The Central Bank of Nigeria (CBN) has unveiled new regulations aimed at boosting fraud control and digital banking security across Nigeria.
The apex bank issued a circular to all banks, financial institutions, and payment service providers detailing amendments to the Revised Regulatory Framework for Bank Verification Number operations, alongside enhanced requirements for instant payment services.
Under the updated BVN framework, financial institutions are required to maintain a temporary watchlist for BVNs linked to suspected fraudulent transactions. Any BVN placed on this list will remain for a maximum of 24 hours, during which the account holder will be contacted for clarification.
The circular also imposes age restrictions for BVN enrolment, limiting registration to individuals 18 years and above, and restricts phone number amendments linked to BVNs to one change only.
Access to BVN databases will now be restricted exclusively to CBN-licensed financial institutions, with the central bank retaining the discretion to grant access in exceptional circumstances under existing laws. These provisions take effect from 1 May 2026.
In addition, the CBN introduced guidelines for instant payment (IP) services to enhance security and customer control.
Financial institutions must implement voluntary opt-in/opt-out functionality, allowing customers to decide whether to participate in instant payment services. Customers who opt out will still be able to conduct transfers at physical bank branches.
Customers can also set voluntary transaction limits, with maximum thresholds of ₦25 million for individuals and ₦250 million for corporates, while adjustments require enhanced due diligence and risk assessment.
To further combat fraud, the CBN mandated that all financial institutions activate enterprise fraud monitoring for both inflows and outflows, and introduce liveliness checks for online account opening or reactivation. This ensures real-time validation of accounts against BVN/NIN databases and uses authentication measures such as soft or hard tokens.
For mobile financial services, apps must now be device-bound, allowing operation on only one device at a time. Migration to another device will trigger automatic reactivation and authentication. New and existing accounts using mobile apps will face transaction limits for the first 24 hours, capped at ₦20,000, while first-time logins on a new device will require multi-factor authentication.
“These measures are intended to reinforce security, enhance fraud detection and give customers greater control over digital transactions,” the CBN stated. Implementation of the new instant payment provisions begins on 1 July 2026.
The circular emphasised: “Financial institutions are mandated to establish and maintain a temporary watchlist for BVNs implicated in suspected fraudulent transaction(s). A BVN may remain on this temporary watchlist for a maximum period of twenty-four (24) hours; during this period, the BVN owner shall be contacted to provide clarification regarding the identified transaction(s).”
