What the CBN 2026 circular requires
Circular BSD/DIR/PUB/LAB/019/002 identifies twelve categories of mandatory minimum standards for automated AML solutions. These are not aspirational guidelines — they are minimum requirements. An institution whose system cannot demonstrate each capability will be found non-compliant during CBN examination.
- Real-time transaction monitoring with configurable rule sets
- Dynamic customer risk scoring that updates based on transaction behaviour
- Automated PEP screening against domestic and international PEP lists
- Real-time sanctions screening against UN, OFAC, EU, and Nigerian terrorism designation lists
- Beneficial ownership identification and verification
- Customer due diligence (CDD) and enhanced due diligence (EDD) workflow management
- Case management with full audit trail from alert to resolution
- Direct integration with the NFIU's goAML platform for STR, CTR, and FTR filing
- Regulatory reporting and management information system (MIS) reporting
- Staff training records and compliance programme documentation management
- Adverse media screening
- System availability and audit log integrity (the system must maintain tamper-evident records)
Compliance deadlines
| Institution type | Deadline | Status |
| All regulated institutions — implementation roadmap submission | 10 June 2026 | Passed |
| Deposit money banks (DMBs) | September 2027 | 18 months from circular date |
| Fintechs, PSPs, mobile money operators, microfinance banks | March 2028 | 24 months from circular date |
Why manual compliance no longer works
Before the 2026 circular, many Nigerian financial institutions — particularly smaller banks, microfinance institutions, and fintechs — managed AML compliance through spreadsheets, manual transaction reviews, and periodic batch reports. The regulatory landscape has moved decisively away from this model for three reasons.
- The STR filing window requires suspicious activity to be detected and reported within 96 hours. Manual review of transaction logs cannot reliably achieve this at scale
- The FTR filing window is 24 hours — impossible to meet manually for institutions processing significant international payment volumes
- The CBN 2026 circular explicitly mandates real-time monitoring and automated goAML submission, which by definition cannot be manual
What to look for in an automated AML solution
When evaluating an automated AML platform for compliance with the CBN 2026 standards, Nigerian institutions should assess the following:
- Nigerian regulatory alignment: does the platform support goAML integration natively, or does it require custom middleware?
- Real-time vs batch processing: does the platform monitor transactions in real time or in end-of-day batches?
- KYC tier support: does the platform support the CBN three-tier KYC framework including BVN and NIN verification?
- Sanctions list coverage: does it screen against all four required lists (UN, OFAC, EU, and the Nigerian terrorism designation list)?
- Audit trail completeness: does every alert, case, and filing decision produce an immutable audit record?
- Implementation timeline: can the institution achieve full compliance within the CBN deadline from the date of procurement?
Frequently asked questions
Can a Nigerian fintech use a global AML platform not built for Nigeria?
A global platform can be used if it meets all CBN requirements, but there are practical challenges. Most global platforms do not support goAML integration natively, do not screen against the Nigerian terrorism designation list, and are not configured for the CBN three-tier KYC framework. Significant customisation is typically required, which adds cost, implementation risk, and time. A platform built specifically for the Nigerian regulatory environment removes these obstacles.
What does a CBN AML examination look for?
CBN examiners assess whether the institution's AML programme meets the requirements of the MLPPA 2022 and the CBN guidelines. Following the 2026 circular, this includes verifying that automated systems are in place, reviewing audit trails for alert dispositions, checking STR and CTR filing volumes and timeliness, and testing whether dynamic risk scoring is operational. Personal liability of the compliance officer is assessed where systemic failures are identified.
Is there a CBN-approved list of AML software vendors?
The CBN does not maintain a published approved vendor list. The circular specifies the capabilities that a compliant system must have — institutions are responsible for procuring solutions that meet those specifications and demonstrating compliance through their implementation roadmap and subsequent examination. Vendor selection is the institution's responsibility.