CBN Mandates Enhanced Security Protocols for Instant Payments to Combat Fraud

The Central Bank of Nigeria (CBN) is significantly bolstering its efforts against internet fraud through comprehensive new guidance on instant payment (IP) operations. This policy document introduces sweeping measures designed to fortify IP operations, elevate security protocols, enhance consumer protection, and ensure alignment with international best practices. These stringent new rules are poised to curb electronic fraud and empower customers with greater control over their digital transactions.

A key provision allows customers to voluntarily disable instant transfers on their accounts for any specified period, while retaining the ability to conduct transfers in person at bank branches. In a recent circular, the CBN stipulated that both opt-in and opt-out processes for these features must be secured with multi-factor authentication (MFA). While all new accounts will be automatically enrolled in instant payment services, customers will have the flexibility to alter this preference subsequently.

Financial institutions are mandated to comply with these directives, enabling customers to set lower personal transaction limits, subject to verification and risk assessment, without altering existing regulatory ceilings. Furthermore, banks are required to deploy real-time enterprise fraud monitoring systems and strengthen identity verification processes for both online account opening and reactivation.

The apex bank has also directed that mobile banking applications will be restricted to a single device at any given time. Upon activation on a new device, such applications will carry a temporary transaction limit of N20,000 for the initial 24 hours. The previous framework did not mandate features for customers to voluntarily opt in or out of IP services; the new guidelines, however, require financial institutions (FIs) to permit customers to opt out at any time, contingent upon successful Multi-Factor Authentication (MFA).

Under the new regime, customers will be onboarded in an opt-in mode by default. Customers who have opted out will be unable to perform instant online fund transfers from their accounts, though such transfers will remain accessible via physical branch visits. Previously, transaction limits were fixed at N25,000,000 for individuals and N250,000,000 for corporate entities, with no provision for personalised limits within these thresholds. The revised guidelines permit both individuals and corporate entities to adjust these limits as needed, subject to enhanced due diligence and appropriate risk management by the FI. The new transaction limits will only become effective after the customer completes Multi-Factor Authentication (MFA).

Financial analysts note that the guidelines also address online account opening and reactivation scenarios, introducing enhanced security measures. These include a “liveliness check” of the online account, real-time validation against the BVN/NIN database, and the deployment of advanced authentication mechanisms such as biometric authentication, soft tokens, and hard tokens for online account reactivations. A liveliness check is defined as a biometric security measure that verifies a user is a live, physically present human by analysing facial traits like skin texture, eye movement, and depth, thereby preventing spoofing attacks during remote onboarding or transactions.

The guidelines incorporate a mandatory fraud monitoring functionality, requiring FIs to implement and activate enterprise-wide monitoring for both incoming and outgoing transactions. This measure aims to restrict suspicious transactions in real-time, facilitating prompt fraud detection and response. The previous framework allowed concurrent use of mobile banking applications across multiple devices. The new guidelines restrict mobile banking applications to one active device at a time, prohibiting simultaneous use. Switching to a new device will automatically deactivate the previous one, followed by a re-activation and authentication process.

For mobile financial services applications and internet banking, the CBN has introduced specific measures. New account owners activating a mobile banking application will face an initial 24-hour limit on inflow and outflow transactions, capped at N20,000. Existing account owners activating a mobile banking application will also experience a similar N20,000 outflow transaction limit for the first 24 hours. Notably, first-time logins on a new device for internet banking will necessitate enhanced Multi-Factor Authentication (MFA).

These guidelines are critically important in the ongoing fight against internet fraud and related issues that erode customer confidence in the financial system. The Central Bank of Nigeria’s foresight in introducing these Guidelines on Instant Payment Functionalities for Financial Institutions represents a significant advancement in safeguarding digital transactions nationwide.

From July 1, 2026, financial institutions must implement these measures. The guidelines mandate comprehensive security and Data Protection Impact Assessments (DPIAs) to ensure compliance with the Nigeria Data Protection Act 2023, particularly concerning mandatory features such as multi-factor authentication (MFA), facial recognition, and continuous transaction monitoring.
