November 26, 2025 / admin

We Analyzed Yellow Card’s User Agreement, and It Proves They Are Violating Their Own Contract

Following our explosive exposé on the “Shadow Wallet” Scandal, which revealed how Yellow Card Financial is routing user refunds through unauthorized aggregators like “Eded Technologies,” Cyber Smart Empire has been inundated with reports from victims. The question on everyone’s lips is:

“Is this legal? Did I sign up for this?”

To answer this, our investigative team spent the last 48 hours dissecting Yellow Card’s User Agreement and Yellow Pay Terms.

What we found is damning. The documents intended to protect the company actually serve as evidence of their breach. Yellow Card is not just violating the Nigeria Data Protection Regulation (NDPR); they are in direct breach of the contractual promises they made to every Nigerian user.

This report breaks down the specific clauses Yellow Card is violating, exposes the “loophole” they are trying to exploit, and explains why their defense will crumble in court.

The “Termination” Clause Deception

The primary defense Yellow Card offers for the current chaos is that they are “winding down” operations. However, a “wind-down” is a legal process governed by the User Agreement.

What The User Agreement Says: While the specific clause numbering may vary by jurisdiction, standard termination clauses in Yellow Card’s agreement state that upon termination:

“Yellow Card will return any remaining Digital Assets or Fiat funds to the User, less any applicable fees, to the User’s designated bank account or external wallet address.”

The Violation: Yellow Card did not send funds to the “User’s designated bank account.” In the case of our verified victims, the designated account was a Wema Bank or a standard commercial bank account (GTB, Zenith, etc.).

By routing funds to Paga (a mobile money wallet) via Eded Technologies, Yellow Card violated the specific performance required by their own termination clause. A “designated bank account” is a specific legal destination. A mobile number linked to a third-party fintech is not a designated bank account.

In contract law, if Party A (Yellow Card) promises to pay Party B (You) via Method X, but pays via Method Y, causing distress or data exposure, Party A is in Breach of Contract. You did not agree to receive funds via Paga. Therefore, legally, you have not been refunded in accordance with the terms.

The “Privacy & Data Sharing” Lie

This is the smoking gun for the NDPC investigation. We analyzed how Yellow Card defines its relationship with third parties.

What The User Agreement Says: Usually found under “Data Protection” or “Privacy,” the agreement typically allows sharing data with:

“Third-party service providers who assist us with… payment processing, banking partners, and identity verification.”

However, the NDPR requires that these third parties be essential to the service.

The Violation: Yellow Card is using “Eded Technologies” to process refunds.

Is Eded Technologies a bank? No.
Is Eded Technologies essential? No. Yellow Card has direct integration with NIBSS (Nigeria Inter-Bank Settlement System) and major payment gateways that could pay directly to Wema Bank.

Using an obscure, unlisted aggregator like Eded Technologies is not a “necessity”; it is a convenience for Yellow Card. By handing your phone number and transaction history to an entity not listed in their sub-processor list, they have exceeded the scope of the consent you gave when you clicked “I Agree.”

The Yellow Pay Terms Connection: In the Yellow Pay Terms, the company defines how it handles “Remittances.” It states that the sender is responsible for providing accurate recipient details.

The Twist: In this refund scenario, Yellow Card is the Sender, and you are the Receiver.
By sending money to a Paga wallet you didn’t create, Yellow Card (as the Sender) failed to provide “accurate recipient details” to their own processor.

The “Third-Party Liability” Trap

We found a clause that Yellow Card is likely relying on to wash their hands of the “Shadow Wallet” issue.

The “We Are Not Liable” Clause: Most Fintech agreements contain a clause stating:

“We are not responsible for any losses, errors, or delays caused by third-party payment processors or financial institutions.”

Yellow Card will likely tell the FCCPC: “We sent the money to Eded Technologies. If Eded sent it to Paga and Paga created a ghost wallet, that is Eded’s fault, not ours.”

Why This Defense Fails: You cannot outsource liability for a partner you selected.

You (the user) did not choose Eded Technologies.
Yellow Card chose Eded Technologies.

Under the principle of Vicarious Liability, Yellow Card is responsible for the actions of the agents they employ to settle their debts. If their agent (Eded) mishandles your data or traps your funds in a shadow wallet, Yellow Card is liable. They cannot hide behind a “Third Party” clause when they are the ones who hired the Third Party.

The “Anti-Money Laundering” (AML) Contradiction

This is the angle that will interest the EFCC.

What The User Agreement Says: Yellow Card prides itself on strict KYC (Know Your Customer) and AML compliance. Their terms state they will not facilitate anonymous transactions or payments to unverified parties.

The Violation: By forcing refunds into Paga Shadow Wallets, Yellow Card is inadvertently creating a compliance nightmare.

A “Shadow Wallet” is a semi-verified account.
By dumping millions of Naira into thousands of newly created, unsolicited wallets, Yellow Card is behaving like a “money mule” operation rather than a regulated entity.
If a user’s phone number was recycled (common in Nigeria), Yellow Card has just sent funds to a stranger without KYC checks on the recipient.

They are violating their own rigorous AML standards in a rush to exit the market.

The “Force Majeure” Excuse: Anticipating Their Defense

In their response to regulators, Yellow Card will likely cite Force Majeure (events outside their control).

The Argument: “The Nigerian banking rails (NIBSS) were down, or our Wema Bank virtual accounts were restricted. We had to use Paga/Eded to ensure customers got paid.”

The Counter-Argument:

Network downtime is temporary. A temporary network failure does not justify a permanent data breach. They could have waited 24 hours.
Alternative Rails Exist. They could have asked users to provide an alternative bank account. They did not. They unilaterally decided to dump funds into mobile money.
Consent is King. Even in an emergency, you cannot share data without consent. They could have sent an email: “Direct bank transfers are failing. Click here to approve a transfer to your phone number via Paga.” They did not do this. They chose the path of least resistance, regardless of the law.

Our analysis of the User Agreement and Yellow Pay Terms confirms what victims have suspected:

Yellow Card has no contractual right to substitute your “Designated Bank Account” with a “Paga Wallet.”
Yellow Card has no legal basis to share your data with “Eded Technologies” for refunds.
Yellow Card is liable for the incompetence of the third parties they hired to clean up their mess.

This is not just bad customer service. It is a breach of contract.

If you are reading this and you have been affected, whether you got your money via Paga or your money is still missing, you are now an unwilling participant in this breach.

Your Terms of Service have been violated. Yellow Card expects you to stay silent because the amounts are small (N5,000, N20,000). But the precedent is dangerous. If a US company can come to Nigeria, harvest our data, and then dump it with unknown aggregators on their way out, no Nigerian is safe.

Cyber Smart Empire is building a comprehensive dossier of evidence to present to the NDPC and the FCCPC Enforcement Unit. We are proving that this was not a mistake; it was a calculated strategy to exit Nigeria quickly, regardless of the cost to user privacy.

We need your evidence. If you have: