“They just show up and look at our books,”fintech executives reveal stricter CBN compliance checks

In a January 2024 letter, the CEO of one of Nigeria’s most prominent fintech startups told employees the company’s focus for the year would be ‘growth and compliance.’ For an industry focused on hypergrowth in the last five years, it marked a major shift in response to regulatory scrutiny and rising fraud concerns. 

After an April ban on onboarding new customers, the central bank increased the frequency of impromptu inspections on the offices of fintech companies. “They just show up and go through our books looking for any anomaly,” one person familiar with the matter told TechCabal. 

“We know that they’ve increased the frequency [of the inspections] because [the greylist] is a clear and present danger for the financial space. The only way you get off the grey list is to ensure regulated entities fulfil their compliance obligations,” Tunde Ibidapo-Obe, the CEO of Regfyl, a Nigerian fraud detection company, told TechCabal. 

Those inspections led to the Central Bank fining at least six fintech startups in the second quarter of 2024 after audits revealed compliance issues, with Moniepoint and OPay being hit the hardest. 

The heightened focus on fintechs is partly due to Nigeria’s goal of getting delisted from the Financial Action Task Force (FATF) greylist—a list of countries with weak anti-money laundering and counter-terrorism financing measures—by January 2025. 

Being on the FATF greylist signals to global investors that a country’s financial systems are vulnerable to money laundering and terrorist financing, and can impair a country’s reputation, hinder access to international capital, and increase business costs

The regulators tightened their grip on fintechs after a 2023 report from Nigeria’s Financial Intelligence Unit (NFIU), the financial crime intelligence agency, showed that over 90% of fintechs failed to report suspicious transactions and were not compliant with anti-money laundering practices, making them likely conduits for money laundering.

The regulators are also responding to the rise in fraud in the banking sector, with fraud via digital channels becoming a significant challenge. In the first half of 2024, 96% of bank fraud happened through web, mobile, and POS systems. 

As fintechs operate mostly through digital channels, they have found themselves in the thick of the fight against fraud, as banks often blame fintechs for these fraud attempts. It reached its tipping point in October 2023, when Fidelity Bank, a Nigerian commercial bank, blocked transfers to several fintechs over concerns that their weak KYC processes made them a conduit for fraudulently obtained funds. 

That block legitimised the perception that fintechs help bad actors get away with fraud and the criticism for the fintech’s lax KYC measures. It also put a spotlight on fintechs that regulators have followed as they try to reduce fraud in Nigeria and prevent fintechs from becoming a weak link exploited by bad actors.

The evolution of KYC and Compliance in Nigeria’s fintech industry 

In 2013, Nigeria’s central bank introduced a three-tiered Know Your Customer (KYC) system, lowering the barriers to onboarding customers. Backed by this circular, fintechs helped cut financial exclusion by 20% and brought millions into the financial system.

Despite the relaxed onboarding requirements, fintech startups are mandated by law to confirm customers’ identities, physical addresses, and risk profiles. They cannot onboard politically exposed persons, individuals on sanctions lists, or those under investigation for fraud or facing legal proceedings. 

However, as the fintechs scaled rapidly, many prioritised growth over compliance, making tradeoffs in areas like risk profiling, transaction monitoring, anti-money laundering, and KYC, leaving some restrictions unimplemented. In some extreme cases, Nigerians could open accounts with information about popular celebrities and random phone numbers

“Many fintechs did not have processes in place to do [the necessary checks]. If you’re onboarding tens of thousands of customers and you have a small compliance team, they can’t keep up,” Ibidapo-Obe said.

The loopholes created safe havens for bad actors, and with little information on the bad actors, the fintechs quickly lost billions to fraud. Before the April 2024 ban was lifted, fintechs were asked to fulfill strict conditions, including restricting peer-to-peer crypto transactions and mandating ID verification and physical address verification for all account tiers. 

“Compliance is no longer just a backroom thing. A lot of fintechs are now taking compliance very seriously. Before now, big fintechs would have one young graduate out of school with just two years of experience heading their compliance team—but that is shifting. Now you’re having more senior people, and there’s a lot more scrutiny as well,” Oyindolapo Olusesi, a tech-focused lawyer, told TechCabal. 

The Central Bank did not immediately respond to a request for comments.

The cost and challenges of compliance

In response to the increased scrutiny, fintech companies have increased the hiring of compliance staff, conducted extensive KYC checks on customers, and blocked crypto transactions where possible. They have also created internal guardrails that flag and report large and suspicious transactions, but some have balked at the price of more stringent KYC requirements. 

Address verification for POS agents alone could cost the industry $1 million, while full KYC checks now range from ₦1500 to ₦2000 per customer—a steep increase from the ₦400 to ₦700 costs before the April ban. The cost of compliance software, which charges per user and transaction, along with the expenses of hiring experienced compliance staff from banks, also increases operational costs for fintechs.

For fintechs with millions of customers, these costs quickly increase and divert scarce resources. Some fintechs analysed the cost-benefit of full compliance and decided to operate in certain grey areas, but that decision negatively affected fintechs when they reached a certain scale, as they became targeted by bad actors. “Startups are aware when they are making infractions, but they make trade-offs when it doesn’t cost them too much,” Olusesi said.

However, after the conditions of the April ban were met, the fintechs have improved their compliance processes, which has pleased regulators who are “happy” that fintechs are now “taking steps in the right direction,” a policy expert told TechCabal.

It’s not been all gloom for Nigerian startups, as fintechs have turned to startups like Regfyl, SmileID, Dojah, Youverify, and Seamfix for compliance and customer identity management solutions that allow the fintechs to properly onboard and manage customer data. 

This has created a market for these startups, as they have raised over $8 million in the past year and onboarded over 100 million digital identities combined. “They are gaining more traction quickly than they would have two years ago,” Olusesi said about the compliance startups. 

Nigerian fintechs have responded to the increased regulatory scrutiny with improved compliance efforts, but for the fintechs, the measure of success is for regulators to ease their scrutiny, which has diverted resources and attention as the January 2025 deadline to exit the greylist approaches.

Get the best African tech newsletters in your inbox