Nigeria’s financial sector is preparing for one of its most significant regulatory changes in recent years. The Central Bank of Nigeria has issued a directive requiring all banks, fintech companies, mobile money operators, and other licensed payment operators to store and manage payment transaction data generated within Nigeria on local servers, with a firm deadline of January 1, 2027, for full compliance.
The directive was contained in a circular signed by Rakiya O. Yusuf, Director of the Payments System Supervision Department, and was addressed to deposit money banks, microfinance banks, mobile money operators, switching and processing companies, payment terminal service providers, payment solution service providers, super agents, and other licensed payment operators across the country. The apex bank has stated clearly that it will monitor compliance and impose supervisory sanctions on any institution that fails to meet the requirement.
ALSO SEE:Why Nigeria’s Central Bank Mentioned Stablecoins 68 Times in Its New Payments Blueprint
Beyond data storage, the circular also introduced market structure requirements designed to prevent dangerous concentration of power within the payments ecosystem. Under the new framework, any single institution that controls more than 25 percent of the card-issuing market within any rolling 12-month period will not be permitted to simultaneously hold more than 15 percent of the merchant-acquiring market during the same window. The reverse also applies, with merchant-acquiring dominance capped against card-issuing activity. These market structure rules carry a slightly earlier deadline of December 31, 2026, one day before the data localisation requirement kicks in.
The CBN has framed the broader package of measures as a necessary response to structural risks that have quietly accumulated as Nigeria’s digital payments market expanded at pace. The rapid growth of electronic transactions, mobile banking, and digital wallets has produced a handful of dominant operators whose scale now raises concerns around market concentration, operational dependence, and the sovereignty of critical financial data. The regulator has also introduced a separate requirement compelling all financial institutions with digital payments operations to disclose the ultimate beneficial ownership of significant shareholders, with accurate records to be made available to the CBN on request.
The compliance challenge facing the industry is real and immediate. For institutions that currently rely on offshore cloud infrastructure through global providers, full compliance will mean either migrating workloads to local data centres or negotiating local availability zones within Nigeria with those same providers, and neither option is simple or cheap. The costs cut across capital expenditure on local storage infrastructure, ongoing operational and security audit requirements, and the live migration risk of transferring active transaction data without disrupting payment systems that millions of Nigerians depend on every day.
The burden falls unevenly across the industry. Larger banks with existing technology infrastructure have a manageable, if uncomfortable, runway to the January 2027 deadline. For smaller fintechs, super agents, microfinance banks, and payment solution service providers, the directive sets a firm compliance clock without any accompanying framework on how costs will be absorbed or whether technical support will be made available. That gap is one the regulator will likely need to address as the deadline draws closer.
Nigeria’s move mirrors similar data localisation pushes by regulators in India, Kenya, and other markets seeking to assert domestic jurisdiction over the financial data of their citizens. What remains unclear from the circular is whether international cloud providers that operate local availability zones physically inside Nigeria will qualify as compliant infrastructure. That single clarification could significantly alter the cost and feasibility calculation for a large portion of the payments industry, and the CBN will need to provide that guidance well before compliance planning can be finalised across the sector.
