Following reforms to its anti-money laundering, counter-terrorism financing, and counter-proliferation financing (AML/CFT/CPF) framework, Nigeria was removed from the Financial Action Task Force (FATF) list of “Jurisdictions Under Increased Monitoring” (Grey List) in 2025. Subsequently, in January 2026, the European Commission (EC) followed with a formal delisting of Nigeria from its list of “High-Risk Third Country Jurisdictions for Money Laundering and Terrorism Financing.”
These developments reflect measurable regulatory progress. However, delisting does not eliminate scrutiny. It places an ongoing obligation on Nigeria to maintain the effectiveness of its AML/CFT/CPF regime in order to avoid renewed listing. Within this context, the Central Bank of Nigeria’s Baseline Standards for Automated Anti-Money Laundering Solutions (the “CBN Baseline Standards”) represent a key regulatory instrument for sustaining compliance.
This edition of TALP’s Tech Brief examines the CBN Baseline Standards and outlines the obligations they place on financial institutions operating in Nigeria.
Background to The Circular
Nigeria’s payment system has expanded rapidly, driven by digital adoption across multiple channels. Instant Payment volumes processed through NIBSS have increased significantly, with fintech platforms processing trillions of naira in transactions annually. Mobile money services have moved from a peripheral product to a mainstream channel. IMTOs’ remittance inflows are reaching record highs.
The CBN Baseline Standards recognise that, as financial services become more complex and transaction volumes increase, manual AML/CFT/CPF controls are no longer sufficient to manage evolving risks.
In practice, many institutions continue to rely on manual alert review processes despite high transaction volumes, creating operational constraints. Automated AML solutions are designed to address this gap by enabling risk-based monitoring, timely detection of suspicious activity, and more efficient reporting to regulators.
Such systems may incorporate rules-based approaches, artificial intelligence, machine learning, or a combination of these technologies, provided they operate within defined governance and validation frameworks.
The CBN Baseline Standards
On March 10, 2026, the Central Bank of Nigeria (CBN) issued Circular BSD/DIR/PUB/LAB/019/002, titled “Issuance of Baseline Standards for Automated Anti-Money Laundering (AML) Solution for Financial Institutions in Nigeria.” (The “CBN Baseline Standards”) The Baseline Standards establish minimum functional, governance, and control requirements for automated AML/CFT/CPF solutions. They do not replace existing legal obligations but clarify regulatory expectations for the technology used to support compliance. The Framework is designed to:
- ensure proactive, risk-based monitoring in line with FATF principles.
- promote interoperability between AML solutions and core banking or payment systems.
- leverage Artificial Intelligence (AI) and Machine Learning (ML) to improve detection quality and reduce false positives.
- provide a framework for continuous system improvement through regular tuning, validation, back-testing, and governance.
All CBN-regulated institutions are required to implement automated AML/CFT/CPF solutions. These systems must support core functions including customer due diligence, risk assessment, sanctions and PEP screening, transaction monitoring, case management, reporting, audit, and data protection. Implementation is expressly risk-based. The CBN requires that the extent, configuration, and sophistication of AML solutions be adjusted to each institution’s size, transaction volumes, operational complexity, and documented ML/TF/PF risk profile. Accordingly:
- institutions with higher transaction volumes or risk exposure are expected to deploy more advanced and integrated systems;
- smaller or lower-risk institutions may implement proportionate solutions; and
- institutions operating in higher-risk sectors must apply enhanced monitoring regardless of size.
Scope
The CBN Baseline Standards apply to all CBN-regulated institutions in Nigeria, including:
- Deposit Money Banks;
- Other Financial Institutions, including Payment Service Providers (PSPs), Mobile Money Operators (MMOs), International Money Transfer Operators (IMTOs), Fintechs, Microfinance Banks (MFBs), Finance Companies, Mortgage Institutions; and
- Any other CBN-regulated entity
Applicable Timelines
The circular sets the following (fixed) compliance timelines from the date the CBN Baseline Standards were issued:
What are the CBN Baseline Standards?
The CBN Baseline Standards prescribe minimum functional, governance, and control requirements for automated AML/CFT/CPF solutions. At a minimum, compliant systems must support the following core capabilities:
1. Customer Due Diligence (CDD), KYC, and KYB: The AML solution must support automated, risk-based onboarding and ongoing due diligence for individuals and legal entities. This includes integration with national identity infrastructure, such as BVN and NIN, for real-time identity corroboration. Customer profiles must incorporate attributes such as occupation, income, geography, and business activity, and must be continuously synchronised with transactional behaviour. The system must ensure that identity data and transactional activity are assessed holistically, not in isolation.
2. Risk Assessment: The AML solution must support automated and configurable risk assessment at both customer and enterprise levels. Risk scoring must be dynamic, adjusting to behavioural changes, new data inputs, and external risk indicators. Institutions are required to conduct periodic ML/TF/PF risk assessments and ensure that system configurations (i.e., rules, scenarios, and thresholds) are aligned with documented risk appetite and risk assessments. Where AI or machine learning models are used, they must operate within a governed framework with validation, explainability, and human oversight.
3. Sanctions, Watchlist, and PEP Screening: The solution must integrate with domestic and international sanctions lists (including UN and other applicable global lists), internal watchlists, and PEP registers, and support real-time or near real-time screening at onboarding and during transactions. Matching logic must detect name variations using advanced techniques (e.g., fuzzy matching). The system must also support adverse media monitoring. Confirmed matches must trigger appropriate controls, including automated blocking or restriction of onboarding or transactions, in line with regulatory requirements.
4. Transaction Monitoring for ML/TF/PF: The solution must enable real-time or near real-time, risk-based monitoring of transactions and customer activity, with the capability to detect suspicious patterns and fraud indicators using advanced analytics where appropriate. AML and fraud systems may be separate, but must exchange risk signals seamlessly, with higher-risk institutions expected to adopt unified financial crime frameworks. Automated closure is limited to clearly defined low-risk alerts under strict governance and back-testing, while high-risk alerts require timely human review.
5. Case Management: The AML solution must include an Enterprise Case Management (ECM) capability that automates the lifecycle of alert investigation, including case creation, assignment, prioritisation, escalation, and closure. Role-based workflows, including maker-checker controls, must be enforced.
6. Regulatory and Internal Reporting: The solution must support automated or semi-automated generation of regulatory reports, including STRs, SARs, Currency Transaction Reports (CTRs), Foreign Currency Transaction Reports (FTRs), and other required returns, in CBN-prescribed formats. Reports must be accurate, complete, and submitted within the required timelines to the NFIU. Manual reporting processes, where they persist, must not compromise timeliness or accuracy. The system must also support internal management reporting for oversight by senior management and the board.
7. Audit and Governance: The AML solution must maintain a comprehensive, tamper-proof, and immutable audit trail of all system and user activities, including configuration changes, access events, user identities, alert handling, and reporting actions. Maker-checker controls must ensure segregation of duties, such that initiation and approval functions are performed by different users. The system and its governance processes must be subject to periodic independent audit.
8. Security and Data Protection: The AML solution must implement robust security controls to protect the confidentiality, integrity, and availability of data. This includes encryption of data at rest and in transit, role-based access controls, and multi-factor authentication. Institutions must ensure compliance with the Nigeria Data Protection Act and other applicable data protection and data sovereignty requirements. Data retention, recovery, and destruction policies must be clearly defined and implemented.
9. Other Requirements (Third-Party and Operational Controls): Institutions must implement a comprehensive third-party risk management framework for AML solutions, covering procurement, implementation, support, change management, incident response, and exit. All supporting vendors, including cloud and shared service providers, must comply with the Baseline Standards and applicable CBN regulations. Institutions are also required to align with recognised AI governance standards, including ISO 42001 where applicable.
Sanctions and Enforcement
Sanctions under existing CBN and general AML/CFT/CPF laws will extend to individuals, including Boards and executive management where controls are found inadequate. Enforcement mechanisms will include off-site surveillance (where CBN monitors data remotely), on-site examinations (physical audits by CBN), and thematic regulatory reviews (where CBN carries out sector-wide assessments).
Immediate Priorities For Compliance
To meet regulatory expectations, institutions should prioritise the following actions:
- Conduct a comprehensive gap assessment of existing AML systems against the Baseline Standards.
- Determine whether to upgrade current infrastructure or deploy new solutions capable of end-to-end AML functionality.
- Map and validate all relevant data sources and system integrations, including KYC and transaction data.
- Strengthen governance frameworks covering oversight, vendor management, data protection, and model validation.
- Develop and obtain board approval for implementation roadmaps aligned with regulatory timelines.
- Establish ongoing controls, including periodic validation of AI/ML models, back-testing of automated decisions, and documentation of system tuning.
Key Takeaway
Nigeria’s removal from the FATF Grey List in 2025 and the European Commission’s high-risk list in 2026 marks progress, but not completion. These developments signal a transition from achieving compliance to sustaining it. For financial institutions, the central issue is no longer whether to comply, but whether their systems, controls, and implementation strategies are sufficiently robust to meet ongoing regulatory scrutiny.
