CBN’s Data Localisation Mandate: What Nigerian Fintechs Need to Know

Introduction

For over ten years, Nigeria’s fintech companies have grown rapidly by storing their data and running their apps on massive foreign tech platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud. These global platforms, usually based in Europe or America, made it very easy for local startups to scale up smoothly, protect their data, and launch software updates quickly. However, a new directive from the Central Bank of Nigeria (CBN) is changing the rules. Moving forward, financial data must stay within Nigeria, a shift that introduces new rules every financial tech company must follow immediately.

This edition of TALP’s TechBrief breaks down the new CBN rules in plain language. We will look at what the mandate means, how it impacts local fintech businesses, where companies can safely move their data within Nigeria, and the practical steps leaders must take to protect their operating licenses before the 2027 deadline.

 

The Localisation Mandate

On June 15th, 2026, the CBN issued a directive stating that all payment and financial transaction data created in Nigeria must be processed, stored, and managed inside Nigeria. The CBN has set a strict deadline of January 1st, 2027. This means fintechs can no longer keep their primary data on servers outside the country. Notably, in the directive, the CBN focuses specifically on “payment transaction data”. In plain terms, this means almost any digital footprint left behind when money moves online. It includes payment receipts, transaction logs, account balance histories, card details, and personal user information linked to Nigerian bank accounts.

 

Who the Circular Affects

While the CBN circular is directed at licensed financial institutions, its actual reach is much broader. The rule is framed to apply not only to regulated entities but also to any party involved in facilitating payments within Nigeria. In practice, this creates both direct and indirect compliance obligations across the fintech ecosystem.

  1. Directly Regulated Entities: The primary obligation sits with CBN-licensed operators. This includes deposit money banks, microfinance banks, mobile money operators, switching companies, and payment solution providers. These entities are explicitly required to ensure that all payment transaction data generated within Nigeria is stored and managed locally. For these players, compliance is mandatory and subject to direct regulatory enforcement by the CBN.
  2. Non-Licensed Fintech Companies: Startups and technology companies that do not hold a CBN licence are not expressly named as primary obligors. However, many of these businesses play a critical role in enabling payments, whether through APIs, embedded finance solutions, payment orchestration layers, or merchant platforms. To the extent that these companies process, store, or otherwise handle payment transaction data, they fall within the broader category of “participants facilitating payments” as used in the CBN’s circular. In effect, this means that while the obligation may not apply to them directly as a matter of licensing, it will apply to them contractually and operationally. Licensed partners (such as banks or PSSPs) will be required to ensure end-to-end compliance and may, in turn, impose data localisation requirements on their partners.

 

What This Means for Fintech Businesses

This shift is going to change how fintechs operate behind the scenes. Here are the four biggest impacts:

  1. Higher Costs: Complying with the localisation requirement is capital-intensive. Many Nigerian fintechs have historically relied on global cloud providers because of their cost efficiency, scalability, and reliability. Transitioning away from these providers will require substantial upfront and ongoing investment. First, companies may incur migration costs, including re-architecting systems, transferring large volumes of data, and potentially paying penalties for early termination of existing foreign cloud contracts. Second, there is the option of building proprietary infrastructure. However, setting up and managing private servers is significantly more expensive than using established cloud platforms. It involves capital expenditure on hardware, data centre space, cooling systems, redundancy architecture, and ongoing maintenance.
  2. Higher Risks: The more critical challenge is infrastructure risk. Nigeria’s data centre ecosystem is still maturing, with many providers lacking the long-term reliability track record of global platforms. This creates a trust gap for fintechs that depend on high availability and data integrity. Persistent infrastructure issues further heighten this risk (i.e., power instability and evolving technical capacity). Given that payment systems rely on real-time processing, any downtime, latency, or data failure can directly impact transaction success rates, customer trust, and regulatory compliance. As a result, data localisation is not just a compliance exercise; it introduces material operational risk that must be actively managed.
  3. Regional Business Separation: For fintech groups operating across multiple jurisdictions, the circular introduces additional complexity. Nigerian operations can no longer rely on shared or centralised data infrastructure hosted outside the country. Instead, companies must isolate Nigerian payment data within local systems, even where they operate unified platforms across several markets. This effectively forces a level of operational ring-fencing and may require restructuring of data architecture, governance frameworks, and internal data flows.
  4. Vendor Supply Chain Risk: Fintechs rely heavily on outside partners for critical services like card payments and identity verification. Where these vendors handle or have access to payment transaction data generated in Nigeria, their systems must align with the localisation requirement. Fintech companies will, therefore, need to conduct detailed vendor audits and, where necessary, renegotiate service arrangements to ensure that no payment data is transferred, processed, or stored outside Nigeria in breach of the directive.

 

The Local Data Infrastructure Landscape

A growing number of domestic data centre providers have emerged in Nigeria, reflecting gradual maturation in the country’s digital infrastructure. Key players include MDXi (MainOne), Galaxy Backbone, and Medallion Data Centres, alongside a new wave of local cloud providers such as Layer3Cloud and Cloudflex offering in-country hosting solutions. While these options collectively expand the availability of secure local storage and processing capabilities, reliability, and service depth still vary across providers, requiring careful evaluation by fintech operators.

 

A Compliance Roadmap for Boards and Management

With the countdown to 2027 underway, regulated fintechs, payment service providers, and any institutions directly handling payment transaction data must treat compliance as a priority business risk. To prepare, boards and management teams should take the following steps:

  1. Comprehensive Data Mapping Audits: Track exactly how data moves through your business. Find out precisely where user information and transaction logs are currently being saved to see if any part of your system relies on foreign servers.
  2. Hybrid Cloud Architecture Design: You do not have to move every part of your business. Keep non-sensitive parts like your marketing tools, customer service dashboards, or website design on global clouds. Only move the core money-handling engines and financial transaction databases onto local Nigerian servers.
  3. Vendor and SLA Renegotiation: Review all contracts with third-party service providers to add clear clauses showing guarantees from these providers that they will process and store your data within Nigeria.
  4. Proactive Regulatory Engagement: Do not wait until the final deadline before sharing your step-by-step data migration plan with the CBN during routine compliance checks to prove that your company is actively working toward full compliance.
  5. Phased Migration Execution Plan: Avoid last-minute disruption by implementing a staged migration approach prioritising high-risk systems first, testing performance in local environments, and gradually decommissioning foreign infrastructure.
  6. Business Continuity and Redundancy Planning: Develop robust disaster recovery and failover strategies within Nigeria. This includes using multiple local data centres or availability zones to reduce the risk of downtime due to power, network, or facility failures.

 

Looking Ahead

The CBN’s data localisation mandate signals a broader policy shift toward tighter regulatory control over national financial data. This approach is not unique to Nigeria, markets such as India, China, and Russia have implemented similar frameworks to ensure that critical financial data remains accessible to domestic regulators and subject to local legal oversight.

For Nigerian fintechs, the path forward is less about resistance and more about strategic adaptation. While localisation introduces short-term cost pressures and technical complexity, early compliance presents a clear competitive advantage. Fintechs that secure their local data infrastructure early will not only protect their business licenses, but win deeper trust from everyday consumers, and prove to international investors that they are built to last in a highly regulated market.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Posts

26/07/2024
The Would-be Impact of the SEC-NECA Partnership on the Nigerian Capital Market

Did you know that there is a partnership between SEC and NECA? In 2021, the Securities and Exchange Commission (SEC) partnered with the Nigeria Employers’

18/07/2024
Accelerating SaaS Sales through Contract Optimization

The typical Software as a Service (SaaS) Company is fast-paced and driving sales is not just about innovative products and aggressive marketing; it’s also about