ANTI-MONEY LAUNDERING: NIGERIA’S OPEN CENTRAL REGISTER OF PERSONS WITH SIGNIFICANT CONTROL

/1 Comment/in /by

BY SEUN TIMI-KOLEOLU AND NURATULAHI YISHAWU

DOWNLOAD PUBLICATION 

INTRODUCTION

In our previous newsletter, we discussed the provisions of the  Central Bank of Nigeria’s Guidance on Ultimate Beneficial Ownership which was released following the imminent threat of Nigeria being grey-listed for not properly combating money laundering and terrorist financing.

Taking a further step towards accountability and transparency, the Corporate Affairs Commission (CAC) launched Nigeria’s Open Central Register of Persons with Significant Control (PSC Register) on Thursday 25, May 2023.  This marked a significant milestone in the country’s ongoing battle against corruption and its commitment to fostering transparency in the corporate landscape. The initiative is expected to assist citizens, financial institutions, law enforcement agencies, civil society organizations, and the media to access critical information about the ownership and control of business organizations.

In this newsletter, we have discussed key things to note about the PSC Central Register and how it helps the government in its fight against corruption in business organisations.

1. Who qualifies as a Person with Significant Control (PSC)?

According to the Persons with Significant Control (PSC) Regulations 2022 (the ‘Regulations[1]’), a PSC is essentially synonymous with the concept of a Beneficial Owner which refers to the natural person(s) who ultimately owns or controls a company or limited liability partnership (LLP) or the natural person on whose behalf a transaction is being conducted and includes those natural persons who exercise ultimate effective control over a legal person or arrangement. A corporate entity cannot be a PSC.

A person is identified as a PSC if they:

  1. possess a minimum of 5% of the issued shares in a company or has an interest in a limited liability partnership, whether directly or indirectly;
  2. wield a minimum of 5% of the voting rights in a company or limited liability partnership, whether directly or indirectly;
  3. hold the direct or indirect authority to appoint or remove the majority of directors within the company or partners in the limited liability partnership;
  4. exert significant influence or control, whether directly or indirectly, over the company or limited liability partnership; or
  5. hold the right to exercise, or actively exercises, substantial influence or control over the operations of a trust or firm, regardless of whether it has legal entity status, and would meet any of the first four conditions if it were an individual.

2. How can the PSC Register be accessed?

The PSC Register is a free and publicly accessible database which can be accessed via https://bor.cac.gov.ng/.

The following information about a PSC is accessible: full name of PSC; date on which the reportable ownership or control started; date of declaration of significant influence or control; occupation; service address; nationality; nature of ownership or control in the company or limited liability partnership; and unique identifier.

 3. When should the CAC be notified?

Every person who qualifies as a PSC is required to notify the company of the date it becomes a PSC. Such notification is required to be made within 7 days of becoming a PSC. The company in turn shall disclose this information to the CAC within one month of it’s receipt[2]. Other important disclosures to be made to the CAC include when:

  1. a person no longer has or holds the minimum interest/shares threshold.
  2. the person is a Politically Exposed Person (PEP). A PEP is a person that has been entrusted with a prominent public position as well as his or her family members and close associates.
  3. the PSC is a state-owned entity (SOE). The information to be submitted to the CAC in this instance shall include the same information of the Chief Executive Officer (CEO) of the SOE as is required of an individual who is a PSC.

4. How can the CAC be notified?

A company or LLP can notify the CAC through the Company Registration Portal (CRP). Information about persons with significant control (PSC) can be provided:

  1. during the incorporation process of a new company or LLP;
  2. when any changes in control details occur;
  3. when filing annual returns; or
  4. in any other case CAC may determine.

5. How does the PSC Register help fight corruption and promote transparency?

This register helps fight corruption and promote transparency in the following ways:

  1. Transparency of Ownership: By requiring companies to disclose their significant owners, the PSC register helps reveal the true beneficiaries behind corporate entities, making it difficult for individuals or entities to hide their involvement in potentially corrupt activities.
  2. Prevention of Shell Companies: It discourages the creation of shell companies used for money laundering or concealing corrupt practices since the ultimate beneficial owners must be disclosed.
  3. Enhanced Due Diligence: The register aids law enforcement agencies, financial institutions, and other stakeholders in conducting due diligence to identify potential corruption risks associated with a company’s ownership structure.
  4. Deterrent Effect: The existence of the PSC Register acts as a deterrent to corruption, as individuals engaged in corrupt practices may fear exposure and legal consequences.
  5. Facilitating Investigations: When corruption allegations arise, law enforcement agencies can use the PSC Register to quickly identify and investigate the individuals or entities with significant control over a company.
  6. Promoting Fair Competition: Transparency in ownership can help level the playing field for businesses, preventing unfair advantages gained through corruption.

6. Are there any penalties for non-compliance with the provisions of the PSC Regulations?

Yes, there are. Some penalties and consequences imposed by the CAC for failure to submit, submitting late, or providing false information in the PSC include:

  1. Daily monetary fines between the ranges of N5,000 to N50,0000 on the PSC, Company or LLP, as well as on each of its officers.
  2. Reflecting the company or LLP’s status as “INACTIVE” on the PSC Register and other pertinent online platforms of the Commission.
  3. Refusing to process any post-registration application submitted by the Company or LLP.
  4. Withholding the issuance of a “Letter of Good Standing” to the Company or LLP.
  5. In the event of false statements made to the Commission, convicting any officer of the Company or LLP and subjecting them to a two-year imprisonment sentence.
  6. Refusing to process any post-registration application submitted by the Company or LLP.
  7. Withholding the issuance of a “Letter of Good Standing” to the Company or LLP.
  8. In the events of late or non-submission of PSC information or false CAC made to the CAC, conviction of a two-year imprisonment sentence.

 

CONCLUSION

By shedding light on the ultimate individuals who wield significant influence or control, the PSC Register serves as a powerful tool in uncovering illicit activities and preventing the misuse of corporate entities for nefarious purposes. The stringent timelines and sanctions for non-compliance underscore the government’s determination to ensure accountability.

It is important for registered business organizations to note that on the 31st of July, 2023, the Corporate Affairs Commission announced that any company that fails to comply with the provisions of Companies and Allied Matters Act 2020 by taking steps to file its annual returns up to date within 90 days of publication on the Commission’s website shall be struck off the Register. Once a company is struck off , it shall be unlawful for it to carry on business unless it is first restored to the Register by an order of the Federal High Court.

The 90 days timeline is expected to elapse by the end of October 2023. Business owners are advised to contact their lawyers or relevant officers to ensure their annual returns filings are up to date.

[1] Section 119(3) CAMA,2020

[2] Section 14 Of Persons with Significant Control Regulations, 2022

MERGER AND ACQUISITION CONTROLS; DEMYSTIFYING THE REGULATORY TERRAIN IN NIGERIA.

/in /by

MERGER AND ACQUISITION CONTROLS; DEMYSTIFYING THE REGULATORY TERRAIN IN NIGERIA.

BY ADERONKE ALEX-ADEDIPE AND SHARON OKPO

DOWNLOAD PUBLICATION

INTRODUCTION

The spotlight has been cast on Nigeria’s merger and acquisition scene since 2021, owing largely to the increase of mergers and acquisitions (M&A) deals and increased activities by regulators to enforce compliance with established merger controls in Nigeria.

While Nigeria has witnessed a boom in the M&A space, both in value and number of deals, the mergers controls obtainable in Nigeria are not immediately understood by many. The objective of establishing M&A controls ultimately seek to discourage and clamp down on mergers that significantly reduce or prevent competition by ensuring that restructuring of companies in a given market caused by a merger deal does not cripple or damage the competitive structure of that particular market.

In this newsletter, we highlight the various regulatory and enforcement regimes obtainable in the Nigerian M&A space.

  1. What Constitutes a Merger or Acquisition?

The Federal Competition and Consumer Protection Act (FCCPA) 2018 recognizes that a merger occurs when one or more entities directly or indirectly acquire or establish direct or indirect control over the whole or part of the business of another undertaking. The FCCPA further provides that a merger can be achieved in different ways including through-

  1. the purchase or lease of the shares, interests, or assets of the other entity who is a party to the merger
  2. the amalgamation or any combination with the other entity who is a party to the merger, or
  3. a joint venture.

The FCCPA has also provided the parameters to determine whether an entity ultimately has control over another entity, such as, whether the entity:

  1. beneficially owns more than half of the issued share capital or assets of the other entity;
  2. is entitled to cast a majority of the votes that may be cast at a general meeting of the other undertaking, or has the ability to control the casting of a majority of those votes either directly or indirectly;
  3. is able to appoint or veto the appointment of a majority of the directors of the other entity;
  4. is a holding company, and the entity is a subsidiary of that holding company as contemplated under the Companies and Allied Matters Act, 2020;
  5. in the case of an entity that is a trust, has the ability to control the majority of the votes of the trustees, to appoint the majority of the trustees or to appoint or change the majority of the beneficiaries of the trust;
  6. has the ability to materially influence the policy of the undertaking.

Minority Assets

Often times, control in an M&A deal is considered in terms of acquisition of majority interest, shares or assets. There are however instances where acquisition of minority interests in an entity will result in control of that entity. Where the acquisition of minority interests, shares, or assets will result in the acquiring entity exercising significant influence over the acquired entity, such transaction will be considered a merger within the scope of the FCCPA.

2. What is the Regulatory Framework Governing M&A transactions in Nigeria?

In considering the regulatory framework governing M&A in Nigeria, the laws, guidelines, and rules governing mergers, and the regulators/authorities charged with the responsibility of enforcing these laws, rules, and regulations are identified below;

  1. Legal Framework- the main legislations governing M&A in Nigeria are:
  1. Federal Competition and Consumer Protection Act (2018)– this is the primary regulation governing M&A transactions in Nigeria and it sets forth the main merger control legislations for both public and private entities. Following the provisions of the FCCPA, the Federal Competition and Consumer Protection Commission (FCCPC) is empowered to issue certain merger control regulations and guidelines such as the FCCPA Merger Review Regulations, 2020 (“Merger Review Regulations”), the FCCPA Merger Review Guidelines, 2020 (“Merger Review Guidelines”), the FCCPA Notice of Merger Review Timeframe (“Notice”), etc. These subsidiary legislations make provisions for the types of mergers, notification requirements, merger thresholds, merger review process, etc.
  2. The Investment and Securities Act, 2007(ISA)- the provisions of the ISA and the Securities and Exchange Commission Rules on Mergers, Take-overs and Acquisition (“SEC Rules”), 2013 (as amended) apply to mergers involving public companies and every merger, acquisition, combination, or other affected transactions between or among companies involving acquisitions of shares, assets, business, or subsidiaries of a public company.
  3. The Companies and Allied Matters Act, 2020 (CAMA) The CAMA is generally applicable to all companies in Nigeria (whether public or private), and makes such provisions relating to sale, acquisition and transfer of shares and a company’s assets, protection of minority rights, filing of returns with the Corporate Affairs Commission (CAC), etc.
  4. Sector Specific Regulations: other prominent regulations which are applicable to their specific sectors include-The Central Bank of Nigeria (CBN) Revised Operational Guidelines for Bureaux de Change (BDCs) in Nigeria, 2015 (“Operational Guidelines”); The banks and Other Financial Institutions Act (2020); The Insurance Act (2003) which require participants to seek applicable regulatory approval before entering into a merger and/or acquisition.
  1. Regulatory Authorities

The Key regulators of the relevant merger control regulations include (i) The FCCPC, (ii) The Central Bank of Nigeria, (iii) The Securities and Exchange Commission (SEC) (iv) The CAC.

3. What are the Merger Controls in Place in Nigeria?

  1. Classification of Mergers

In order to understand the merger control measures in place in Nigeria, and the obligations imposed on parties to an M&A deal, it is important to understand how the FCCPA has classified mergers.  The FCCPA classifies mergers in Nigeria into 2- small mergers and large mergers. This classification is determined by the financial value of the merger based on the threshold stipulated by the FCPPC under the provisions of the FCCPA Notice of Threshold for Merger Notification, 2019 (“Notice of Threshold”). In the Notice of Threshold  a merger shall be considered a large merger where-

    1. Combined annual turnover of the acquiring undertaking and the target undertaking (combined figure) in, into or from Nigeria equals or exceed One Billion Naira (#1,000,000,000); or
    2. The annual turnover of the target undertaking (alone) in, into or from Nigeria equals of exceeds Five Hundred Million Naira (#500,000,000).

While the Notice of Threshold makes no provision for what constitutes a small merger, it is safe to infer that a merger will be considered a small merger where the financial value of the merger falls below the amounts stated above.

  1. Notification Requirement

The Merger Review Regulations provide that where an undertaking is involved in a large merger, it must make an application to the FCCPC for prior approval. The FCCPA expressly provides that a proposed merger shall not be implemented unless it has first been notified to and approved by the FCCPC.  While it is mandatory for parties to a large merger to notify the FCCPC of such merger, this mandatory obligation is not imposed on parties to a small merger. Participants of small mergers are however, encouraged to notify the FCCPC of their merger transactions.

Notwithstanding the classification of a merger, the FCCPC may also compel notification where it considers that the merger may substantially prevent or lessen competition. Parties are also encouraged to request for pre-notification consultations with the FCCPC to assist in determining the course of a case, at least 2 weeks before the submission of a formal notification is contemplated by parties. The pre-notification consultation will enable the parties and the FCCPC to clarify matters such as-

    1. Whether or not the notification of the merger is required;
    2. The calculation of annual turnover, value of assets, market shares, etc;
    3. Whether a simplified or expedited procedure may be required;
    4. Whether notifications have been made to other jurisdictions, including other member countries of ECOWAS or AFCFTA, etc.

Pending the approval (or otherwise) of the merger following notification to the FCCPC, parties are required to suspend implementation of the merger.

It is also important to note that the obligation to notify the FCCPC rests on both parties to the merger transaction, and both parties shall be liable to any penalties imposed for failure to notify the FCCPC as required. Where a party to a merger transaction is not a Nigerian entity, it is required to appoint a local representative to make the notifications on its behalf.

Notification to the FCCPC shall be by way of an application for a detailed review (Phase 1 and 2) of the merger to determine whether or not the merger is likely to significantly prevent or lessen competition. The parties shall also be required to pay the appropriate merger filing fees for the different reviews as may be prescribed by the FCCPC from time to time.

  1. Merger Review by the FCCPC

Following the receipt of the notification/application by the parties to a merger transaction, the FCCPC shall conduct a review.

In conducting a review and assessments, the FCCPC may call for witness interviews, conduct surveys, site visits, etc. The time frame varies for small mergers and large mergers, and is also dependent on the activity being conducted at each stage.

Upon conclusion of review and assessment, the FCCPC will issue a report signifying the disposition of the notification process. The report shall convey the decision of the FCCPC either approving the merger, approving the merger subject to conditions, or prohibiting the implementation of the merger. Where parties are not satisfied with the outcome of the reviews, they can appeal to the Competition and Consumer Protection Tribunal for a review.

 

Conclusion

In this publication, we have provided a simplified approach to understanding merger controls, and obligations of  parties to a merger transaction. To comply with all relevant requirements of the law in relation to M&As, we strongly recommend that parties seek legal assistance for adequate guidance.

MVNO AGREEMENTS: KEY LEGAL CONSIDERATIONS FOR SUSTAINABLE PARTNERSHIPS.

/in /by

MVNOs IN NIGERIA: KEY CONTRACTING TERMS FOR SUSTAINABLE PARTNERSHIPS

BY SEUN TIMI-KOLEOLU AND QASIM OGUNJIMI

DOWNLOAD PUBLICATION

INTRODUCTION

Further to the issuance of the License Framework for the Establishment of Mobile Virtual Network Operators (MVNOs) (the “Framework”) in Nigeria by the Nigerian Communications Commission (the “Commission”), the Commission recently announced the allocation of 25 licences to MVNOs. The introduction of MVNOs marks a significant milestone in the telecom industry. Not only does it facilitate the extension of telecom services to rural and underserved areas of the country, but it also promises to infuse healthy competition into a market traditionally dominated by four national operators: MTN, Globacom, Airtel, and 9Mobile.

However, the success of MVNOs heavily relies on well-structured and legally sound agreements with Mobile Network Operators (MNOs). In this newsletter, we explore the nuances of MVNO agreements in Nigeria, highlighting essential legal considerations that both MVNOs and MNOs must address to establish sustainable and mutually beneficial partnerships in the telecom industry.

UNDERSTANDING MVNO AGREEMENTS

As explained in further details in our previous newsletter, an MVNO, despite not owning the physical infrastructure, provides telecom services by utilizing existing MNO’s network infrastructure. In the context of MVNO operations in Nigeria, any entity seeking to become an MVNO is required to obtain a license from the Commission. As part of this licensing process, an applicant is mandated to file a comprehensive agreement with an MNO at the Commission. This agreement is the linchpin of MVNO operations, as it defines the terms, conditions, and obligations governing the partnership between the MVNO and the MNO. In essence, MVNO agreements are not merely legal documents; they are the bedrock upon which successful MVNO operations are built. Moreover, they are an indispensable prerequisite for securing the MVNO license itself.

KEY COMPONENTS OF MVNO AGREEMENTS

The following key components form the foundation upon which MVNO agreements are built and have a profound impact on the operations and sustainability of MVNOs in Nigeria:

  1. Service Provisions: The heart of any MVNO agreement lies in the specifics of the services to be provided by the MNO. This includes the scope of network access, the types of services (voice, data, messaging), and the quality-of-service levels that must be maintained. Clarity in defining these provisions is vital to ensure that MVNOs can deliver a seamless and competitive service to their customers.
  1. Pricing Models: Pricing structures are vital in any MVNO agreement. The chosen pricing model can take various forms, such as wholesale rates, revenue sharing arrangements, or cost-plus pricing. Each model has its advantages and implications, directly impacting the MVNO’s business model, profitability, and competitiveness in the market.
  1. Duration and Termination Clauses: MVNO agreements outline the duration of the partnership and the conditions for its termination. These clauses provide both parties with a clear understanding of the commitment period and the processes and repercussions of ending the agreement. Carefully crafted termination clauses account for various scenarios, including early termination, renegotiation, and dispute resolution.
  1. Obligations and Responsibilities: Effective collaboration between MVNOs and MNOs necessitates a clear definition of each party’s obligations and responsibilities. These include network maintenance, customer support, compliance with regulatory requirements, and more. Clarity on roles and responsibilities fosters smooth operations and avoids potential conflicts.
  1. Service Level Agreements (SLAs): Service Level Agreements (SLAs) are crucial components that set performance standards. They outline measurable metrics for network reliability, uptime, and response times for customer inquiries. SLAs are vital for ensuring a consistent and high-quality customer experience.
  1. Data Access and Privacy Terms: In an era of heightened data sensitivity, MVNO agreements include terms related to data access and privacy. These terms address data sharing, storage, protection, and compliance with data privacy regulations. Ensuring data security and privacy is paramount to maintain consumer trust and meet legal requirements.
  1. Dispute Resolution Mechanisms: Inevitably, disputes may arise during the course of the MVNO-MNO partnership. Agreements often incorporate dispute resolution mechanisms, which may involve mediation, arbitration, or other methods to amicably resolve conflicts and avoid costly litigation.

 

LEGAL CONSIDERATIONS IN MVNO AGREEMENTS

Drafting a comprehensive MVNO agreement requires a keen awareness of the regulatory landscape, industry standards, and the unique dynamics of the Nigerian telecommunications sector. Some of the legal nuances that shape MVNO agreements include:

  1. Adhering to Regulatory Framework: The Nigerian telecom sector operates within a well-defined regulatory framework set by the Commission. MVNO agreements must align with the Framework and other relevant laws and regulations, ensuring compliance with licensing requirements, spectrum allocation, consumer protection, and data privacy laws.
  1. Addressing Intellectual Property Rights: Intellectual property (IP) considerations are vital in MVNO agreements, particularly regarding the use of trademarks, patents, and other proprietary technologies. Clarity on IP rights and usage is crucial to prevent disputes and protect each party’s interests.
  1. Consumer Rights and Data Privacy: MVNO agreements must incorporate provisions that safeguard consumer rights and data privacy. This includes clear terms regarding data collection, usage, and protection in accordance with the relevant data protection laws.
  1. Mitigating Legal Risks: MVNO agreements should carefully allocate risks between the MVNO and the MNO. This includes risks related to network outages, data breaches, changes in regulatory environment, and more. Clearly defined risk allocation mechanisms and mitigation strategies are vital to safeguard both parties’ interests.
  1. Change in Management: The dynamic nature of the telecommunications industry requires MVNO agreements to account for changes in technology, regulations, or market conditions. It is pertinent to include clauses that address how such changes will be accommodated within the agreement.

CONCLUSION

As the telecommunications landscape in Nigeria undergoes continuous transformation, grasping the intricacies of MVNO agreements becomes imperative for entities aiming to thrive in this dynamic sector. Whether you are an aspiring MVNO seeking to establish your presence or an MNO contemplating a partnership, the legal insights shared in this newsletter offer invaluable guidance on forging enduring and mutually advantageous alliances within the telecommunications industry. If you have any further questions or require legal guidance regarding MVNO agreements or any other aspect of telecommunications law, please do not hesitate to contact us.

FREQUENTLY ASKED QUESTIONS (FAQS): OPERATING A BUSINESS IN NIGERIA

/in /by

By Aderonke Alex-Adedipe and Nuratulahi Yishawu

DOWNLOAD PUBLICATION 

Introduction

Commencing a business in Nigeria can be a promising venture, given the country’s large population, growing economy, and various business opportunities. Like any other country, however, Nigeria has its own unique set of regulations and hurdles which entrepreneurs must navigate.
Operating a business in Nigeria involves several steps, such as registering the business with the Corporate Affairs Commission (CAC), tax registration with the Federal Inland Revenue Service (FIRS), obtaining necessary permits and licenses, amongst others.
To assist aspiring entrepreneurs in navigating the environment, we have summarised in this article, a list of frequently asked questions (FAQs) in respect of which entrepreneurs often require answers before proceeding to do business in Nigeria.

1. What are the relevant business structures for operating in Nigeria?
In Nigeria, the law requires that any individual or entity intending to engage in commercial activities in Nigeria must register with the Corporate Affairs Commission (CAC). The Companies and Allied Matters Act (CAMA) 2020 is Nigeria’s primary legislation governing the formation and operation of companies. Under CAMA, businesses can adopt various legal structures such as:

  • Private Limited Company: This is the most common structure for small to medium-sized businesses. The company is required to have at least two shareholders (one shareholder in the case of a small company) and two directors.
  • Public Limited Company: This structure is suitable for larger enterprises and it allows for the public sale of shares. It is required to have at least two shareholders and two directors.
  • Limited Liability Partnership (LLP): This is a more recent option provided for under CAMA. It combines the characteristics of partnerships and corporations such that all the partners participate in the management of the partnership and also have limited liability protection.
  • Limited Partnership: It consists of at least two persons, one limited partner and one general partner in which the liabilities of the limited partner are limited to the amount of his investment in the partnership while the general partner’s liabilities are unlimited. It is suitable where one of the partners desires to be a mere sponsor and will not partake in the daily running of the partnership business.
  • Business Name: This structure is ideal for sole proprietors/entrepreneurs. It does not provide limited liability protection and the owner is personally liable for the obligations of the business.

2. What are the key regulatory bodies for businesses in Nigeria?
There are several regulatory bodies in Nigeria and whether or not a business falls within their purview may depend on the nature of the business. Some of the prominent regulatory bodies include;

  • The Corporate Affairs Commission (CAC): responsible for regulating all corporate matters.
  • The Federal Competition and Consumer Protection Commission (FCCPC): responsible for ensuring that the interests of Nigerian consumers of goods and services are protected.
  • The Central Bank of Nigeria (CBN): responsible for regulating financial services in Nigeria.
  • The Federal Inland Revenue Service (FIRS): responsible for enforcing tax regulations as they relate to businesses.

3. What are the tax implications for operating in Nigeria?
Nigeria has a tax system which includes federal, state, and local taxes. Businesses in Nigeria are subject to a number of taxes, including Companies Income Tax (CIT), Value-Added Tax (VAT), Withholding Tax (WHT) and Personal Income Tax (PIT) for employees. It should be noted that upon incorporation with the CAC, companies are now automatically given a tax identification number which is shown on the Certificate of Incorporation.

4. Can foreigners own businesses in Nigeria?
Yes, foreigners can fully own and operate businesses in Nigeria except in specific sectors such as oil and gas, aviation, domestic coastal carriage, etc, which require majority local ownership and control.

5. Are there immigration requirements for foreign business owners and employees?
Yes, there are. For foreign business owners and employees, Nigeria has specific immigration requirements. One of the most vital immigration requirements is the Combined Expatriate Residence Permit and Aliens Card (“CERPAC”) which employers of foreign employees must obtain on their behalf to enable them lawfully work and reside in Nigeria.

6. How long does it take to register a business in Nigeria?
The time frame for registering a business may vary depending on the nature of the business and relevant regulations applicable to the business. On the average, however, it typically takes about 5 to 10 business days to register a business at the CAC.

Conclusion

In conclusion, establishing a business in Nigeria offers significant opportunities, but also requires careful planning to ensure compliance with existing regulatory frameworks. By addressing these FAQs and seeking professional guidance, entrepreneurs can embark on a successful business journey in this dynamic and profitable market.

IMPORTANT DATA PROTECTION OBLIGATIONS AND PRACTICES FOR COMPANIES IN NIGERIA

/in /by

IMPORTANT DATA PROTECTION OBLIGATIONS AND PRACTICES FOR COMPANIES IN NIGERIA

BY SEUN TIMI-KOLEOLU AND OLAWALE ATANDA

DOWNLOAD PUBLICATION 

INTRODUCTION

In our previous newsletter, we highlighted the key provisions of the recently signed Nigeria Data Protection Act 2023 (NDPA 2023). Following the passage of the NDPA 2023, as well as the Nigeria Data Protection Regulation 2019, it is vital that companies that process the data of their customers assess their data processes in view of the NDPA. This is to ensure good data protection practices and to avoid penalties which could be as high as 1-2% of their annual revenue. In this newsletter, we write about some steps companies should take to ensure proper compliance with the NDPA 2023.

 

 

1. Seeking Consent
Companies are responsible for proving that their customers gave their consent for their personal data to be processed. The following about consent must be noted:
• Consent must be freely and intentionally given, and it cannot be a condition for fulfilling a contract or providing a service if it is not necessary for that purpose.
• Silence  inactivity does not count as consent;
• The customer must be informed of their right to withdraw their consent before giving
it, and withdrawing consent does not affect the lawfulness of any processing that happened before the withdrawal;
• Consent must be given in an affirmative manner, not through pre-selected
confirmation, and can be provided in writing, orally, or through electronic means;
• requests for consent must be in clear and simple language and in an accessible
format;
• minors or persons lacking capacity to consent – if a customer is a child or lacks the legal capacity to consent, a company must obtain consent from the parent or legal guardian before relying on consent under the NDPA 2023. The company must use appropriate mechanisms to verify age and consent, such as presenting governmentapproved identification documents. However, this requirement does not apply if the processing of person’s data is necessary to protect the vital interests of the child or person lacking legal capacity, is carried out for education, medical, or social care purposes by a professional or similar service provider with a duty of confidentiality, or is necessary for court proceedings relating to the individual.

2. Appointing a Data Protection Officer
Any company that meets the following criteria is expected to appoint a Data Protection
Officer (DPO) within 6 months of commencing operation. If the company:
a. processes personal information of over 10,000 Nigerians;

b. processes sensitive personal information in the regular course of its business;
c. processes critical national information; or
d. is a government agency or ministry.

The DPO is to be knowledgeable in data protection and will be responsible for monitoring compliance with the NDPA 2023; advising the management, employees and third-parties privy to personal information; and acting as the primary contact person for the Nigeria Data Protection Commission (NDPC). Companies may outsource the duties of a DPO to a Data Protection Compliance Organization (DPCO).

3. Conducting Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is a process carried out by the DPO to assess and minimise the possible risk to a data processing activity. For a company launching a new business process or activity which would involve the use of sensitive information or heavy use of personal information of individuals, it is advisable for the DPO of the company to carry out a DPIA to identify, evaluate and minimize possible data protection risks. This will help the company address the risks in the processes and ensure continuous compliance with the NDPA. Where the result of a DPIA indicates that the processing of the data would result in a high risk to the rights and freedoms of a data subject, the company must inform the NDPC before processing personal data.

4. Carrying Out Regular Internal Audit
Companies may monitor their data protection compliance level by carrying out periodic internal audits of their data protection practices to map, identify faults and improve protective practices.

5. Data Processing Agreements with Third Parties
The NDPA 2023 provides that there must be a written data processing agreement between a company which collects the data of their customers and third parties which process the customers’ data at the company’s request (i.e., data processors). The NDPA 2023 also imposes a duty on such a company to ensure that third party processors abide by its provisions.

6. Conducting Periodic Due Diligence on Third Parties
Companies will be responsible for the actions of its data processors. Consequently, companies are expected to conduct due diligence on these data processors to ensure their data processing practices are in line with the NDPA 2023

7. Yearly Data Audit Submission
All companies that collect or process the personal information of over 1,000 individuals are required to submit to a yearly data protection audit by a DPCO. The DPCO will review the data protection documentation of the company, assess the systems and practices of the company and assess the knowledge of the staff before providing recommendations. The DPCO will thereafter submit a summary of the audit to the NDPC not later than the 15th of March of the following year. Penalty Fees Under the NDPA 2023 Where a company breaches the provisions of the NDPA 2023, the NDPC may issue and enforcement order requiring it to pay a penalty fee. The following penalty fees under the NDPA will apply:
• For ‘Data Controllers and Data processors of Major Importance’, a fine equal to 2% of their annual gross revenue of the previous year or a sum of ₦10 million, whichever is greater.
• For ‘Data Controllers and Data Processors Not of Major Importance’, a fine equal to 2% of their annual gross revenue of the previous year or a sum of ₦2 million, whichever is greater. Data Controller and Data Processor of Major Importance means:
• A company that is based, lives, or operates in Nigeria and processes or plans to process the personal data of a certain amount of data subjects which is more than the number of data subjects within Nigeria (as determined by the NPDC); or
• one that processes personal data of particular value or importance to Nigeria’s economy, society, or security (as designated by the NDPC).

Conclusion
In conclusion, it is important for companies to continuously monitor their data protection practices to ensure they are compliant with the NDPA 2023 and to avoid penalties. Just as importantly, doing this protects the data rights of their customers, builds trust with them,and helps the company maintain a strong reputation of data compliance within its industry.