Gabriel Eze, Lead Associate

Introduction

Does your organization procure compliance software merely to satisfy a check-box requirement, yet remain unable to demonstrate that the technology actually detects and prevents financial crime? There is a new framework by the Central Bank of Nigeria (CBN) which directly challenges this approach. The days of feature-based compliance and vendor-driven implementation are over. The CBN now demands demonstrable effectiveness for all financial institutions in Nigeria. Accordingly, the new framework shifts regulatory focus from paper-based compliance to real-time scrutiny. The CBN will no longer just audit written compliance policies; it will actively scrutinize the logic, process, capability, and security of the compliance technology itself.

On 10 March 2026, the CBN released its circular for Baseline Standards for Automated Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing Solutions (“Baseline Standards” or “Standards”) for financial institutions. By this new directive, the CBN has created a basic rulebook for financial technology, outlining the lowest acceptable standard for automated AML/CFT/CPF solutions (AML Solutions) used to fight financial crimes in Nigeria. It clarifies that while financial institutions (FIs), including regulated Fintechs must remain compliant with all existing financial laws, these new standards serve as minimum requirements to ensure compliance effectiveness. The framework provides a clear indication of the future direction of regulatory supervision within Nigeria’s digital finance space. Beyond the regulatory requirement to monitor suspicious transactions, the Baseline Standards show exactly how the technology must be set up for proper monitoring.

This article therefore examines the CBN’s AML Baseline Standards with attention to the market implications for FIs, and emerging Web3 operators navigating Nigeria’s evolving digital economy. 

Scope of the Baseline Standards 

The Baseline Standards apply to all banks and other financial institutions operating under the regulatory purview of the CBN. Recognizing that the financial space comprises institutions of different sizes, the CBN understands that a “one-size-fits-all” approach would crush smaller market players. Compliance technology must scale naturally with a company’s operational size and risk exposure based on five specific characteristics: operational complexity; product scope; customer base; transaction volumes; and risk exposure. This risk-based approach is further contextualized through the following considerations:

1. Transaction Volume and Speed: Typically, a digital payment app processing millions of instant transfers per day would be reasonably required to have an advanced real-time automation engine. Whereas a boutique investment firm handling a few transactions weekly may require a much simpler system.
2. Product Complexity: FIs offering complex cross-border trade finance, multi-currency wallets, or derivative trading require advanced software capable of tracking multi-layered transactions.
3. Customer Base and Footprint: The larger the customer base and the wider the geographic spread, the more sophisticated the FIs’ compliance data-processing capabilities must become.
4. Self-Risk Assessment: The software configuration must directly address the specific financial crime vulnerabilities documented by an institution in its internal risk assessments. Industry players must shun the practice of procuring a generic AML stack and allowing vendors to dictate how internal security infrastructure is set up, while still failing to address unique challenges.

Highlights of the Baseline Standards 

The Baseline Standards place increasing pressure on financial institutions to treat compliance architecture as a core operational and governance function rather than a secondary regulatory obligation as highlighted below.

1. Overlapping Regulatory Requirements: Where conflicting regulatory requirements arise, the CBN mandates market players to apply the most stringent rule. For example, If a law says you must flag transactions over ₦5 million, but the new standards require tracking at ₦1 million, you must follow the stricter ₦1 million rule. This implies that the compliance baseline has tightened with stricter thresholds.

2. Contextual Monitoring: Effectively, the CBN is banning “blind” monitoring architecture. The framework reflects a transition from check-box transaction monitoring toward behavioural and intelligence-driven compliance surveillance. The CBN is signaling that compliance framework adequacy is no longer judged by the mere deployment of software, but by the capacity to interpret customer transactional behavior and evolving financial crime typologies. This demands stronger corporate governance oversight to avoid strict regulatory sanctions.

3. Mandatory Software Linkages: To be considered legally compliant, automated controls must link transaction monitoring directly to three databases: (a) Customer Due Diligence and Know Your Customer (CDD/KYC) to verify personal data such as names, addresses, and Bank Verification Number (BVN) or National Identification Number (NIN); (b) Know Your Business (KYB) to verify data for corporate entities; and (c) Customer Risk Assessment to determine the internal risk score assigned to a user (e.g., low, medium, or high risk). So if a monitoring tool fails to connect customer identity and business databases, the CBN will label that system as non-compliant and reject it during audits.

4. Internal Governance, Vendor Accountability and API Risk: Financial institutions are equally required to maintain a vendor/third-party management policy. The broader implication is that accountability for AML failure increasingly shifts from external vendors to internal governance structures, including compliance leadership and the boardroom. The CBN expects institutions to fully manage and regularly test their own compliance systems internally. Emerging players may increasingly face a strategic choice between investing in scalable compliance infrastructure or pursuing operational partnerships with larger regulated entities. Relying heavily on third-party APIs or outsourced compliance infrastructure without developing internal legal and technical expertise may expose an institution to severe regulatory sanctions and operational risks.

To operationalize these expectations, the Standards require financial institutions to implement a range of core compliance capabilities, including (a) AML solution, (b) Customer Due Diligence (CDD), Know Your Customer (KYC) and Know Your Business (KYB), (c) Sanction Lists & PEP Screening, (d) Risk Assessment, (e) Transaction Monitoring & Risk-Based Analyses, (f) Fraud Monitoring and Detection, (g) Case Management, (h) Reporting, (i) Audit and Governance, (j) System Integration & Scalability, (k) Security & Data Protection, and (l) User Interface and Customisation.

Market Implications Across Nigeria’s Financial Sector

Essentially, while the Baseline Standards apply directly to institutions operating under the regulatory purview of the CBN, their implications extend across Nigeria’s wider financial ecosystem. Banks, Fintechs, Payment Service Providers (PSPs), Mobile Money Operators (MMOs), and Virtual Asset Service Providers (VASPs) should view the Standards as a clear indication of the regulatory direction for technology-driven financial services in Nigeria. 

For banks and Fintechs, the Standards establish what is likely to become the minimum supervisory benchmark for automated compliance architecture across Nigeria’s financial sector. FIs will increasingly be expected to demonstrate that their compliance infrastructure is capable of identifying and mitigating financial crime risks in real time. The Standards also reinforce the principle that compliance technology must be proportionate to an institution’s operational complexity, customer profile, transaction volumes, and risk exposure.

The implications are equally significant for VASPs, particularly those operating within the emerging stablecoin market. As stablecoins increasingly function as payment and value-transfer instruments, the compliance architecture supporting their issuance, custody, and settlement is likely to attract heightened regulatory scrutiny. VASPs seeking to build stablecoin-based products should not view the Baseline Standards as a framework applicable only to traditional financial institutions. Instead, the Standards provide a useful indication of the compliance architecture and technology expectations likely to shape the future regulation of digital asset services in Nigeria. Notably, under the Money Laundering (Prevention and Prohibition) Act 2022, the definition of a financial institution extends to include VASPs.

Reasons the Standards Matter for Financial Institutions, Fintechs, and VASPs

1. The Banking Gateway: As a result of the new heightened regulatory obligations, banks are likely to strengthen due diligence over third-party relationships to avoid inheriting compliance risks through their partners. Consequently, Fintechs, Payment Service Banks (PSBs), PSPs, and VASPs that depend on banking infrastructure may increasingly be required to demonstrate compliance capabilities comparable to those of their banking partners. Institutions that cannot match the new demands of automated AML/CFT/CPF controls may face enhanced onboarding requirements, contractual compliance obligations, or, in some cases, de-risking from critical banking relationships.

2. Regulatory Blueprint: The core capabilities mandated by the CBN—such as AI-driven dynamic risk profiling, instant identity validation (NIN/BVN), and automated cross-border transaction screening—establish a new technological benchmark for Nigeria’s financial sector. As Nigeria moves toward a more coordinated framework for financial services and digital assets, other regulators, including the SEC, may increasingly adopt similar architectural expectations for automated AML/CFT/CPF systems, particularly in relation to fiat-referenced stablecoins and other virtual asset activities.

3. Coordinated Oversight: As Nigeria advances its unified digital asset framework, the technical data protection requirements (aligned with the Nigeria Data Protection Act) and independent annual model validations for predictive analytics set a direct compliance standard that Financial Institutions operating in the Nigerian market must prepare to adopt.

Accordingly, institutions operating within Nigeria’s digital finance space should align their compliance frameworks with the Baseline Standards. And irrespective of the absence of an overarching legislation on VASPs including the complete absence of one for stablecoin-focused businesses in the country, VASPs must also align. Apart from VASPs being classified as FIs in relevant laws and regulations, a comprehensive legislative framework specifically focused on VASPs is presently in the works before the Senate.

Enforcement and Implementation

Existing financial institutions must adopt these automated standards within the CBN’s official timelines, while new market entrants must prove compliance to secure business licenses. Implementation begins immediately from the date of issuance, 10 March 2026. All financial institutions are mandated to submit their formal implementation roadmaps to the CBN Compliance Department by June 2026. To reach full compliance, Deposit Money Banks have until September 2027, while other financial institutions must comply by March 2028. This enforcement measure signals a transition from routine documentary supervision to technology-driven continuous compliance oversight.

Conclusion

The CBN Baseline Standards establish a strict regulatory framework for deploying automated solutions that eliminate manual operational blind spots across all financial products. By mandating secure data integration between compliance transaction surveillance frameworks, the guidelines utilize artificial intelligence and advanced analytics to optimize detection speed and improve alert quality. This new regulatory shift further aligns Nigeria’s financial industry with evolving FATF expectations. 

For players in Nigeria’s financial sector, compliance can no longer function as a peripheral control function or vendor-led exercise. Under the Baseline Standards, effective compliance is no longer measured by the sophistication of the software purchased, but by the institution’s ability to demonstrate that its systems can identify and mitigate financial crime risks in real time. It is the end of feature-based AML compliance. Is your financial institution, Fintech, or VASP aligning?