The Central Bank of Nigeria (CBN) has directed banks, fintech firms, mobile money operators and other payment service providers to store all payment transaction data generated within Nigeria on local servers, as part of a broader regulatory push to strengthen oversight, improve transparency and reduce concentration risks in the country’s fast-growing digital payments ecosystem.
- +CBN mandates banks, fintechs to store payment data in Nigeria
The directive was contained in a circular issued by the apex bank on Monday and signed by the Director of the Payments System Supervision Department, Rakiya O.
The directive was contained in a circular issued by the apex bank on Monday and signed by the Director of the Payments System Supervision Department, Rakiya O. Yusuf.
According to the circular, all financial institutions and payment system participants facilitating transactions in Nigeria must ensure that payment transaction data generated within the country are stored and managed locally in compliance with Nigerian data protection laws and regulations.
The CBN stated that affected institutions must fully comply with the requirement by January 1, 2027.
The move is expected to have significant implications for banks, fintech companies, payment processors and other digital finance operators that currently rely on foreign data infrastructure for parts of their operations.
The circular read, “All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payments transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria. Accordingly, all affected Financial Institutions shall fully comply with this requirement effective January 1, 2027.”
The apex bank said the new measures were introduced following significant structural changes in Nigeria’s payments landscape, driven by rapid growth in electronic transactions, increased adoption of digital financial services and the emergence of dominant operators across key payment segments.
According to the CBN, while these developments have improved financial inclusion and innovation, they have also created concerns around market concentration, operational dependence on external infrastructure, ownership transparency and the location of critical payment data.
The regulator added that localising payment data would help safeguard the integrity of the financial system while ensuring that critical transaction records remain within Nigeria’s jurisdiction.
Beyond data localisation, the CBN introduced new ownership transparency requirements for institutions operating within the payments ecosystem.
The measure is designed to improve transparency within the financial system and strengthen efforts to combat illicit financial flows, money laundering and the use of complex ownership structures to conceal control of regulated entities.
The CBN said the circular seeks to improve transparency through beneficial ownership disclosure while promoting a more resilient payments ecosystem.
The apex bank also introduced measures aimed at preventing excessive market concentration in key segments of the payments industry.
Merchant acquiring refers to the processing of card payments on behalf of merchants, while card issuing involves the issuance of debit, credit and prepaid cards to customers.
To facilitate monitoring, all regulated entities are required to submit monthly market share returns using templates prescribed by the CBN.
Affected institutions must implement the necessary structural adjustments and achieve full compliance with the market structure requirements by December 31, 2026.
The CBN noted that it would closely monitor compliance and could impose supervisory sanctions where necessary.
Earlier in April 2026, the Nigeria Data Protection Commission (NDPC) raised concerns over coordinated cyber threats targeting Nigeria’s financial systems and key digital infrastructure, warning organisations to urgently strengthen their data security architecture.
NDPC said its technical assessment revealed that “shadowy threat actors” have launched coordinated operations aimed at critical systems in the country.
The warning signals growing regulatory concern over the vulnerability of institutions that power payments, banking services, telecommunications, cloud platforms and public sector digital services.
The latest measures form part of the regulator’s broader efforts to create a fairer and more competitive payments ecosystem as digital transactions continue to expand across Africa’s largest economy.
