customer across a financial group” is effectively replaced with the reality of “distinct customers per regulated entity.”

2. What is Data Reuse in Data Protection Law?

In data protection jurisprudence, data reuse, more formally understood as “further processing”, refers to the use of personal data collected for one defined purpose for a separate, subsequent, or unrelated purpose.

Under Section 24(4) of the NDPA 2023, further processing is prohibited if it is incompatible with the original purpose of collection. To determine whether a secondary use is legally compatible, the Act mandates that data controllers must explicitly evaluate:

  1. The relationship between the original purpose and the purpose of the intended further processing;

  2. The nature of the personal data concerned;

  3. The potential consequences of the further processing on the data subject;

  4. How the personal data was originally collected; and

  5. The existence of appropriate safeguards, such as encryption or pseudonymization.

In a financial holding company structure, data reuse typically arises when a commercial bank collects KYC and transaction data for account opening, and that data is later utilized by a sister entity such as a digital lender, fintech platform, or investment arm, for profiling, marketing, or credit decisioning. From a corporate perspective, this is seamless cross-selling. From a legal perspective, however, it constitutes a completely distinct processing activity executed by an entirely separate data controller.

Crucially, corporate affiliation within a group structure does not collapse separate legal personality. Each subsidiary remains independently responsible for its own compliance obligations. Accordingly, a sister company cannot automatically inherit or rely on the consent or contractual basis obtained by another entity within the wider group.

The NDPA 2023 imposes strict constraints on any form of secondary or intra-group data use that extends beyond the original collection purpose.

(a) Purpose Limitation: Section 24 of the NDPA codifies the principle of purpose limitation. Personal data must be collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes. In practical terms, data collected for basic deposit account servicing cannot automatically be repurposed for behavioral profiling or cross-selling high-risk credit products by unrelated group entities.

(b) Requirement for an Independent Legal Basis: Section 25 of the NDPA requires that every processing activity must rest on a valid legal basis. In intra-group transfers, this requirement becomes particularly stringent. A holding company cannot rely on its internal group relationship or “legitimate interest” alone to justify unrestricted data sharing with affiliates for customer-facing services. In most retail banking contexts, the only defensible basis for such sharing is explicit, informed, and freely given consent, tied to a clearly identified purpose and entity.

(c) Data Minimization and DPIA Requirements: Even where intra-group sharing is legally justified, the NDPA imposes strict data minimization obligations, meaning only data strictly necessary for the secondary purpose may be shared. Furthermore, where data reuse involves profiling, automated decision-making, or cross-entity data flows, a Data Protection Impact Assessment (DPIA) becomes mandatory. This requirement reflects the regulatory recognition that intra-group data sharing increases systemic privacy and cybersecurity risks, especially within centralized digital banking architectures.

Concluding Observation

The alignment between the NDPA 2023 and the CBN’s ring-fencing guidelines marks a definitive end to the era of unrestricted intra-group data pooling. For financial conglomerates, customer data can no longer be treated as a shared corporate commodity by default. To remain compliant, institutions must actively decouple their shared infrastructures, re-architect their database access layers, and accept that every cross-entity data flow must be individually justified, transparently authorized, and continuously auditable.

Olu A.

LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)

Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.

olu@balogunharold.com
Kunle A.

LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)

Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.

k.adewale@balogunharold.com
Esther U.

mp.ops@balogunharold.com

Media & Communications Balogun Harold Lagos, Nigeria.
