CBN fintech regulations 2026: Licensing & compliance guide

The CBN rolled out more than a dozen policy changes affecting Nigerian fintech in 2025 alone, and 2026 is the year they all come due for enforcement simultaneously.

Key takeaways

• 87.5% of Nigerian fintechs say compliance costs are actively limiting their ability to innovate.
• 2026 is an enforcement year: Open Banking, anti-money laundering (AML) automation, APP fraud rules, and cash policy changes are all live or approaching hard deadlines simultaneously.
• Real-time transaction monitoring is now mandatory, and the rollout timeline includes audit requirements with teeth.
• Fintechs may now share or fully absorb losses from Authorized Push Payment fraud, even when the user initiated the transaction.
• Nearly 11 billion NIBSS Instant Payment transactions were processed in 2024, which explains exactly why the CBN is no longer willing to let compliance slide.

For most of the last decade, the unofficial playbook for fintech was to build fast, scale aggressively, and treat compliance as a problem to solve later, preferably after the product had enough users to justify the legal bill. That playbook has expired.

In 2025, the Central Bank rolled out a concentrated wave of policy: 

• Open Banking standards.
• AML automation mandates.
• APP fraud liability reforms. 
• Revised cash handling rules.
• Data protection enforcement.

In 2026, all of it is being actively enforced, with deadlines, audit windows, and penalties.

This guide breaks down the licence your fintech actually needs, the compliance stack you’re required to build, and what specifically changed this year.

CBN fintech regulatory stack 2026

Which CBN licence does your fintech need?

Nigeria’s fintech licensing framework is segmented, strict, and tied directly to what your product does functionally, not what you call it.

1. Switching and Processing license 

This licence covers transaction routing, clearing, and settlement infrastructure. The fintech products in this category operate payment infrastructures, sitting between transaction senders, processors, and receivers.

For this license, CBN mandates a ₦2 billion capital requirement and a non-refundable application fee of ₦100,000. Payment gateways and core infrastructure players operate here. Examples include Flutterwave, Remita, and Paystack. 

2. Mobile Money Operator (MMO) license 

Products that operate using an MMO licence can hold customer funds, operate wallets, or issue e-money balances. This is the category most consumer-facing fintechs that build wallet products (e.g., Opay and Palmpay) fall into. 

It’s the one most commonly operated without proper licensing in Nigeria’s early fintech wave. The application fee and capital requirement match Switching and Processing.

3. Payment Solution Services (PSS) license 

This category covers two distinct authorisations that serve different functions. 

1. The Payment Solution Service Provider (PSSP) authorisation covers businesses offering payment solutions, such as aggregators, payment facilitators, and similar intermediaries. 
2. The Payment Terminal Service Provider (PTSP) authorisation applies to businesses that deploy and manage payment terminals and POS infrastructure. 

These are separate authorisations under the same umbrella, and conflating them is a common compliance error. Both authorizations require a minimum capital of ₦100 million. 

4. Payment Service Banks (PSBs) 

PSBs can accept deposits, transfer funds, operate savings products, and issue debit cards. This structure was designed primarily to provide banking services to the unbanked and underbanked, often in rural areas. 

Typically, they have agent banking networks operating at scale in underserved markets. It has a ₦5 billion capital threshold.

Other licenses include the Super-Agent license, a payment service holding, and the CBN Regulatory Sandbox (which serves as an entry point for products in development, allowing testing for up to six months under a controlled framework).

Four 2026 compliance priorities every Nigerian fintech needs to address

Licensing gets you in the door, but compliance determines whether you stay. These four priorities are active obligations with timelines, audit requirements, and financial consequences.

1. Automated AML systems 

Real-time transaction monitoring, customer risk profiling, sanctions screening, and integrated identity verification using BVN and NIN data are now required infrastructure. 

What you need to know:

• AI-powered monitoring systems are permitted under the framework, but must be independently audited annually.
• Deploying an AI system and treating it as self-certifying is a compliance gap the CBN has specifically anticipated and closed.
• CBN has given banks 18 months and fintechs 24 months to achieve full implementation, but implementation roadmaps must be submitted within 3 months of the directive.

2. APP fraud liability

Authorized Push Payment (APP) fraud, where a user is manipulated into sending money to a fraudulent recipient, has now become a balance sheet problem for Nigerian fintechs. 

Under the incoming guidelines:

• Customers may be reimbursed even when they personally approved and initiated the transaction. 
• Liability can be split between the sending and receiving institutions depending on where the control failure occurred. 
• Any institution that failed to flag a suspicious account used in the fraud chain may be held fully liable for the resulting loss.

Operational timelines to watch:

3. KYC, AML, and data protection stack

This is two regulatory frameworks hitting simultaneously.

CBN side (AML/CFT)

• Risk-based KYC using BVN and NIN verification is mandatory.
• Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) must be filed consistently with the Nigerian Financial Intelligence Unit (NFIU).

NDPC side (Data protection)

The Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 impose:

• Data Protection Impact Assessments (DPIAs) for high-risk processing.
• Strict controls on cross-border data transfers.
• Data breach notification within 72 hours.

4. Open banking and ISO 20022 migration

Open banking

The CBN introduced the Open Banking framework in 2021 and issued operational guidelines in 2023. Adoption, however, has been slowed by unresolved technical gaps. 

Access is restricted exclusively to licensed entities. If your product depends on data connectivity across the Nigerian financial system and you are not properly licensed, you are structurally locked out.

ISO 20022 migration

The global financial messaging standard is now mandatory for payment systems operating in Nigeria. The National Payment Stack (NPS) launched in November 2025 on ISO 20022 standards.

Consequences for non-compliance include:

• Fines.
• License suspension.
• Potential revocation. 

Both frameworks require technical readiness, but Open Banking access requires formal licensing first. 

What the cash policy shift means for agency banking

Individual weekly cash withdrawals are now capped at ₦500,000, with corporates limited to ₦5 million. Withdrawals beyond those limits attract excess fees of 3% for individuals and 5% for corporates. 

Daily and weekly ATM withdrawals are capped at ₦100,000 and ₦500,000, respectively. Cash deposit limits, notably, have been removed entirely. Essentially, the policy tightens outflows without restricting inflows.

How does this affect fintech business models?

Agency banking networks and POS-dependent business models feel this most directly. High-volume cash-out operations, a core revenue driver for many agent banking plays, become structurally less profitable when weekly limits constrain transaction throughput. 

The timing adds another layer of complexity. POS terminal deployment has grown 129% in recent years, from 2.4 million in 2023 to 5.5 million terminals in 2024 nationally. That expansion means the policy affects a significantly larger ecosystem than previous cash directives have. 

And from April 2026, POS agents will operate under tightened geo-tagging requirements, stricter location compliance rules, and renewed enforcement of exclusivity.

FAQs

Do I need a CBN licence to launch a fintech in Nigeria? 

Yes, if your product touches payments, wallets, or fund custody in any form. 

What is APP fraud liability? 

It means your fintech may be required to reimburse users for losses from fraud, even when the user personally initiated and approved the transaction. Liability can be split between sending and receiving institutions, and failure to flag suspicious accounts can result in your institution bearing the full loss.

How do CBN and FCCPC regulations differ? 

The CBN governs financial operations, such as licensing, payments infrastructure, AML, and monetary policy compliance. The FCCPC handles consumer protection, particularly for digital lenders. Most Nigerian fintechs have obligations to both.

Conclusion

CBN regulations for fintech startups in 2026 are sharper, faster to enforce, and significantly harder to outrun. The era of building first and fixing compliance later ended with AML mandates, shifts in APP fraud liability, data protection enforcement, and a licensing framework.

Compliance in 2026 is part of the architecture from day one. The fintechs that come out of this regulatory cycle strongest will be the ones that learned to treat regulation as infrastructure rather than friction.

Citations 

• https://financeinafrica.com/insights/nigerias-fintech-regime/
• https://openbanking.ng/open-banking-in-nigeria/
• https://businessday.ng/news/article/banks-to-share-liability-for-fraud-losses-under-cbns-new-push-payment-rules/
• https://www.cbn.gov.ng/PaymentsSystem/PSPs.html
• https://businessday.ng/life/article/regulation-compliance-cbns-new-aml-technology-standards-signal-stronger-compliance-era-for-nigerias-financial-sector/?amp
• https://webiis08.mondaq.com/nigeria/white-collar-crime-anti-corruption-fraud/1720474/#authors
• https://webiis08.mondaq.com/nigeria/data-protection/1769986/#authors
• https://businessday.ng/technology/article/cbn-to-fast-track-open-banking-rules-eyes-passporting-deals-in-africa/
• https://nibss-plc.com.ng/national-payment-stack/?__cf_chl_rt_tk=CIUtsX5yhDYDxcshzNR2bbCsGFmErnodPaK2jx2P3IA-1777449629-1.0.1.1-cl3sV6kX5518.xDuHJlWjHZEnJwKIxQ2TnnKCedK0yI
• https://www.cnbcafrica.com/2025/nigeria-tightens-cash-withdrawal-limits-to-curb-money-laundering-risk
• https://nairametrics.com/2025/02/04/pos-transactions-surge-to-18-trillion-in-2024-as-fintechs-expand-terminal-deployment/#back-to-top
• https://nairametrics.com/2025/10/07/pos-geo-tagging-cbn-sets-n5-million-minimum-penalty/#jeg_forgotform

Disclaimer!

This publication, review, or article (“Content”) is based on our independent evaluation and is subjective, reflecting our opinions, which may differ from others’ perspectives or experiences. We do not guarantee the accuracy or completeness of the Content and disclaim responsibility for any errors or omissions it may contain.

The information provided is not investment advice and should not be treated as such, as products or services may change after publication. By engaging with our Content, you acknowledge its subjective nature and agree not to hold us liable for any losses or damages arising from your reliance on the information provided.

Always conduct your research and consult professionals where necessary.