The Central Bank of Nigeria (CBN) has tightened the rules for account opening and reactivation, mandating that all such processes must now include liveness verification and be validated in real time against the Bank Verification Number (BVN) or National Identity Number (NIN) database.
The directive, issued in a circular to banks, fintechs, and payment service providers dated March 12, 2026, sets the minimum baseline security requirements for instant payment systems in Nigeria. Financial institutions have until July 1, 2026, to comply.
Under the new rules, newly activated mobile banking applications will also face a ₦20,000 ($14.58) transaction cap on both inflows and outflows within the first 24 hours after activation, a measure designed to reduce the risk of fraud immediately after accounts or devices are set up.
The new framework marks the regulator’s latest effort to strengthen Nigeria’s digital banking infrastructure against a surge in fraud that has accompanied the country’s instant payments boom.
Instant payments in Nigeria reached ₦284.99 trillion ($185.66 billion) in the first quarter of 2025. But the growth in transaction volume has also been accompanied by a surge in fraud. Data from the Financial Institutions Training Centre (FITC) shows fraud losses jumped 603% year-on-year to ₦3.29 billion in Q1 2025, with more than 12,000 cases reported during the period.
The new framework forms part of the CBN’s broader effort to tighten fraud oversight across the financial system as digital banking adoption accelerates. The CBN is now tightening controls around online account opening, device access, and transaction authentication to limit how quickly fraudsters can exploit digital banking channels.
Earlier this week, the regulator also formally recognised artificial intelligence (AI) and machine learning as tools for financial crime detection, embedding them into new compliance standards for financial institutions.
New security rules for mobile and online banking
Under the new rules, mobile banking applications must operate with mandatory device binding, meaning a customer’s banking app can only be active on one device at a time.
If a customer migrates to a new phone, the application must trigger additional authentication checks before it becomes operational again.
Similarly, first-time internet banking logins from a new device will require additional multi-factor authentication (MFA).
For newly activated mobile banking apps, financial institutions must impose transaction limits of ₦20,000 ($14.58) during the first 24 hours after activation. These limits apply to both new and existing accounts using a newly installed banking app.
The regulator also directed financial institutions to introduce enterprise-level fraud monitoring systems capable of detecting suspicious inflows and outflows in real time.
Customers can disable instant transfers
Another change under the new framework allows customers to opt out of instant payment services entirely.
Banks will be required to provide opt-in and opt-out functionality that lets users disable real-time transfers from their accounts if they choose. However, the default setting will remain opt-in.
Customers who disable instant payments will be unable to initiate digital transfers during that period, although transactions can still be carried out at bank branches.
The CBN also directed banks to allow customers to adjust their own transaction limits, subject to enhanced due diligence and authentication checks, and the existing ceilings of ₦25 million ($18,228) for individuals and ₦250 million ($182,280) for corporate accounts.
















