Nigeria’s digital identity system is rapidly advancing. The introduction of NINAuth, the National Identity Management Commission’s official app for identity verification, and NITDA’s upcoming Digital Public Infrastructure (DPI) standards have switched the focus from paperwork to real-time consent and auditability. In effect, this means that any time your National Identification Number (NIN) is used to open a bank account, obtain a new SIM card, or access a government function, it must be with your explicit agreement and is recorded for subsequent review. Consent becomes the new security barrier, replacing traditional checks and balances.

That’s the theory, at least. In practice, inadequate identification checks and ambiguous consent trails can cause serious threat, not simply hypothetical problems. Consider SIM-swap fraud, for example. Criminals deceive or bribe telecom agents into transferring a victim’s phone number to a new SIM. With the phone line hijacked, they receive all one-time passwords and login messages intended for the legitimate owner. They can reset bank passwords, empty savings accounts, and take over social media profiles in minutes without producing a valid identification document.

In an article I published on June 2, 2025, for BusinessDay titled “Why SIM Swap Scams Are Nigeria’s Silent Cyber War”, I described SIM swap fraud as a growing threat that continues to steal millions of naira from unsuspecting victims each year. Public reports and victim accounts highlight the scale of the problem: many people wake up to find their phone lines suddenly inactive, only to discover that criminals have taken control of their numbers and emptied their bank accounts through a scheme they never anticipated.

These identity theft techniques exploit the very gaps that NINAuth and the new standards seek to address. Until now, Nigeria’s databases have been fragmented. Someone may open many bank accounts with minor differences in their information, or register multiple SIM cards under the same identity. Fragmented databases, poor verification systems, and weak enforcement make impersonation almost effortless for hackers. Worse, when data leaks occur, which they frequently do, criminals steal personal information (BVN, NIN, dates of birth) from one source and use it to avoid checks elsewhere. It’s a simple fact: if consent and verification are not enforced throughout the process, you’ll get fraudulent onboarding, unpaid loans, and accounts locked under pretences.

The new DPI guidelines and NIMC reforms attempt to flip the script. Under the current drafted guidelines, every digital identification service, whether government or private, must meet security and quality standards. That includes strong encryption, biometric verification, and extensive logs for each identity check. NINAuth is designed to give citizens control: you use your phone to grant or revoke permission, so no one can see your profile until you say so. Consider it the digital equivalent of presenting your ID in person. If it works, no clerk can falsely sign you up for a service without your knowledge.

However, rules do not influence the outcome on their own. The weak point is enforcement. Consent is already embedded as a legal right under Nigeria’s Data Protection Act and the NDPR; you must expressly consent to the use of your data and have the ability to revoke it. Unauthorised disclosure of identifying data is also illegal under the new NIMC Act.

However, those standards may be neglected in the absence of audits and careful supervision. What happens if someone secretly accesses your NINAuth app? What happens if a public organisation discreetly searches people’s profiles in bulk without logging requests? Who in the government observes anomalous increases in access or imposes sanctions when regulations are violated? The new perimeter is only as strong as the guards if systems aren’t monitored.

The tools being developed must be used by regulators and policymakers. Performance benchmarks, accountability reports, and interoperable systems are specifically required by the draft DPI framework. That is encouraging since it implies that, in theory, identification checks should have metrics. Regulators might, for instance, search for organisations that neglect to log consent data or identify trends such as hundreds of verifications linked to a single phone number or email address in a brief period of time.

User response is equally vital. There needs to be a fast way for citizens to contest transactions when they say, “I didn’t authorise this transaction.” Data governance guidelines and clear audit trails are only beneficial if they are supported by action. Globally, standards are shifting in this direction. Accountability and user control are mandated by Europe’s GDPR and data protection agencies. Nigeria is moving in the direction of a more secure model by incorporating consent in technology and legislation. However, it will only be successful if the entire system and procedure hold up.

Every NIN check in Nigeria today has a connection to actual money and real people. A mistake in verification could result in fake loans, stolen funds, or the wrong person receiving confidential information like a ID cards. It can also mean a deserving citizen is locked out when a system thinks they are someone else. Data protection is the cornerstone of trust in a digital economy, not just a catchphrase used by bureaucrats. The new rules and regulations promise to restore trust, but we must insist on them being followed. Consent can indeed serve as the security perimeter. But only if we build robust walls behind it, and never let the door be open to fraud.

. Adesola, CISSP, Cybersecurity Professional

Join BusinessDay whatsapp Channel, to stay up to date

Open In Whatsapp