Follow Us on Google
By Uzodinma Onyewuchi
The Central Bank of Nigeria (CBN) is intensifying its fight against internet fraud with a recent guidance it issued on instant payment operations. The guidelines as contained in this policy document introduce sweeping measures to strengthen Instant Payment (IP) operations, enhance security protocols, improve consumer protection, and align with global best practices.
These new rules for instant payment services, will hopefully curb electronic fraud and give customers greater control. These rules allow customers to voluntarily disable instant transfers on their accounts for any period, though they may still make transfers in person at the bank.
In a recent circular, the CBN stated that the opt-in and opt-out processes must be protected with multi-factor authentication. Similarly, all new accounts are expected to be automatically enrolled in instant payments, but customers can later change this preference.
On the part of banks, they are also expected to mandatorily comply with the directive and allow customers to set lower personal transaction limits, subject to verification and risk assessment, while existing regulatory ceilings remain unchanged. Furthermore, financial institutions are required to deploy real-time enterprise fraud monitoring systems and strengthen identity verification for online account opening and reactivation.
The apex bank further directed that mobile banking apps may only be linked to one device at a time, and when activated on a new device, they will carry a temporary N20,000 transaction limit for the first 24 hours.
Under the existing framework, Financial institutions are not mandated to provide a feature in their mobile banking applications that enables customers to voluntarily opt in or out of IP services.
The new guidelines, however, require FIs to allow customers to opt out at any time, subject to Multi-Factor Authentication (MFA).
By the provisions of the new guidelines customers will be onboarded in opt-in mode by default. While opted out customers cannot perform instant online fund transfers from their accounts. However, such transfers remain available via a physical branch visit.
Prior to establishing the guidelines, the maximum transaction limits of N25,000,000.00 for individuals and ₦250,000,000.00 for corporate entities, were fixed, with no option for customers to set personalized limits within those thresholds.
The guidelines will subsequently allow both individuals and corporate entities to adjust these limits as needed, subject to enhanced due diligence and appropriate risk management by the FI.
To ensure security, the new transaction limit takes effect only after the customer completes Multi-Factor Authentication (MFA).
Financial analysts aver that the guidelines also take care of situations where a customer seeks to open an account online or reactivate an online account in which case the following enhanced security measures shall apply:
liveliness check of the online account;
Other News
real-time validation of BVN/NIN database for online account openings/reactivations;
enhanced authentication mechanisms such as biometric authentication, soft tokens, and hard tokens for online account reactivations.
They also define a liveliness check as a biometric security measure which confirms that a user is a live, physically present human rather than a photo, video, or deepfake—by analyzing facial traits like skin texture, eye movement, and depth during remote onboarding or transactions, thereby preventing spoofing attacks.
The guidelines also have an inbuilt fraud monitoring functionality that mandates Fis to implement and activate enterprise-wide fraud monitoring functionality covering both in-flows and out-flows. This measure restricts suspicious transactions in real-time while enabling prompt fraud detection and response.
In the old-order framework, customers can use their mobile banking application concurrently on multiple devices. But the new guidelines restrict mobile banking applications to one active device at a time, prohibiting concurrent use across devices. Switching to a new device triggers automatic deactivation of the previous one, followed by re-activation and authentication.
The CBN in these guidelines, introduces the following measures for mobile financial services applications and internet banking:
New account owners: upon activation of a mobile banking application, inflow and outflow transactions are limited for the first 24 hours, and FI’s shall set the limit not to exceed N20,000.00 (Twenty Thousand Naira).
Existing account owners: Upon activation of a mobile banking application, outflow transactions are limited for the first 24 hours, and FI’s shall set the limit not to exceed N20,000.00 (Twenty Thousand Naira)
Interestingly, first-time login on a new device for internet banking requires enhanced Multi-Factor Authentication (MFA).
It is pertinent to emphasise the relevance of these guidelines in the fight against internet fraud and related infelicities that tend to lower customer confidence in the financial system.
It is also important to commend the Central Bank of Nigeria’s (CBN) for its foresight in putting in place these new Guidelines on Instant Payment Functionalities for Financial Institutions as it mark a significant advancement in safeguarding digital transactions nationwide.
From that date (1 July 2026), financial institutions (FIs) must implement these measures. Among other requirements, the guidelines necessitate comprehensive security and Data Protection Impact Assessments (DPIAs) to ensure compliance with the Nigeria Data Protection Act 2023 particularly resulting from mandatory features like multi-factor authentication (MFA), facial recognition, and continuous transaction monitoring.
• Onyewuchi writes from Magnificat Synergy, Abuja
