A group of data protection advocates has sued the Central Bank of Nigeria (CBN) over a controversial directive restricting Nigerians to a one-time change of phone numbers linked to their Bank Verification Numbers (BVN), arguing that the policy is unconstitutional and exposes millions to fraud risks.
According to a report by The Nigeria Lawyer on Saturday, April 11, the Incorporated Trustees of the Data Privacy Lawyers Association (DPLA) and Etisang Solomon, Esq. filed the fundamental rights enforcement suit at the Federal High Court, Kaduna Judicial Division.
The case, lodged on April 7 and stamped by the court on April 8, 2026, challenges a CBN circular dated March 12, 2026, titled “Addendum to the Revised Regulatory Framework for Bank Verification Number (BVN) Operations and Watchlist for the Nigerian Banking Industry.”
Pinnacle Daily reports that the one-time change of phone numbers linked to BVN is among the about 17 new banking rules the CBN introduced recently.
Under the new rule, CBN directed that a phone number connected to a BVN can only be changed once, a move aimed at reducing identity fraud.
At the centre of the dispute is clause (c) of the circular, which provides that amendments to phone numbers linked to a BVN shall be permitted only once, with implementation scheduled to begin on May 1, 2026.
The applicants contend that the restriction violates constitutional and statutory protections, including Section 37 of the 1999 Constitution on the right to privacy, as well as Sections 24(1)(e) and 34(1)(c) of the Nigeria Data Protection Act (NDPA) 2023.
They are asking the court to declare the policy unlawful, nullify the disputed provision, restrain the CBN from enforcing it, and compel a review of the framework.
READ ALSO:
- CBN Tightens Cybersecurity Oversight, Demands Compliance from Banks
- CBN Debunks Polaris Bank Liquidation Rumour
- Nigeria Must Privatise Now, Tap Markets or Face Fiscal Squeeze — Expert
- Banks Raise ₦4.65trn as CBN Wraps Up Recapitalisation Exercise
In a 25-paragraph affidavit sworn by Christopher Yange, a member of the DPLA, the claimants outlined what they described as the real-world implications of the policy.
The affidavit stressed that phone numbers are inherently dynamic, subject to loss, theft, recycling, deactivation, and reassignment by telecom operators.
Yange told the court that telecom providers routinely recycle inactive numbers, making them available to new users, and cited a report from the Foundation for Investigative Journalism to support the claim.
The suit argues that once a BVN holder exhausts the single permitted update, any subsequent loss or compromise of their phone number would leave them permanently unable to correct their records.
This, the applicants warned, could expose customers to identity theft, unauthorised access to banking information, and interception of sensitive alerts and authentication codes.
In their written address spanning over 12 pages, counsel to the applicants, Olumide Babalola, Esq., Emmanuel Okpara, Esq., and Frank Ijege, Esq. of Olumide Babalola LP, framed the dispute around three key legal questions.
On the first issue, they argued that a BVN-linked phone number constitutes sensitive personal data and a critical channel for financial authentication, rather than mere administrative information.
They cited appellate decisions, including Digital Rights Lawyers Initiative vs National Identity Management Commission (NIMC) (2021) and Omotayo vs Airtel Networks (2025), to support the position that personal data and telephone communications are protected under the constitutional right to privacy.
On the second issue, the lawyers contended that the one-time amendment rule violates the right to data rectification under Section 34(1)(c) of the NDPA.
They argued that the law guarantees data subjects the ability to correct inaccurate or outdated personal information, and that the CBN’s restriction effectively overrides that right.
They also referenced Rebecca Temitope Bonje v Guaranty Trust Bank Plc (2024) as judicial backing for enforcing data accuracy obligations.
On the third issue, the applicants maintained that the policy is arbitrary and disproportionate, describing it as a blanket rule that fails to consider legitimate scenarios such as SIM loss, network changes, number recycling, or security concerns.
They argued that less restrictive measures—such as enhanced identity verification and multi-factor authentication—could address fraud risks without infringing on citizens’ rights.
The affidavit further accused the CBN of failing to act in good faith in issuing the circular, citing the absence of a clear evidential basis, lack of stakeholder consultation, the absence of a defined exception mechanism, and failure to align the directive with existing data protection laws.
The Data Privacy Lawyers Association, the first applicant, is a non-governmental organisation incorporated on December 10, 2024, with a mandate to promote and defend privacy rights in Nigeria.
The second applicant, Etisang Solomon, Esq., reportedly stated that he is directly affected as a BVN holder.
The suit seeks, among other reliefs, a mandamus compelling the CBN to establish a more flexible and verifiable framework for updating BVN-linked phone numbers.
The case, filed at the Federal High Court in Kaduna, is yet to be assigned a hearing date.
The CBN, listed as the sole respondent, is to be served at its Kaduna office on Yakubu Gowon Way, the report added.
Alex is a business journalist cum data enthusiast with the Pinnacle Daily. He can be reached via ealex@thepinnacleng.com, @ehime_alex on X
