Nigeria’s new anti-money laundering rules are among the world’s best

The Central Bank of Nigeria has issued a landmark framework for automated financial crime detection that puts this country ahead of Europe and America in one crucial respect.

Every Bank, Fintech & Payment Company in Nigeria has 18 months to prove it can meet the standard.

There is a particular kind of regulatory document that arrives looking like paperwork and turns out to be something far more consequential.

MoreStories

Culture is no longer soft power, it is economic infrastructure

April 3, 2026

Ten risks in Nigeria’s new AML rules and what banks must do about them

April 2, 2026

The Central Bank of Nigeria’s (CBN) Baseline Standards for Automated Anti-Money Laundering (AML), Combating the Financing of Terrorism (CFT) and Countering Proliferation Financing (CPF) Solutions, issued on the 10th of March 2026, is that kind of document.

At 25 pages, it is dense, technical and to a casual reader easy to hand to the Compliance team and forget about. That would be a serious mistake.

These Standards will fundamentally reshape how every Bank, Mobile Money Operator, International Money Transfer Operator & Payment Service Provider in Nigeria detects, investigates and reports financial crime.

They establish, for the first time, specific and binding governance requirements for the use of Artificial Intelligence (AI) and Machine Learning (ML) in compliance functions.

And they tie personal accountability (not just institutional liability) to whether those systems actually work.

The compliance clock is running, and Deposit Money Banks have 18 months from the date of issuance. Other Financial Institutions have 24.

All regulated institutions must submit implementation roadmaps to the CBN’s Compliance Department within three months by the 10th of  June 2026.

Before examining what this demands and where the dangers lie, something deserves to be said plainly – by any serious international comparison, the CBN has produced something genuinely exceptional.

Where Nigeria Now Stands

In the United States, the primary law driving AML modernisation (the Anti-Money Laundering Act of 2020) is still being translated into operational rules six years after its passage.

The Financial Crimes Enforcement Network (FinCEN), the US Treasury’s Financial Intelligence unit, published a proposed rule to modernise AML programme requirements in June 2024. It remains a proposal.

A March 2024 report by the New York City Bar Association’s Compliance Committee (examining AI and machine learning (ML) in AML and CFT compliance) found that existing US AML regulations, being traditionally technology-neutral, create genuine ambiguity around the deployment of AI for compliance purposes and questioned whether current laws and regulatory guidance are sufficient to govern it.

On Artificial Intelligence specifically, US Regulators have encouraged banks to explore its use but have issued no binding, institution-level governance requirements of comparable detail to what the CBN has now produced.

In Europe, the landmark AML package (built around a new supervisory authority, the Anti-Money Laundering Authority (AMLA), which began operations in Frankfurt in July 2025) centres on a unified regulation that does not take full effect until July 2027.

The European Banking Authority (EBA), in reports published in July and August 2025, found that while EU national regulators are beginning to deploy supervisory technology for AML purposes (with nearly half of identified tools already in production), adoption remains uneven, and Regulators are only “moderately prepared” to fully integrate AI into their supervisory functions.

More pointedly, the EBA’s own AML database showed that more than half of serious compliance failures reported by member institutions stemmed not from failure to adopt technology, but from its improper implementation – a finding that underscores the governance challenge rather than the adoption one.

Across Africa, momentum is real but uneven. Ghana’s Bank of Ghana operates a regulatory sandbox (established around 2021 and 2022) that admits FinTech innovators, including those developing AI-powered AML and fraud detection tools, with a new cohort admitted in May 2024.

Kenya passed significant AML legislative amendments in 2025, when President William Ruto signed the Anti-Money Laundering and Combating of Terrorism Financing Laws (Amendment) Act into law on 14 June, marking a significant strengthening of Kenya’s AML/CFT framework following its own placement on the Financial Action Task Force (FATF) Grey List in February 2024.

South Africa (which, like Nigeria, was removed from the FATF Grey List in October 2025 after 33 months of sustained reform) has robust AML legislation and genuine institutional depth. But none of these jurisdictions has yet produced technology-specific standards at the level of operational detail the CBN has now set.

The CBN’s new Standards are ahead of the regulatory curve – more technically specific than anything currently binding in the United States, more operationally detailed than the EU framework not yet in force and more prescriptive on AI governance than any comparable African regulator has produced.

Nigeria’s removal from the Financial Action Task Force (FATF) Grey List in October 2025 (secured through reforms led by the CBN under Governor Olayemi Cardoso, alongside the Nigerian Financial Intelligence Unit (NFIU), the Economic and Financial Crimes Commission (EFCC) and the Federal Ministry of Justice) provides essential context.

These Standards are the continuation of a structural reform trajectory that has already demonstrated, to the global financial community, that Nigeria’s commitment to financial system integrity is real and sustained.

For institutions with international correspondent banking relationships or foreign investors, that matters in ways that show up directly in the cost of doing business.

What the Framework Actually Requires

The Standards cover twelve functional areas – Customer Identification & Verification; Risk Profiling; Sanctions & Watchlist Screening; Politically Exposed Persons (PEP) Screening; Transaction Monitoring; Fraud Detection; Case Management; Regulatory Reporting; Audit & Governance; System Integration; Data Security; and Configuration Governance.

Running through all of them is one architectural principle that Section 4 states without ambiguity – the AML solution must assess transactions in the context of the full customer profile. The Standards are explicit, “AML Solutions without effective linkage to Customer Due Diligence (CDD), Know Your Customer (KYC) and Know Your Business (KYB) information and customer risk assessments will not be regarded as compliant”. That single sentence has significant infrastructure implications for institutions whose monitoring systems are not currently integrated with their KYC repositories.

On Artificial Intelligence, the Standards take a position that is encouraging but conditional.

AI and machine learning are explicitly supported for anomaly detection, behavioural pattern recognition, dynamic risk scoring and adaptive learning.

But their use requires a documented governance framework covering human oversight and explainability (§5.4a.iv), independent validation at least annually covering accuracy, performance drift, fairness and bias (§5.5b.i), and adherence to ISO 42001 – the International Standard for AI Management Systems published by the International Organisation for Standardisation (ISO) (§6d).

These are not aspirational guidelines. They are binding, examinable obligations backed by enforcement provisions that include sanctions on institutions and on named individuals within them.

Two provisions in the Standards deserve particular recognition.

1. The prohibition in Section 4 on systems that monitor transactions without customer context closes a long-standing gap that has allowed box-ticking compliance systems to pass regulatory inspection for years while missing the contextual analysis that genuine risk detection requires.
2. The framework in §5.5b.vii for automated alert closure (which permits machines to close low-risk alerts without human review, subject to board-approved ceilings, CBN notification and mandatory escalation when those ceilings are exceeded) is more carefully structured than equivalent provisions in several European jurisdictions.

The Stakes

The enforcement provisions in Section 7 are unambiguous. Institutions that fail to meet the Standards, or that operate systems resulting in ineffective controls, face remedial directives, administrative sanctions and penalties under the Banks and Other Financial Institutions Act (BOFIA), the Money Laundering (Prevention and Prohibition) Act (MLPPA) 2022 and the CBN AML-CFT-CPF Administrative Sanctions Regulations 2023.

Those sanctions extend to accountable individuals, not just to institutions as corporate entities.

This is not a compliance exercise that can be safely delegated and forgotten.

The personal accountability dimension means that Boards and Executive Management are directly in the frame if controls are found to be inadequate.

The CBN has been explicit about what it will be assessing: “demonstrable effectiveness and not merely feature-based compliance or vendor-driven implementation”.

That phrase is a statement of supervisory intent. It means that having a system in place is not enough. Having one that works is what matters.

The CBN has built something of genuine substance. The question is whether Nigeria’s Financial Institutions will meet it with equivalent seriousness or whether the roadmap submissions of June 2026 will turn out to be the beginning of a longer story rather than the end of a compliance exercise.

The risks embedded in this framework and what institutions must honestly do about them are the subject of the second part of this analysis, published tomorrow.

This article draws on the CBN Baseline Standards for Automated Anti-Money Laundering Solutions (Circular BSD/DIR/PUB/LAB/019/002, 10 March 2026); FinCEN’s Notice of Proposed Rulemaking on AML Programme Effectiveness (June 2024); the EU Anti-Money Laundering Regulation 2024/1624; the EBA SupTech Report (August 2025) and EBA Fifth Biennial AML Opinion (July 2025); the New York City Bar Association Compliance Committee Report on AI and Machine Learning in AML/CFT (March 2024); and publicly available reporting on AML regulatory developments in Ghana, Kenya and South Africa. It does not constitute legal or regulatory advice.

_Henry Nduka Onyiah is a Cyber Risk Advisor and an Independent Non-Executive Director of a Nigerian Financial Institution. He writes in a personal capacity. _

The views expressed are entirely his own and do not represent the position of any institution with which he is associated. He welcomes reactions, views and engagement. He can be reached at onyiah@tuta.io or on LinkedIn at linkedin.com/onyiah.