Nigeria’s payment sector has witnessed significant growth over the past decade. Driven by financial inclusion, the sector has experienced rapid technological innovations. As payments solutions expands, payment solutions companies must navigate a complex regulatory landscape and also maintain efficiency, security and consumer protection.
The Central Bank of Nigeria (“CBN”) being the regulator for this sector, continues to play a central role in shaping operations through licensing requirements, supervisory oversight, guidelines and policy frameworks.
This article outlines key best practices for payment solutions companies operating in Nigeria with a focus on regulatory compliance.
- Alignment with Licensing Framework
A foundational requirement for any payment solutions company is strict adherence to the scope of its licence. The CBN has categorised payment system providers into the following classes:
a. Payment Solution Service Providers (“PSSPs”)
b. Payment Terminal Service Providers (“PTSPs”)
c. Mobile Money Operators (“MMOs”)
d. Switching and Processing Companies
Each category comes with clearly defined permissible activities. E.g only MMOs are permitted to hold customers’ funds while PSSPs are restricted to processing and facilitating transactions. Companies should ensure that all products and services remain within the scope of their licence and they must seek prior regulatory approval before introducing new products or expanding into additional service areas.
2. Corporate Governance Structures
Strong corporate governance is important not only as a best practice, but also for sustainability. Some key components of best corporate governance practices, are as follows:
a. The Board must comprise of a minimum of five members and must have the appropriate balance of executive and non-executive directors and the combination of their experiences must be diverse enough to produce an effective Board.
b. The Board must consist of at least one independent non-executive director to provide objective opinion and unprejudiced judgment.
c. At a minimum, the Board must have Board Committees comprising of Audit, Risk and Governance.
d. Annual trainings on Anti-Money Laundering and Countering Proliferation Financing must be conducted for Board members.
e. Companies must engage an independent consultant to conduct annual Board appraisal.
f. The Board must have a Charter and a conflict-of-interest policy. The conflict-of-interest policy may be included into the Board Charter as a clause.
g. The Board must hold a minimum of four Board meetings annually.
h. The company must maintain the independence of control functions by ensuring that the Compliance Officer, Chief Information Security Officer and Risk Officer report directly to the Board.
3. Maintenance of Minimum Share Capital
Beyond the initial licensing requirement, payment companies are required to continuously maintain the minimum share capital applicable to their licence category. This is a prudential requirement and it also shows financial soundness. To maintain minimum share capital, payment companies must put measures in place to monitor capital adequacy on an ongoing basis and ensure that paid-up share capital is not affected by operating losses.
4. Periodic Regulatory Filings and Reporting Obligations
Timely and accurate regulatory reporting is a core expectation of the CBN. Failure to meet filing obligations is treated as a serious compliance breach, regardless of sound operations. Payment solutions companies must ensure that they submit monthly, quarterly and annual returns to the relevant regulators. The submissions must be done within the regulatory timelines. Some periodic returns are as follows:
a. Volume and value of transaction which must be submitted to the CBN monthly
b. Fraud forgeries report which must be submitted to the Nigerian Financial Intelligence Unit (“NFIU”) monthly. Even where there are no records of fraud, companies must fil nil returns monthly.
c. Audited Financial Statements (“AFS”) which must be submitted on or before the 31st of March every year. Companies must ensure that only Board approved AFS are submitted to the CBN.
d. Consumer protection compliance report
e. AML/CFT compliance report including proof of staff and Board trainings on AML/CFT compliance.
f. Monthly management accounts which must be submitted to the CBN monthly.
g. Notice of changes in the Board and Management structure.
h. Notice of change in share structure.
i. Suspicious activity reports to the NFIU
j. Annual data protection compliance audit report to the Nigeria Data Protection Commission (“NDPC”) which must be submitted on or before the 31st of March every year.
k. Tax filings to the State Internal Revenue and the Nigerian Revenue Service.
l. Companies are also to promptly notify the CBN of material incidents, including system failures, security breaches or significant operational disruptions.
5. Appointment of Internal and External Auditors
Payment companies must engage in periodic internal and external audits, as these are essential for ensuring transparency and regulatory compliance. Regulators expect payment companies to maintain independent and effective audit functions capable of identifying operational, financial, regulatory, and technology-related risks.
Accordingly, payment companies are required to appoint external auditors to review their financial records and assess compliance. In addition, companies are expected to establish an internal audit function to conduct ongoing reviews of internal controls, risk management systems, operational processes, and compliance.
Regular audits assist in detecting deficiencies and ensuring that the company’s operations remain aligned with regulatory expectations.
6. Cybersecurity and Data Protection
Digital transactions comes with increased exposure to fraud and cyber threats. Payment companies are expected to deploy advanced security measures to protect customer data and financial assets. To prevent a security breach, companies must do the following:
a. Encrypt sensitive customer and transaction data
b. Implement real time fraud detection systems.
c. Conduct vulnerability assessment and penetration testing from time-to-time.
d. Implement multi-layered security and authentication standards
e. Register with the Nigeria Data Protection Commission as a Data Processor/Controller and carry out regular data protection compliance audit.
7. Prioritising Consumer Protection
The confidence of consumers is central to payments systems companies. best practices requires that payment companies implement efficient mechanisms for complaint resolution. There must be transparency in pricing and support channels must be easily accessible. Customer complaints must be addressed within defined timelines.
8. Maintenance of Up-to-date Compliance and Operational Manuals
Well documented and regularly updated operational policies are mandatory for regulatory compliance and effective risk management. Regulators expect payment companies to maintain an all-encompassing, current and enforceable policy framework. The frameworks must reflect the actual business operations of the company.
At a minimum, payment companies should have the following documented policies:
a. Corporate Governance Policy
b. Compliance Policy
c. Anti-Money Laundering/Counter Terrorism Financing/Countering Proliferation Financing (AML/CFT/CPF) Policy.
d. Data Protection Policy
e. Enterprise Risk Management Framework
f. Business Continuity/Disaster Recovery Plan
g. Information Security Policy
h. Privacy Policy
i. Dispute Resolution Policy
j. Third Party Transaction Policy
k. Code of Conduct/Ethics
l. Internal Control Policy
m. Audit Charter
n. Access Control Policy
These policies should not exist merely as documentation. They must be implemented.
9. Solidifying Control Mechanisms
Payment companies should embed regulatory compliance into core operations. For effective solidifying of control mechanisms, companies are required to implement sound Know Your Customer (“KYC”) and AML/CFT/CPF Controls. This also requires that they conduct staff trainings and awareness regularly.
10. Implementation of Automated Anti-Money Laundering Solutions
By a Circular dated 10th March, 2026, the CBN released Baseline Standards for Automated Anti-Money Laundering (“AML”) Solutions for Financial Institutions in Nigeria, 2026 (“the Standards”). It applies to all financial institutions under the supervision of the CBN.
The obligations imposed by the Standards is a mandatory regulatory compliance obligation which are as follows:
a. A statutory and supervisory obligation requiring financial institutions to implement automated AML/CFT/CPF systems.
b. A continuous compliance obligation as institutions are not to only deploy the technology. They are required to also maintain, monitor, update and ensure the continuous effectiveness of the AML solutions.
c. A risk-based obligation because institutions must tailor their AML frameworks to the nature, size, complexity and risk exposure of their operations.
d. A technology driven operational obligation, requiring the integration of automated tools for customer due diligence, sanctions screening, transaction monitoring, fraud detection, reporting, audit and governance.
11. Proactive Regulatory Engagement
Payment companies are required to maintain a transparent and cooperative relationship with the regulators especially where there have been any material changes in the company’s operations. In such instances, regulatory approvals will be required.
In conclusion, operating a payment solutions company in Nigeria requires more than innovation. Companies must stay within their licence scope, maintain required capital, keep accurate regulatory filings, and implement governance, audit, and operational controls.
Non-compliance carries severe consequences. The regulator or any other relevant agency may impose regulatory sanctions including monetary penalties, restrictions on operations, suspension of certain services, or in extreme cases, revocation of licence. Beyond regulatory sanctions, companies also face reputational damage, loss of customer trust, disruption to business relationships, and potential financial losses.
Companies that put the relevant structures in place are better positioned to remain compliant, earn the confidence of stakeholders and build sustainable businesses in Nigeria’s payments sector.
