Free Guide · June 2026

NFIU STR / CTR Rejection Codes
Reference Guide

Every common NFIU filing rejection — in plain English. Root causes identified, fixes documented, and a pre-submission checklist to stop rejections before they happen. Built for Nigerian compliance teams filing via goAML.

vantrace.io
Current as of goAML upgrade — February 2026

When a report reaches the NFIU via goAML, it goes through automated validation before a human analyst ever sees it. Every submission gets one of three outcomes. Most compliance teams only discover a rejection after the 24-hour correction window has already passed. That is when a fixable filing error becomes a regulatory exposure.

This guide documents the ten rejection categories your team will encounter, what causes each one, and exactly how to fix it.

Submission Outcomes

Status | What it means | What to do
Accepted | Report passed validation and is with the NFIU | Nothing — file and track internally
Failed Validation | Report has errors and cannot be reviewed | Correct and resubmit — same reference number
Rejected | Insufficient or incorrect information | Correct and resubmit within 24 hours — same reference number

Rejection Categories

The 10 reasons your NFIU filings get rejected

01 Wrong report type selected
Error

Report type mismatch / invalid report classification

As of February 2026, the NFIU enforces strict report type separation. Submitting the wrong type is an automatic rejection. The most common mistake is filing a CTR for a cross-border transaction (should be FTR), or using STR (General) for fraud and corruption cases that now have dedicated categories.

Transaction type | Correct report
Domestic cash — individual ≥ ₦5 million | CTR
Domestic cash — corporate ≥ ₦10 million | CTR
Cross-border — any amount ≥ USD 10,000 | FTR
Suspicious activity — fraud, corruption, terrorism, kidnapping, drugs | Specific STR category
Suspicious activity — outside all named categories | STR (General)
Politically exposed person transaction | PEP Transaction Report (monthly)

Fix

Before selecting a report type, confirm whether the transaction is domestic or cross-border, and whether the suspicious activity maps to one of the five named STR categories. STR (General) is now a residual category only.

02 Missing predicate offense
Error

STR rejected — predicate offense required

Since February 2026, every STR must include at least one predicate offense from the NFIU's 21 defined categories. A blank field is an automatic rejection. If the offense is genuinely unknown, you must select UnknownPO and include a written explanation.

Fix

Map your suspicious activity types to the 21 NFIU predicate offense categories and build the selection into your case workflow. Train staff on which activity patterns correspond to which offense. Review mappings after every NFIU platform update.

03 Indicator missing or misaligned with offense
Error

Indicator required / indicator does not match selected offense

Every STR needs at least one indicator linked to the predicate offense. For the five high-risk categories (Terrorism Financing, Kidnapping for Ransom, Corruption, Fraud, Drug Trafficking), required indicators are specific and must match. Using OtherIndctr as a default without justification is flagged.

Fix

Each predicate offense has applicable indicators in the NFIU lookup table. Only select OtherIndctr if no applicable indicator exists, and always include a written justification. Re-check indicator lists after each platform update — the NFIU revised these in the 2026 upgrade.

04 Incomplete customer identification data
Error

Failed validation — party data incomplete / mandatory identifier missing

goAML requires specific identification fields for every party. Common gaps:

  • BVN not included (required for all Nigerian bank customers)
  • NIN field blank
  • Passport number missing for non-Nigerians
  • Customer name in the report doesn't match KYC records exactly

Fix

Map your core banking system's KYC fields to the corresponding goAML party data elements. Test the mapping with sample records before a live filing event. Field length limits and character restrictions in goAML can cause silent failures even when data appears correct in your CBS.

05 Incomplete address or nationality fields
Error

Failed validation — required party fields missing

goAML address fields are more granular than most Nigerian institutions capture in KYC. Required: street address, LGA, state, country, and nationality as a separate field. Legacy KYC records often have partial address data that fails goAML validation silently.

Fix

Run a data quality audit on customer records against goAML's required address fields. For customers with incomplete data, trigger an update request before a filing event — not during it.

06 Transaction data errors
Error

Failed validation — transaction fields invalid or missing

Every transaction needs: amount, date, currency (ISO code), and transaction mode. Common failures:

  • Currency field blank or using a non-ISO code (e.g. "Naira" instead of "NGN")
  • Transaction date in wrong format (goAML requires ISO 8601: YYYY-MM-DD)
  • Transaction mode field missing (cash, transfer, cheque, etc.)
  • Amount field contains formatting characters (commas, currency symbols)

Fix

Validate all transaction fields programmatically before submission. Amount: numeric only. Date: YYYY-MM-DD. Currency: ISO 4217 code (NGN, USD, GBP — not plain text).
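An added example (not part of the original guide, and not NFIU or goAML code) of the programmatic check described above. The dictionary keys, the short currency list and the optional two-decimal amount are assumptions for illustration; map them to your own export format and the full ISO 4217 list.

```python
import re
from datetime import date

# Assumption: a small sample of ISO 4217 codes; load the full list in production.
ISO_4217_SAMPLE = {"NGN", "USD", "GBP", "EUR"}
# Digits with an optional decimal part (assumption): no commas, symbols or spaces.
AMOUNT_RE = re.compile(r"[0-9]+(\.[0-9]{1,2})?")
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def validate_transaction(txn: dict) -> list[str]:
    """Return a list of problems; an empty list means the record passes."""
    errors = []

    amount = str(txn.get("amount", ""))
    if not AMOUNT_RE.fullmatch(amount):
        errors.append(f"amount {amount!r}: must be numeric only")

    raw_date = str(txn.get("date", ""))
    if not DATE_RE.fullmatch(raw_date):
        errors.append(f"date {raw_date!r}: must be YYYY-MM-DD")
    else:
        try:
            date.fromisoformat(raw_date)  # rejects dates such as 2026-02-30
        except ValueError:
            errors.append(f"date {raw_date!r}: not a real calendar date")

    currency = str(txn.get("currency", ""))
    if currency not in ISO_4217_SAMPLE:
        errors.append(f"currency {currency!r}: must be an ISO 4217 code")

    if not str(txn.get("mode", "")).strip():
        errors.append("mode: transaction mode is missing")

    return errors


# Constructed sample records (hypothetical field names).
SAMPLE_GOOD = {"amount": "5000000", "date": "2026-02-14",
               "currency": "NGN", "mode": "cash"}
SAMPLE_BAD = {"amount": "₦5,000,000", "date": "14/02/2026",
              "currency": "Naira", "mode": ""}

if __name__ == "__main__":
    for record in (SAMPLE_GOOD, SAMPLE_BAD):
        print(validate_transaction(record) or "OK")
```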

07 XML schema and formatting errors
Error

XML validation failed / schema error at line [n]

Applies to B2B/system-to-system XML filers. Common causes:

  • XML does not conform to the current goAML schema version (updated February 2026)
  • Element names are wrong — goAML XML is case-sensitive
  • Wrong data type in a field (text in numeric field; "yes" instead of "true" for boolean)
  • File exceeds the 10MB upload limit
  • Non-UTF-8 characters in customer name fields

Fix

Download the current goAML schema from the NFIU portal and validate your XML against it locally before uploading. For large volumes, build schema validation into your pre-submission pipeline. Split files that exceed 10MB. Re-test B2B integrations after every NFIU platform update.
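An added example (not from the original guide, and not NFIU or goAML code) of a pre-flight check that catches three of the causes listed above before the file reaches schema validation: size, encoding and well-formedness. The element names in the sample are constructed and are not goAML schema names, and reading "10MB" as 10 × 1024 × 1024 bytes is an assumption; validation against the downloaded schema remains a separate step.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 10 * 1024 * 1024  # Assumption: the guide's "10MB" read as 10 MiB


def preflight_xml(data: bytes) -> list[str]:
    """Return a list of problems found in a report file's raw bytes."""
    issues = []

    if len(data) > MAX_BYTES:
        issues.append(f"file is {len(data)} bytes, over the upload limit: split it")

    # Strict decode: catches names exported in Latin-1 or Windows-1252.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        issues.append(f"not valid UTF-8 at byte offset {exc.start}")
        return issues  # parsing would only repeat the same failure

    # Well-formedness only; this does not check the goAML schema.
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        line, column = exc.position
        issues.append(f"not well-formed at line {line}, column {column}")

    return issues


# Constructed samples; element names are placeholders, not goAML names.
SAMPLE_TEXT = "<sample_report><party_name>Adébáyò</party_name></sample_report>"
SAMPLE_UTF8 = SAMPLE_TEXT.encode("utf-8")
SAMPLE_LATIN1 = SAMPLE_TEXT.encode("latin-1")
SAMPLE_BROKEN = b"<sample_report><party_name>Ade</sample_report>"

if __name__ == "__main__":
    for blob in (SAMPLE_UTF8, SAMPLE_LATIN1, SAMPLE_BROKEN):
        print(preflight_xml(blob) or "OK")
```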

08 Undefined or deprecated lookup codes
Error

Invalid code / lookup code not recognised

goAML uses lookup tables for occupation codes, country codes, transaction mode, identification type, and more. When the NFIU updates these tables — without always notifying reporting entities — previously valid codes become invalid and cause rejection.

Fix

Download the current NFIU lookup tables from the goAML portal and reconcile against your system's code mappings after every NFIU platform update announcement. If using B2B integration, automate a lookup table version check as part of your pre-submission validation.

09 Missing supporting documents
Error

Report incomplete — required attachments missing

STRs submitted without supporting documentation are rejected. Required attachments:

  • Customer account mandate documents
  • Account statement(s) covering the period of suspicious activity

These must be attached before submission — they cannot be sent separately or after the fact.

Fix

Make document attachment a mandatory step in your STR workflow. The report should not be submittable until both attachments are confirmed. Ensure documents are in PDF format and within the 10MB file size limit.

10 Filing outside the required SLA window
Error

Report rejected — submission outside required timeframe

The MLPPA sets strict filing windows. The clock starts from when the institution detects the activity — not when the case is closed or the report is approved internally.

Report type | Filing window | Clock starts from
STR | 96 hours | Detection of suspicious activity
CTR | 7 days | Transaction date
FTR | 7 days | Transaction date

Internal review and maker-checker approval must fit inside the 96-hour STR window — they do not pause the clock.

Fix

Track SLA from the moment an alert is raised. Display a countdown timer at case level and alert the case owner and supervisor when SLA is at risk. Any compliance system should surface breach risk before it occurs, not after.
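An added example (not part of the original guide) of the SLA tracking described above, using the filing windows from the table in this section. The function name, the state labels and the 75% warning threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Filing windows as listed in the table above.
WINDOWS = {
    "STR": timedelta(hours=96),  # clock starts at detection
    "CTR": timedelta(days=7),    # clock starts at transaction date
    "FTR": timedelta(days=7),    # clock starts at transaction date
}


def sla_status(report_type, clock_start, now, warn_fraction=0.75):
    """Return the deadline, time remaining and state for one case.

    clock_start is the detection time for an STR and the transaction date
    for a CTR or FTR. Internal approval steps never move it.
    warn_fraction is a hypothetical threshold for raising an at-risk alert.
    """
    if clock_start.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")

    window = WINDOWS[report_type]
    deadline = clock_start + window
    remaining = deadline - now

    if remaining < timedelta(0):
        state = "BREACHED"
    elif now - clock_start >= window * warn_fraction:
        state = "AT_RISK"
    else:
        state = "ON_TRACK"
    return {"deadline": deadline, "remaining": remaining, "state": state}


# Constructed sample: alert raised 2 March 2026, 09:00 West Africa Time.
WAT = timezone(timedelta(hours=1))
SAMPLE_DETECTED = datetime(2026, 3, 2, 9, 0, tzinfo=WAT)

if __name__ == "__main__":
    # Maker-checker approval finishing 80 hours in is already at risk.
    for hours in (10, 80, 97):
        now = SAMPLE_DETECTED + timedelta(hours=hours)
        print(hours, sla_status("STR", SAMPLE_DETECTED, now)["state"])
```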


February 2026 Platform Upgrade

What changed — and what's now causing rejections

If your team hasn't updated internal processes since the NFIU's goAML upgrade, these are the specific changes generating new rejections.

CHANGE 01

Hard rejection for wrong report type. Previously a warning. CTR for cross-border and FTR for domestic transactions now auto-reject.

CHANGE 02

Predicate offense is now mandatory. No STR is accepted without one. UnknownPO requires a written explanation.

CHANGE 03

Six specific STR categories. Terrorism Financing, Kidnapping for Ransom, Corruption, Fraud, Drug Trafficking, and STR (General) — which is now residual only.

CHANGE 04

New PEP Transaction Report. A monthly report covering all PEP transactions. Not filing it is a separate compliance gap.

CHANGE 05

21 consolidated predicate offense categories. The list was reorganised. Old internal mappings may now be incorrect.

CHANGE 06

goAML XML schema updated. Any B2B integration not updated to the new schema will fail on every submission until corrected.

Pre-Submission Checklist

12 things to verify before you file

Use before submitting any STR, CTR, or FTR. All 12 must be confirmed.

Report type
  • Confirmed domestic (CTR) or cross-border (FTR) — not mixed
  • For STRs: correct category selected — not defaulting to STR (General) for named offenses

STR-specific
  • Predicate offense selected from 21 categories (UnknownPO only if genuinely unknown, with explanation)
  • At least one indicator selected and aligned with predicate offense

Documents & timing
  • Account mandate documents attached
  • Account statements covering the suspicious period attached
  • Filing within 96-hour SLA window (STR) or 7-day window (CTR/FTR)

Party data
  • BVN / NIN or passport number present for all parties
  • Customer name matches KYC records exactly
  • Full address: street, LGA, state, country
  • Nationality field populated

Transaction data
  • Amount is numeric — no commas, symbols, or spaces
  • Date is YYYY-MM-DD format; currency is ISO 4217 code (NGN, USD)