NIGERIA’S NEW PAYMENT DATA LOCALISATION REQUIREMENT: WHAT FINANCIAL INSTITUTIONS AND FINTECH COMPANIES MUST DO BEFORE JANUARY 2027

Introduction

In a significant policy shift that is set to reshape Nigeria’s financial services landscape, financial institutions and payment ecosystem participants have been directed by the Central Bank of Nigeria (“CBN”) to ensure that all payment transaction data generated within Nigeria are stored and managed within Nigeria. The Directive provides that:

“All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payments transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria. Accordingly, all affected Financial Institutions shall fully comply with this requirement effective January 1, 2027.”

  • Understanding the Directive: Data Localisation vs Data Residency

Under data protection law, a requirement that data must reside or be stored within a particular country falls under one of two categories, depending on the stringency of that requirement. Data residency applies when data has a primary physical location, but copies can legally be transferred, processed, or stored abroad. Data localisation, on the other hand, is a strict mandate requiring data to remain exclusively within a specific jurisdiction.

Both concepts stem from data sovereignty, which means data is governed by the laws of the jurisdiction where it is physically located. This reflects a global trend of governments seeking greater control over strategic data, especially in sectors critical to national security and economic stability.

  • Applicable Laws: NDPA 2023 and CBN Directive

The Nigeria Data Protection Act 2023 (“NDPA”), which is the primary legislation on data protection in Nigeria, does not prohibit cross-border data transfers. It establishes a framework under which personal data may be transferred outside Nigeria where certain safeguards or legal grounds exist. These safeguards include lawful basis, adequacy of protection, and presence of alternative grounds for transfer. (See Part VIII, sections 41-43 of the Act, which govern international transfers of personal data.) Furthermore, the Nigeria Data Protection Commission (NDPC), as the regulator under the Act, is empowered to impose restrictions on data processing in Nigeria and make regulations governing cross-border transfer of data.

The CBN, as regulator of the banking industry, is statutorily empowered to regulate the activities of financial sector participants, and the control of payments data comes within its purview. The CBN’s Directive goes beyond a mere obligation to keep customers’ payments data within Nigeria. By mandating that payment transaction data be both “stored and managed” in Nigeria, the CBN is emphasising local control, administration, and governance of critical payment infrastructure and information assets. Therefore, from a regulatory interpretation perspective, this may be described as a mandatory local storage and management (data localisation) requirement. The requirement means that financial institutions and fintech companies will need to examine the following:

  1. Where their data is hosted;
  2. Whether backups are maintained abroad;
  3. Whether cloud providers replicate data outside Nigeria;
  4. Where data administrators and management functions are located; and
  5. Whether existing hosting arrangements align with the regulator’s expectation. This is particularly important because a company may use a global cloud provider such as Amazon Web Services, Microsoft, or Google and still comply with localisation requirements if the relevant data is stored in servers located in Nigeria and managed in Nigeria.

The CBN Directive seeks to control the storage and management of personal data. While the requirement of the Directive may appear straightforward, its implications are nevertheless far-reaching. For banks, fintech companies, payment service providers, switching companies, mobile money operators, and other stakeholders within the payments ecosystem, the directive signals a transition towards a more robust data localisation framework and raises important legal, operational, technological, and compliance considerations. The message of the CBN is clear: payment transaction data generated in Nigeria must have a primary home within Nigeria.

  • What Entities are Affected by the CBN Directive?

The directive applies to two broad categories of entities: financial institutions and participants facilitating payments within Nigeria. Financial institutions typically include the Deposit Money Banks (commercial, merchant, non-interest banks), Microfinance Banks, Payment Service Banks (PSBs) and Mobile Money Operators (MMOs).

The second category captures a significant portion of the Nigerian payments ecosystem and includes Payment Solution Service Providers (PSSPs), Payment Terminal Service Providers (PTSPs), Payment Terminal Service Aggregators (PTSAs), super-agents involved in payment services, switching and processing companies, payment gateways, finance companies and fintech companies that facilitate electronic payments, and any other CBN-licensed entity involved in initiating, processing, clearing, settling, switching, transmitting, or facilitating payment transactions within Nigeria.

  • What Risks Do Companies Face if They Fail to Comply?

Affected entities have until 1st of January 2027 to comply with the new data localisation requirement. Failure to comply with the Directive may expose affected entities to various regulatory consequences, including:

– Regulatory sanctions and penalties by the CBN and NDPC;

– Licence-related enforcement actions by the CBN;

– Restrictions on operations by CBN and NDPC;

– Increased supervisory scrutiny by CBN and NDPC;

– Reputational damage to business;

– Potential contractual and litigation risks.

Given the strategic importance of payment data, regulators are likely to treat non-compliance as a serious regulatory breach.

  • What Practical Steps Should Financial Institutions and Fintechs Take?

The directive introduces several compliance challenges, particularly for fintech companies that do not currently maintain significant local data storage infrastructure. Many of these firms rely heavily on international cloud service providers and globally distributed data architectures. To meet the compliance deadline, financial institutions and fintech companies should begin taking proactive measures immediately. Key steps include:

  1. Data Mapping & Review Existing Technology Infrastructure: Affected entities should conduct a comprehensive mapping of payment transaction data flows and review existing infrastructure. Identify the types of payment data collected, where they are stored, the countries involved, who manages the data, and whether any components are hosted outside Nigeria. Based on the findings, institutions may need to establish local technical teams, security operations, and governance structures to demonstrate that data management functions are genuinely performed within Nigeria.
  2. Renegotiate Vendor Agreements: Existing agreements with foreign cloud providers may require review and renegotiation to ensure compliance with the Directive. Contracts with cloud service providers and technology vendors should be reviewed to ensure that localisation requirements can be met before the implementation deadline.
  3. Infrastructure Migration: Redesign systems, relocate databases, and establish local servers or partner with Nigerian data centre providers. This may require a significant overhaul of existing infrastructure. Fintech companies, in particular, should develop a phased migration roadmap that identifies where data currently resides abroad and sets clear timelines, governance structures, and accountability mechanisms for relocation.
  4. Strengthen Data Governance Frameworks: Update internal policies on data classification, storage, and cross-border transfers. Boards of Directors and senior management must ensure that compliance with data localisation becomes an integral part of enterprise risk management and regulatory compliance programmes.
  5. Compliance Gap Assessment: Conduct a gap analysis to identify changes required under the CBN Circular, especially in relation to data localisation, beneficial ownership (UBO) disclosure, market-share thresholds, and monthly reporting obligations.
  6. Operational & Cybersecurity Risk Assessment: Evaluate risks associated with local storage or hosting arrangements. Implement appropriate mitigation measures to enhance resilience, cybersecurity, and business continuity.
  7. Beneficial Ownership (UBO) Review: Assess corporate and shareholding structures, particularly where offshore entities or complex arrangements may affect disclosure. Verify UBO records to ensure they are accurate, complete, and readily available for CBN review.

Conclusion

The future of Nigeria’s digital economy will increasingly be shaped not only by how data is generated and used, but also by where that data is stored and who ultimately controls it. For financial institutions and fintech companies, the period between now and January 1, 2027 should be viewed as a critical transition window. Organisations that begin planning early will be better positioned to manage costs, reduce regulatory risk, and maintain operational continuity. Those that delay may find themselves facing significant compliance challenges as the implementation deadline approaches.