Nigerian financial institutions are under significant pressure to meet the Central Bank of Nigeria's (CBN) June 10, 2026, deadline for implementing a new cybersecurity framework. While major commercial banks are expected to comply, many smaller institutions, including microfinance banks and finance houses, are struggling to keep up. Experts warn that the failure of these smaller entities could expose the entire banking system to cyber risks.
Struggles of Smaller Financial Institutions
Industry sources reveal that while top-tier commercial banks have made substantial progress toward meeting the requirements, numerous smaller financial institutions are far behind schedule. This delay, experts caution, could leave the entire banking ecosystem vulnerable to the very cyber threats and financial crimes the policy aims to prevent.
Investigations show that only tier-one banks and a limited number of other operators are likely to fully comply before the deadline. Many smaller institutions, particularly microfinance banks and finance houses, reportedly lack critical cybersecurity leadership roles such as Chief Information Security Officers (CISOs).
Focus of the New Framework
The new framework concentrates on improving systems used for Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT), and Counter-Proliferation Financing (CPF). On March 10, 2026, the CBN issued Circular BSD/DIR/PUB/LAB/019/002, mandating all regulated financial institutions to implement minimum standards for automated AML/CFT/CPF systems. Under this directive, every institution supervised by the apex bank must submit an implementation roadmap to the CBN no later than June 10, 2026.
Expert Warnings on Industry-Wide Risks
Cybersecurity specialist Seun Runsewe explained that the CBN's directive goes beyond simply purchasing software solutions. According to her, the framework covers 12 major operational areas that require strong governance structures and technical oversight. She noted that leading commercial banks are in a better position to comply because they already have established cybersecurity teams, CISOs, and technology vendors supporting their operations.
However, she expressed serious concern about smaller financial institutions, including nearly 900 microfinance banks, over 100 finance houses, and several primary mortgage banks, where most regulated operators fall. She stated: 'Most don't have a CISO, let alone a functioning automated AML solution. Many are starting from near zero with the deadline already on top of them.'
According to Runsewe, many of these institutions are starting almost from scratch, without dedicated cybersecurity leadership or functioning automated AML systems, despite the fast-approaching deadline. She also warned that the weakness of smaller operators could threaten the entire financial system because all institutions are connected through shared platforms such as NIBSS, BVN infrastructure, and agency banking networks.
Earlier, the Association of Chief Audit Executives of Banks in Nigeria had raised fresh concerns about cyber fraud targeting bank accounts.
Related CBN Directive on IMTOs
In a related development, the CBN directed International Money Transfer Operators (IMTOs) to open naira settlement accounts with authorised dealer banks. All remittance-related transactions must now be processed through these designated accounts. The policy aims to improve transparency, monitoring, and efficiency in the foreign exchange market.
