The Central Bank of Nigeria (CBN) has issued new rules to strengthen security and improve customer control over instant payment services, including mobile and internet banking.
The guidelines, which will take effect on July 1, were contained in a circular dated March 12 and signed by Musa Jimoh, director of the payments system policy department at the CBN.
In the circular addressed to all banks and payment service providers, the CBN said the measures are aimed at reducing fraud and giving customers greater control over how they transact digitally.
Under the new framework, all financial institutions offering instant payments must provide customers with the option to opt in or opt out of the service at any time, with default enrolment set to opt-in for new customers.
“Customers shall have the option to opt out of or opt in to IP services at any time and for any given period. This process shall be subject to Multi-Factor Authentication (MFA) control. The default setting shall be opt-in upon onboarding a new customer,” the CBN said.
“In the opt-out mode, a customer will not be able to carry out online instant transfers of funds (intra- or inter-bank) from their account to another customer. However, the customer can physically visit the financial institution to effect a transfer during this period.”
The CBN also said customers will be allowed to adjust transaction limits within the existing caps of N25 million for individuals and N250 million for corporate accounts, provided financial institutions conduct enhanced due diligence before approving the changes.
“Any such adjustment shall be subject to enhanced due diligence and appropriate risk assessment by the financial institution,” the circular added.
“The new transaction limit shall take effect immediately upon the successful completion of multi-factor authentication and customer consent.”
CBN directs banks to implement multi-factor authentication
The CBN also directed banks and payment providers to implement enterprise fraud monitoring systems to track inflows and outflows, ensuring suspicious transactions are flagged and restricted.
In addition, the financial regulator said online account openings and reactivations must now include “liveness checks” against the Bank Verification Number and National Identification Number databases.
Enhanced authentication measures such as multi-factor authentication and biometric verification must also be applied to validate account access.
Liveness checks are a type of authentication that require users to interact with their device such as blinking, smiling, turning their head, or speaking to prove they are physically present.
For mobile financial services, the CBN mandated device binding, restricting app usage to a single device at a time.
“Mobile financial services applications shall only be enabled on one device at a time, and customers cannot operate the apps concurrently on multiple devices,” the apex bank said.
“Migration to another device shall trigger automatic reactivation and authentication. For new accounts, transaction limits (inflow and outflow) shall be imposed on a newly activated mobile financial services app within the first 24 hours of activation.
“The limit shall be determined by the financial institution, subject to a maximum transaction limit of N20,000.
“For existing accounts, transaction limits (outflow) shall be imposed on a newly activated mobile financial services app within the first 24 hours of activation. The limit shall be determined by the financial institution, subject to a maximum transaction limit of N20,000.
“For internet banking access, the first-time log-in on a new device shall require additional MFA.”
The CBN said the new provisions set the minimum standard for instant payments in Nigeria and reflect its ongoing mandate to enhance customer protection, strengthen fraud detection, and improve control over digital payment services.
