Every common NFIU filing rejection — in plain English. Root causes identified, fixes documented, and a pre-submission checklist to stop rejections before they happen. Built for Nigerian compliance teams filing via goAML.
When a report reaches the NFIU via goAML, it goes through automated validation before a human analyst ever sees it. Every submission gets one of three outcomes. Most compliance teams only discover a rejection after the 24-hour correction window has already passed. That is when a fixable filing error becomes a regulatory exposure.
This guide documents the ten rejection categories your team will encounter, what causes each one, and exactly how to fix it.
Submission Outcomes
| Status | What it means | What to do |
|---|---|---|
| Accepted | Report passed validation and is with the NFIU | Nothing — file and track internally |
| Failed Validation | Report has errors and cannot be reviewed | Correct and resubmit — same reference number |
| Rejected | Insufficient or incorrect information | Correct and resubmit within 24 hours — same reference number |
Rejection Categories
The 10 reasons your NFIU filings get rejected
Report type mismatch / invalid report classification
Root cause
As of February 2026, the NFIU enforces strict report type separation. Submitting the wrong type is an automatic rejection. The most common mistake is filing a CTR for a cross-border transaction (should be FTR), or using STR (General) for fraud and corruption cases that now have dedicated categories.
| Transaction type | Correct report |
|---|---|
| Domestic cash — individual ≥ ₦5 million | CTR |
| Domestic cash — corporate ≥ ₦10 million | CTR |
| Cross-border — any amount ≥ USD 10,000 | FTR |
| Suspicious activity — fraud, corruption, terrorism, kidnapping, drugs | Specific STR category |
| Suspicious activity — outside all named categories | STR (General) |
| Politically exposed person transaction | PEP Transaction Report (monthly) |
Before selecting a report type, confirm whether the transaction is domestic or cross-border, and whether the suspicious activity maps to one of the five named STR categories. STR (General) is now a residual category only.
STR rejected — predicate offense required
Root cause
Since February 2026, every STR must include at least one predicate offense from the NFIU's 21 defined categories. A blank field is an automatic rejection. If the offense is genuinely unknown, you must select UnknownPO and include a written explanation.
Map your suspicious activity types to the 21 NFIU predicate offense categories and build the selection into your case workflow. Train staff on which activity patterns correspond to which offense. Review mappings after every NFIU platform update.
Indicator required / indicator does not match selected offense
Root cause
Every STR needs at least one indicator linked to the predicate offense. For the five high-risk categories (Terrorism Financing, Kidnapping for Ransom, Corruption, Fraud, Drug Trafficking), required indicators are specific and must match. Using OtherIndctr as a default without justification is flagged.
Each predicate offense has applicable indicators in the NFIU lookup table. Only select OtherIndctr if no applicable indicator exists, and always include a written justification. Re-check indicator lists after each platform update — the NFIU revised these in the 2026 upgrade.
Failed validation — party data incomplete / mandatory identifier missing
Root cause
goAML requires specific identification fields for every party. Common gaps:
Map your core banking system's KYC fields to the corresponding goAML party data elements. Test the mapping with sample records before a live filing event. Field length limits and character restrictions in goAML can cause silent failures even when data appears correct in your CBS.
Failed validation — required party fields missing
Root cause
goAML address fields are more granular than most Nigerian institutions capture in KYC. Required: street address, LGA, state, country, and nationality as a separate field. Legacy KYC records often have partial address data that fails goAML validation silently.
Run a data quality audit on customer records against goAML's required address fields. For customers with incomplete data, trigger an update request before a filing event — not during it.
Failed validation — transaction fields invalid or missing
Root cause
Every transaction needs: amount, date, currency (ISO code), and transaction mode. Common failures:
Validate all transaction fields programmatically before submission. Amount: numeric only. Date: YYYY-MM-DD. Currency: ISO 4217 code (NGN, USD, GBP — not plain text).
XML validation failed / schema error at line [n]
Root cause
Applies to B2B/system-to-system XML filers. Common causes:
Download the current goAML schema from the NFIU portal and validate your XML against it locally before uploading. For large volumes, build schema validation into your pre-submission pipeline. Split files that exceed 10MB. Re-test B2B integrations after every NFIU platform update.
Invalid code / lookup code not recognised
Root cause
goAML uses lookup tables for occupation codes, country codes, transaction mode, identification type, and more. When the NFIU updates these tables — without always notifying reporting entities — previously valid codes become invalid and cause rejection.
Download the current NFIU lookup tables from the goAML portal and reconcile against your system's code mappings after every NFIU platform update announcement. If using B2B integration, automate a lookup table version check as part of your pre-submission validation.
Report incomplete — required attachments missing
Root cause
STRs submitted without supporting documentation are rejected. Required attachments:
These must be attached before submission — they cannot be sent separately or after the fact.
Make document attachment a mandatory step in your STR workflow. The report should not be submittable until both attachments are confirmed. Ensure documents are in PDF format and within the 10MB file size limit.
Report rejected — submission outside required timeframe
Root cause
The MLPPA sets strict filing windows. The clock starts from when the institution detects the activity — not when the case is closed or the report is approved internally.
| Report type | Filing window | Clock starts from |
|---|---|---|
| STR | 96 hours | Detection of suspicious activity |
| CTR | 7 days | Transaction date |
| FTR | 7 days | Transaction date |
Internal review and maker-checker approval must fit inside the 96-hour STR window — they do not pause the clock.
Track SLA from the moment an alert is raised. Display a countdown timer at case level and alert the case owner and supervisor when SLA is at risk. Any compliance system should surface breach risk before it occurs, not after.
February 2026 Platform Upgrade
What changed — and what's now causing rejections
If your team hasn't updated internal processes since the NFIU's goAML upgrade, these are the specific changes generating new rejections.
Hard rejection for wrong report type. Previously a warning. CTR for cross-border and FTR for domestic transactions now auto-reject.
Predicate offense is now mandatory. No STR is accepted without one. UnknownPO requires a written explanation.
Six specific STR categories. Terrorism Financing, Kidnapping for Ransom, Corruption, Fraud, Drug Trafficking, and STR (General) — which is now residual only.
New PEP Transaction Report. A monthly report covering all PEP transactions. Not filing it is a separate compliance gap.
21 consolidated predicate offense categories. The list was reorganised. Old internal mappings may now be incorrect.
goAML XML schema updated. Any B2B integration not updated to the new schema will fail on every submission until corrected.
Pre-Submission Checklist
12 things to verify before you file
Use before submitting any STR, CTR, or FTR. All 12 must be confirmed.