Nigeria Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know

Who regulates financial crime in Nigeria?

The Central Bank of Nigeria (CBN) is the primary AML/CFT supervisor for all licensed financial institutions: deposit money banks, microfinance banks, payment service banks, and mortgage institutions. Its authority derives from the Banks and Other Financial Institutions Act (BOFIA) 2020 and the Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA 2022). The CBN issues compliance directives, conducts AML/CFT examinations, and levies sanctions against institutions that fall short. It also maintains AML/CFT/CPF Compliance Regulations that define specific control obligations for licensed entities. Sector-specific guidance for Bureau de Change operators, mobile money operators, and payment service banks adds tailored obligations on top of the baseline MLPPA 2022 requirements. CBN circulars carry binding regulatory force even where they do not have the weight of primary statute.

The Nigerian Financial Intelligence Unit (NFIU) is Nigeria's financial intelligence unit and the mandatory filing destination for all suspicious transaction reports (STRs) and currency transaction reports (CTRs). Established under the NFIU Act 2018, it operates the goAML platform for electronic submission, analyzes financial disclosures, and shares intelligence with domestic law enforcement and international FIU partners through the Egmont Group.

The Economic and Financial Crimes Commission (EFCC) investigates and prosecutes money laundering, advance-fee fraud, cybercrime, and related financial crimes. It holds powers of arrest, asset freezing, and prosecution before the Federal High Court, and coordinates mutual legal assistance with foreign agencies.

The Special Control Unit against Money Laundering (SCUML) supervises designated non-financial businesses and professions (DNFBPs): accountants, lawyers, real estate agents, and dealers in precious metals. SCUML registration is a prerequisite for any DNFBP to open or maintain a bank account for business proceeds. Financial institutions must verify SCUML registration when onboarding DNFBP clients.

Together, these four bodies cover the full supervisory perimeter. CBN examines financial institutions; NFIU processes disclosures; EFCC prosecutes; SCUML extends the regime beyond banking.

What are the key AML and fraud laws in Nigeria?

The Money Laundering (Prevention and Prohibition) Act 2022 (MLPPA 2022) is the foundation. It replaced the Money Laundering (Prohibition) Act 2011 and brought Nigeria's framework in line with FATF's 2012 Recommendations. The Act defines money laundering offences, sets out CDD obligations for all reporting entities, establishes the STR and CTR filing regime, prohibits tipping-off, and creates the legal basis for asset forfeiture and international cooperation. Corporate convictions carry fines of not less than ₦25 million; individual convictions carry up to 14 years imprisonment, a fine of not less than five times the value of the funds involved, or both.

The Terrorism (Prevention and Prohibition) Act 2022 covers counter-financing of terrorism (CFT) obligations. It designates terrorist entities, requires institutions to freeze assets linked to designated persons without a prior court order, and mandates disclosure to the NFIU.

The Proceeds of Crime (Recovery and Management) Act 2022 (POCA) established a dedicated regime for civil and criminal asset recovery. It created the Proceeds of Crime Management Office and gave the EFCC a cleaner legal path to confiscation than the previous framework allowed.

The Banks and Other Financial Institutions Act (BOFIA) 2020 gives the CBN independent authority to issue AML regulations and levy sanctions against licensed institutions, operating alongside the MLPPA.

The Nigeria Data Protection Act 2023 (NDPA) has direct consequences for Customer Due Diligence (CDD) and Know Your Customer (KYC) operations. The NDPA requires that personal data of Nigerian residents be stored within Nigeria or in a jurisdiction the National Data Protection Commission (NDPC) designates as adequate. For banks running cloud-based compliance platforms, this requires specific legal analysis before deployment and affects vendor selection for digital onboarding infrastructure.

Under FATF Rec 10 (FATF), beneficial ownership identification is a core CDD element. The MLPPA 2022 adopts this directly: an Ultimate Beneficial Owner (UBO) is any natural person holding or controlling 5% or more of a legal entity, or exercising ultimate effective control. The Corporate Affairs Commission (CAC) maintains a beneficial ownership register under the Companies and Allied Matters Act 2020 (CAMA), which institutions must cross-reference during corporate client onboarding.

What controls do Nigeria regulators expect?

Customer Due Diligence is mandatory at onboarding and on a risk-triggered basis throughout the customer relationship. The CBN requires all financial institutions to collect and verify a Bank Verification Number (BVN) and National Identity Number (NIN) before opening an account. These biometric-linked credentials are the backbone of identity verification in Nigeria. CDD extends to beneficial owners, authorised signatories, and control persons of corporate clients. Enhanced due diligence applies to politically exposed persons, high-risk jurisdictions, non-face-to-face onboarding, and complex corporate structures.

The NFIU requires CTRs for cash transactions exceeding ₦5 million for individuals and ₦10 million for corporate entities, submitted within 24 hours of the transaction. Transaction Monitoring must be automated and risk-based; the CTR volumes generated by major Nigerian banks make manual review operationally impossible. Suspicious transactions trigger an STR (Suspicious Transaction Report) obligation, with filings due within 7 days of suspicion arising. There's no de minimis threshold for STR reporting.

Sanctions Screening must cover Nigerian domestic designation lists, the UN Security Council consolidated list, and other relevant international sanctions regimes. The CBN requires screening at onboarding and on an ongoing basis for all existing customers, including all transaction parties, not just account holders.

PEP screening is a material operational challenge in Nigeria, which has a large domestic PEP population across federal and state government, the military, and state-owned enterprises. FATF Recommendation 12 applies in full, and the CBN's examination teams specifically test whether institutions have documented PEP classification rationale.

Record-keeping under MLPPA 2022 requires a minimum of 5 years from the end of a business relationship or from the date of a transaction. Records must be sufficient to reconstruct individual transactions for potential prosecution. The CBN requires that compliance records be made available to examiners on request without undue delay.

What is unique about compliance in Nigeria?

Nigeria was added to the FATF Increased Monitoring list in June 2023. The 2021 Mutual Evaluation Report identified deficiencies in beneficial ownership transparency, DNFBP supervision, and the prosecution of high-value, complex money laundering cases. Any institution with a Nigerian correspondent relationship or subsidiary must now factor this into its Enhanced Due Diligence posture. Several European banks have initiated recertification processes for their Nigerian correspondent portfolios as a direct consequence.

The grey-list designation has practical payment-rail effects. Correspondent banks using transaction surveillance analytics flag Nigerian wire flows at elevated sensitivity levels, which can delay or reject legitimate transfers. Institutions with significant outbound wire volumes to or from Nigeria need to factor this into their correspondent banking management.

The BVN/NIN mandatory linkage is a structural feature of the Nigerian compliance environment. The CBN has directed financial institutions to restrict accounts not linked to a valid BVN and NIN. That creates an effective national identity layer, but it also generates exception queues: newly registered individuals, diaspora customers, and persons whose biometric data has not yet been captured. Managing these exceptions within CBN timelines is a live operational challenge.

Nigeria's cash economy generates extremely high CTR volumes. Cash remains the dominant exchange medium outside major urban centres, and transaction monitoring systems calibrated to European norms will produce unmanageable false-positive rates. Alert rules need tuning to local transaction patterns and cash-handling norms.

The CAC beneficial ownership register, introduced under CAMA 2020, is improving but patchy. Institutions need secondary verification processes alongside the register; relying on it alone doesn't meet the evidentiary standard the CBN expects.

On crypto: the CBN banned financial institutions from servicing crypto exchanges in 2021, then reversed course in December 2023 with a dedicated VASP regulatory framework. The Securities and Exchange Commission (SEC) Nigeria simultaneously issued its own digital asset rules. Any bank or fintech with crypto-linked customers operates under dual supervision, and the two regimes don't always align neatly.

Recent enforcement actions in Nigeria

The CBN publishes enforcement notices against licensed institutions for AML/CFT deficiencies identified during regulatory examinations. These notices, accessible at cbn.gov.ng, have resulted in financial penalties, remediation directives, and, in some cases, restrictions on specific business activities. Since the MLPPA 2022 came into force, the CBN's examination reports have become more granular: they cite specific control failures (inadequate CDD on corporate clients, insufficient STR filings relative to transaction volumes, weak UBO verification) rather than generic AML deficiency findings. This shift signals higher evidentiary expectations from examiners.

Nigeria's inclusion on the FATF Increased Monitoring list in June 2023 is the most consequential jurisdictional enforcement signal in recent years. It is a direct consequence of systemic deficiencies in the 2021 Mutual Evaluation: weak DNFBP oversight, gaps in UBO data quality, and insufficient prosecution of complex laundering. Correspondent banks globally responded with heightened due diligence requirements for Nigerian institutions.

The EFCC publishes annual enforcement statistics. Its reports document thousands of convictions for financial crimes each year, spanning advance-fee fraud, cybercrime, identity theft, and money laundering. Institutional cases are fewer but growing in complexity. The EFCC's Asset Management Office has become more active in pursuing civil recovery against corporate vehicles used to layer proceeds offshore.

For correspondent banking context, the Standard Chartered 2019 enforcement action is a useful benchmark. Standard Chartered's $1.1 billion global settlement with US and UK regulators covered sanctions violations that touched its African operations. It shows that Nigerian franchises are within scope for group-level enforcement proceedings when a parent institution faces a multi-jurisdiction examination.

What foreign banks operating in Nigeria need to know

The CBN licenses foreign bank operations primarily through the subsidiary structure. New entrants must meet minimum capital requirements set by the April 2024 recapitalization directive: ₦500 billion for international-authorization commercial banks and ₦200 billion for national-authorization commercial banks. The compliance deadline is March 31, 2026. Fit-and-proper assessments apply to all directors and key management, and disclosure of the parent group's beneficial ownership structure is mandatory.

Every licensed institution must appoint a dedicated Chief Compliance Officer (CCO) and a Money Laundering Reporting Officer (MLRO). Both must be Nigeria-based, CBN-approved, and cannot hold operational line roles simultaneously. The MLRO is the named point of contact with the NFIU for all STR and CTR filings via the goAML platform.

Outsourcing AML functions to a parent institution or shared-service centre does not transfer regulatory responsibility. The CBN's outsourcing guidelines require notification for material arrangements and documented senior management oversight. Where a global compliance platform processes Nigerian customer data outside Nigeria, NDPA 2023 localization requirements apply to the data hosting arrangement.

Reporting timelines are strict: CTRs within 24 hours, STRs within 7 days. Tipping off the subject of an STR is a criminal offence under MLPPA 2022. The NFIU monitors filing patterns; both gaps in coverage and implausibly low STR volumes attract supervisory attention.

Annual compliance reporting is mandatory. The MLRO must submit an annual compliance report to the board and to the CBN. Examination cycles typically cover governance, CDD file quality, STR filing rates relative to transaction volumes, and training records.

Correspondent banking relationships with Nigerian institutions must satisfy FATF Rec 13 (FATF) standards. Given Nigeria's grey-list status, most global correspondents now require updated AML program documentation, independent audit sign-off, and periodic recertification from their Nigerian counterparts before maintaining or extending the relationship.

How FluxForce supports Nigeria compliance

FluxForce helps compliance teams handle the volume and velocity Nigerian supervisors demand: automated CTR flagging at ₦5 million and ₦10 million thresholds, real-time Sanctions Screening against Nigerian and international designation lists, and PEP screening calibrated to Nigeria's large domestic PEP population. Automated STR drafting cuts the time from detection to NFIU submission. Every decision generates a full audit trail, ready for CBN examination. For foreign banks managing grey-list enhanced due diligence requirements, Regulatory Compliance Automation keeps evidence structured and accessible. Book a demo to see how it works in a Nigerian regulatory context.