CBN Regulatory Sandbox
The CBN Regulatory Sandbox allows you to test your product with up to 2,000 users before committing to a full license. Application requires a product description, risk assessment, and exit strategy. Processing takes 3 to 4 months. The sandbox period lasts 6 to 12 months with monthly progress reports required. Successful sandbox completion significantly improves full license approval chances.
Payment Service Bank Licensing
PSB licensing requires ₦5 billion minimum capital. Most digital payment apps operate under a Payment Solution Service Provider (PSSP) license with ₦100 million minimum capital. Full license processing takes 6 to 12 months. Legal and licensing costs range from ₦5 million to ₦10 million.
SSL/TLS and Encryption Requirements
The CBN Technology Risk Assessment mandates TLS 1.2 or higher for data in transit. TLS 1.0 and 1.1 are non-compliant. Sensitive data at rest must use AES-256 encryption. Encryption keys must be managed through an HSM or cloud key management service. Annual penetration testing by a CBN-approved firm is required.
KYC Levels and Transaction Limits
CBN mandates three KYC tiers. Level 1 requires name, phone, and date of birth, with a ₦50,000 daily limit. Level 2 adds BVN or NIN verification, with a ₦200,000 daily limit. Level 3 requires physical address verification, with a ₦1,000,000+ daily limit. Your app must support all three tiers and enforce the limits programmatically, on the server side.
AML/CFT Compliance
All fintechs must implement customer due diligence, automated transaction monitoring, and suspicious transaction reporting to the NFIU within 24 hours. Maintain audit trails for five years. Conduct annual AML training. Appoint a CBN-registered compliance officer.
NDPR Data Protection
Register with NITDA and implement data protection by design. Collect minimum necessary data. Implement access controls and maintain processing records. Notify NITDA within 7 days of a data breach. Fines can reach 2% of annual revenue for non-compliance. Read our NDPR compliance guide for details.
Reporting Obligations
Monthly reports include transaction volumes, customer onboarding stats, and complaint metrics. Quarterly reports add financial statements and AML summaries. Annual reports include audited financials and penetration test results. Maintain audit logs for all transactions for at least five years.
Frequently Asked Questions
What is the CBN Regulatory Sandbox?
The CBN Regulatory Sandbox allows fintech startups to test innovative financial products with up to 2,000 users without requiring a full license. It provides a controlled testing environment.
What are the KYC levels required by CBN?
Level 1: basic info, ₦50,000 daily limit. Level 2: BVN or NIN, ₦200,000 daily limit. Level 3: physical address, ₦1,000,000+ daily limit.
What SSL/TLS requirements does CBN mandate?
TLS 1.2 or higher for data in transit, AES-256 for data at rest, and annual penetration testing for all licensed PSPs.
What AML/CFT obligations do Nigerian fintechs have?
Customer due diligence, transaction monitoring, suspicious transaction reporting to NFIU within 24 hours, annual AML training, and a registered compliance officer.