As the curtain falls on Yellow Card Financial’s retail operations in Nigeria, what was touted as a standard “market sunset” has devolved into a chaotic and potentially illegal data privacy crisis. While the US-backed fintech giant publicly assures users of a smooth transition, a dark underbelly of failed transactions, unauthorized data sharing with obscure third-party aggregators like “Eded Technologies,” and the forced creation of unsolicited financial accounts has emerged.
This report uncovers how Yellow Card is allegedly bypassing the Nigeria Data Protection Regulation (NDPR), leaving thousands of users exposed, and why victims venting on Trustpilot and Nairaland must now organize to seek justice.
On the surface, Yellow Card’s exit seems procedural. The company announced it would be winding down its retail app to focus on enterprise solutions, giving users a deadline of December 31, 2025, to withdraw their funds.
In their official “App Closure” documentation (published at help.yellowcard.io), the company explicitly instructs users to “withdraw funds to your bank account.” The implication is clear: a direct settlement from the Yellow Card wallet to the user’s registered Commercial Bank Account (e.g., GTBank, Zenith, Wema).
However, for a significant number of users, this promise is a mirage. Investigations reveal a systemic failure in Yellow Card’s direct-to-bank payment rails. Instead of fixing these failed transactions, Yellow Card appears to have engaged a third-party liquidation strategy that bypasses user consent entirely.
Users who initiated withdrawals to their verified bank accounts, specifically those using Wema Bank virtual accounts, found that the transactions were flagged as “Failed” or “Pending” indefinitely. Then, without warning, the funds were routed to mobile money wallets (specifically Paga) linked to their phone numbers.
Many of these users never had Paga accounts.
The smoking gun in this scandal is a company that appears on transaction receipts but nowhere in the user’s contract: “Eded Technologies Limited.”
When users receive these unsolicited refunds via Paga, the sender is not identified as “Yellow Card Financial.” The sender is identified as Eded Technologies. This raises a critical legal question: How did Eded Technologies get the user’s personal phone number and financial data?
Under the Nigeria Data Protection Regulation (NDPR) (2019) and the Nigeria Data Protection Act (2023), the transfer of personally identifiable information (PII) from a Data Controller (Yellow Card) to a Third Party (Eded Technologies) requires explicit, informed consent.
The Violation Breakdown:
- Unauthorized Transfer: Users signed up with Yellow Card. They did not sign up with Eded Technologies. By handing over user lists to this aggregator to settle debts, Yellow Card has arguably committed a “Data Breach by Unauthorized Disclosure.”
- Lack of Transparency: There was no email, no in-app notification, and no updated Terms of Service informing users that their repayment would be handled by an obscure third-party entity.
- Exposure Risk: Who owns Eded Technologies? What are their data retention policies? Do they delete the user’s phone number after the transaction, or is it stored in a database that could be sold to loan sharks or marketing spammers later?
Perhaps the most disturbing aspect of this saga is the creation of “Shadow Wallets.”
When Yellow Card (via Eded) sends money to a phone number that is not registered on Paga, Paga’s system automatically creates a “ghost” wallet to hold the funds. The user receives an SMS saying, “You have received N20,000.”
Why is this dangerous?
- Forced KYC Exposure: To retrieve their own money, users are forced to enter a legal relationship with a financial institution (Paga) that they did not choose.
- Biometric & Data Harvesting: Paga may require facial verification or BVN linkage to unlock the funds. Yellow Card has effectively held the user’s funds hostage, releasing them only if the user agrees to give their data to another company.
- The “Zombie” Account Risk: If a user misses the SMS or the phone number is old/lost, that money sits in a shadow wallet indefinitely. Who claims it after 5 years?
Yellow Card attempts to shield itself with its Help Center article: “Yellow Card App Closure – What you need to know.” Let us fact-check their claims against the evidence provided by victims.
Claim 1: “We are ensuring all customer funds are safe and withdrawable.”
- Rebuttal: Funds trapped in a Paga wallet linked to a lost SIM card are not withdrawable. Funds sent to a third party without the user’s knowledge are not safe; they are exposed.
Claim 2: “Withdrawals will be processed to your registered bank account.”
- Rebuttal: False. Evidence shows withdrawals to registered accounts (like Wema Bank) failing, only to be re-routed to mobile money numbers. This is a “Bait and Switch” tactic.
Claim 3: “Our support team is available to assist.”
- Rebuttal: Victims report generic, automated responses. When confronted with the “Eded Technologies” screenshot, support agents often go silent or claim it is a “payment partner,” failing to acknowledge the lack of consent.
For victims who feel helpless, it is vital to understand that Nigerian law is on your side.
In May 2024, the Federal High Court in Lagos delivered a landmark judgment in Folashade Molehin v. United Bank for Africa (UBA) (Suit No: FHC/L/CS/2625/2023). The court ruled that opening an account for a customer without their explicit consent constitutes a violation of their fundamental right to privacy. UBA was ordered to pay NGN 8 Million in damages.
Yellow Card’s actions mirror this case perfectly. By facilitating the opening of Paga wallets for users who did not request them, they are replicating the exact violation that the Federal High Court has already penalized.
Questions must also be directed at Wema Bank. Yellow Card utilized Wema’s “Virtual Account” infrastructure to collect deposits from Nigerian users.
As a licensed Commercial Bank, Wema has a Duty of Care to ensure its Fintech partners do not use its rails to defraud or disadvantage customers.
- Why did Wema Bank allow Yellow Card to stop reversing funds to source accounts?
- Is Wema Bank aware that its partner is offloading liability to a third-party aggregator?
- Victims are encouraged to report Wema Bank to the Central Bank of Nigeria (CBN) Consumer Protection Department for failing to monitor their Virtual Asset Service Provider (VASP) partner.
A cursory glance at Nairaland, Trustpilot, and Twitter (X) reveals a pattern of despair. Users are posting under threads titled “Yellow Card Scammed Me” or “Where is my Refund?”
Yellow card is a scam
— Compass Prince (@PrinceCompass) October 11, 2025
After depositing money it’s not showing in my account and I have complained serval times but no response pic.twitter.com/RHyOzfMCQv
Many of these users are shouting into the void, leaving 1-star reviews that are ignored by Yellow Card’s bot-armies. This ends now.
Yellow Card is betting on the fact that the refund amounts (N5,000, N20,000, N50,000) are “too small” for Nigerians to fight over. They are banking on user fatigue. They expect you to take the money (if you can access it) and forget the data violation.
But your data is worth more than N20,000. If they can share your banking details with “Eded Technologies” today, who will they sell your KYC data to tomorrow when they fully leave Nigeria?
Introducing Cyber Smart Empire. We are consolidating the complaints of all affected users to present a unified class-action petition to the NITDA, NDPC, FCCPC, and the EFCC.
If you have:
- Received a refund via Paga/Eded Technologies that you did not authorize.
- Lost money because it was sent to an old phone number.
- Left a negative review on Trustpilot or Nairaland but received no help.
- Felt your data privacy was violated.
We want to hear from you.
Do not fight this alone. Individual complaints are easily ignored. A collective petition backed by evidence of data breaches is impossible to ignore.
CONTACT US IMMEDIATELY: Email: press@cybersmartempire.com
Subject Line: Yellow Card Data Breach – [Then Include Your Name]
We will assist you in:
- Filing the correct “Data Purge” demand with the NDPC.
- Structuring your complaint for the FCCPC.
- Ensuring your case is included in the collective report to the media and international regulators.
Yellow Card may be leaving Nigeria, but they will not leave with our dignity or our data intact without answering for it.
