On 10 March 2026, the Central Bank of Nigeria issued its Baseline Standards for Automated Anti-Money Laundering Solutions, and the financial sector’s relationship with manual compliance controls effectively came to an end.
The circular applies to every institution under CBN oversight: banks, fintechs, mobile money operators, payment service providers, and international money transfer operators. No exceptions, no opt-outs. Deposit money banks have 18 months to achieve full compliance. Other financial institutions have 24. And every institution must submit an implementation roadmap to the CBN’s Compliance Department within three months of issuance. That clock is already running.
What makes this circular different from previous guidance is its specificity. The CBN has not issued a general principle that institutions should “have strong AML controls.” It has defined 12 functional areas, set minimum capabilities for each, and made explicit what it will look for during examinations. This article translates those requirements into what they actually mean for your technology stack and your compliance team.
The starting point: identity is not a formality
Everything in the CBN’s standards begins with the customer record — and the standards treat KYC not as a one-time onboarding step but as a living data layer that feeds every other compliance function.
For individual customers, this means your platform must perform real-time identity verification against the Bank Verification Number (BVN) database via NIBSS and the National Identity Number (NIN) database via NIMC at the point of account opening, not as a back-office batch process. A BVN verification API call at onboarding is now a baseline expectation, not a differentiator. The same applies to NIN verification API for Tier 2 and Tier 3 accounts.
But the CBN goes further than most institutions currently operate. KYC data cannot sit in a static onboarding record. The standards require continuous synchronisation between KYC/KYB records, customer risk profiles, and transactional data, so that when an alert fires in your transaction monitoring system, the analyst reviewing it can see not just the transaction, but who the customer is, what their declared income and occupation are, what their risk classification is, and what their history of alerts looks like. All of it, in a single interface, in real time.
Institutions whose customer due diligence software layer is disconnected from their monitoring layer have a structural compliance gap that will be visible to a CBN examiner. The standard is explicit: an AML solution without effective linkage to KYC/KYB data will not be considered compliant.
The monitoring core: where most institutions have the biggest gap
Transaction monitoring is where the CBN’s requirements become most demanding, and where the distance between what most institutions currently operate and what is now required tends to be largest.
The baseline is risk-based monitoring that goes well beyond raw transaction volumes. Your AML transaction monitoring capability must incorporate customer attributes (occupation, declared income, geographic footprint, product profile, delivery channel) alongside transactional patterns. Scenarios must be configurable, segmented by customer type, and aligned to your documented risk assessment. Peer-grouping and network analysis, mapping related parties and identifying unusual patterns across connected accounts are listed as required capabilities, not advanced features.
On the fraud side, the standard shifts to real-time fraud detection for card and electronic channels. Fraud monitoring must operate faster than AML transaction monitoring, because the intervention window for card and e-channel fraud is measured in seconds, not hours. Where a single platform handles both AML and fraud, logical separation of rules is required, but the CBN expects the two systems to share risk signals without blind spots.
The governance dimension of these requirements is equally demanding. False-positive and false-negative thresholds must be defined, documented, and reviewed at least annually. Where AI or machine learning is used for risk scoring or anomaly detection, independent validation is required every year, covering accuracy, performance drift, bias, and explainability. Your institution must also define internal SLAs for how quickly high-risk alerts are reviewed and resolved, and senior management must sign off on those SLAs.
The screening perimeter: sanctions, PEPs, and adverse media
A parallel requirement runs alongside transaction monitoring: continuous screening of your customer base against sanctions lists, PEP registers, internal watchlists, and adverse media sources.
The CBN requires that sanctions screening software integrates with both domestic and global lists, updates in real-time or near-real-time when new entries are added, and includes matching logic capable of detecting name variations, fuzzy matching, or AI-based techniques are explicitly contemplated. Pep screening software must automatically flag politically exposed persons and high-risk individuals at onboarding and throughout the relationship. Adverse media screening is a baseline requirement, not an enhancement.
Where there is a confirmed sanctions match, the system must be capable of automatically blocking transactions or placing accounts on hold, not after manual review. And your institution must be able to demonstrate, on request, that screening processes are effective: resolved alerts, decision rationale, and actions taken must all be documented and retrievable.
Watchlist screening software that only operates onboarding is insufficient under these standards. Screening must be ongoing, periodic, and event-driven throughout the entire customer lifecycle.
Case Management and Reporting: The Accountability Layer
Every alert, from transaction monitoring, sanctions screening, fraud detection, or any other source, must flow into a case management system that creates an auditable record of what happened, who reviewed it, what they decided, and why.
The CBN’s requirements for AML case management software cover automated case creation, role-based workflows with maker-checker functionality, full audit trails with timestamps, and management reporting on case volumes, ageing, and outcomes. Periodically reviewing closed cases to feed findings back into scenario tuning is explicitly required case management is not just an operational tool; it is the feedback loop that keeps your monitoring system calibrated.
On the reporting side, AML reporting software must support automated or semi-automated generation of STRs, SARs, CTRs, and FTRs, and the suspicious transaction reporting output must be consistent with underlying case management data. Regulators will compare your STR submissions against your alert and case records. Inconsistencies between the two will be a red flag in any examination.
Integration, security, and the infrastructure question
Underneath all of these functional requirements sits an infrastructure demand that is harder to retrofit than any individual capability: your AML solution must be fully integrated with your core banking system, your KYC repositories, your onboarding platform, and your fraud systems, bidirectionally and in real time.
The CBN has explicitly stated that institutions rated High or Above Average risk within their subsectors cannot operate AML solutions that rely solely on standalone transaction feeds. Full integration with KYC and KYB repositories and customer risk profiles is required, not a roadmap item. It is a requirement.
On the security side, the standards mandate encryption at rest, in use, and in transit; multi-factor authentication; role-based access controls; and full compliance with the Nigeria Data Protection Act. Recovery Time Objectives and Recovery Point Objectives must be defined through a Business Impact Analysis and be commensurate with your risk profile.
What this means practically
Taken together, the 12 areas of the CBN’s Baseline Standards describe a compliance architecture that most Nigerian financial institutions do not currently operate in full. For many, the challenge is not a single missing feature; it is a fragmented stack of point solutions that each do one thing adequately but cannot produce the unified customer view the CBN now requires.
The proportionality principle in the standards acknowledges that a community bank and a tier-1 commercial bank do not start from the same place. But proportionality applies to depth and sophistication, not to the requirement itself. Every regulated institution must have an automated AML solution. Every regulated institution must submit a roadmap within three months.
For institutions that need to move quickly, the most defensible approach is to prioritise the four areas where the CBN’s examination lens is sharpest: KYC/BVN/NIN integration, real-time sanctions and PEP screening, transaction monitoring connected to customer risk profiles, and case management with full audit trails. These form the compliance core that examiners will look for first and they are also the capabilities that, when working together, make every other requirement easier to meet.
Archer was built for exactly this architecture, combining real-time transaction monitoring, BVN and NIN-linked customer risk profiling, sanctions and fraud screening, and auditable case management in a single platform designed for the operational reality of African financial markets. If you are building your CBN implementation roadmap, speak to our team.
Frequently Asked Questions
Who do the CBN Automated AML Solution requirements apply to?
Every institution under CBN oversight – banks, fintechs, mobile money operators, payment service providers, and international money transfer operators – regardless of size. The depth of implementation is proportional to each institution’s risk profile, but no institution is exempt.
What are the compliance deadlines?
Deposit money banks have 18 months from 10 March 2026. Other financial institutions have 24 months. All institutions must submit implementation roadmaps to the CBN’s Compliance Department within 3 months of issuance.
Does the CBN require a single unified AML and fraud platform?
Not explicitly, but institutions rated High or Above Average risk must demonstrate a credible roadmap toward a unified financial crime architecture. All institutions must ensure their AML and fraud systems exchange risk signals without creating blind spots.
What does the CBN require for KYC and identity verification?
Real-time BVN and NIN verification at onboarding, continuous synchronisation between KYC data and customer risk profiles, and linkage to transaction monitoring so that analysts reviewing alerts can see the full customer context. Static, one-time onboarding checks are not sufficient.
What are the consequences of non-compliance?
Remedial directives, administrative sanctions, and financial penalties under BOFIA, the MLPPA, and the CBN AML-CFT-CPF Administrative Sanctions Regulations 2023 – including potential sanctions on accountable individuals within the institution.
