CBN Introduces Strict New Security Measures for Digital Banking
The Central Bank of Nigeria (CBN) has rolled out comprehensive new regulations designed to fortify the security of instant payment services and empower customers with greater control over their digital banking transactions. These measures, which specifically target mobile and internet banking platforms, were formally announced in a circular dated March 12 and signed by Musa Jimoh, Director of the Payments System Management Department.
Enhanced Customer Control and Security Protocols
The guidelines, set to take effect on July 1, 2026, will apply to all banks and licensed payment service providers operating within Nigeria. According to the regulator, the primary objective is to significantly reduce fraud risks and bolster security across the nation's rapidly expanding digital payment ecosystem. A cornerstone of the new framework grants customers the definitive authority to decide whether instant payment services are enabled on their accounts.
Financial institutions are now mandated to provide users with a clear option to opt in or opt out of instant payment services at any time. The CBN's circular explicitly states: "Customers shall have the option to opt-out of/opt-in to IP service at any time and for any given period. This process shall be subject to Multi-Factor Authentication (MFA) control. Default setting shall be Opt-in upon on-boarding a new customer."
When a customer chooses to opt out, online fund transfers will be temporarily disabled. "In the opt-out mode, a customer shall not be able to carry out online instant transfer of funds (intra or inter) from his/her account to another customer. However, customer can physically visit the financial institution to effect transfer during this period," the circular clarifies.
Transaction Limits and Advanced Fraud Detection
The new regulations also permit customers to adjust their transaction limits, but within the existing regulatory caps of ₦25 million for individual accounts and ₦250 million for corporate accounts. Any such adjustment must be preceded by a thorough risk assessment conducted by the financial institution. "Any such adjustment shall be subject to enhanced due diligence and appropriate risk assessment by the financial institution," the directive notes, adding that "The new transaction limit shall take effect immediately upon successful completion of multi-factor authentication (customer consent)."
In a significant move to combat financial crime, the CBN has directed all financial institutions to deploy sophisticated, enterprise-level fraud monitoring systems. These systems must be capable of meticulously tracking both inflows and outflows to promptly detect and flag any suspicious or anomalous transaction patterns.
Robust Identity Verification and Device Security
Banks are further required to strengthen their identity verification processes substantially. For all online account openings and reactivations, institutions must now incorporate liveness checks that verify against the official Bank Verification Number (BVN) and National Identification Number (NIN) databases.
Liveness checks are a biometric security feature that requires users to prove they are physically present during verification. This is typically done by performing specific actions like blinking, speaking, smiling, or turning their head in front of a camera, thereby preventing the use of static photos or pre-recorded videos for fraud.
For mobile banking applications, the regulator has introduced a strict device binding requirement to prevent unauthorized simultaneous access. "Binding Mobile financial services applications (apps) shall only be enabled on one device at a time, and customers cannot operate the apps concurrently on multiple devices," the CBN explained. Switching to a new device will trigger a mandatory full re-authentication process: "Migration to another device shall trigger automatic re-activation and authentication."
Temporary Limits for New Activations
The CBN has also imposed temporary transaction limits for newly activated mobile banking apps as an additional security layer. "For new accounts, transaction limits (inflow and outflow) shall be imposed on a newly activated mobile financial services app in the first 24-hours of activation… subject to a maximum transaction limit of ₦20,000.00." This same restriction applies when existing users activate their mobile banking application on a new device for the first time.
Similarly, for internet banking services, any first-time login attempt from a new device must undergo additional multi-factor authentication checks to verify the user's identity securely.
According to the Central Bank, these comprehensive new rules represent the minimum security standard for instant payment systems in Nigeria. They are a critical component of the bank's ongoing strategic efforts to "enhance customer protection, strengthen fraud detection, and improve control over digital payment services" in the face of evolving cyber threats.
