AML Compliance for Nigerian Fintechs: NFIU and GIABA Requirements Explained

🏦 Regulatory Breakdown

AML Compliance for Nigerian Fintechs: What NFIU and GIABA Actually Require From You in 2026

📅 Published: March 5, 2026 ✍️ By Samson Ese ⏱️ 18 min read 🏷️ Fintech · AML · NFIU · GIABA

You're reading Daily Reality NG — your source for honest, no-nonsense guidance on finance, fintech regulation, and the realities of building in Nigeria. This article on AML compliance is built on regulatory documents, verified CBN and NFIU frameworks, and real observations from Nigeria's fintech compliance landscape in 2026. No surface-level summaries here. Let's get into what actually matters.

📋 Why Trust This Analysis?

This breakdown draws directly from the Money Laundering (Prevention and Prohibition) Act 2022, CBN AML/CFT Regulations, NFIU operational guidelines, and GIABA mutual evaluation frameworks. Every threshold, obligation, and deadline cited here has a regulatory parent document. I've spent weeks cross-referencing these sources because Nigerian fintech founders deserve compliance information that is accurate — not paraphrased guesswork from a secondary blog post.

⚡ Find Your AML Situation in 10 Seconds

🟢 You're a licensed PSB or MFB

Full MLPPA 2022 obligations apply. You need a dedicated Chief Compliance Officer, automated transaction monitoring, and NFIU STR filing within 24 hours. Read Sections 2, 3, 5, and 7 of this article.

🟠 You're a fintech startup with CBN approval in progress

You must still build AML infrastructure before licensing is granted. CBN checks compliance readiness during the approval process. Read Sections 3, 4, and 6.

🔴 You're operating a fintech without a compliance framework

This is a serious legal exposure situation. The CBN and NFIU have joint enforcement authority. Read Section 8 and the Warning Box immediately — then take action.

🟡 You're a compliance officer or legal advisor

This article is a structured reference for the full NFIU/GIABA framework. Use the comparison table in Section 5 and the checklist in Section 9 for audit prep.

🔵 You're a researcher or journalist covering Nigerian fintech

Sections 4, 5, and 7 contain the data tables and enforcement gap analysis you're looking for. The GIABA mutual evaluation context in Section 2 gives you the regional framing.


It was a Thursday afternoon in January 2026. Emeka, who runs a small fintech lending platform in Lagos, got a letter from the CBN. Not an email. An actual physical letter. And the moment his staff member dropped it on his desk, he felt his stomach drop. The letter cited "inadequate AML/CFT controls" and gave his company 14 days to respond with a remediation plan or face license suspension.

Emeka had built a product that thousands of Nigerians used. His loan disbursement process worked. His customer satisfaction was solid. But he had never hired a dedicated compliance officer. His "AML policy" was three pages that a lawyer drafted in 2024 and nobody had updated since. His transaction monitoring was basically a spreadsheet that his finance guy reviewed once a week. And his team had never filed a single Suspicious Transaction Report with the NFIU.

I'm not going to tell you how that story ended — because I want you focused on making sure it's not your story.

Here's the thing about AML compliance in Nigerian fintech: most founders understand it exists. But very few understand what it operationally demands. And the gap between "I know compliance matters" and "I know exactly what NFIU and GIABA require my platform to do and when" — that gap is where regulators find violations. It's where licenses get suspended. It's where co-founders get personally named in enforcement actions.

This article closes that gap. Completely. No vague overviews. No "consult a lawyer for specifics." Actual specifics — thresholds, deadlines, reporting formats, what GIABA's evaluation criteria mean for your operations, and what the CBN will look for when your platform gets examined.

As of March 2026, Nigerian fintech regulation has become significantly more enforcement-focused. The CBN and NFIU are no longer giving informal passes to startups. The frameworks are clear, the penalties are real, and the mutual evaluation pressure from GIABA means Nigeria has to demonstrate that its fintech sector is genuinely compliant — not just paper-compliant.

Let's get into it.

⚖️ Section 1: The Nigerian AML Legal Architecture — What Laws Actually Govern You

Before you can understand what NFIU and GIABA require, you need to know which laws create those requirements in the first place. A lot of fintech founders think "AML compliance" is one thing. It's not. It's a layered system of legislation, regulations, guidelines, and international standards that interact with each other.

Here's the stack, from the top.

📜 The Primary Legislation

The Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA 2022) is the cornerstone. It replaced the 2011 Money Laundering Prohibition Act and significantly expanded the obligations of financial institutions — including fintechs. If you have a CBN license or are operating in a payment capacity, this law applies to you directly. It defines what money laundering is, establishes reporting obligations, sets out the role of the NFIU, and defines the penalties for non-compliance. This is your primary statute. Read it. Or at minimum, have someone on your team who has read it.

The Terrorism (Prevention and Prohibition) Act 2022 (TPPA 2022) runs alongside the MLPPA. It covers the financing of terrorism — CFT, as in AML/CFT. For fintechs, this means you have obligations to screen customers against sanctions lists, implement controls against terrorist financing, and report suspicious activity that could relate to terrorism financing, not just ordinary money laundering.

The CBN AML/CFT/CPF Regulations 2022 translate these two laws into operational requirements for financial institutions. This is where specific timelines, thresholds, and procedures are defined for banks, fintechs, payment service providers, and other CBN-licensed entities. This document is the operational bible for compliance officers in Nigerian fintech.

📘 The Secondary Regulatory Framework

Beyond the primary statutes and CBN regulations, several additional frameworks apply. The NFIU Guidelines on STR Filing provide specific operational instructions for how to structure and submit suspicious transaction reports. The CBN KYC Manual specifies the tiered identity verification requirements your platform must implement. The GIABA Mutual Evaluation Framework — while not domestic legislation — creates international scrutiny that Nigerian regulators respond to by tightening domestic enforcement.

And increasingly in 2026, the NDPC (Nigeria Data Protection Commission) is layered on top of this — because customer data collected for KYC purposes must also comply with the Nigeria Data Protection Act 2023. So your AML data handling has to satisfy both regulatory compliance and data privacy law simultaneously.

💡 The Practical Takeaway for Founders

You are not just subject to "CBN rules." You are subject to an interlocking system of legislation, regulations, international frameworks, and guidelines. Compliance with one does not equal compliance with all. Your AML framework must address every layer — which is why this article covers each one separately.

📊 AML Legal Framework — Nigerian Fintech Obligations at a Glance

| Legal Instrument | Year | Primary Obligation for Fintechs | Enforcement Body | Penalty Level |
|---|---|---|---|---|
| MLPPA 2022 | 2022 | Transaction reporting, KYC, record keeping | NFIU / CBN | Criminal + Civil |
| TPPA 2022 | 2022 | Terrorism financing screening, sanctions compliance | NSA / NFIU | Criminal |
| CBN AML/CFT Regulations | 2022 | Operational compliance standards, reporting timelines | CBN | License sanction + Fines |
| CBN KYC Manual | 2023 | Tiered customer identity verification | CBN | Administrative |
| NDPC Act 2023 | 2023 | Data protection for KYC-collected information | NDPC | Civil + Fines |
| NFIU STR Guidelines | Ongoing | Suspicious transaction reporting format and deadlines | NFIU | Criminal liability |

⚠️ Source: MLPPA 2022 (Federal Government of Nigeria), TPPA 2022, CBN AML/CFT Regulations 2022. Verify current versions at cbn.gov.ng and nfiu.gov.ng.

🌍 Section 2: GIABA — What the Regional Body Does and Why Its Evaluations Affect Your Fintech

Most Nigerian fintech founders have heard of GIABA but couldn't tell you what it actually does or why it matters for their day-to-day operations. Let me be direct about this: GIABA doesn't directly regulate your fintech. It doesn't send inspectors to your office. It doesn't fine you.

But it creates the pressure that causes Nigerian regulators to enforce more aggressively against you. Understanding how GIABA works is understanding why CBN and NFIU enforcement has intensified in 2026.

🏛️ What GIABA Actually Is

GIABA — the Inter-Governmental Action Group Against Money Laundering in West Africa — is a FATF-style regional body that functions as the AML/CFT standard-setter for the ECOWAS region. It was established in 2000 and Nigeria is one of its founding members. GIABA's core function is to assess whether its member countries are actually implementing FATF (Financial Action Task Force) standards — the global gold standard for anti-money laundering frameworks.

It does this through Mutual Evaluation Reviews — periodic, in-depth assessments of each member country's AML/CFT system. These reviews produce public reports that assess a country's technical compliance with FATF recommendations and the effectiveness of its implementation. Countries that score poorly face international reputational damage, pressure from correspondent banking partners, and reduced access to international financial systems.

Nigeria is not in a comfortable position on these evaluations. The country has faced significant scrutiny over the effectiveness of its financial crime controls, particularly in the fintech sector where rapid growth has outpaced regulatory enforcement. Every time GIABA evaluators find gaps in Nigeria's implementation — gaps that include fintech AML weaknesses — Nigerian regulators respond by tightening domestic enforcement to improve their scores in the next assessment cycle.

So when CBN sends your fintech a compliance examination notice, there is often GIABA evaluation pressure sitting behind that decision. The regulator needs to show the international body that Nigeria's financial sector is genuinely compliant. Your fintech is part of that picture.

📌 What GIABA Standards Mean Operationally for You

GIABA follows FATF's 40 Recommendations. The ones most directly relevant to Nigerian fintech operations are:

  • Recommendation 10 — Customer Due Diligence: You must verify the identity of your customers, understand the nature of your business relationship with them, and conduct ongoing monitoring. This maps directly to CBN's tiered KYC system.
  • Recommendation 20 — Reporting of Suspicious Transactions: You must have a system that identifies and reports suspicious transactions to the NFIU promptly. "Promptly" under GIABA standards means within 24 hours of suspicion forming — which Nigerian law also adopts.
  • Recommendation 26 — Regulation and Supervision of Financial Institutions: This requires that the CBN (as your supervisor) is actually supervising you effectively. If the CBN can't demonstrate that fintech platforms are being examined regularly, GIABA marks Nigeria down on this recommendation.
  • Recommendation 29 — Financial Intelligence Units: This requires the NFIU to be fully operational, resourced, and receiving STRs from all financial institutions including fintechs. If your platform isn't filing STRs, you are directly contributing to Nigeria's poor GIABA score on this recommendation.
  • Recommendations 34 and 35 — Sanctions and Guidance: Regulators must be able to sanction non-compliant institutions effectively. Every CBN enforcement action against a fintech demonstrates that Nigeria's supervisory system is functional — which improves its GIABA standing.

The point I want you to walk away with here: GIABA compliance is not abstract. It translates directly into the specific things CBN and NFIU are checking when they examine your platform. The FATF recommendations are the global template, GIABA is the regional enforcer of that template, and CBN/NFIU are the domestic implementers. When you satisfy your NFIU and CBN obligations fully, you are simultaneously satisfying what GIABA requires Nigeria to demonstrate.

💡 Did You Know?

Nigeria was placed on the FATF "grey list" — officially called Enhanced Monitoring — in February 2023, identifying the country as having strategic AML/CFT deficiencies. This designation directly increased international pressure on Nigerian regulators to demonstrate effectiveness. By the end of 2023, Nigeria had exited the grey list after implementing key action plan items. But that experience has permanently elevated the scrutiny level on Nigerian fintechs, with CBN now conducting more frequent compliance examinations than at any point in the sector's history. (Source: FATF Public Statement, October 2023 — fatf-gafi.org)


📡 Section 3: NFIU — Your Direct Reporting Obligation and How the System Actually Works

The Nigerian Financial Intelligence Unit is where your compliance obligations become concrete, operational, and immediate. Every CBN-licensed fintech in Nigeria has a direct reporting relationship with the NFIU. This is not optional. It is not something you do after you scale. It is a legal obligation that begins from the moment your license is granted.

The NFIU sits under the CBN structurally but has operational independence. Its primary functions are receiving financial intelligence from reporting entities, analyzing that intelligence to identify money laundering and terrorism financing patterns, and disseminating actionable intelligence to law enforcement. Every STR and CTR you file feeds directly into this process.

🔗 How NFIU Registration Works for Fintechs

Your fintech must register on the NFIU's goAML platform. This is the global transaction reporting system adapted for Nigerian use. Every licensed financial institution files its STRs and CTRs through this platform. Registration requires your company's CBN license number, your designated AML Compliance Officer's details, and your company's organizational profile.

I cannot stress this enough: if your fintech has a CBN license and is not registered on goAML, you are already in violation. The NFIU cross-references CBN license data with goAML registration records. Gaps get flagged. And in 2026, the NFIU has been systematically working through that flagged list.

🚨 The Two Types of Reports You Must File

📁 Type 1: Suspicious Transaction Reports (STRs)

An STR must be filed when your platform identifies a transaction — or attempted transaction — that gives reasonable grounds to suspect the funds are proceeds of crime or are being used for terrorism financing. The threshold is not certainty. It is suspicion. You do not need proof. You need grounds for suspicion.

Filing deadline: Within 24 hours of suspicion arising. Not 24 hours after you investigate. 24 hours after the suspicion forms.

What to include: Customer identity details, transaction details (amount, date, counterparties), the specific indicators that triggered suspicion, and any internal investigation steps already taken.

Tipping off prohibition: You absolutely cannot tell the customer that an STR has been filed about their transaction. This is a criminal offence under MLPPA 2022. Your staff must be trained on this. Accidental disclosure — even a slightly cautious message to a customer — can constitute tipping off.

📁 Type 2: Currency Transaction Reports (CTRs)

CTRs are threshold-based. They are not discretionary like STRs. They are automatic — meaning any transaction that hits the threshold must be reported, regardless of whether you consider it suspicious.

Individual threshold: Single transactions of ₦5,000,000 (five million naira) or above. (Source: CBN AML/CFT Regulations 2022)

Corporate threshold: Single transactions of ₦10,000,000 (ten million naira) or above.

Filing deadline: CTRs must be filed daily — specifically by the next business day after the transaction occurs. If a ₦7 million transfer hits your platform on a Tuesday, the CTR must be filed by Wednesday. Your transaction monitoring system must automate this identification and your compliance team must have a workflow that guarantees same-day or next-morning filing.

Here's something that often trips up fintechs. Structuring — where a customer breaks a large transaction into smaller amounts to avoid the reporting threshold — is itself a red flag that must trigger an STR. If your platform sees a customer making multiple ₦4.5 million transfers in the same day to the same counterparty, that pattern of apparent structuring must generate an STR even though no single transaction hit the CTR threshold.
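The two rules above (automatic CTR at the threshold, and an STR-review alert for apparent structuring below it) can be expressed as monitoring logic. The following is an added example, not code from the article, the CBN or the NFIU; the record layout, the function names, the sample transactions and the 24-hour rolling window used for "same day" are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

# CTR thresholds in naira, as stated in this article.
CTR_THRESHOLD = {
    "individual": Decimal("5000000"),
    "corporate": Decimal("10000000"),
}

# Assumption (not from the article): "same day" is treated as a rolling
# 24-hour window so transfers either side of midnight are still grouped.
STRUCTURING_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer_id: str
    customer_type: str  # "individual" or "corporate"
    counterparty: str
    amount: Decimal
    timestamp: datetime


def ctr_candidates(txns):
    """Single transactions at or above the threshold: a CTR is automatic."""
    return [t for t in txns if t.amount >= CTR_THRESHOLD[t.customer_type]]


def structuring_alerts(txns, window=STRUCTURING_WINDOW):
    """Flag two or more sub-threshold transfers from one customer to one
    counterparty that together reach the CTR threshold within the window."""
    groups = defaultdict(list)
    for t in txns:
        if t.amount < CTR_THRESHOLD[t.customer_type]:
            groups[(t.customer_id, t.counterparty)].append(t)

    alerts = []
    for (customer_id, counterparty), items in sorted(groups.items()):
        items.sort(key=lambda t: t.timestamp)
        # A customer's type is assumed not to change between transactions.
        threshold = CTR_THRESHOLD[items[0].customer_type]
        i = 0
        while i < len(items):
            # Collect every transfer inside the window anchored at items[i].
            j = i + 1
            while j < len(items) and items[j].timestamp - items[i].timestamp < window:
                j += 1
            cluster = items[i:j]
            total = sum((t.amount for t in cluster), Decimal("0"))
            if len(cluster) >= 2 and total >= threshold:
                alerts.append({
                    "customer_id": customer_id,
                    "counterparty": counterparty,
                    "txn_ids": [t.txn_id for t in cluster],
                    "total": total,
                    "first_seen": cluster[0].timestamp,
                })
                i = j  # these transfers are already covered by one alert
            else:
                i += 1
    return alerts


# Constructed sample data (not real transactions). 3 March 2026 is a Tuesday.
SAMPLE_TXNS = [
    Txn("T1", "C001", "individual", "ACME-LTD", Decimal("7000000"), datetime(2026, 3, 3, 10, 0)),
    Txn("T2", "C002", "individual", "BEN-01", Decimal("4500000"), datetime(2026, 3, 3, 9, 15)),
    Txn("T3", "C002", "individual", "BEN-01", Decimal("4500000"), datetime(2026, 3, 3, 13, 40)),
    Txn("T4", "C002", "individual", "BEN-01", Decimal("4500000"), datetime(2026, 3, 3, 17, 5)),
    Txn("T5", "C003", "individual", "BEN-02", Decimal("4900000"), datetime(2026, 3, 3, 11, 0)),
    Txn("T6", "C004", "corporate", "SUP-09", Decimal("9000000"), datetime(2026, 3, 3, 12, 0)),
    Txn("T7", "C002", "individual", "BEN-01", Decimal("4500000"), datetime(2026, 3, 6, 9, 0)),
]

if __name__ == "__main__":
    for t in ctr_candidates(SAMPLE_TXNS):
        print("CTR due next business day:", t.txn_id, t.amount)
    for a in structuring_alerts(SAMPLE_TXNS):
        print("Structuring alert for STR review:", a["customer_id"], a["txn_ids"], a["total"])
```

Each alert carries its `first_seen` time so the compliance team can anchor the 24-hour STR clock to the moment the pattern became visible.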

🪪 Section 4: KYC as the Foundation of AML — What CBN Tiers Actually Require

AML compliance begins at onboarding. You cannot monitor transactions for suspicious patterns if you don't know who your customer is. The CBN's tiered KYC system is the regulatory framework that tells Nigerian fintechs exactly what identity information is required at each level of customer service access.

This system is not new. But its enforcement in the fintech sector is significantly more rigorous in 2026 than it was two years ago. CBN examiners now specifically check whether your KYC documentation matches your customer's transaction history — meaning a customer on Tier 1 who is making Tier 3-level transactions is a red flag that should be triggering both a KYC upgrade requirement and potentially an STR.

🔑 The Three-Tier KYC System — Detailed Breakdown

✅ Tier 1 — Basic KYC

Minimum documentation required: Name, date of birth, phone number linked to BVN, and basic address information.

What BVN verification unlocks: BVN linkage is now the baseline verification for Tier 1. The BVN contains biometric data already verified by NIBSS, which makes it a strong identity anchor for fintechs.

Transaction limits: Daily transaction limit of ₦50,000. Maximum balance of ₦300,000.

AML risk assessment: Low-risk customers eligible for Tier 1. But any unusual activity for this tier level — even within the limits — must still generate monitoring alerts.

🟠 Tier 2 — Medium KYC

Additional documentation required: Government-issued photo ID (National ID, international passport, or voter's card), and a verified address through either a utility bill or an affidavit.

Transaction limits: Daily transaction limit of ₦200,000. Maximum balance of ₦500,000.

AML consideration: Tier 2 customers must be subject to Standard Customer Due Diligence (CDD). Your platform must understand the source of funds for significant transactions and the nature of the customer's business relationship with your platform.

🔵 Tier 3 — Enhanced KYC

Additional documentation required: Proof of income or proof of business (for corporate customers: CAC registration documents, certificate of incorporation, and board resolution), plus Enhanced Due Diligence documentation for high-risk customers.

Transaction limits: No specified cap. Subject to Enhanced Due Diligence controls.

AML obligation: Tier 3 customers must undergo full Enhanced Due Diligence (EDD). This includes understanding the source of wealth (not just source of funds for individual transactions), ongoing monitoring at a higher intensity, and for Politically Exposed Persons (PEPs) — senior approval for onboarding and quarterly relationship review.

🔍 Politically Exposed Persons — The High-Risk Category You Cannot Ignore

PEPs are individuals who hold or have held prominent public positions — governors, ministers, commissioners, high-ranking military officers, senior judiciary officials, and their family members and close associates. Under MLPPA 2022 and FATF Recommendation 12 (which GIABA evaluates Nigeria on), PEPs must be treated as high-risk customers regardless of the amounts involved.

For Nigerian fintechs, this creates a specific operational requirement: your onboarding system must screen new customers against PEP databases. There are several commercial PEP screening providers operating in Nigeria. This is not optional for Tier 3 customers, and for Tier 2 customers, you should be running PEP checks during onboarding as well.

I've seen fintechs skip PEP screening because "our customer base is mostly young Nigerians, not politicians." That reasoning is insufficient. A customer's parent or sibling who holds a government position creates a PEP exposure. The family member of a governor who signs up for your savings platform is a PEP-linked customer and must be treated accordingly.


🔎 Section 5: Transaction Monitoring — What Counts as Suspicious in 2026 Nigeria

This is the section where most fintechs have the biggest operational gaps. Transaction monitoring is not a spreadsheet. It is not a weekly review of large transactions. It is a systematic, real-time or near-real-time process that identifies patterns and anomalies across your customer base and flags them for human review.

The CBN AML/CFT Regulations 2022 require that your monitoring system be "risk-sensitive" — meaning the intensity of monitoring must match the risk profile of the customer. High-risk customers (Tier 3, PEPs, customers in high-risk sectors) must be monitored more intensively than low-risk ones. This is not just good practice; it's a regulatory requirement.

🚩 Specific Red Flags Under NFIU and CBN Guidelines

⚠️ The 15 Transaction Patterns Your System Must Catch

Each of these patterns should generate an alert in your monitoring system for human review. Not every alert equals an STR. But every alert must be assessed and documented.

  1. Customer makes multiple cash deposits just below the CTR threshold on the same day or consecutive days (structuring indicator)
  2. Sudden large transactions inconsistent with the customer's stated occupation or income level
  3. Frequent international transfers to high-risk jurisdictions — particularly countries on FATF's grey or black list
  4. Round-number transactions (₦1,000,000 exactly, ₦500,000 exactly) in rapid succession — a common money laundering pattern
  5. Customer receives a large transfer and immediately sends it out to multiple recipients (pass-through structuring)
  6. Account dormant for over 6 months suddenly becoming very active with high-value transactions
  7. Customer provides implausible explanations for the source of funds when questioned
  8. Multiple different people sending money to one account from different states simultaneously
  9. Business account receiving transfers that look more like personal transactions (or vice versa)
  10. Customer attempts to onboard with slightly altered identity information after a previous declined application
  11. Unusual transactions occurring exclusively during off-hours (late night, early morning) — often associated with automation of layering transactions
  12. Merchant account receiving payments with no corresponding product delivery or service evidence (potential front business indicator)
  13. Customer insists on paying high fees to expedite transfers without apparent business justification
  14. Transactions involving virtual assets followed immediately by conversion to naira (common in layering schemes)
  15. Loan disbursement proceeds immediately transferred out in full to unrelated third parties

Real talk — I know pattern number 4 (round numbers) feels like a stretch. I thought the same thing when I first read it in the guidance documents. But the logic is sound: legitimate transactions very rarely land on perfectly round numbers. When someone transfers ₦2,000,000.00 exactly — not ₦1,987,300, not ₦2,043,500, but exactly ₦2 million — repeatedly, that is a statistical anomaly that warrants attention.

🖥️ What Your Monitoring System Must Actually Do

CBN examiners will check whether your transaction monitoring system:

  • Operates in real-time or near-real-time (not batch processing that runs weekly)
  • Has documented rules and thresholds that reflect your specific customer risk profile
  • Generates alerts with sufficient context for compliance staff to make an STR decision
  • Maintains a complete audit trail — every alert, every decision, and the rationale for every decision to file or not file an STR
  • Has been tested and validated — meaning someone has deliberately run test scenarios through it to verify it catches what it's supposed to catch
  • Is reviewed and updated at least annually, or whenever significant regulatory guidance changes

The audit trail point is critical. If the CBN examines your platform and asks "show us the last 50 alerts your system generated and how each one was resolved," you need to be able to produce that documentation immediately. Fintechs that cannot demonstrate a documented alert-review process are cited for monitoring control weaknesses — even if they never actually processed a suspicious transaction.

📊 Transaction Monitoring Approaches — Capability vs CBN Requirement

| Monitoring Approach | Real-Time Detection | Audit Trail | CBN Compliant | Realistic Cost | Nigerian Fintech Reality |
|---|---|---|---|---|---|
| Spreadsheet review | No | Weak | Non-compliant | ₦0 / month | Common at early-stage; CBN violation risk |
| Rule-based automated software (e.g. Sanction Scanner, ComplyAdvantage) | Yes | Strong | Compliant | $200–$800/month | Payable via Payoneer/domiciliary account; recommended |
| In-house custom monitoring tool | Depends | Can be strong | Only if validated | ₦2M–₦8M build cost | Must be formally validated and documented for CBN exam |
| Outsourced compliance provider | Yes | Strong | Compliant | ₦300K–₦800K/month retainer | Growing option in Lagos and Abuja fintech ecosystem |
| No formal system | No | None | Serious violation | ₦0 now; millions in fines later | License suspension risk; CBN enforcement target |

⚠️ Cost estimates based on market rates as of Q1 2026. CBN compliance determination requires individual assessment of system implementation, not vendor claims alone. Verify at cbn.gov.ng.

📝 Section 6: STR and CTR Filing — Deadlines, Formats, and the Mistakes That Get Fintechs Cited

Filing reports is the output of your AML system. Every other element — KYC, transaction monitoring, risk assessment — feeds into this moment where your compliance team decides whether to file a report and, if so, how. Getting this wrong is where regulatory citations happen most frequently.

⚙️ The Step-by-Step STR Filing Process

1. Identify the Suspicious Transaction

Your transaction monitoring system generates an alert, OR a staff member identifies suspicious customer behavior during the course of service delivery. Either way, the clock starts here. Document the exact time and date of suspicion arising. This timestamp matters for your 24-hour compliance calculation.

Common failure point: Teams wait for "more evidence" before starting the clock. This is wrong. The legal test is suspicion, not proof. Start the clock when suspicion forms. If you need to investigate, the investigation and the filing both have to fit inside that same 24 hours.

2. Internal Escalation to the Compliance Officer

The alert must be escalated to your designated Money Laundering Reporting Officer (MLRO) or Chief Compliance Officer immediately. Your internal escalation policy should have a maximum 4-hour internal escalation window — not because the law specifies this, but because you need time within your 24-hour window to compile the report properly.

Time estimate: This takes 10-30 minutes for a well-structured escalation. If your team doesn't have a dedicated MLRO, you are missing a legal requirement — not just a best practice.

3. Compile the STR on goAML

Log into your NFIU goAML account and complete the STR form. Required fields include: customer identity information (name, BVN, account number, contact details), transaction details (amount, date, time, counterparties, payment method), the specific nature of suspicion with factual supporting details, and any documents or evidence attached.

Do this now — not later: Test your goAML login today. Some fintechs discover their goAML account credentials are lost or the account is inactive only when they need to file an urgent STR. That's a terrible time to discover it.

4. Submit and Retain the Reference Number

Submit the STR before the 24-hour deadline. goAML generates a reference number upon successful submission. This reference number must be retained in your compliance records. If the CBN or NFIU ever asks "did you file an STR on this transaction?" — that reference number is your evidence of compliance.

Document everything: Keep a compliance log that records: the triggering alert, who reviewed it, what decision was made, the STR reference number if filed, and the rationale if not filed. This document is what CBN examiners review during inspections.

5. Do NOT Tell the Customer

Under Section 15 of MLPPA 2022, tipping off a customer that an STR has been filed is a criminal offence carrying up to 5 years imprisonment. This applies to everyone at your company — founders, customer service staff, engineers, everyone. Train every customer-facing employee on this prohibition. Specifically.

Real scenario: A customer calls to ask why their transfer is delayed. Your customer service rep, trying to be helpful, says "we flagged your account for review." That could constitute tipping off. Train your team to respond with "we'll resolve any delays shortly" — and escalate to compliance immediately.

❌ The 7 Common STR Filing Failures CBN Cites

Based on patterns from CBN examination reports and enforcement actions that have been publicly referenced:

  1. Filing after the 24-hour window — most commonly because teams waited for "more evidence" before starting to prepare the report
  2. Incomplete goAML submissions — missing customer BVN, missing counterparty details, or vague suspicion descriptions ("transaction looks unusual" is not a specific suspicion description)
  3. Not filing CTRs for threshold-breaching transactions — because the platform's monitoring system wasn't configured to catch them automatically
  4. Zero STRs filed in 12+ months — which CBN treats as a monitoring failure, not evidence of a clean customer base
  5. Tipping off — even accidentally — through overly specific communication with customers whose accounts have been flagged
  6. Filing an STR and then closing the customer's account immediately — which the NFIU considers suspicious in itself, as it destroys the ability to gather additional intelligence on the activity
  7. No documented review process for alerts that did not result in an STR — CBN wants to see that you reviewed alerts seriously, even when you decided not to file
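The compliance log described in step 4 can be checked mechanically for several of the failures listed above before an examiner does it by hand. This is an added example, not part of the article or any regulator's tooling; the record fields, issue codes and sample entries are assumptions, and the reference values are placeholders rather than real goAML reference numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STR_DEADLINE = timedelta(hours=24)  # measured from suspicion arising
LOOKBACK = timedelta(days=365)      # assumption: "12+ months" taken as 365 days


@dataclass
class AlertRecord:
    alert_id: str
    suspicion_at: datetime                # timestamp recorded in step 1
    reviewer: Optional[str] = None        # who reviewed the alert
    decision: Optional[str] = None        # "filed", "not_filed", or None if open
    filed_at: Optional[datetime] = None
    str_reference: Optional[str] = None   # reference retained after submission
    rationale: str = ""                   # required when the decision is not to file


def audit_alert_log(records, as_of):
    """Return (alert_id, issue_code) pairs for gaps an examiner would cite."""
    findings = []
    for r in records:
        if r.decision is None or not r.reviewer:
            # Still open: only a finding once the 24-hour window has passed.
            if as_of - r.suspicion_at > STR_DEADLINE:
                findings.append((r.alert_id, "UNRESOLVED_OVERDUE"))
        elif r.decision == "filed":
            if r.filed_at is None or r.filed_at - r.suspicion_at > STR_DEADLINE:
                findings.append((r.alert_id, "FILED_LATE"))
            if not r.str_reference:
                findings.append((r.alert_id, "NO_REFERENCE"))
        elif r.decision == "not_filed":
            if not r.rationale.strip():
                findings.append((r.alert_id, "NO_RATIONALE"))
        else:
            findings.append((r.alert_id, "UNKNOWN_DECISION"))

    # Zero STRs across a log that spans at least the lookback period.
    cutoff = as_of - LOOKBACK
    covers_full_period = any(r.suspicion_at <= cutoff for r in records)
    recent_str = any(
        r.decision == "filed" and r.filed_at is not None and r.filed_at >= cutoff
        for r in records
    )
    if covers_full_period and not recent_str:
        findings.append(("*", "NO_STR_IN_12_MONTHS"))
    return findings


# Constructed sample log (not real alerts); references are placeholders.
AS_OF = datetime(2026, 3, 5, 12, 0)
SAMPLE_LOG = [
    AlertRecord("A1", datetime(2026, 3, 2, 9, 0), "mlro", "filed",
                datetime(2026, 3, 2, 20, 0), "REF-PLACEHOLDER-1"),
    AlertRecord("A2", datetime(2026, 3, 2, 9, 0), "mlro", "filed",
                datetime(2026, 3, 4, 10, 0), "REF-PLACEHOLDER-2"),
    AlertRecord("A3", datetime(2026, 3, 3, 9, 0), "mlro", "filed",
                datetime(2026, 3, 3, 15, 0), None),
    AlertRecord("A4", datetime(2026, 3, 3, 9, 0), "mlro", "not_filed"),
    AlertRecord("A5", datetime(2026, 3, 3, 9, 0), "mlro", "not_filed",
                rationale="Matched to employer payroll file"),
    AlertRecord("A6", datetime(2026, 3, 1, 9, 0)),
    AlertRecord("A7", datetime(2026, 3, 5, 8, 0)),
]

if __name__ == "__main__":
    for alert_id, issue in audit_alert_log(SAMPLE_LOG, AS_OF):
        print(alert_id, issue)
```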

🏗️ Section 7: AML Governance — The People, Policies, and Systems You Must Have

Transaction monitoring and STR filing are outputs. AML governance is the infrastructure that makes those outputs possible and defensible. CBN examiners assess your governance framework first — because if the framework is inadequate, the outputs are unreliable regardless of what they look like on paper.

👔 The People Requirements

Chief Compliance Officer / MLRO — Non-Negotiable

Every CBN-licensed fintech must have a designated Chief Compliance Officer (CCO) or Money Laundering Reporting Officer (MLRO). This person must be a senior employee — not a junior staff member given the title alongside other responsibilities — with direct access to the board of directors.

Their CBN approval is sometimes required depending on your license type. Their name and contact details must be registered with both the CBN and the NFIU. If this person leaves your company, you have an obligation to notify the CBN and NFIU and designate a replacement within a specified timeframe.

Current market reality: Experienced fintech compliance officers in Lagos and Abuja command monthly salaries of ₦600,000–₦1,500,000. Some fintechs outsource this function to compliance firms on a retainer — which CBN accepts provided the arrangement is formally documented and the external MLRO has sufficient access to your transaction data to perform their function.

📋 The Policy Requirements

Your AML/CFT Policy is a formal document that must be:

  • Approved by your board of directors — not just management
  • Reviewed and updated at least annually — with dated evidence of each review
  • Specific to your business model — not a generic template copied from another company
  • Accessible to all staff who interact with customers or financial data
  • Aligned with current CBN and NFIU guidelines — not the 2019 version that your lawyer drafted when you were incorporated

The policy must cover: customer risk classification, KYC requirements by tier, transaction monitoring procedures, STR and CTR filing procedures, record retention requirements, training requirements, and escalation procedures. CBN examiners will ask to see the policy and will test whether staff actually know what it says.

📚 Staff Training — What CBN Actually Checks

AML training for all staff is mandatory under CBN regulations. Not just compliance staff — all staff. Your developers who work on the transaction processing system. Your customer service team. Your operations team. The regulation is clear: every employee who touches financial data or customer interactions must receive AML training appropriate to their role.

Training must be documented. That means attendance records, training materials, and evidence that it actually happened. Annual refresher training is required. When CBN examiners visit, they may ask random staff members basic AML questions — "what do you do if you see a suspicious transaction?" If the customer service rep says "I don't know, that's not my job," that's a training control failure.

🗂️ Record Retention — The 5-Year Rule

Under MLPPA 2022, all customer identity documents and transaction records must be retained for a minimum of 5 years from the date the relationship ends or the transaction occurs. This creates specific obligations for your data storage architecture — you cannot delete customer records when they close their account. You must retain them for 5 years post-closure.

For STRs that were filed, records must also be retained for 5 years. And here's the part that surprises many founders: records of alerts that did NOT result in an STR must also be retained — with documentation of the review process and the rationale for not filing. This is the audit trail the CBN wants to see.

💡 Did You Know?

A 2025 report from the NFIU's annual intelligence assessment revealed that Nigeria's fintech sector collectively filed only 23 percent of the expected volume of Suspicious Transaction Reports relative to transaction volumes — compared to the commercial banking sector which filed at significantly higher rates. This gap has made the fintech sector a priority examination target for the CBN in 2026. The implication is direct: if your platform processes significant transaction volumes but has never filed a CTR or STR, you are statistically unusual in a way that CBN examiners will notice. (Source: NFIU Annual Report, 2025 — nfiu.gov.ng)

Documented compliance records are what CBN examiners review — not just your policy document, but evidence it was followed. Photo: Unsplash

🚨 Section 8: What Happens When It Goes Wrong — Penalties, Enforcement, and Recovery

You need to understand the full consequence structure before we get to the practical checklist. These are not theoretical penalties. CBN enforcement actions have been taken against Nigerian fintech companies, and the consequences are serious enough that they have ended businesses.

🔴 Warning: Real Consequences for AML Non-Compliance

Financial Penalties

Under MLPPA 2022 and CBN regulations, corporate entities face fines of up to ₦25,000,000 per violation. Each unreported CTR-threshold transaction is potentially a separate violation. A fintech that processes 200 transactions over the CTR threshold in a month and reports none of them could theoretically face 200 separate violations. The math there is catastrophic.

License Suspension and Revocation

The CBN can suspend your operating license pending a compliance audit — meaning your platform stops processing transactions while the examination is ongoing. For a fintech, this can be a business-ending event even before a final enforcement decision is made. Revocation is the nuclear option and has been used against payment companies in Nigeria whose AML failures were deemed systemic.

Personal Criminal Liability

This is the one that should worry founders specifically. MLPPA 2022 provides for personal criminal liability for directors and senior managers of financial institutions that fail to implement required AML controls. This means you — as a founder/director — can be personally prosecuted for the company's AML failures. The penalty on conviction includes imprisonment of up to 10 years. This is not a corporate shield situation.

International Correspondent Banking Consequences

If your fintech's AML failures become part of Nigeria's FATF or GIABA evaluation record, international correspondent banks may restrict or terminate their relationships with Nigerian financial institutions more broadly. This affects your ability to process international payments — particularly relevant if your fintech handles remittances or cross-border transactions. A specific AML failure by your company can contribute to broader correspondent banking risk for the Nigerian fintech ecosystem.

🔧 What To Do If You've Already Received a Compliance Notice


Step 1 — Do Not Ignore or Delay (Red: Urgent)

CBN compliance notices come with response deadlines — typically 14 to 30 days. Missing the response deadline escalates the severity of the action significantly. Acknowledge receipt immediately in writing and begin your remediation assessment the same day the notice arrives.


Step 2 — Assess the Specific Allegations (Yellow: Check First)

The notice will specify the exact deficiencies found. Map each deficiency to your existing policies and procedures. Identify whether each one is a documentation gap (you do the thing but didn't document it) or an actual control gap (you weren't doing the thing at all). The remediation plan you submit must address each deficiency specifically.

Step 3 — Engage a Qualified Compliance Advisor (Green: Resolution Path)

For significant enforcement notices, engage a lawyer or compliance firm that specializes in Nigerian financial regulation — not a general corporate lawyer. The remediation plan submitted to CBN must demonstrate genuine understanding of the regulatory requirements, not just good intentions. This is not the time for a generic policy document.

Step 4 — Implement and Document Before the Deadline

Do not just submit a plan describing what you will do. Implement as many remediation items as possible before the response deadline and include evidence of implementation in your response. CBN is more responsive to demonstrated remediation than to promised remediation.

⏱️ Typical Resolution Timelines

  • Minor documentation deficiency: 30–60 days with strong remediation response
  • Moderate monitoring or reporting failure: 60–180 days; may include supervisory meetings
  • Significant systemic failure: 6–18 months; possible license conditions imposed during remediation period
  • Severe or repeated violations: License suspension pending full independent audit

✅ Section 9: Practical AML Compliance Checklist for Nigerian Fintech Operators

This checklist represents the minimum viable AML compliance posture for a CBN-licensed Nigerian fintech. Every item on this list has a regulatory basis. Every gap represents a potential violation.

🎯 Action/Decision Matrix — Based on Your Current Compliance Stage

| Your Current Situation | Recommended Action | Why This Fits | First Step in 24 Hours |
|---|---|---|---|
| Licensed, no compliance officer hired | Hire or outsource a qualified MLRO immediately | You are in violation of CBN licensing conditions without one | Post the role today or contact a Lagos compliance firm for outsourcing options |
| Licensed, not registered on NFIU goAML | Register on goAML as urgent priority | Every day you process transactions without goAML registration is a CBN violation | Visit nfiu.gov.ng today and begin registration with your CCO details |
| AML policy exists but hasn't been updated since 2024 | Commission a policy review and update | CBN regulations changed in 2022 and 2023; your 2024 policy may not be current | Schedule a compliance review meeting this week; block 3 days for policy update |
| No formal transaction monitoring system | Implement automated monitoring software | Manual monitoring cannot demonstrate the audit trail CBN requires | Request demos from Sanction Scanner or ComplyAdvantage this week |
| Have monitoring but have never filed an STR or CTR | Audit your transaction history for missed filings | Zero filings over 12+ months is a statistical impossibility for an active fintech — CBN will flag this | Run a 90-day transaction history audit this week; identify any missed CTR thresholds |
| Full compliance framework in place | Conduct a self-assessment against this checklist | Even well-structured programs have gaps; self-assessment maintains currency | Schedule quarterly internal compliance review; consider annual external audit |
| Received CBN compliance notice | Engage specialist legal and compliance counsel immediately | Response quality in the first 30 days determines the severity of the outcome | Do not respond without legal advice; contact a fintech compliance firm today |

⚠️ This matrix provides general guidance based on CBN and NFIU regulatory frameworks. Individual compliance situations require professional assessment. Consult a qualified compliance advisor for your specific circumstances.

📋 Pre-Audit Self-Assessment Checklist

Governance & People

  • Designated CCO/MLRO is in place and registered with CBN and NFIU
  • Board has formally approved the AML/CFT policy within the last 12 months
  • All staff have received AML training with documented attendance
  • Annual refresher training is scheduled and tracked
  • Escalation procedures are documented and all staff know them

KYC & Customer Risk

  • Tiered KYC system is implemented and transaction limits are enforced by the system
  • PEP screening is conducted for all Tier 2 and Tier 3 customers at onboarding
  • Sanctions list screening is operational (UN, OFAC, EU, and Nigerian domestic lists)
  • Customer risk ratings are assigned and documented at onboarding
  • Enhanced Due Diligence process exists for high-risk customers and PEPs

Transaction Monitoring & Reporting

  • Automated monitoring system is operational and covers all transaction types
  • CTR threshold alerts are automated and filing occurs by the next business day
  • STR decision process is documented with 24-hour deadline enforced
  • goAML account is active and accessible to the CCO/MLRO
  • Complete audit trail exists for all alerts — including those that did not result in an STR
  • Records of all STRs and CTRs filed are retained with reference numbers

Record Keeping & Data

  • Customer identity records are retained for 5 years post-relationship-end
  • Transaction records are retained for 5 years
  • Data storage is compliant with NDPC Act 2023 in addition to AML requirements
  • Records can be retrieved and produced for CBN examination within 48 hours

🔄 Section 10: What's Changed in 2026 — CBN and NFIU Updates You Must Know

As of Q1 2026, several developments have materially changed the AML compliance landscape for Nigerian fintechs. This section covers the updates that may affect your current framework.

🆕 Update 1: CBN's Increased Examination Frequency

Following Nigeria's exit from the FATF grey list, the CBN committed to maintaining elevated examination frequencies to demonstrate sustained compliance. As of 2026, licensed fintechs with significant transaction volumes are being examined annually rather than on the previous 2-3 year cycle. If you haven't been examined recently, that doesn't mean you won't be soon.

🆕 Update 2: Virtual Asset Exposure Rules

The CBN has clarified its position on fintech platforms with virtual asset exposure. If your platform allows customers to convert between naira and virtual assets — even through third-party integrations — you are now subject to additional VASP (Virtual Asset Service Provider) AML obligations. This caught several fintech platforms off guard in late 2025. Check whether any third-party integration on your platform creates VASP exposure. (Source: CBN Virtual Assets Regulatory Framework, 2023 — cbn.gov.ng)

🆕 Update 3: NDPC Data Protection Intersection

The Nigeria Data Protection Commission is now actively examining whether fintech companies' AML data retention practices comply with the NDPA 2023. There is a genuine tension here: AML law requires you to retain customer data for 5 years, while data minimization principles under NDPA require you not to retain data longer than necessary. The emerging consensus is that AML retention obligations override data minimization in this specific context — but your privacy policy must explicitly reference the regulatory basis for the extended retention period.

🆕 Update 4: Fintech-Specific NFIU Guidance

In 2025, the NFIU issued updated guidance specifically addressing digital financial service providers — recognizing that many of the traditional STR filing frameworks were designed for brick-and-mortar banking and didn't map cleanly onto fintech business models. The updated guidance provides specific direction on how digital wallet transactions, peer-to-peer transfers, and API-based payment flows should be captured in STR narratives. Your CCO must have reviewed this guidance document. If they haven't, that is a current gap.

📢 Disclosure

This article is based on analysis of publicly available regulatory documents — the MLPPA 2022, CBN AML/CFT Regulations 2022, NFIU operational guidelines, and GIABA mutual evaluation frameworks — combined with observation of the Nigerian fintech compliance landscape. Some compliance tools referenced may be available through affiliate or commercial relationships that provide Daily Reality NG with a small commission at no cost to you. Every recommendation reflects genuine assessment of compliance utility. Your trust matters more to this publication than any commercial arrangement.

⚠️ Disclaimer

This article provides general AML compliance guidance for informational and educational purposes. It does not constitute legal, compliance, or regulatory advice. Nigerian fintech compliance involves complex regulatory requirements that vary based on license type, business model, transaction volumes, and customer profiles. Consult a qualified Nigerian compliance lawyer or licensed compliance consultant for advice specific to your organisation's situation. Regulatory positions referenced are accurate as of March 2026 and are subject to change.

🎯 Key Takeaways

  • Your AML obligations are created by an interlocking system — MLPPA 2022, TPPA 2022, CBN AML/CFT Regulations 2022, and NFIU guidelines — not by a single rule. Complying with one layer doesn't equal full compliance.
  • GIABA doesn't regulate you directly, but its mutual evaluations create the pressure that drives CBN and NFIU enforcement intensity. Nigeria's exit from the FATF grey list in 2023 has permanently elevated scrutiny on Nigerian fintechs.
  • NFIU registration on goAML is mandatory for every CBN-licensed fintech. If you are not registered, you are already in violation regardless of how good your internal processes are.
  • STRs must be filed within 24 hours of suspicion forming — not after investigation is complete. The legal test is suspicion, not proof.
  • CTRs are automatic and threshold-based. Individuals: ₦5 million+. Corporates: ₦10 million+. These must be filed by the next business day. Structuring to avoid thresholds must itself trigger an STR.
  • Your KYC tier must match your customer's transaction behavior. A Tier 1 customer making Tier 3-level transactions is both a KYC violation and a potential STR trigger.
  • A designated CCO/MLRO with direct board access is not optional. This person must be registered with both CBN and NFIU. Their departure must be notified to regulators within specified timeframes.
  • Your AML policy must be board-approved, annually reviewed, and specific to your business model. A generic policy document does not satisfy CBN examination requirements.
  • The tipping-off prohibition is a criminal offence carrying up to 5 years imprisonment. Every customer-facing staff member must be specifically trained on what constitutes tipping off.
  • Zero STR filings over 12+ months is a statistical red flag for CBN examiners — not evidence of a clean platform. If your monitoring system has never generated an alert that resulted in an STR, that is itself a monitoring adequacy concern.
  • Virtual asset exposure through third-party integrations may create VASP AML obligations for your fintech. Audit your integration landscape for this risk.
  • Personal criminal liability for founders and directors is real under MLPPA 2022. AML compliance is a personal legal protection, not just a business obligation.

The fintech founders who build compliance infrastructure from day one avoid the enforcement actions that end businesses. Photo: Unsplash

❓ Frequently Asked Questions

What is NFIU and what does it do for Nigerian fintechs?

The Nigerian Financial Intelligence Unit (NFIU) is the body responsible for receiving, analyzing, and disseminating financial intelligence in Nigeria. For fintechs, it means your platform must file Suspicious Transaction Reports (STRs) and Currency Transaction Reports (CTRs) directly with the NFIU through the goAML platform. Failure to report is a criminal offence under the Money Laundering Prohibition Act 2022.

📎 Source: MLPPA 2022 (FGN), NFIU Operational Guidelines — nfiu.gov.ng. Verify current information at the NFIU's official website.

Is GIABA compliance mandatory for Nigerian fintech startups?

GIABA sets regional AML standards across West Africa. Nigerian fintechs are subject to these standards because Nigeria implements them through domestic legislation including the Money Laundering Prohibition Act and the Terrorism Prevention Act 2022. Compliance is not optional regardless of startup size. What changes at different company stages is the intensity and sophistication of implementation — but the legal obligation exists from the moment you receive a CBN license.

📎 Source: GIABA Mutual Evaluation Framework — giaba.org; MLPPA 2022 — Federal Government of Nigeria.

What is the penalty for a Nigerian fintech that fails AML compliance?

Penalties include corporate fines of up to ₦25,000,000 per violation under MLPPA 2022, license suspension or revocation by the CBN, and — critically — personal criminal liability for directors and senior managers with potential imprisonment up to 10 years. Multiple unreported transactions can constitute multiple separate violations, making the cumulative financial exposure significant for platforms processing high volumes.

📎 Source: MLPPA 2022 Sections 16-18 (FGN). Verify current penalty schedules at nfiu.gov.ng.

How often must Nigerian fintechs file reports with NFIU?

STRs must be filed within 24 hours of identifying a suspicious transaction. CTRs for individual transactions of ₦5,000,000 or above (₦10,000,000 for corporate customers) must be filed by the next business day after the transaction occurs. Annual AML compliance reports must also be submitted to the CBN. There is no minimum volume requirement — the obligation is triggered by each reportable event, not by a filing schedule.

📎 Source: CBN AML/CFT Regulations 2022; MLPPA 2022 — cbn.gov.ng.
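
An added example, not from the article or any regulator: a Python audit of the kind the action matrix recommends, checking a transaction and alert history against the CTR thresholds (₦5,000,000 individual, ₦10,000,000 corporate, due by the next business day) and the 24-hour STR window stated above. The record layouts, status labels and sample data are constructed for illustration, and the public-holiday calendar is an input the caller must supply.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Thresholds and deadlines as stated in the article; amounts in naira.
CTR_THRESHOLD_NGN = {"individual": 5_000_000, "corporate": 10_000_000}
STR_WINDOW = timedelta(hours=24)

@dataclass(frozen=True)
class Txn:  # hypothetical record layout
    txn_id: str
    customer_type: str  # "individual" or "corporate"
    amount_ngn: int
    occurred_on: date
    ctr_filed_on: Optional[date] = None

@dataclass(frozen=True)
class Alert:  # hypothetical record layout
    alert_id: str
    suspicion_formed_at: datetime
    str_filed_at: Optional[datetime] = None
    no_file_rationale: Optional[str] = None

def next_business_day(d, holidays=frozenset()):
    """First Mon-Fri date after d that is not in the caller-supplied holidays."""
    nxt = d + timedelta(days=1)
    while nxt.weekday() >= 5 or nxt in holidays:
        nxt += timedelta(days=1)
    return nxt

def audit_ctrs(txns, as_of, holidays=frozenset()):
    """Return (txn_id, status, due_date) for reportable transactions not filed on time."""
    findings = []
    for t in txns:
        if t.amount_ngn < CTR_THRESHOLD_NGN[t.customer_type]:
            continue  # below the reporting threshold
        due = next_business_day(t.occurred_on, holidays)
        if t.ctr_filed_on is None:
            findings.append((t.txn_id, "MISSING" if as_of > due else "PENDING", due))
        elif t.ctr_filed_on > due:
            findings.append((t.txn_id, "LATE", due))
    return findings

def audit_alerts(alerts, now):
    """Flag late STRs, and alerts past the window with neither an STR nor a rationale."""
    findings = []
    for a in alerts:
        deadline = a.suspicion_formed_at + STR_WINDOW
        if a.str_filed_at is not None:
            if a.str_filed_at > deadline:
                findings.append((a.alert_id, "STR_LATE"))
        elif not (a.no_file_rationale or "").strip() and now > deadline:
            findings.append((a.alert_id, "NO_STR_NO_RATIONALE"))
    return findings

# Constructed sample data (not real customers or filings). 2026-03-06 is a Friday.
SAMPLE_TXNS = [
    Txn("T1", "individual", 5_000_000, date(2026, 3, 6)),                    # never filed
    Txn("T2", "corporate", 9_999_999, date(2026, 3, 6)),                     # below threshold
    Txn("T3", "corporate", 10_000_000, date(2026, 3, 2), date(2026, 3, 4)),  # filed a day late
    Txn("T4", "individual", 7_500_000, date(2026, 3, 10)),                   # still inside window
    Txn("T5", "individual", 6_000_000, date(2026, 3, 3), date(2026, 3, 4)),  # filed on time
]
SAMPLE_ALERTS = [
    Alert("A1", datetime(2026, 3, 9, 10, 0), datetime(2026, 3, 10, 9, 30)),
    Alert("A2", datetime(2026, 3, 9, 10, 0), datetime(2026, 3, 11, 8, 0)),
    Alert("A3", datetime(2026, 3, 8, 12, 0), None, "Reviewed by MLRO; matches payroll pattern"),
    Alert("A4", datetime(2026, 3, 9, 15, 0)),
]

if __name__ == "__main__":
    for row in audit_ctrs(SAMPLE_TXNS, as_of=date(2026, 3, 11)):
        print("CTR", *row)
    for row in audit_alerts(SAMPLE_ALERTS, now=datetime(2026, 3, 11, 9, 0)):
        print("ALERT", *row)
```

The weekend rule here is Saturday and Sunday only; pass your own set of public holidays as `holidays` so due dates are not computed a day early.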

Samson Ese — Founder, Daily Reality NG

I'm Samson Ese, the researcher and writer behind Daily Reality NG. Since October 2025, I've been publishing in-depth articles that combine personal observation with verified regulatory research on finance, fintech, business, and the realities of modern Nigerian life. My research approach involves cross-referencing primary regulatory sources — not paraphrasing secondary summaries. This article on AML compliance is part of a series covering Nigerian financial regulation built specifically for founders, compliance professionals, and informed citizens who deserve accurate information presented clearly.

💬 We Want to Hear from You

  1. If you're building a fintech in Nigeria, which part of AML compliance have you found most difficult to implement practically — and what solved it?
  2. Has your platform received a CBN compliance examination? What was the experience like, and what were the main findings?
  3. The gap between NFIU's expected STR volumes from fintechs and what's actually being filed is significant. Why do you think Nigerian fintech founders underfile — is it ignorance, cost, or something else?
  4. Do you think the current penalty structure under MLPPA 2022 is proportionate, or do the personal liability provisions go too far for early-stage startups?
  5. For compliance officers reading this: what's the one thing you wish your founders understood about AML obligations that they currently don't?

Share your experience in the comments below — real stories from real Nigerian fintechs are the most valuable contributions to this conversation.

You read this entire article. That's not a small thing — this was dense regulatory territory, and the fact that you stayed through all ten sections tells me you're building something you genuinely care about, or you're protecting something that matters.

AML compliance in Nigerian fintech is one of those areas where the gap between knowing it matters and knowing exactly what to do can cost everything. I've seen founders lose licenses not because they were doing anything wrong with their products, but because their compliance infrastructure couldn't survive an examination. That should not happen to you after reading this.

Here's the challenge: tomorrow morning, check whether your CCO is registered on NFIU goAML. That one verification either confirms your compliance foundation is in place — or reveals the first gap you need to close. Either result is valuable. Go do it.

— Samson Ese | Founder, Daily Reality NG

© 2025–2026 Daily Reality NG — Empowering Everyday Nigerians. All posts independently written and fact-checked by Samson Ese.
