BVN, NIN Sale: A Threat to National Security
By Shuaib S. Agaka
Just weeks ago, national alarm bells rang over the dangers of SIM recycling—where inactive mobile numbers are reassigned without proper verification, sometimes leading to unauthorized access to bank accounts and sensitive platforms. Now, with the Economic and Financial Crimes Commission (EFCC) revealing that thousands of Nigerian youths are trading Bank Verification Numbers (BVNs) and National Identification Numbers (NINs), a far more disturbing pattern is taking shape: Nigeria’s digital identity infrastructure is dangerously compromised.
The implications are staggering. The country’s cybersecurity framework, already riddled with loopholes, is now showing deeper fractures. Trust—the bedrock of any digital system—is evaporating fast. Ironically, while palliatives are now scarce and heavily guarded, Nigerians’ personal data floats freely across black markets and rogue platforms. The very act of surrendering biometric and personal details to the state—under promises of security and service delivery—has become the gateway to exploitation.
Nigeria’s digital identity architecture is built on three core pillars: the NIN managed by the National Identity Management Commission (NIMC), the BVN under the Central Bank of Nigeria (CBN), and the SIM-NIN linkage enforced by the Nigerian Communications Commission (NCC). Together, these systems were intended to unify identity verification, enhance financial inclusion, curb fraud, and support digital governance.
In theory, it’s a sound framework. In practice, however, it’s falling apart.
Corruption and insider leaks have created cracks in what should be secure systems. Reports show that agents and insiders at registration centers and financial institutions are illicitly selling registered NINs, BVNs, and even biometric data. The EFCC’s findings that over 12,000 youths were caught selling their identities is only the visible tip of a deeper and more institutionalized rot. The black market for digital identities is supplied not just by desperate youth—but also by compromised insiders working within supposedly secure government and financial agencies.
Verification protocols, the first line of defense, are routinely sidestepped. At many third-party registration centers, biometric authentication is either skipped or falsified with fake inputs. Some SIM registration agents reuse previously registered identities to meet sales quotas. These practices undermine the system’s reliability and leave Nigerians exposed to fraud and criminal impersonation.
Even worse is the fragmentation across Nigeria’s digital identity ecosystem. Different institutions—NIMC, CBN, NCC, and the Nigeria Data Protection Commission (NDPC)—operate in silos, with inconsistent standards and little interoperability. Data isn’t cross-verified in real time, allowing fraud to slip through blind spots between disconnected databases. This dysfunction not only causes inefficiencies but also creates a breeding ground for identity theft, digital loan fraud, and money laundering through online platforms.
Regulatory enforcement is another weak link. While multiple agencies issue guidelines, few conduct rigorous, coordinated audits or impose timely sanctions. Telecoms, fintech startups, and even banks suffer minimal consequences for lapses in data security—even after public breaches. Regulatory response is usually reactive—coming only after scandals break, long after victims have been exploited and criminals have vanished.
The result is a thriving underground economy of stolen identities. Unlike traditional cyberattacks that hack into databases, modern fraudsters simply purchase valid identity profiles and walk through the front doors of banks and digital platforms. They use stolen data to access quick loans, launder money, or hijack social media and financial accounts. Many victims only learn they’ve been compromised when loan default messages arrive or when they are flagged for crimes they didn’t commit. Meanwhile, perpetrators operate anonymously, using basic smartphones and internet access to inflict national-scale damage.
What’s most chilling is the normalization of this digital exploitation. Among tech-savvy but jobless youth, identity theft has become just another hustle. It’s a symptom of a larger socioeconomic failure—one where trust in institutions is low, opportunity is scarce, and crime has become enterprise.
Yet amid this chaos, the root problem lies not just with the fraudsters or fintech firms but with the government itself. It mandated mass biometric registration—under NIN, BVN, and SIM linkages—without building a secure, unified system to safeguard the data. Citizens were made to trust a system that lacks the capacity and accountability to protect them.
There are, however, glimmers of hope. The National Information Technology Development Agency (NITDA) recently convened Nigeria’s first National Cybersecurity Conference, gathering key stakeholders from government, tech, and law enforcement. It was a promising step toward a more coordinated national cybersecurity policy. But symbolic events must now translate into structural reforms.
First, Nigeria must establish a unified digital identity oversight mechanism to harmonize data security standards across NIMC, CBN, NCC, and NDPC. Real-time interoperability and data-sharing protocols must be enforced. Second, all telecoms, fintechs, and banks should undergo mandatory cybersecurity compliance audits. Institutions found to mishandle user data should face stiff penalties, including license suspensions or financial sanctions. Third, a national public education campaign must be launched to raise awareness about digital identity theft and promote cyber hygiene at the grassroots.
Ultimately, Nigeria’s digital future will not be secured by technology alone. It will be secured by building trust—trust that personal data will be respected, identities protected, and breaches punished. Until then, Nigeria’s digital economy remains a house built on shaky foundations, where the trade of identities is more seamless than access to palliatives, and fraudsters are more empowered than the citizens they exploit.
Shuaib S. Agaka is a tech journalist based in Kano State