Governance and Policy ManagementNigeria’s CBN Data Localisation Directive: What Banks and Fintechs Must Do Before 2027
On June 15, 2026, the Central Bank of Nigeria (CBN) released circular PSS/DIR/PUB/CIR/001/004, and it changed the compliance calculus for every payment service provider operating in the country. Banks, fintechs, mobile money operators, and switching companies now have until January 1, 2027 to ensure that all payment transaction data generated within Nigeria is stored and managed on local servers, in line with Nigerian data protection laws. The directive also introduces ultimate beneficial ownership (UBO) disclosure requirements, market concentration caps, and systemic oversight measures that reshape how the CBN supervises critical payment infrastructure.
For compliance teams, this is not a distant regulatory signal. It is a live obligation with a hard deadline.
What the Circular Actually Says
The circular, signed by Rakiya Yusuf, Director of Payments System Supervision, was addressed to deposit money banks, microfinance banks, mobile money operators, switching companies, payment terminal service providers, super agents, and all other licensed payment operators. It covers four distinct areas:
Data Localisation. All entities facilitating payment transactions in Nigeria must store and process that data within the country’s borders. Any organisation currently relying on offshore cloud infrastructure, foreign data centres, or cross-border processing arrangements must restructure before January 1, 2027. The CBN stated plainly: “All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payment transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria.”
Ultimate Beneficial Ownership Disclosure. Payment operators must disclose the individuals who ultimately own or control them, even where ownership is layered through holding companies or complex corporate structures. Institutions must maintain accurate, up-to-date UBO records and make them available to the CBN on request. This requirement must align with existing anti-money laundering and counter-terrorism financing regulations.
Market Structure Limits. The circular introduces hard concentration caps: no single institution can hold more than 25% of the card issuing market while simultaneously holding more than 15% of the merchant acquiring market, and vice versa. All affected institutions must submit monthly market share returns to the CBN. The market structure compliance deadline is December 31, 2026, one day before the data localisation requirement kicks in.
Systemic Oversight Measures. Certain payment service providers, those whose scale makes them critical to the functioning of Nigeria’s financial system, will face enhanced supervisory scrutiny. The CBN has signalled that it will monitor compliance closely and impose supervisory sanctions where necessary.
The Rationale Behind the Directive
The CBN’s own framing is instructive. The regulator noted that Nigeria’s payments sector has seen “significant structural developments characterised by rapid growth in electronic payments, increasing adoption of digital financial services, and the emergence of operators with substantial market presence across key payment activities.” It acknowledged that this growth improved financial inclusion and innovation, but also created concerns around market concentration, operational dependence, ownership transparency, and the storage of critical payment data.
There is a practical regulatory dimension too. When payment data sits on servers in the United States or Europe, the CBN cannot access it directly during a fraud investigation or a financial crime inquiry. It must go through foreign companies or foreign legal processes, adding time, cost, and uncertainty to every supervisory action. Localisation removes that bottleneck by keeping data within Nigerian jurisdiction.
The Association of Licensed Telecommunications Operators of Nigeria (ALTON) has backed the directive. ALTON Chairman Gbenga Adebayo pointed out that hosting data outside the country increases communication latency and retrieval costs for every transaction, and that local hosting means paying in naira rather than foreign currency, reducing the forex exposure that currently inflates many tech infrastructure contracts. He also dismissed concerns about infrastructure readiness, noting that Nigeria already has approximately six Tier III data centres, some of which currently host data for organisations in other jurisdictions.
What This Means for Compliance Teams
The compliance implications cut across technology, legal, and operational functions simultaneously.
Infrastructure review. Any organisation using foreign cloud providers, AWS, Google Cloud, Azure, or equivalent, to store transaction data must determine whether that infrastructure can be reconfigured to meet local storage requirements, or whether migration to Nigerian-hosted alternatives is necessary. One open question the circular has not yet answered is whether international cloud providers operating local availability zones within Nigeria would qualify as compliant infrastructure, a distinction that significantly changes the cost calculus for many firms and one the CBN will need to clarify.
Contract review. Existing agreements with offshore data processors and cloud vendors likely contain terms that conflict with this directive. Compliance and legal teams need to identify those contracts now, not in December 2026.
UBO mapping. For payment companies with layered ownership structures, particularly foreign-backed players like Flutterwave and Paystack, which are ultimately controlled by foreign investors, producing an accurate and auditable UBO disclosure requires gathering information across multiple entities and jurisdictions. This process takes longer than most organisations expect.
Data protection alignment. The directive explicitly requires that localised data be managed in line with Nigerian data protection laws, which means the Nigeria Data Protection Act 2023 (NDPA) is directly in scope. Organisations that have not yet completed their NDPA compliance framework need to address both obligations in parallel. The NDPA governs how personal data, including payment transaction data, is collected, stored, processed, and protected, so the CBN directive and the NDPA are not separate compliance tracks; they are the same track.
Market share reporting. Institutions must begin submitting monthly market share returns to the CBN. For organisations currently operating across multiple payment segments, this means building a reporting infrastructure that does not yet exist in most compliance teams.
The Broader Regulatory Picture
This directive does not exist in isolation. It sits alongside the NDPA 2023, the CBN’s existing cybersecurity frameworks for financial institutions, the Financial Action Task Force (FATF) recommendations on beneficial ownership, and the NITDA regulatory environment. Taken together, the direction is clear: Nigeria is asserting sovereign control over its financial data infrastructure, and that posture is only going to deepen.
For organisations still in the early stages of their compliance programmes, this is the moment to build properly, not to patch. Complyan’s compliance platform is built specifically for Nigerian regulatory requirements, helping financial institutions and fintechs structure their data governance, NDPA obligations, and regulatory reporting in one place rather than managing disconnected workstreams.
The January 2027 Timeline
The CBN has been explicit: it will monitor compliance and impose sanctions on defaulting institutions. Nigeria’s regulator has shown increasing willingness in recent years to follow through on enforcement across AML, foreign exchange controls, and consumer protection. The December 31, 2026, and January 1, 2027 deadlines are consecutive, and the window between today and those dates is narrower than it appears when infrastructure migration, contract renegotiation, and UBO mapping are all on the same compliance list.
Payment service providers that start this work now have a workable path to full compliance. Those who defer into the second half of 2026 will find themselves making rushed decisions on infrastructure that should have been thought through carefully, and facing a regulator that has already said it is watching.