FFS Microfinance Bank is a Tier 1 Unit Microfinance Bank licensed by Central Bank of Nigeria (CBN) to carry out banking services to a wide variety of customers including individuals, small and medium enterprises, large corporates and multinationals, governmental institutions, and non-governmental institutions. Our banking services are provided at our office and through e-channels including the Internet and Mobile App. Customers and potential customers can access our services through these channels including our website www.ffsmfb.com by accessing the Bank’s services through account opening at our office and/or e-channels and/or subscribing to any of our various products such as online banking, instant banking, ATM card services.
We understand customers provide certain personally identifiable information and this document details the policies of the Bank guiding the collection, usage, storage, destruction, disclosure and right of this personally identifiable Information.
The purpose of this document (“FFS MFB Data Protection Policy”) is to inform the public of how FFS Microfinance Bank manages Personal Data (as defined below) which is subject to the Nigeria Data Protection Regulation 2023.
The public is expected to read this Data Protection Policy so as to know and understand the purposes for which we collect, use and disclose Personal Data
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action signifies agreement to the processing of Personal Data relating to him or her;
By interacting with us, filling out forms/registers (both online and offline), submitting information to us, or signing up for any products or services offered by us, the user agrees and consent to FFS Microfinance Bank Data Protection policy in the manner outlined in this Data Protection Policy.
“Data” means characters, symbols, and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device;
In this Data Protection Policy, “Personal Data” refers to any data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time.
Examples of such Personal Data you may provide to us include (depending on the nature of your interaction with us) your name, Bank Verification Number, National Identity Number, passport or other identification numbers, telephone number(s), mailing address, email address, transactional data and any other information relating to any individuals which you have provided us in any form you may have submitted to us (including in the form of biometric data), or via other forms of interaction with you.
Generally, we collect Personal Data in the following ways:
When you browse our website and platforms, you generally do so anonymously but please see the section below on cookies. We do not, at our website and platforms, automatically collect Personal Data, including your email address unless you provide such information or login with your account credentials.
If you provide us with any Personal Data relating to a third party (for example, information of your spouse, children, parents, or a Connected Person), by submitting such information to us, you represent to us that you have obtained the consent of the third party to you providing us with his/her Personal Data for the respective purposes. “Connected Person” may include but is not limited to any beneficial owner, authorized signatory, director, shareholder, an officer of a company, partner or member of a partnership, settlor, trustee, beneficial owner, protector or grantor of trust, mandate holder, power of attorney holder, surety, third party security provider, provider of funds, founder and/or employee, the payee of designated payment, representatives, agents or nominees.
You should ensure that all Personal Data submitted to us is complete, accurate, true and correct. Failure on your part to do so may result in our inability to provide you with the products and services you have requested.
Personal Data: While using our services, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally, identifiable information may include, but is not limited to:
Name and Contact Data: We collect your first, middle and last name, email address, bank verification number, national identity number, home address, phone number, signature, date of birth, an identification document such as a copy of driver’s license, international passport, national identity card, and other similar contact data.
Credentials: when you subscribe to any of our products, particularly our e-channels products (online/mobile Banking) you may be required to provide a User ID, a PIN, details from a token response device, password hints, and similar security information used for authentication and account access. You may or may not also be required or opt to use biometric identification to access your account and authenticate transactions. While this information is required to ensure that you carry out transactions securely, appropriate security measures have been implemented to protect these data including encryption and storage in a secured environment, if required.
Payment Data: If you subscribe to our ATM card products, we will issue you ATM cards each with unique numbers called Personal Access Number (PAN), Personal Identity Number (PIN), and Card Verification Number. You are required to keep your card and these security numbers from access by another person. For ATM cards, a default PIN may be provided by us. In such circumstances, you are required to change the default PIN to a new PIN to enable activation and/or use of the card. When you carry out transactions or enrollment related to card services or online services, these card security numbers or any of them may be required for authentication.
We collect data necessary to process your payment if you make payment/transfers, such as your card number and the security code associated with your payment card. All payment data are processed, transmitted and stored securely in line with PCI DSS requirements.
Usage Data: We may also collect information that your browser sends whenever you access our online services and or when you access the services by or through a mobile device ("Usage Data"). This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers and other diagnostic data. When you access services by or through a mobile device, this Usage Data may include the following:
Geo-Location information: We may request access or permission to and track location-based information from your mobile device, either continuously or while you are using our mobile application, to provide location-based services. If you wish to change our access or permissions, you may do so in your device's settings.
Mobile Device Access: We may request access or permission to certain features from your mobile device, including your mobile device's camera, calendar, Bluetooth, contacts, storage and other features. If you wish to change our access or permissions, you may do so in your device's setting. Mobile Device Data: We may automatically collect device information (such as your mobile device ID, model and Manufacturer), operating system, version information, IP address and diagnostic data.
Tracking & Cookies Data: We use cookies and similar tracking technologies to track the activity on our Service. Cookies are files with small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Tracking technologies also used are beacons, tags, and scripts to collect and track information and to improve and analyze our Service. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.
Use of Analytics to Collect/Monitor/Analyze Data We may use third-party Service Providers to monitor and analyze the use of our Service. Such service include but is not limited to:
FFS Microfinance Bank uses and discloses your Personal Data for the following purposes:
These purposes may also apply even if you do not maintain any account(s) with us or have terminated these account(s).
We only share and disclose your information in the following situations:
We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements).
We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved.
We may share your data with third-party vendors, service providers, contractors or agents who perform services for us or on our behalf and require access to such information to do that work, which is necessary to provide the envisaged banking services. Examples include but not limited to: payment processing, data analysis, email delivery, hosting services, customer service, and marketing efforts. For the purpose of service improvement, we may allow selected third parties to use tracking technology on the services which will enable them to collect data about how you interact with the services over time. This information may be used to, among other things, analyze and track data, determine the popularity of certain content, and better understand online activity. Unless described in this policy, we do not share, sell, rent, or trade any of your information with third parties for their promotional purposes. Business transfers: we may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company
Transfer of Data: The world today is interconnected and so is the provision of banking services. For instance, there could be many counterparties involved for a card transaction to be successfully completed. These include the personalization companies, the switching companies, processors, acquirers, merchants, and card schemes. Certain personal data will traverse these parties in the normal course of carrying out transactions. Save as related to the provision of banking services and meeting legal, regulatory, contractual, and other uses tangential or incidental to these, FFS Microfinance Bank will not share your personal data with a third party. Where it becomes necessary to do so, adequate security measures will be taken to protect the data from access by recipients other than those for which it is intended. All data we collect will reside in FFS Microfinance Bank’s computer systems in Nigeria. Where cloud services are used, adequate governance measures that apply to such cloud services will be complied with. FFS Microfinance Bank Limited will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. No transfer of your Personal Data will take place to an organization or a country unless there are adequate controls in place including the security of your data and other personal information.
Where Personal Data is to be transferred to a country outside Nigeria, the Bank shall put adequate measures in place to ensure the security of such Personal Data. In particular, The Bank shall, among other things, conduct a detailed assessment of whether the said country is on the National Information Technology Development Agency (NITDA) White List of Countries with adequate data protection laws.
Transfer of Personal Data out of Nigeria would be in accordance with the provisions of the Nigeria Data Protection Regulation, 2023 (NDPR). The Bank will therefore only transfer Personal Data out of Nigeria on one of the following conditions:
(a) The consent of the Data Subject has been obtained (b) The transfer is necessary for the performance of a contract between the Bank and the Data Subject or implementation of pre contractual measures taken at the Data Subject’s request; (c) The transfer is necessary to conclude a contract between the Bank and a third party in the interest of the Data Subject; (d) The transfer is necessary for reason of public interest; (e) The transfer is for the establishment, exercise, or defense of legal claims; (f) The transfer is necessary in order to protect the vital interests of the Data Subjects or other persons, where the Data Subject is physically or legally incapable of giving consent.
Provided, in all circumstances, that the Data Subject has been manifestly made to understand through clear warnings of the specific principle(s) of data protection that are likely to be violated in the event of transfer to a third country, this proviso shall not apply to any instance where the Data Subject is answerable in duly established legal action for any civil or criminal claim in a third country.
The Bank will take all necessary steps to ensure that the Personal Data is transmitted in a safe and secure manner. Details of the protection given to your information when it is transferred outside Nigeria shall be provided upon the Data Subject’s request. Where the recipient country is not on the White List and none of the conditions stipulated in this Privacy Policy are met, the Bank will engage with NITDA and the Office of the Honourable Attorney General of the Federation (HAGF) for approval with respect to such transfer.
FFS Microfinance Bank will take reasonable efforts to protect Personal Data in our possession or our control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. However, we cannot completely guarantee the security of any Personal Data we may have collected from or about you, or that for example, no harmful code will enter our website (for example viruses, bugs, trojan horses, spyware or adware). You should be aware of the risks associated with using websites and take any necessary precautions.
We have implemented technical and organisational security measures to safeguard the personal information in our custody and control. Such measures include, for example, limiting access to personal information only to employees and authorised service providers who need to know such information for the purposes described in this policy; adopting security protocols on networks and systems; using email security settings when sending and/or receiving highly confidential emails; applying physical access controls such as marking confidential documents clearly and prominently, storing confidential documents in locked file cabinets; restricting access to confidential documents on a need-to-know basis; using privacy filters; disposal of confidential documents that are no longer needed, through shredding or similar means; using a mode of delivery or transmission of personal data that affords the appropriate level of security (e.g. registered post instead of the normal post where appropriate); confirming the intended recipient of personal data as well as other administrative, technical and physical safeguards.
While we endeavour to protect our systems, sites, operations and information against unauthorised access, use, modification and disclosure, due to the inherent nature of the Internet as an open global communications vehicle and other risk factors, we cannot guarantee that any information, during transmission or while stored on our systems, will be safe from intrusion by others, such as hackers. We engage various forms of security method like Encryption, Backup and Recovery and Access control, all together put in place to ensure the authentication of users and protection against data breaches. Our web servers are secured under a strong security system with our trained and trusted IT workforce who work hand in hand to ensure confidentiality of data of clients in accordance to our laid down procedures and compliance with the Nigeria Data Protection Regulation.
While we strive to protect your Personal Data, we cannot ensure the security of the information you transmit to us via the Internet or electronic communication or when you use our electronic services, and we urge you to take every precaution to protect your Personal Data when you use such platforms. We recommend that you change your passwords often, use a combination of letters and numbers, and ensure that you use a secure browser.
If applicable, you undertake to keep your username, password and/or pin secure and confidential and shall not disclose or permit it to be disclosed to any unauthorised person, and to inform us as soon as reasonably practicable if you know or suspect that someone else knows your username and password or believe the confidentiality of your username and password has been lost, stolen or compromised in any way or that actual or possible unauthorised transactions have taken place. We are not liable for any damages resulting from any security breaches, on unauthorised and/or fraudulent use of your username and password.
Our website may contain links to other websites operated by third parties. We are not responsible for the privacy practices of websites operated by third parties that are linked to our website. We encourage you to learn about the privacy policies of such third party websites. Some of these third-party websites may be co-branded with our logo or trademark, even though they are not operated or maintained by us. Once you have left our website, you should check the applicable privacy policy of the third party website to determine how they will handle any information they collect from you.
We will only retain your personal data for as long as necessary for the purpose for which that data was collected and to the extent permitted by applicable laws. In general, we will keep your personal data for between five (5) to ten (10) years (depending on the type of information, and in accordance with our internal policies) after your relationship with us is terminated. However, there may be circumstances that mean we must retain your personal information for longer. To determine how long it is necessary to retain your personal information, we calculate retention periods in accordance with the following criteria:
• the currency of your relationship with us and the types of products or services you have with us; • the length of time it is reasonable to keep records to demonstrate that we have fulfilled our obligations to you and under the law; • any limitation periods within which claims might be made; • any retention periods prescribed by law or recommended by regulators, industry bodies or associations; and • the existence of any relevant proceedings.
Our services are not intended to be provided directly to children without parental consent. We will never knowingly collect personal information from individuals under the age of eighteen (18) years without first obtaining verifiable parental consent. If you are under the age of 18 you should not provide information to us. If we become aware that a person under 18 has provided personal information to us without verifiable parental consent, we will remove such personal information from our files.
The data protection laws provide individuals with the following rights:
• Right of subject access: The right to make a written request for details of personal information we hold about you and to request a copy of that personal information. • Right to rectification: The right to have inaccurate information about you rectified. • Right to erasure (‘right to be forgotten’): The right to have certain personal information about you erased. • Right to restriction of processing: The right to request that your personal information is only used for restricted purposes. • Right to object: The right to object to the use of personal information (including the right to object to marketing). • Right to data portability: The right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats. • Right to withdraw consent: You have the right to withdraw any consent you have given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of the use of your personal information before the withdrawal of your consent. These rights may not apply in all cases. If we are not able to comply with your request, we will explain why. In response to a request, we will ask you to verify your identity if we need to and to provide information that helps us to understand your request better. If you would like more information about your rights or to exercise any of your rights, please contact with the details below. • Right to lodge a complaint with a supervising authority: You have the right to lodge a complaint with the National Information Technology Development Agency or a Data Protection Compliance Organisation licensed by the Agency.
The Bank is committed to maintaining the principles in the NDPR regarding the processing of Personal Data. To demonstrate this commitment as well as our aim of creating a positive privacy culture within the Bank, The Bank adheres to the following basic principles relating to the processing of Personal Data:
Lawfulness, Fairness, and Transparency Personal Data must be processed lawfully, fairly, and in a transparent manner at all times. This implies that Personal Data collected and processed by or on behalf of The Bank must be in accordance with the specific, legitimate, and lawful purpose consented to by the Data Subject, save where the processing is otherwise allowed by law or within other legal grounds recognized in the NDPR.
Data Accuracy Personal Data must be accurate and kept up-to-date. In this regard, The Bank shall:
a) ensure that any data it collects and/or processes is accurate and not misleading in a way that could be harmful to the Data Subject; b) make efforts to keep Personal Data updated where reasonable and applicable; and make timely efforts to correct or erase Personal Data when inaccuracies are discovered.
Purpose Limitation The Bank collects Personal Data only for the purposes identified in the appropriate The Bank Privacy Notice provided to the Data Subject and for which consent has been obtained. Such Personal Data cannot be reused for another purpose that is incompatible with the original purpose, except a new consent, is obtained.
Data Minimization:
The Bank limits Personal Data collection and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
The Bank will evaluate whether and to what extent the processing of personal data is necessary and where the purpose allows, anonymized data must be used.