CBN Regulation

CBN AML/CFT requirements for Nigerian financial institutions

The Central Bank of Nigeria enforces AML/CFT compliance through BOFIA 2020, the MLPPA 2022, and circulars including the 2026 Baseline Standards for Automated AML Solutions. All CBN-licensed institutions must maintain active, technology-driven compliance programmes.

Regulatory basis

The CBN derives its AML/CFT enforcement authority from three sources. Section 66 of the Banks and Other Financial Institutions Act 2020 (BOFIA) requires all licensed institutions to comply with AML/CFT obligations. The Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA) sets out the substantive requirements. CBN circulars and guidelines implement the detailed standards.

Nigeria is a member of the Inter-Governmental Action Group against Money Laundering in West Africa (GIABA), the FATF-style regional body for West Africa, and is assessed against FATF's 40 Recommendations. CBN requirements are aligned with FATF standards.

The 10 core CBN AML/CFT requirements

CBN Circular BSD/DIR/PUB/LAB/019/002, issued 10 March 2026, identifies 12 categories of mandatory minimum standards for automated AML solutions. These build on the core requirements that have been in place since the CBN's earlier AML/CFT guidelines:

  • Customer identification and verification (KYC)
  • Customer risk assessment and profiling
  • Beneficial ownership identification and verification
  • Identification and enhanced due diligence of politically exposed persons (PEPs)
  • Real-time screening against sanctions lists (UN, OFAC, EU, Nigerian terrorism list)
  • Transaction monitoring with dynamic risk scoring
  • Suspicious transaction reporting to the NFIU via goAML
  • Currency transaction reporting for cash above NGN 5M/NGN 10M
  • Staff AML training programmes
  • Board-approved AML compliance programme

2026 automated AML baseline standards

The CBN's 2026 circular represents a structural shift from manual to automated compliance. Institutions are required to deploy systems that can perform real-time transaction monitoring, dynamic risk scoring, automated PEP and sanctions screening, case management, audit trail maintenance, and direct integration with goAML for regulatory reporting.

Institution typeFull compliance deadline
Deposit money banks (DMBs)September 2027 (18 months from March 2026)
Fintechs, PSPs, mobile money operatorsMarch 2028 (24 months from March 2026)
Implementation roadmap submission10 June 2026 (all institutions)

Penalties for non-compliance

The CBN has substantially increased enforcement activity since 2024. Zenith Bank was fined NGN 15.42 billion in 2025. Access Bank was fined NGN 35 million in 2026. The 2026 circular explicitly states that penalties apply to both the institution and accountable individuals, meaning compliance officers and senior management carry personal regulatory exposure.

Frequently asked questions

What is CBN Circular BSD/DIR/PUB/LAB/019/002?
It is the CBN's March 2026 circular establishing baseline standards for automated AML/CFT/CPF solutions. It mandates all CBN-regulated institutions to deploy automated systems for transaction monitoring, risk scoring, sanctions screening, and goAML reporting. Institutions were required to submit implementation roadmaps by 10 June 2026, with full compliance deadlines of 18-24 months depending on institution type.
Does the CBN requirement apply to fintechs?
Yes. The 2026 circular applies to all CBN-licensed institutions, including fintechs, payment service providers, mobile money operators, and microfinance banks. Fintechs and PSPs have a 24-month compliance window (full compliance by March 2028) compared to 18 months for deposit money banks.
Who enforces AML compliance in Nigeria — CBN or NFIU?
Both. The CBN supervises and examines financial institutions for AML/CFT compliance. The NFIU receives and analyses STR, CTR, and FTR filings submitted via goAML, and may refer cases to the EFCC or other law enforcement bodies. The EFCC enforces the MLPPA 2022 through prosecution.
What is a risk-based approach to AML in Nigeria?
A risk-based approach means allocating compliance resources proportionate to the money laundering risk each customer, product, or geography presents. The CBN requires institutions to conduct institution-wide risk assessments, customer risk profiling, and enhanced due diligence for high-risk customers such as PEPs, non-residents, and customers in high-risk sectors.

Free resource for Nigerian compliance teams

The NFIU STR/CTR Rejection Codes Reference Guide — every common goAML rejection explained with root causes and fixes.

Download the free guide