Kolisa Microfinance Bank Limited — Privacy Policy

← Back to Home

This Privacy Policy (“Policy”) sets out the framework through which Kolisa Microfinance Bank Limited (Kolisa MFB) collects, processes, stores, secures, transfers, discloses, and otherwise manages personal data and confidential information obtained from customers, prospective customers, employees, vendors, service providers, digital banking users, website visitors, agents, consultants, and other stakeholders.

As a licensed Nigerian Microfinance Bank operating within an evolving financial technology ecosystem, the Bank recognizes that privacy, cybersecurity, customer confidentiality, digital trust, and responsible data governance are fundamental pillars of modern banking operations. Accordingly, Kolisa MFB is committed to maintaining robust data protection systems that align with Nigerian law, international banking standards, regulatory expectations, digital finance realities, cybersecurity risks, and emerging technological developments as applicable in 2026 and beyond.

1.0 Legal and Regulatory Framework

1.1 This Policy is prepared in compliance with applicable laws, regulations, regulatory directives, and industry standards including but not limited to:

1. The Nigeria Data Protection Act 2023 (NDPA);
2. The Nigeria Data Protection Commission (NDPC) Guidelines and Directives;
3. The Central Bank of Nigeria (CBN) Consumer Protection Framework;
4. The Banks and Other Financial Institutions Act (BOFIA);
5. Anti-Money Laundering and Counter-Terrorism Financing regulations;
6. Cybercrimes (Prohibition, Prevention, etc.) Act;
7. Applicable Know-Your-Customer (KYC) obligations;
8. Financial Reporting Council requirements;
9. Digital banking and fintech compliance obligations;
10. International cybersecurity and information security best practices.

1.2 The Bank continuously reviews and updates its privacy and cybersecurity framework to comply with evolving legal obligations, fintech integration standards, open banking requirements, artificial intelligence governance principles, cloud computing regulations, and emerging digital banking realities.

2. Our Privacy Commitment

2.1 Kolisa MFB is committed to ensuring that all personal data processed by the Bank is handled lawfully, fairly, transparently, securely, and responsibly.

2.2 Our commitments include:

1. Protecting customer confidentiality and banking secrecy;
2. Preventing unauthorized access, disclosure, misuse, or alteration of personal information;
3. Maintaining secure digital banking platforms and transaction systems;
4. Implementing enterprise-wide cybersecurity safeguards;
5. Processing personal data only for legitimate and lawful purposes;
6. Ensuring accountability and responsible governance across all data processing activities;
7. Conducting periodic privacy impact assessments and security reviews;
8. Training employees and contractors on confidentiality and data protection obligations;
9. Maintaining business continuity and disaster recovery frameworks to protect customer data.

3.0 Scope of This Policy

3.1 This Policy applies to all data subjects and all processing activities conducted by or on behalf of Kolisa MFB including:

1. Savings and current account operations;
2. Loan applications and credit assessment;
3. Agency banking services;
4. Mobile banking and USSD banking channels;
5. ATM, POS, and payment gateway transactions;
6. Internet banking services;
7. Fintech partnerships and embedded finance integrations;
8. Customer onboarding and KYC verification;
9. Employee and recruitment processes;
10. Vendor management and procurement systems;
11. CCTV surveillance and physical access systems;
12. Website and mobile application interactions;
13. Call centre, customer support, and complaint management systems;
14. Social media engagement platforms and digital communication channels.

4.0 Types of Personal Data We Collect

Depending on the nature of our relationship with you, the Bank may collect and process the following categories of information:

A. Identification Data

• Full names;
• Date of birth;
• Gender;
• Passport photographs;
• Signatures;
• National Identification Number (NIN);
• Bank Verification Number (BVN);
• International passport details;
• Driver’s licence information;
• Tax Identification Number (TIN).

B. Contact Information

• Residential and business addresses;
• Telephone numbers;
• Email addresses;
• Emergency contact information.

C. Financial Information

• Bank account information;
• Transaction records;
• Loan and repayment history;
• Salary details;
• Investment and savings profile;
• Debit and credit card information;
• Wallet and digital payment records.

D. Technical and Digital Information

• IP addresses;
• Device identifiers;
• Browser information;
• Login activity;
• Session analytics;
• Geolocation information;
• Cookies and online identifiers.

E. Biometric Information

• Facial recognition data;
• Fingerprints;
• Voice authentication records.

F. Employment and Business Information

• Employer details;
• Source of income;
• Business registration records;
• Financial statements;
• Corporate documentation.

5. Methods of Data Collection

5.1 The Bank may collect personal data through various lawful channels including:

1. Account opening documentation;
2. Mobile and online banking platforms;
3. ATM and POS interactions;
4. Loan applications and credit assessment forms;
5. Regulatory databases and identity verification systems;
6. CCTV systems within Bank premises;
7. Website forms and cookies;
8. Customer support calls and emails;
9. Social media engagement platforms;
10. Third-party fintech service providers;
11. Publicly available databases;
12. Payment processors and card schemes;
13. Recruitment applications and employment records.

5.2 In certain circumstances, personal data may also be obtained from authorized third parties including credit bureaus, regulators, law enforcement agencies, identity verification providers, or financial institutions where legally permissible.

6. Purposes of Processing Personal Data

6.1 Kolisa MFB processes personal data for legitimate business, operational, legal, regulatory, and security purposes including:

1. Customer onboarding and account administration;
2. Identity verification and KYC compliance;
3. Loan processing, credit scoring, and risk assessment;
4. Fraud prevention, cybersecurity monitoring, and transaction authentication;
5. Compliance with anti-money laundering and counter-terrorism financing obligations;
6. Regulatory reporting and statutory compliance;
7. Customer relationship management;
8. Product development and service improvement;
9. Financial analytics and operational efficiency;
10. Employee administration and payroll management;
11. Debt recovery and dispute resolution;
12. Internal audits, investigations, and compliance reviews;
13. Personalized banking services and digital banking innovations;
14. AI-assisted customer support and transaction monitoring.

6.2 The Bank shall process personal data only to the extent reasonably necessary and proportionate for legitimate banking purposes.

7. Legal Basis for Processing

7.1 The Bank processes personal data on one or more lawful grounds including:

1. Consent of the data subject;
2. Performance of contractual obligations;
3. Compliance with legal and regulatory obligations;
4. Legitimate business interests;
5. Protection of vital interests;
6. Exercise of official authority or public interest obligations.

7.2 Where consent is relied upon, the Bank shall ensure that such consent is freely given, specific, informed, and capable of being withdrawn.

8. Data Sharing and Disclosure

8.1 Kolisa MFB may disclose personal data where necessary and lawful to:

1. The Central Bank of Nigeria;
2. Nigeria Inter-Bank Settlement System (NIBSS);
3. Credit bureaus;
4. Payment processors and switching companies;
5. Law enforcement agencies;
6. Regulatory authorities;
7. Auditors, legal advisers, and consultants;
8. Cloud hosting providers;
9. Fintech integration partners;
10. Debt recovery agencies;
11. Insurance providers;
12. Fraud monitoring service providers.

8.2 The Bank shall ensure that all third-party recipients maintain adequate confidentiality, cybersecurity, and data protection safeguards.

9. Cross-Border Data Transfers

9.1 As part of modern banking operations and cloud-based digital banking infrastructure, personal data may be transferred outside Nigeria where reasonably necessary.

9.2 Such transfers may occur for:

1. Cloud hosting and disaster recovery;
2. Payment processing;
3. Fraud prevention and cybersecurity monitoring;
4. Fintech integrations;
5. International transaction processing;
6. Business continuity management.

9.3 Where cross-border transfers occur, the Bank shall implement appropriate safeguards including contractual protections, encryption standards, access restrictions, adequacy assessments, and regulatory compliance mechanisms.

10. Artificial Intelligence, Automation, and Digital Banking

10.1 In line with evolving 2026 financial technology realities, the Bank may deploy artificial intelligence, machine learning systems, and automated analytics tools for operational efficiency, fraud detection, transaction monitoring, cybersecurity management, customer support automation, and credit risk assessment.

10.2 Such systems may analyze:

1. Transaction patterns;
2. Customer behavior;
3. Device activity;
4. Geolocation anomalies;
5. Risk indicators;
6. Financial history.

10.3 Where legally required, data subjects may request human review of significant automated decisions affecting them.

11. Data Retention

11.1 The Bank shall retain personal data only for as long as necessary to fulfill lawful banking purposes, regulatory obligations, audit requirements, litigation management, dispute resolution, and statutory retention obligations.

11.2 Retention periods shall be determined based on:

1. Nature of the banking relationship;
2. Regulatory and legal requirements;
3. Risk exposure;
4. Tax and financial reporting obligations;
5. Ongoing investigations or litigation.

11.3 Upon expiration of applicable retention periods, personal data shall be securely deleted, anonymized, archived, or destroyed.

12. Information Security and Cybersecurity

12.1 Kolisa MFB implements comprehensive administrative, technical, organizational, and physical safeguards designed to protect personal data and confidential banking information.

12.2 Security measures include:

1. Encryption technologies;
2. Multi-factor authentication;
3. Secure firewalls and intrusion detection systems;
4. Endpoint protection and vulnerability assessments;
5. Access controls and role-based permissions;
6. Cybersecurity awareness training;
7. Continuous network monitoring;
8. Security audits and penetration testing;
9. Business continuity and disaster recovery frameworks;
10. Secure cloud architecture and data backup systems.

12.3 Despite reasonable safeguards, no digital system can guarantee absolute security. Customers are encouraged to maintain confidentiality of passwords, OTPs, and authentication credentials.

13. Data Breach Response

13.1 In the event of any actual or suspected data breach, cybersecurity incident, unauthorized disclosure, or compromise of personal data, the Bank shall:

1. Investigate and assess the incident promptly;
2. Contain and mitigate the impact;
3. Notify relevant regulators where legally required;
4. Notify affected individuals where necessary;
5. Implement corrective and remediation measures;
6. Maintain incident logs and forensic records;
7. Review internal controls and security frameworks.

13.2 The Bank maintains a cybersecurity incident response structure to manage emerging digital threats and evolving financial sector cyber risks.

14. Rights of Data Subjects

14.1 Subject to applicable law and regulatory limitations, data subjects may exercise the following rights:

1. Right to be informed;
2. Right of access;
3. Right to rectification;
4. Right to withdraw consent;
5. Right to object to processing;
6. Right to restrict processing;
7. Right to data portability;
8. Right to erasure;
9. Right to complain to the Nigeria Data Protection Commission;
10. Rights relating to automated decision-making.

14.2 Requests relating to personal data rights may be directed to the Bank’s designated Data Protection Officer.

15. Customer Responsibilities

15.1 Customers and users of the Bank’s platforms are expected to:

1. Maintain confidentiality of account credentials;
2. Protect passwords, PINs, OTPs, and authentication devices;
3. Promptly notify the Bank of suspicious activity;
4. Provide accurate and updated information;
5. Avoid sharing sensitive banking information with unauthorized persons;
6. Exercise caution when using third-party fintech applications.

15.2 The Bank shall not be liable for losses resulting from customer negligence, unauthorized credential disclosure, or fraudulent third-party activities outside the Bank’s reasonable control.

16. Policy Review and Amendments

16.1 Kolisa MFB reserves the right to amend, revise, or update this Privacy Policy periodically to reflect:

1. Regulatory developments;
2. Technological advancements;
3. Cybersecurity realities;
4. Changes in banking operations;
5. Emerging fintech and open banking practices;
6. Evolving legal obligations.

16.2 Updated versions of this Policy shall become effective upon publication through the Bank’s official communication channels.

17. Contact Information

17.1 For questions, complaints, requests, or concerns regarding this Privacy Policy or the processing of personal data, please contact:

Head, Information & Technology
Kolisa Microfinance Bank Limited

17.2 Email: praisegod.ngegwe@kolisamfb.com
Telephone: +234 (0) 8137322863
Registered Office Address: 124B, Umejei Road, Ibusa, Delta State

Complaints may also be directed to the Nigeria Data Protection Commission (NDPC) in accordance with applicable law.

Acknowledgment and Acceptance of Privacy Policy

By engaging with Kolisa Microfinance Bank Limited, using any of the Bank’s services, or interacting with any of the Bank’s digital or physical platforms, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy.

← Back to Home