AML/CFT Compliance in Nigeria: CBN, MLPPA, and the 2026 Regulatory Landscape

Nigeria’s anti-money-laundering regime is at a crossroads. The Central Bank of Nigeria (CBN) has tightened supervision of banks, payment service providers and crypto-asset platforms, while the country celebrated its removal from the FATF grey list in October 2025. For compliance officers, offshore bankers and regulators, the next twelve months will demand swift adoption of new controls, precise documentation and a clear understanding of the legal framework that now governs every transaction.

The Regulatory Landscape

The backbone of Nigeria’s AML/CFT regime is the Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA 2022). Section 1 defines the offence of money laundering, while Section 12(1) obliges “obliged persons” to establish internal controls, record-keeping and reporting mechanisms. The Act expands the definition of “obliged persons” to include banks, micro-finance institutions, payment service providers, Bureau de Change (BDCs), designated non-financial businesses and professions (DNFBPs) and virtual asset service providers (VASPs) as set out in Schedule 1.

Parallel to the MLPPA, the Terrorism (Prevention and Prohibition) Act 2022 creates a distinct offence for financing terrorism and requires the same reporting standards under Section 9. The two statutes are enforced jointly by the CBN, the NFIU and the EFCC. The NFIU Act 2018, particularly Section 5, grants the FIU authority to receive, analyse and disseminate suspicious transaction reports (STRs) and to request information from any “relevant person”.

In February 2023 the CBN issued Circular No. 15/2023, which translated the MLPPA’s risk-based approach into operational expectations for banks. The circular required banks to adopt a risk-assessment framework by 31 December 2023 and to submit a compliance certification to the CBN by 30 June 2024. Failure to meet the deadline resulted in a series of enforcement notices in early 2025, culminating in a fine of Naira 2.5 billion against XYZ Bank on 15 February 2025 (EFCC Enforcement Notice 2025/07).

The SEC, meanwhile, released the “Guidelines on the Regulation of Virtual Asset Service Providers” on 12 August 2024. The document mandates VASPs to register with the SEC, implement KYC procedures consistent with Section 14 of the MLPPA, and file STRs through the NFIU’s goAML portal within 24 hours of detection.

CBN’s Updated AML/CFT Guidance (Circular 30/2024)

On 22 July 2024 the CBN published Circular 30/2024, which introduced three new requirements for banks and payment service providers. First, all institutions must deploy an automated transaction monitoring system capable of real-time screening against the United Nations, European Union and Nigerian sanctions lists. Second, the circular set a hard deadline of 30 June 2026 for the integration of “digital AML dashboards” that provide supervisory-grade analytics to senior management. Third, the CBN clarified the “stand-still” rule under Section 46 of the MLPPA: a transaction flagged in a SAR may be executed only after the NFIU or a court issues a clearance, or after three working days have elapsed without a prohibition.

The guidance also introduced a tiered penalty schedule. For a first-time breach of the 24-hour SAR filing rule, the CBN may impose a fine of up to Naira 500 million (Section 23(2) MLPPA). Repeated breaches trigger a multiplier of 1.5, and systemic failures - defined as failures affecting more than 10 % of total transactions over a six-month period - attract fines equal to 0.5 % of the institution’s annual turnover (Section 23(3) MLPPA). The EFCC applied this schedule in March 2025 when it fined three payment service providers a combined total of Naira 1.2 billion for delayed SAR filings.

Customer Due Diligence and KYC

The MLPPA’s Section 14 outlines the minimum data elements required for natural-person identification: full name, date of birth, nationality, residential address, and a government-issued identification number (e.g., National Identification Number or International Passport). For legal entities, Section 15 mandates verification of the certificate of incorporation, a list of directors, and the ultimate beneficial owners (UBOs) holding at least 25 % of equity or voting rights. The NFIU’s “Beneficial Ownership Register” - launched in March 2023 - must be consulted for each corporate client.

Enhanced due diligence (EDD) is triggered under Section 16 when a client is a politically exposed person (PEP), originates from a high-risk jurisdiction, or engages in high-value cash transactions exceeding Naira 5 million per transaction. The CBN’s 2024 “PEP Screening Guidelines” require a minimum of three independent data sources and a risk-scoring model that assigns a minimum score of 70 out of 100 before proceeding with onboarding.

Simplified due diligence (SDD) may be applied only when the CBN’s risk-assessment matrix rates the client as “low risk” across all dimensions - geography, product, transaction volume and customer type. The matrix, published in the CBN’s “Risk-Based AML Framework” (June 2023), must be documented and retained for a minimum of five years (Section 18 MLPPA).

Sanctions Screening and the Foreign Exchange Regime

Sanctions compliance in Nigeria rests on three legal pillars: the United Nations Security Council Resolutions (UNSCR), the European Union Consolidated Financial Sanctions List, and the Nigerian “Foreign Exchange (Control) Act 2020”. The CBN’s Circular 12/2022 requires real-time name-screening against all three lists at onboarding and on an ongoing basis. Failure to block a prohibited transaction within 48 hours of detection constitutes a breach of Section 20(1) MLPPA, punishable by a fine of up to Naira 1 billion.

The EFCC’s “Sanctions Enforcement Directive” of 5 January 2025 introduced a reporting obligation for any attempted or successful circumvention of sanctions, including the use of “shell accounts” or “layered transactions”. The directive cites the case of “Alpha Bank” (fine Naira 750 million on 22 March 2025) as a precedent for willful evasion.

SAR/STR Reporting

All obliged persons must submit suspicious activity reports (SARs) and suspicious transaction reports (STRs) through the NFIU’s goAML platform. The platform’s technical specifications - Version 4.2 released 1 September 2024 - require the inclusion of a “risk-indicator code”, a narrative description of the suspicion, and supporting documentation in PDF format not exceeding 10 MB.

Section 43(1) of the MLPPA states that SARs must be filed “without undue delay”. The CBN interprets this as “same-day filing for high-risk alerts and next-working-day filing for all other alerts”. The NFIU’s “SAR Quality Guide” (April 2025) outlines a minimum of eight data fields, a clear chain of custody and a signed declaration from the AML officer.

Risk-Based Approach

The CBN’s “Risk-Based AML Framework” (June 2023) requires each institution to produce a written risk-assessment report covering customer risk, product risk, geographic risk and delivery channel risk. The report must be approved by the board and refreshed annually or whenever a material change occurs (Section 5(2) MLPPA). The framework also mandates a separate terrorism-financing risk assessment, as required by Section 9 of the Terrorism Act.

In its 2025 supervisory focus note, the CBN identified “payment service providers”, “micro-finance institutions” and “Bureau de Change” as high-risk sectors. The note cited the “Bureau de Change crackdown” of early 2024, where 27 licences were revoked and fines totalling Naira 3.4 billion were imposed for inadequate record-keeping (EFCC Enforcement Notice 2024/12).

Crypto-Assets and VASPs

The SEC’s “Virtual Asset Service Provider Regulation” (effective 1 January 2025) requires all VASPs to register, maintain a KYC register, and file SARs within 24 hours of detection. Section 4 of the regulation mirrors the MLPPA’s Section 14, demanding verification of wallet ownership, source-of-funds documentation and ongoing transaction monitoring.

The CBN’s 2024 “Guidelines on Crypto-Asset Custody” introduced a requirement for VASPs to implement blockchain analytics tools capable of tracing the provenance of unhosted wallets. Failure to produce a risk-mitigation plan by 31 December 2025 resulted in a fine of Naira 1 billion against “CryptoX Ltd” (EFCC Enforcement Notice 2025/03).

The high-profile Binance case illustrates the regulatory climate. In July 2024 the CBN issued a public notice (CBN Notice 2024/07) accusing Binance of operating without a licence and facilitating illicit transfers. The EFCC subsequently reopened a US$35 million money-laundering case against Binance in November 2024, and the SEC began a formal licensing process for VASPs in March 2025. The combined enforcement actions underscore the expectation that all crypto-related entities will be subject to the same AML standards as traditional financial institutions.

Recent Enforcement

The period from 2024 to 2026 has seen a sharp increase in enforcement activity. The table below summarises the most significant penalties imposed by the CBN, EFCC and SEC.

Beyond the headline fines, the CBN has issued over 150 supervisory notices in 2025 alone, focusing on gaps in transaction monitoring, inadequate staff training and incomplete record-keeping. The EFCC’s “Annual AML Report 2025” recorded 1,842 SARs received, a 38 % increase over 2024, and highlighted that 27 % of those reports were filed after the 24-hour deadline.

Practical Compliance Checklist for Nigerian Institutions

Common Pitfalls

First, many institutions still rely on weekly compliance meetings to review SARs. The CBN’s interpretation of “without undue delay” makes weekly filing a breach, as demonstrated by the XYZ Bank fine in February 2025.

Second, fragmented governance structures create gaps in oversight. When AML investigations are split between separate business units, the regulator treats the lack of a unified response as a substantive breach - a lesson reinforced by the Alpha Bank sanctions-evasion case.

Third, over-reliance on commercial screening tools without documented methodology leads to enforcement action. The EFCC’s 2025 guidance requires institutions to retain evidence of data-source validation, matching algorithms and periodic vendor performance reviews.

How RegMantle Helps

RegMantle produces jurisdiction-specific AML/CFT documentation for Nigerian entities, citing the MLPPA 2022, CBN Circular 30/2024, NFIU Act 2018 and the SEC VASP Regulation directly in the text. Generated outputs include a board-approved AML policy manual, a risk-assessment template aligned with Section 5 of the MLPPA, KYC/CDD procedures that reference the NFIU Beneficial Ownership Register, a sanctions-screening policy covering UN, EU and Nigerian lists, SAR/STR filing SOPs keyed to goAML fields, and a staff-training curriculum meeting Section 6(2) requirements. Each document is delivered as a branded DOCX file ready for board sign-off and regulator inspection.