Every licensed financial institution in Nigeria must pass the CBN Technology Risk Assessment to maintain their operating license. Failure can result in license suspension. This guide covers exactly what examiners look for and how to prepare effectively.
The CBN Technology Risk Assessment is conducted under the Risk-Based Supervision framework, aligned with Basel Committee best practices. It evaluates five domains: IT governance, information security, business continuity management, data centre operations, and technology risk management. Each domain is scored from 1 (lowest risk) to 5 (highest risk). Institutions scoring above 3 face increased regulatory scrutiny and may be required to submit monthly remediation progress reports. The assessment uses a standardised checklist covering over 150 control objectives. Working through that checklist before the examiners arrive is the key to passing on your first assessment.
IT governance is where most institutions fail their first TRA. Your board must have a designated IT committee that meets at least quarterly, reviewing IT strategy alignment with business objectives, risk appetite, and significant technology investments. Minutes of every meeting must be formally documented and available for examiner review. Your organisation needs a board-approved IT strategy covering a three-year forward horizon with clearly defined milestones. A Chief Information Officer or equivalent with clearly defined roles and responsibilities should report directly to the CEO or board. A technology risk management framework defining risk appetite thresholds, assessment methodology, and escalation procedures must be documented, approved, and actively used in decision-making. Fintech startups operating with informal governance structures will not pass the TRA. Even if the same two or three people fill multiple governance roles, the organisational structure, committee charters, and meeting documentation must be formally established and maintained.
The CBN expects your information security programme to align with ISO 27001 and established best practice. Required policies must cover access control, cryptography, data classification, incident response, vendor risk management, and security awareness training. Each policy must be board-approved, reviewed annually, and actively enforced across the organisation. Access control requires role-based access on a least-privilege basis, with quarterly access reviews, adjustment of entitlements when staff change role, and immediate revocation when employees leave. Multi-factor authentication is mandatory for all administrative system access and high-value transaction authorisation. Audit logs capturing all user and system activity must be retained for a minimum of five years and be tamper-evident: write-once storage or a hash-chained log whose integrity is verified independently of the systems that write to it, so that an administrator with database access cannot quietly edit or delete records.
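What "tamper-evident" means in practice is easiest to see in code. The Go program below is an added example, not part of the original guide or of any CBN material: an append-only audit log in which each record carries an HMAC-SHA256 over its own fields and the previous record's hash. The key, the field layout and the sample records are assumptions made for the demonstration. The point it shows is that an insider who edits, deletes or reorders an earlier record is caught by a later verification pass, while a chain that is merely cut short is not, which is why the head hash must also be anchored outside the log store.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// Entry is one audit record. Its Hash covers the record fields plus the
// previous entry's Hash, so editing, deleting or reordering any earlier
// entry invalidates every hash after it.
type Entry struct {
	Seq       int
	Timestamp string // RFC 3339, supplied by the caller
	Actor     string
	Action    string
	PrevHash  string
	Hash      string
}

// AuditLog is an append-only HMAC-SHA256 chain. The key is assumed to live
// outside the log store (an HSM or KMS), so an attacker who can rewrite the
// log cannot recompute valid hashes for the records they changed.
type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// canonical serialises the protected fields with a fixed separator so the
// MAC is reproducible at verification time.
func canonical(e Entry) string {
	return strings.Join([]string{strconv.Itoa(e.Seq), e.Timestamp, e.Actor, e.Action, e.PrevHash}, "\x1f")
}

func (l *AuditLog) mac(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(canonical(e)))
	return hex.EncodeToString(m.Sum(nil))
}

// Append adds a record linked to the current head of the chain.
func (l *AuditLog) Append(ts, actor, action string) Entry {
	prev := "" // the first entry links to an empty hash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Seq: len(l.entries), Timestamp: ts, Actor: actor, Action: action, PrevHash: prev}
	e.Hash = l.mac(e)
	l.entries = append(l.entries, e)
	return e
}

// Head returns the latest hash. A chain that is simply cut short still
// verifies, so the head must be anchored somewhere the log writer cannot
// change (a separate system, a signed daily digest) to detect truncation.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify walks the chain and returns the index of the first entry whose
// sequence number, back-link or MAC is wrong, or -1 if the chain is intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.PrevHash != prev || !hmac.Equal([]byte(e.Hash), []byte(l.mac(e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Entries returns a copy and SetEntries replaces the store. Together they
// stand in for an insider with direct write access to the log database.
func (l *AuditLog) Entries() []Entry      { return append([]Entry(nil), l.entries...) }
func (l *AuditLog) SetEntries(es []Entry) { l.entries = es }

func main() {
	log := NewAuditLog([]byte("demo-key-held-in-hsm")) // constructed key, not a real secret
	log.Append("2024-03-01T09:00:00Z", "alice", "login")
	log.Append("2024-03-01T09:05:00Z", "alice", "grant-role bob payments-admin")
	log.Append("2024-03-01T09:07:00Z", "bob", "approve-transfer ref=TX001")
	fmt.Println("intact chain, first bad index:", log.Verify())

	// The insider rewrites the role grant to hide it; the MAC no longer matches.
	tampered := log.Entries()
	tampered[1].Action = "grant-role bob teller"
	log.SetEntries(tampered)
	fmt.Println("after edit, first bad index:", log.Verify())
}
```

Verify returns -1 for the untouched chain and 1 once the role-grant record is rewritten. Five-year retention is then a storage question; integrity over that period is the combination of this chain, a key the log writers cannot reach, and a head hash recorded somewhere independent each time the log is closed.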
Encryption standards require TLS 1.2 or higher for all data in transit between systems, which in practice means explicitly disabling SSLv3, TLS 1.0 and TLS 1.1 on every listener and preferring TLS 1.3 where both ends support it, and AES-256 for all data at rest in databases and storage, in an authenticated mode such as AES-GCM so that tampering with stored ciphertext is detected on decryption. Encryption keys must be managed through a hardware security module or a certified cloud key management service, and must never be stored in the same database as the encrypted data; the usual pattern is envelope encryption, where per-record data keys are wrapped by a master key that never leaves the HSM or KMS and only the wrapped keys sit alongside the ciphertext. Security monitoring must be in place through a Security Operations Centre or equivalent managed service, with 24/7 coverage required for high-volume institutions. Incident response procedures must be documented in detail and tested annually through tabletop exercises, with explicit notification procedures defined for reporting to the CBN and the Nigerian Financial Intelligence Unit within the mandated timeframes.
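The key-separation rule above is usually implemented as envelope encryption. The Go program below is an added example, not code from the guide or from any HSM or KMS vendor: a KeyService type stands in for the HSM or KMS (the key-encryption key never leaves it), each record gets its own AES-256-GCM data key, and the database row stores only the ciphertext and the wrapped data key. The type and function names, the associated-data label and the sample record are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for the HSM or cloud KMS: the key-encryption key (KEK)
// never leaves it, and callers only ever hand it data keys to wrap or unwrap.
type KeyService struct {
	kek [32]byte // AES-256 KEK; generated here for the demo, inside the HSM in production
}

func NewKeyService() (*KeyService, error) {
	ks := &KeyService{}
	_, err := rand.Read(ks.kek[:])
	return ks, err
}

// Wrap and Unwrap encrypt a data key under the KEK; the fixed label as
// associated data domain-separates this use of the KEK from any other.
func (ks *KeyService) Wrap(dek []byte) ([]byte, error)       { return seal(ks.kek[:], dek, []byte("dek")) }
func (ks *KeyService) Unwrap(wrapped []byte) ([]byte, error) { return open(ks.kek[:], wrapped, []byte("dek")) }

// seal and open are AES-256-GCM with a fresh random 96-bit nonce prepended to
// the ciphertext. GCM authenticates ciphertext and associated data, so any
// change to the stored blob, or use under the wrong associated data, fails.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Record is the database row: ciphertext plus the wrapped data key. The KEK is
// deliberately absent, so a copy of the database alone decrypts nothing.
type Record struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// EncryptRecord uses a fresh data key per row and binds the row ID as
// associated data, so a ciphertext copied into another row is rejected.
func EncryptRecord(ks *KeyService, id string, plaintext []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

func DecryptRecord(ks *KeyService, r Record) ([]byte, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	ks, _ := NewKeyService() // errors ignored only in this demo main
	rec, _ := EncryptRecord(ks, "acct-0001", []byte("constructed sample PII"))
	pt, err := DecryptRecord(ks, rec)
	fmt.Printf("row %s decrypts to %q (err=%v)\n", rec.ID, pt, err)
}
```

Because GCM authenticates the row ID as associated data, a ciphertext copied into another row, a flipped byte in storage, or a wrapped key presented to a different KMS all fail to decrypt rather than returning garbage. A real deployment would call the KMS wrap and unwrap API instead of holding the KEK in process memory, and would record which KEK version wrapped each data key so keys can be rotated without re-encrypting every row.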
The CBN expects a comprehensive Business Continuity Management programme. Your Business Impact Analysis must identify all critical business processes with defined Recovery Time Objectives (how long a process may be unavailable) and Recovery Point Objectives (how much data, measured in time, may be lost). For payment systems, the CBN expects RTO under 4 hours and RPO under 15 minutes, which rules out nightly backups as the only recovery mechanism and implies near-continuous replication to the recovery site. Plans must be tested at least annually at three levels: tabletop exercises for decision-making, technical tests for system restoration, and full-scale tests including failover to the disaster recovery site. Every test must produce a formal report identifying gaps and remediation actions. Maintain a secondary data centre in a geographically different location with equivalent security controls.
Your data centre needs redundant power with automatic failover, UPS providing at least 30 minutes of runtime, and a generator capable of sustaining operations for 72 hours. Physical access controls must include biometric authentication, mantrap entry, 24/7 CCTV surveillance with 90-day retention, and visitor logs. Fire detection and suppression systems appropriate for electronic equipment are mandatory. If using cloud providers like AWS, GCP, or Azure, the provider must hold a current SOC 2 Type II attestation (SOC 2 is an auditor's report rather than a certification, so obtain the report itself and review the exceptions it notes). Your cloud architecture must include multi-region redundancy with automated backup and restore, and all customer data must reside in Nigeria or CBN-approved jurisdictions, so every region used, including the one holding backups and replicas, must itself be an approved location.
Prepare these documents organised by domain. Governance: board IT committee charter, last four meeting minutes, IT strategy document, technology risk management framework. Security: information security policy, access control policy, encryption policy, incident response plan, security awareness training records. Business Continuity: BCM policy, business impact analysis, BCP document, last two DR test reports, crisis communication plan. Data Center: audit report, power and cooling maintenance logs, last six months of physical access logs, CCTV retention policy. Risk Management: risk register, risk assessment methodology document, vendor risk management policy, IT audit reports. All documents must be reviewed and approved within the last 12 months.
The most common CBN TRA findings are consistent across institutions. Inadequate IT governance is the leading finding, remedied by establishing a board IT committee with a formal charter and documented quarterly meetings. A missing or outdated BCP is second, addressed by reviewing and testing the plan annually and updating it after every significant infrastructure change. Insufficient security awareness training requires mandatory annual training backed by phishing simulations. Weak vendor risk management requires formal due diligence before onboarding and ongoing monitoring against a maintained vendor register. Incomplete incident response documentation means the IR plan must be documented and tested annually, with CBN and NFIU notification procedures included.
Three to six months before assessment, conduct a gap analysis against the TRA checklist, update governance documents, begin the BCP process, and engage a compliance consultant. Two to three months before, complete all documentation, conduct a pre-assessment internal audit, test DR infrastructure, and run a tabletop exercise. One month before, run a mock assessment with an external consultant, prepare document binders, and brief the management team. During assessment week, CBN examiners review documents, interview staff, inspect facilities, and test controls. Be transparent about known issues and present remediation plans. After assessment, address high-risk findings within 30 to 90 days, medium-risk within 6 months, and low-risk within 12 months. Submit your remediation plan to the CBN within 30 days of the final report.
The CBN Technology Risk Assessment is a regulatory evaluation that all licensed financial institutions must undergo, assessing IT governance, information security, business continuity, data centre operations, and technology risk management.
The on-site review takes one to two weeks and preparation takes three to six months; the full cycle from preparation to receipt of the report is typically four to eight months.
The documents required include the IT policy framework, information security policy, business continuity plan and test results, data centre audit reports, risk management framework, incident response plan, and board-approved IT strategy.
The most common findings are inadequate IT governance, a missing business continuity plan, lack of data centre redundancy, insufficient security awareness training, and weak vendor risk management.