There is a common misunderstanding about how NCC enforcement works. It sounds like this: fraud happens, the NCC investigates, and the fine follows the fraud.
That is not how it works.
The fine follows the regulator asking whether the operator had the right controls in place — and finding that they did not. The fraud is the trigger for the audit. The controls gap is what the fine is actually for.
This distinction matters enormously for how operators should think about registration compliance. Because it means the financial exposure is not conditional on fraud occurring. It is conditional on the operator’s system being unable to demonstrate that it enforced the right controls. An operator can have no known fraud incidents and still face a significant NCC enforcement action — if the system cannot prove compliance.
Two recent enforcement actions illustrate exactly how this plays out.
2015: ₦1.04 trillion. One process. One deadline missed.
In October 2015, the NCC imposed a fine of ₦1.04 trillion on MTN Nigeria. It was, and remains, the largest telecoms fine in African history.
The violation was not a cyberattack. It was not a data breach. It was SIM registration non-compliance: 5.2 million subscriber SIM cards that had not been properly registered by the NCC’s deadline.
The consequence was immediate and cascading. The MTN Group CEO resigned within weeks. MTN’s share price fell more than 20% in a single day — wiping billions from the company’s market capitalisation. The fine was eventually negotiated down and paid in tranches, but the boardroom disruption, the regulatory relationship damage, and the reputational impact endured for years.
The fine was ultimately negotiated to ₦330 billion. Seamfix was brought in to help MTN Nigeria rebuild their registration infrastructure. The platform built from that engagement is BioSmartX.
“In 2015, one fine. ₦1.04 trillion. One registration process. Is yours any different?”
What the MTN case established was a precedent every Nigerian operator should have taken seriously: the NCC will impose fines at a scale that is existentially threatening to an operator’s financial stability and leadership continuity. And it will do so for registration process failures, not just fraud outcomes.
2025: ₦104 million. 407 registrations. One state.
In May 2025, the NCC fined Airtel Nigeria ₦104 million for SIM registration violations in Kano State.
The violations were specific and granular:
- 8,275 SIM registrations conducted outside verified Airtel shops using 198 unapproved devices
- 63 MSISDNs activated prematurely before proper registration was completed
- 407 fraudulent SIM registrations with multiple NINs, passed through because eyeballing was not conducted correctly
The NCC did not ask whether Airtel had a policy requiring agents to use authorised devices. It asked whether the system enforced it. It did not ask whether Airtel’s compliance guidelines required eyeballing for borderline facial match scores. It asked whether the system mandated it. It did not.
407 registrations. In one state. Counted individually.
The fine was ₦104 million. At scale, across a national network, the arithmetic is straightforward.
What the NCC is actually measuring
Both enforcement actions share the same underlying logic. The NCC is not primarily investigating whether fraud occurred on the operator’s network. It is investigating whether the operator’s registration system enforces the controls the NCC’s Business Rules require.
The NCC’s July 2025 Business Rules (2nd Amendment) are specific. They mandate:
- Real-time NIN verification against NIMC on every registration — not batch, not deferred
- Biometric capture with live facial portrait and liveness detection
- Facial match score routing: above 80% auto-approve, 70–79% mandatory eyeballing, below 70% hard rejection with no override
- Device governance: only registered, geo-fenced devices may conduct registrations
- Daily device cap of 100 registrations, with automatic eyeballing trigger at 50
- Registration hours enforcement: no registrations outside 06:00–23:59
- Geo-fence: registrations must occur within 25 metres of the agent’s registered outlet
- Append-only audit logs retained for a minimum of two years
The NCC expects to verify each of these controls against a specific MSISDN, on demand, instantly. If the system cannot demonstrate compliance for any individual registration — by producing a complete, tamper-proof audit record — the operator is exposed.
Policy documents are not evidence. Training records are not evidence. An agent’s assurance that they followed the process is not evidence.
The audit log is evidence. And the audit log has to come from a system that was built to produce it.
The controls gap is the fine
This reframes the compliance conversation in an important way. Operators who think of NCC compliance as “having the right procedures” are measuring the wrong thing. The NCC is not auditing procedures. It is auditing whether the system enforces them — and whether the evidence of enforcement is permanently on record.
An operator with clear internal policies and well-trained agents, running on a legacy registration system that does not enforce the NCC’s specific controls as system gates, is exposed. Not potentially exposed. Exposed. Because if the NCC audits a specific MSISDN and finds that the eyeballing step was not completed correctly, or that the registration was conducted on an unregistered device, or that the geo-fence was not enforced at login — the fine follows.
The fraud does not have to happen. The controls gap is enough.
The question every compliance team should be asking
If the NCC contacted you today and asked for the complete compliance record for the last 1,000 registrations your network processed — how long would it take to produce it? And when you produced it, would it show that every one of those registrations went through the full compliance sequence your system is required to enforce?
If the honest answer is anything other than “minutes, and yes” — the controls gap is open.
Not as a risk that might materialise. As a liability that exists right now, in the delta between what the NCC requires and what your current system can demonstrate.
| BioSmartX was built after the MTN Nigeria fine.
Seamfix was brought in to help rebuild MTN Nigeria’s registration infrastructure after the 2015 enforcement action. The platform that came from that work enforces every NCC Business Rule as a system gate — not a policy, not a guideline, not a training requirement. A gate the system controls and the audit trail proves. What would your system show if the NCC looked at your last 407 registrations? BioSmartX will give you the confidence to open that audit, hand it to the regulator, and already know what they’ll find. |


