FCCPC’s new consumer lending regulation

On July 25, 2025, the Federal Competition and Consumer Protection Commission (FCCPC) brought into effect the Digital, Electronic, Online, or Non-Traditional Consumer Lending Regulations, 2025. These rules mark a turning point in how digital lending is regulated in Nigeria, affecting not just direct lenders but also mobile money operators, fintech companies, and third-party vendors who play any role in the lending value chain.

The regulations are made under the FCCPC Act of 2018 and are designed to set enforceable standards for transparency, consumer protection, and fair competition. They apply to a broad range of transactions, covering both cash and non-cash credit, and they bring with them a licensing-style framework that requires formal approval before operating.

This guide breaks down what these regulations mean, who they apply to, and how affected businesses can prepare.

Also read: Download the FCCPC Digital Consumer Lending Regulations 2025

Who falls under the new rules?

At the centre of the new rules is what the FCCPC calls the “benefit test”. This is the standard that determines whether a business must comply.

The benefit test is intentionally broad. It applies to any lending activity conducted digitally, electronically, online, or through non-traditional channels, whether the loan is secured or unsecured, and whether the operator is based in Nigeria or abroad. If the business gains any benefit from the lending transaction; cash, goods, services, commissions, barter, or other advantages, the rules apply.

This reach extends far beyond licensed lending companies. A telecommunications provider offering airtime loans, an agricultural technology platform allowing farmers to take seeds on credit, or a retailer offering instalment payments through a digital channel could all be covered. Even if lending is incidental to the main business, the FCCPC’s interest is triggered as long as value is exchanged.

This wide reach means the rules apply to:

• Digital lenders and fintech companies
• Mobile money operators offering credit services
• Telecommunications companies providing airtime or data advances
• Agricultural platforms extending inputs on credit
• Vendors or service providers partnering with lenders and earning from the transaction

For businesses operating in the digital space, it is also important to note the geographic trigger. The regulations are designed to cover lenders operating in more than one state within Nigeria. In a physical lending model, that might mean deliberate expansion. In a digital model, it often happens by default, most apps and platforms are accessible across state lines, even if that was not the original business plan.

Also read: How to get your FCCPC license as a Nigerian digital lender

The new approval process

Perhaps the most significant operational shift in the new regulations is the move toward a formal registration and approval process. Before offering loans or continuing to operate, every business that meets the benefit test must register with the FCCPC and secure formal approval. The application requires the submission of documents that goes beyond basic incorporation details. Businesses will need to provide:

• Corporate Affairs Commission (CAC)  records and constitutional documents
• Full disclosure of directors, key management, and shareholders, including beneficial ownership details
• Sector-specific licences where applicable
• Standard terms and conditions used in lending contracts
• Policies for privacy, data protection, and customer service
• Evidence of tax compliance
• A Compliance Audit Report and a Data Protection Impact Assessment (DPIA) conducted by an accredited Data Protection Compliance Organisation

Applicable fees:

• Application fee: ₦100,000 (non-refundable)
• Approval fee for digital lenders: ₦1,000,000 (covers two apps)
• Extra apps: ₦500,000 each (up to five apps in total)
• Renewal fee: ₦500,000

Approvals are valid for one year initially. After that, renewals are required every 36 months, subject to a renewal levy. For compliance teams and founders, this changes registration from a once-off administrative step into an ongoing licensing-style obligation, with timelines, costs, and renewal cycles that must be budgeted for.

There is only one explicit exemption: licensed microfinance banks (MFBs). Even then, the exemption is not automatic. MFBs must apply to the FCCPC for a formal waiver. The choice to exempt only this category of banks has raised questions, especially since other types of banks also engage in consumer lending but remain subject to the full process.

Partnerships now require FCCPC oversight

Beyond individual operators, the FCCPC is asserting authority over partnerships and vendor relationships connected to lending.

Any partnership, joint venture, fee-sharing model, or third-party arrangement that is material to consumer lending must be captured in a Consumer Lending Services Agreement and submitted to the Commission for approval. Existing agreements must be regularised and any modification, assignment or subcontract requires prior FCCPC consent. The Commission can reject agreements that are unfair or anticompetitive.

For lending that involves airtime or data provisioning, regulated undertakings must have at least two intermediaries or service providers for service activation, and one intermediary must be a fully Nigerian-owned provider, within 60 days of commencement. This is an explicit competition measure to avoid single points of failure and dominance.

Fast-moving growth teams that sign exclusivity deals with activation vendors will now face rejection risk. Procurement and legal must add FCCPC approval as a mandatory gating item. Commercial teams should build fallback suppliers into every deal.

Data protection and audits

As part of registration, applicants must provide a Compliance Audit Report and a Privacy Impact Assessment from a registered Data Protection Compliance Organisation, and the Regulations reference the Audit Trust mark from the NDPC. The Regulations therefore build data protection proof into the FCCPC approval process.

Expect overlapping scrutiny from FCCPC and NDPC. Obtain DPIAs and DPCO audit reports early. Harden encryption, access controls, retention policies and breach response. Make sure your systems can produce a consumer usage statement within 24 hours.

Reporting, records, and deadlines

Under the new regulations, digital lenders and other covered entities face strict reporting, record-keeping, and response obligations. Twice a year, they must submit operational reports to the FCCPC detailing the number of consumer lending transactions, their total value, the interest and fees collected, as well as a breakdown of complaints received and how they were resolved. In addition, an annual return is due by 31 March each year for the preceding calendar year. This annual filing must include the total volume and value of transactions, a summary of all complaints, and audited financial statements that clearly show income derived from lending activities. All records relevant to these submissions must be preserved for at least five years.

The FCCPC also retains the power to request records at short notice and expects them to be provided within 48 hours of a valid demand. This makes it essential for organisations to maintain an incident response and legal hold process capable of quickly extracting and delivering the required information. From a systems perspective, this means building and maintaining sound data models that capture transactions, revenues, fees, complaint statuses, and case outcomes in a way that can be easily retrieved and audited. Profit and loss lines for lending must be clearly identifiable, and both data retention and retrieval processes must be reliable, tested, and embedded into day-to-day compliance operations.

Penalties for non-compliance

Natural persons can face administrative penalties up to ₦50,000,000. Corporates risk penalties up to ₦100,000,000 or 1% of turnover from the previous year, whichever is higher. Directors may also be disqualified for up to five years. The Commission has the authority to suspend operations, delist registrants, revoke approvals, or order the termination of partnerships. Approvals may be withdrawn if an applicant submits false or misleading information, breaches the Regulations or the FCCPC Act, or engages in conduct deemed harmful to consumers. In some cases, if a sector licence expires or becomes restricted after an agreement is in place, the related contract may be terminated within five days.

Compliance is now a board-level responsibility. Directors must ensure active oversight and maintain documented evidence of remedial action. Legal and compliance teams should have direct lines to senior management and the board. Beyond monetary fines, the reputational damage from public sanctions in a regulated market can be lasting.

Grey areas and likely pain points

Overlap with NDPC: The FCCPC’s requirement for DPIAs and NDPC audit traces will create paperwork overlap and possible jurisdictional friction. Practically, applicants must satisfy both regulators or risk delay.

MFB exemption: Microfinance banks have a waiver route, not a blanket escape. Other banks remain subject to their sectoral regulators. The selective exemption may create uneven compliance incentives.

Vendor financing scope: The Regulations bring vendor financing and incidental credit under the same regime as dedicated lenders. That raises both fairness questions and proportionality concerns for small merchants who only occasionally extend credit. Expect industry pushback or guidance from the Commission on proportionality down the line.

Operational friction: The prior approval requirement for vendor agreements will slow partnerships and require procurement and legal teams to plan for regulatory review time in every commercial timeline.

What lenders and partners should be doing now

Given the breadth and enforceability of the regulations, every affected business should be acting immediately:

• Assess whether you meet the benefit test, and if so, prepare to register.
• Gather the necessary documentation, including compliance and data protection reports.
• Budget for application, approval, and renewal fees.
• Review all existing partnership agreements and prepare them for FCCPC submission.
• Update loan terms, contracts, and customer service processes to meet the consumer protection requirements.
• Establish internal reporting systems to meet annual and bi-annual filing deadlines.

Also read: How to secure your Finance House license in Nigeria

A new compliance reality for digital lending

While it makes sense for the FCCPC to set clear, enforceable standards for digital lending, the way these Regulations are structured will demand far more from operators than a simple registration exercise. The combination of annual and multi-year renewals, partnership approvals, detailed reporting, and overlapping data protection requirements will change how lenders and vendors plan, hire, and launch products.

That said, the rules are already in effect, and the FCCPC has made it clear that failure to comply will not be taken lightly. For digital lenders, MMOs, fintech founders, and their partners, this is now part of the cost of doing business. The choice is simple: adapt your operations, embed compliance into decision-making at the board and management level, and keep your paperwork and processes invulnerable, or risk being shut out of a sector that is only getting more competitive.