The Central Bank of Nigeria (CBN) has introduced fresh guidelines for banks and payment service providers. The measures aim to improve the security of instant payment services such as mobile and internet banking.
The directive is contained in a circular dated March 12. Musa Jimoh, director of the payments system policy department at the apex bank, signed the document. The new rules will take effect from July 1.
In the circular sent to financial institutions, the CBN said the new framework seeks to reduce fraud and allow customers greater control over their digital transactions.
Under the policy, financial institutions that offer instant payment services must allow customers to decide whether to participate in the service. Customers will be able to opt in or opt out at any time, although new customers will automatically be enrolled when their accounts are opened.
“Customers shall have the option to opt-out of/opt-in to IP service at any time and for any given period. This process shall be subject to Multi-Factor Authentication (MFA) control. Default setting shall be Opt-in upon on-boarding a new customer,” the CBN said.
The regulator explained that customers who opt out of the service will not be able to make online instant transfers to other accounts during that period. Such customers will only be able to carry out transfers by visiting their financial institution physically.
“In the opt-out mode, a customer shall not be able to carry out online instant transfer of funds (intra or inter) from his/her account to another customer. However, customer can physically visit the financial institution to effect transfer during this period.”
The apex bank also directed financial institutions to permit customers to modify their transaction limits. The changes must remain within the existing ceilings of N25 million for individual accounts and N250 million for corporate accounts.
According to the circular, banks must conduct enhanced due diligence and risk assessment before approving any adjustment.
“Any such adjustment shall be subject to enhanced due diligence and appropriate risk assessment by the financial institution,” the circular added.
“The new transaction limit shall take effect immediately upon successful completion of multi-factor authentication (customer consent).”
The CBN further instructed banks and payment providers to deploy enterprise fraud monitoring systems that will track inflows and outflows in customer accounts. The systems must detect suspicious transactions and restrict them when necessary.
The regulator also introduced stricter procedures for opening or reactivating accounts online. These processes must now include liveness checks that verify information in the bank verification number and national identification number databases.
Liveness checks require users to interact with their devices through actions such as blinking, smiling, turning their heads, or speaking. The process confirms that the user is physically present.
For mobile financial services, the CBN said applications must be linked to only one device at a time.
“Binding Mobile financial services applications (apps) shall only be enabled on one device at a time, and customers cannot operate the apps concurrently on multiple devices,” the apex bank said.
The circular added that switching to another device will trigger a fresh activation and authentication process. The CBN also placed temporary limits on transactions within the first 24 hours after a mobile banking app is activated.
“Migration to another device shall trigger automatic re-activation and authentication. For new accounts, transaction limits (inflow and outflow) shall be imposed on a newly activated mobile financial services app in the first 24-hours of activation.
“The limit shall be as determined by the financial institution, subject to a maximum transaction limit of N20,000.00.
“For existing accounts, transaction limits (outflow) shall be imposed on a newly activated mobile financial services app in the first 24-hours of activation. The limit shall be as determined by the financial institution, subject to a maximum transaction limit of N20,000.00.
“For internet banking access, first-time log on a new device shall require additional MFA.”
The CBN said the guidelines represent the minimum standards for instant payment services in Nigeria. The regulator added that the measures align with its responsibility “to enhance customer protection, strengthen fraud detection, and improve control over digital payment services”.
