Privacy Policy

Our Privacy Statement

1. National Bank of Malawi plc recognizes the importance of the personal data entrusted to us. We are committed to protecting the privacy and security of your personal information in accordance with applicable data protection laws and regulations.

A. Who we are

2. National Bank of Malawi plc (“We”, “Us”, “Our”) provides banking and payment services through our website, mobile apps, and online banking platforms (collectively “Our Services”).
Registered Office: NBM Towers, 7 Henderson Street, P.O Box 945, Blantyre, Malawi

B. Scope of this Statement

3. The purpose of this statement is to inform you how we collect, use, store, share, update, safeguard, delete or otherwise deal with (Process) your personal data when you visit our website, use our apps, apply for products, or interact with us online. Our statement also explains your rights relating to the privacy and security of your personal information. Our statement does not cover third-party websites or services that we do not control.

C. Personal Information we collect

4. Personal information is any information from which you can be identified. The personal information we may collect about you includes:

  • Name, Age, gender, sex, and identifying numbers
  • Contact details (including physical and email address, telephone number)
  • Employment and income details and other financial information
  • Online identifiers and your online behavior such as cookies and IP addresses
  • Financial information
  • Applications & service requests: product preferences, support tickets, feedback.
  • Marketing preference and consents
  • Other personal information including your biometric details, race or ethnic origin, criminal history and behavior, medical history and health, and your personal beliefs such as religious or political beliefs

D. How we collect information from you

5. We collect information directly from you, automatically when you use our Services, and from third parties that you or we deal with where lawful and reasonable. These third parties include:

  • Credit bureaus, fraud-prevention agencies, sanctions/PEP screening providers.
  • Payment networks, correspondent banks, and merchant acquirers.
  • Identity verification and KYC vendors, address verification services.
  • Government departments, regulatory authorities, courts of law and law enforcement agencies, and tax authorities
  • Referral partners and affiliates (with appropriate disclosures/consents).
  • Employers, advisers, agents, associates, assignees, successors in title, trustees, executors, and appointed third parties (including lawyers, auditors and other contractors)

6. Information we collect automatically includes:

  • Device & technical data: IP address, device IDs, browser type, OS, app version, language, time zone.
  • Usage data: pages visited, links clicked, session duration, features used.
  • Location data: coarse (IP-based) and, if you grant permissions, precise geolocation.
  • Cookies, pixels, SDKs, and similar technologies (see Cookies & Tracking below).

7. We may process your sensitive personal data where strictly necessary and lawful (e.g., biometric verification for onboarding, identity checks, or accessibility needs). We apply enhanced safeguards and access controls to this sensitive data.

8. If you are a third-party service provider, we will collect personal information about you as a data subject to ensure that the business relationship and all matters relating to the agreement between you and us can be fulfilled. You, therefore, warrant that if you provide us with any personal information about other data subjects such as employees, shareholders or your directors, you are authorized to share their personal information with us for purposes set out in this statement.

9. Whenever you provide us with information about third parties, you must inform them that you need to disclose their personal information to us. We will process the information in accordance with this statement.

10. Providing your personal information to us is usually voluntary. However, it may be mandatory under certain circumstances such as when you apply for products and/or services or comply with anti-money laundering legislation. If you fail to provide us with your personal information when requested, we may not be able to provide the products or services to you or comply with our legal and regulatory obligations.

E. Why do we process your information

We will process your personal data for any of the following reasons:

11. Contract requirements: We will process your personal information if it is required to conclude or perform under a contract or agreement with you for a product or service that you have applied for either with us or our business partners with whom we have entered into a partnership or other arrangement for purposes of:

  1. Providing products and services to you that involve opening and maintaining your account, processing transactions, administering claims where applicable, collecting payments due to us by you, managing our risks and maintaining our overall relationship with you and other operational purposes.
  2. Communicating with you regarding the products or services you have with us including assessing your suitability for products and services
  3. Conducting credit assessments including conducting credit checks, and setting credit limits

12. Lawful Obligations: We may need to process your personal information for the following purposes:

  1. To detect, prevent, investigate and/or aid in the prosecution of crime in any jurisdiction (including, without limitation, theft, money laundering, terrorism financing, fraud, corruption and other financial crimes or other potentially illegal activity or activity that could lead to loss);
  2. To complete checks required for compliance purposes including Identity verification and due diligence checks;
  3. Enforcing financial or other legal obligations, including without limitation the collection of amounts outstanding from you and your provision of security for facilities obtained from the Bank;
  4. To comply with local or foreign law, regulations, directives, judgments or court orders, government sanctions or embargoes, reporting requirements under financial services legislation, and demands of any authority, regulator, tribunal, enforcement agency, or exchange body.

13. Legitimate Interest: We will also process your Personal information in the regular management of our business and to protect the interests of the Bank, its subsidiaries, clients, depositors, shareholders, employees and other third parties, as well as where it is in our legitimate interests to seek professional advice, including, in connection with any legal proceedings (including any prospective legal proceedings), for obtaining legal advice or for establishing, exercising or defending our legal interests.

14. Consent: In addition to the reasons given above, we may process your personal information where we have your specific consent for a defined purpose. We will also seek your consent to process your personal information where applicable laws and regulations require it.

F. How and with whom we share your information

15. We will share your information with any of the following third parties:

  1. Professional advisors, third party service providers, agents or independent contractors providing services to support the Bank’s business;
  2. Our business alliance partners who may provide their product or service to you;
  3. A merchant or a member of a card association where the disclosure is in connection with use of a card;
  4. Upon your death or mental incapacity, your legal representative and their legal advisors, and a member of your immediate family for the purpose of allowing him/her to make payment on your account;
  5. Any security provider or any person legally authorised to operate your account and to act on your behalf in giving instructions, to perform any other acts under our banking agreement or use any of the Bank’s products on your behalf;
  6. Any person to whom disclosure is allowed or required by local or foreign law, regulation or any other applicable instrument;
  7. Any court, tribunal, regulator, enforcement agency, exchange body, tax authority, or any other authority (including any authority investigating an offence) or their agents;
  8. Any debt collection agency, credit bureau or credit reference agency, rating agency correspondents, insurer or insurance broker, direct or indirect provider of credit protection and fraud prevention agencies;
  9. Any financial institution to conduct credit checks, anti-money laundering related checks, for fraud prevention and detection of crime purposes;
  10. Anyone we consider necessary to facilitate requests for services or applications for products with any member of the Bank;

16. We may transfer your personal information to other jurisdictions for any of the purposes outlined in this statement. When we do, we will ensure that appropriate safeguards are in place to protect your personal information.

17. We take extra care in sharing your personal information with third parties, and we will enter into suitable contracts with the parties with whom we share your information to ensure that your rights under the relevant data protection laws are upheld.

G. Data retention

18. We will keep your personal data only as long as necessary and in line with our legal and regulatory obligations (e.g., AML/KYC record retention) and for business or operational purposes. After retention periods end, we securely delete or anonymize data.

H. Security

19. The security of your Personal Data is important to us and we take reasonable steps to keep your personal information safe and to safeguard against loss, accidental or unlawful destruction, alteration or unauthorized access to and disclosure of your personal data. Regardless of where your Personal Data is transferred or kept, we take all steps reasonably necessary to ensure that personal data is kept securely, and access will be restricted to authorized personnel only.

20. In the event of a data breach, we will notify you and the relevant authority where necessary and as required by law.

21. You should be aware that the Internet is not a secure form of communication and sending us any Personal information over the Internet carries with it risks including the risk of access and interference by unauthorized third parties. You should, therefore, only share your personal information through our authorized channels.

I. Automated Decisions and Profiling

22. We may use automated decision-making processes, including profiling (such as behavioral analysis), to help us provide you with better services, to make decisions, and to prevent money laundering, terrorism, fraud and other financial crime. For example, profiling may help us detect whether use of your credit card may be fraudulent. If any profiling will result in an automated decision relating to you, we will let you know and you will have the right to discuss the decision with us.

J. How do we use your information for Marketing

23. Whether you are an existing customer or a prospective customer with whom we have had previous interactions, we may use your Personal Data to share information about our products, services and special offers with you (subject to applicable laws).

24. We may use your personal data to conduct market research and surveys with the aim of improving our products and services; for marketing purposes, promotional events, competitions and lucky draws.

25. We process your Personal Data for these purposes because it is in the interest of our business to do so, as it helps us to improve our products and services and generate business. If you no longer wish to be contacted for marketing purposes, you may opt out of receiving our marketing communication by following the instructions contained in any marketing communication you receive. You can also opt out by contacting us through any of the channels available on our website at www.natbank.co.mw. If you ask us not to send you marketing material or other promotional or research material, we will retain a record of that request to ensure that you do not receive any more marketing and promotional material.

K. Your Rights

26. Subject to applicable law and regulations, you have the right to:

  1. Access the personal information processed in relation to you. The Bank may charge a fee for this.
  2. Rectify inaccurate or incomplete data
  3. Erase your personal data subject to applicable law and legal data retention requirements
  4. Restrict or object to certain processing under certain conditions and subject to applicable law
  5. Portability: the right to receive your data in a structured, commonly used format.
  6. To be informed about the collection and processing of your personal data
  7. Not to be subjected to Automated decision-making processes. You have a right to appeal automated decision outcomes and request human review where applicable.
  8. To withdraw your consent to our processing your personal data

27. These rights may be restricted where your personal information is being processed for the detection, prevention, investigation or prosecution of a criminal offence or execution of a criminal penalty, judicial proceedings, enforcement of a civil law claim or the protection of your rights or the rights and freedoms of another person.

L. Third Party Links and Integration

28. Our Services may include links to third-party websites or integrations you choose to connect. This Statement does not apply to third-party websites where our online advertisements are displayed or to linked third-party websites which we do not operate or control. Review their policies before using those services.

M. Changes to this Statement

29. We may update this Statement from time to time. We will post the updated version with a new “Last updated” date and, if changes are material, provide additional notice (e.g., email, banner, or in-app message). Your continued use of our Services after changes take effect signifies acceptance.

N. How to Contact Us

30. If you wish to exercise any of your rights under the Data Protection Act, 2024, or if you have any questions or concerns, or would like to submit a complaint regarding the collection, use and protection of your personal data or this Statement, please contact us:

  • through the Bank’s toll free line 626
  • Visit any of our Service Centres
  • Email

31. If you feel that the Bank has not addressed your concerns to your satisfaction, you have the right to lodge a formal complaint with the Data Protection Authority on
Email:
Phone: +265 991802180

32. Effective Date
This Data Protection Policy is effective from 1st October 2025.

 
