Barrister and Solicitor of the Supreme Court of Nigeria, Lydia Ehisuoria Ohonsi, Esq.
ABSTRACT
On 12 March 2026, the Central Bank of Nigeria (CBN) issued three separate circulars to banks, other financial institutions, and payment service providers, constituting the most comprehensive overhaul of Nigeria’s digital banking regulatory architecture in recent years. The directives address three distinct but interconnected domains: the operational standards for instant payment services; the framework governing Bank Verification Number (BVN) operations and fraud watchlisting; and the management of dormant accounts, unclaimed balances, and other financial assets. This article provides a systematic legal analysis of each circular, examining the statutory basis for the CBN’s powers, the rights and obligations created for financial institutions and their customers, and the constitutional, consumer protection, and data privacy dimensions of the new regime. It argues that while the directives represent a welcome and overdue tightening of Nigeria’s digital financial infrastructure against the surge in electronic fraud, several aspects of the framework raise unresolved tensions with constitutional rights to fair hearing, property, and privacy that demand careful judicial and legislative attention.
Keywords: CBN circulars; Bank Verification Number; instant payment services; dormant accounts; BOFIA 2020; Nigeria Data Protection Act 2023; fraud watchlist; constitutional property rights; right to fair hearing; financial inclusion
1. INTRODUCTION
The Central Bank of Nigeria occupies a position of supreme regulatory authority over Nigeria’s banking and financial system, a role conferred and circumscribed by the CBN Act and reinforced by the Banks and Other Financial Institutions Act 2020 (BOFIA 2020). The exercise of this authority through circulars and guidelines — the preferred instrument of apex bank regulation — has produced a dense and rapidly evolving body of secondary financial law governing the daily operations of every bank, fintech, and payment service provider in the country.
On 12 March 2026, the CBN released three circulars in quick succession, each targeting a distinct vulnerability in Nigeria’s digital financial ecosystem. The first established minimum operational standards for instant payment services. The second amended the regulatory framework for BVN operations, introducing a fraud watchlist mechanism and new enrolment conditions. The third revised the guidelines on dormant accounts, unclaimed balances, and other financial assets, removing certain procedural barriers while imposing enhanced disclosure obligations on financial institutions.
The regulatory backdrop against which these circulars emerge is instructive. Fraud losses in Nigeria’s banking system rose by 603% year-on-year in Q1 2025 alone, reaching N3.29 billion across over 12,000 reported cases. Social engineering attacks, SIM-swap fraud, Authorised Push Payment (APP) scams, and insider compromise have exploited gaps in identity verification and device security, driving the CBN to introduce the layered technical and procedural safeguards now codified in the March 2026 circulars. The legal implications of these safeguards — for financial institutions, their customers, and the Nigerian legal order more broadly — form the subject of this analysis.
2. THE STATUTORY AND REGULATORY FRAMEWORK
The CBN’s power to issue the three circulars derives from a constellation of primary legislation. Section 9 of BOFIA 2020 empowers the CBN to issue directives with which all financial institutions operating in Nigeria must comply. Section 72(11) of the same Act specifically authorises the CBN to make guidelines for the administration of unclaimed funds held by financial institutions — the direct statutory basis for the dormant accounts circular. The CBN Act further confers a general mandate to promote a sound financial system, which the courts have consistently interpreted as a broad enabling power for regulatory action.
Layered upon this financial services architecture are two statutes of general application with significant implications for the new rules. The Nigeria Data Protection Act 2023 (NDPA 2023) governs the processing and disclosure of personal data, including by financial institutions acting under regulatory compulsion. The Constitution of the Federal Republic of Nigeria 1999 (as amended) (CFRN 1999) guarantees the rights to fair hearing (Section 36), privacy (Section 37), and property (Section 44) — rights that are engaged, to varying degrees, by each of the three circulars.
3. MINIMUM OPERATIONAL STANDARDS FOR INSTANT PAYMENT SERVICES
3.1 Overview of the New Standards
The first circular introduces a suite of minimum-security requirements for instant payment services, taking effect from 1 July 2026. Its principal measures are: (a) a mandatory voluntary opt-out mechanism for instant transfers, operable through multi-factor authentication; (b) real-time validation of all digitally onboarded accounts against the BVN and NIN databases, accompanied by liveness checks; (c) the binding of mobile financial services applications to a single device at a time; and (d) a transaction cap of N20,000 on both inflows and outflows for new accounts, and on outflows for existing accounts migrating to a new device, within the first 24 hours of activation.
3.2 The Opt-Out Mechanism and Consumer Rights
The introduction of a voluntary opt-out feature for instant transfers is a significant and welcome departure from the prior regulatory landscape, which effectively required all account holders to remain permanently enrolled in the instant payment system. The legal significance of this provision lies in its recognition of customer autonomy over one’s own digital financial profile — a principle with roots in the CBN Consumer Protection Framework of 2016 and, more broadly, in the right to freedom from compelled financial exposure. A customer who opts out of instant payment services is effectively rendered incapable of performing online instant transfers — whether intra-bank or inter-bank — for the duration of the opt-out.
Financial institutions must therefore ensure that their customer service infrastructure provides adequate notice of this consequence before processing opt-out requests. The Federal Competition and Consumer Protection Act 2018 (FCCPA) impose obligations on service providers to ensure consumers are fully informed before exercising rights that may limit their access to services. A failure to discharge this notice obligation may expose a financial institution to regulatory sanction under both the FCCPA and the CBN’s Consumer Protection Framework.
3.3 Device Binding, Liveness Checks, and Biometric Identity Assurance
The requirement that mobile banking applications operate on only one device at a time represents a fundamental restructuring of the device access paradigm in Nigerian digital banking. Previously, users could operate banking apps simultaneously on multiple devices — a vulnerability actively exploited through SIM-swap attacks and account takeover schemes. Device binding creates an immutable link between a banking profile and a single physical device, such that any migration to a new device automatically triggers full re-authentication before access is restored.
The liveness check requirement — compelling users to interact physically with their device through blink detection, head movement, or speech recognition to confirm biological presence — introduces a biometric layer of identity assurance into the account opening and reactivation process. All such accounts must also be validated in real time against the BVN and NIN databases. This dual-database validation requirement operationalises the multi-layered identity architecture linking Nigeria’s financial sector with the National Identity Management Commission (NIMC) system established under the NIMC Act.
The N20,000 transaction cap in the first 24 hours of device activation engages the right of account holders to full and unrestricted access to their own funds — a right grounded in the banker-customer contractual relationship and the implied term, recognised in Joachimson v Swiss Bank Corporation, that a bank shall honour its customer’s instructions without unreasonable restriction. The CBN’s authority to impose temporary transaction limits as a measure of general application is, however, well established, and will likely withstand challenge provided the limits remain proportionate and time-limited, as they presently are. Financial institutions must ensure that the cap is prominently communicated to customers at the point of device migration so as not to generate legitimate grievances arising from unexpected transactional limitations.
4. AMENDMENTS TO THE BVN REGULATORY FRAMEWORK: WATCHLISTS, AGE LIMITS, AND DATA ACCESS
4.1 The Temporary Fraud Watchlist
The most operationally significant change introduced by the BVN addendum is the creation of a temporary fraud watchlist. Financial institutions are now required to establish and maintain a watchlist for BVNs implicated in suspected fraudulent transactions reported by any financial institution in the system. A BVN placed on this watchlist may remain flagged for a maximum of 24 hours, during which the institution must contact the BVN owner for clarification. The mechanism is designed to enable swift, system-wide fraud response while limiting exposure to the risk of permanent or disproportionate restriction on a customer’s financial identity.
The legal implications are considerable. The watchlist mechanism permits a de facto temporary restriction on a customer’s financial identity — and potentially on transactions across all accounts linked to that BVN — on the basis of suspicion, without prior notice, judicial authorisation, or formal determination of wrongdoing. This engages Section 36(1) of the CFRN, which guarantees the right to fair hearing in the determination of civil rights and obligations. The courts have confirmed that this right extends beyond formal court proceedings to encompass any administrative determination affecting civil rights.
The CBN has, to its credit, capped the watchlist period at 24 hours and mandated customer contact within that window. These safeguards go some way toward satisfying the procedural fairness requirement. However, the absence of a formal right of objection or expedited appeal within the framework remains a notable gap. A customer who is wrongly watchlisted — whether through misidentification, erroneous reporting, or bad faith — has no clearly defined internal or external remedy within the circular’s current terms. A formal objection mechanism, mirroring the administrative review procedures available under other CBN compliance regimes, should be incorporated into the framework as a matter of priority.
4.2 The New Age Requirement: BVN Enrolment Restricted to 18 and Above
The circular restricts BVN enrolment to individuals who have attained the age of eighteen years, bringing the BVN system into alignment with the legal age of majority under Nigerian law. This change, while intelligible as a measure to tighten identity verification, creates a regulatory gap that the CBN has not yet addressed: what becomes of the millions of minors who currently hold junior savings accounts, students’ accounts, and other products designed for persons under 18? Since BVN linkage is mandated for all bank account tiers, the exclusion of under-18s from BVN enrolment effectively leaves a significant segment of the financially active youth population in a regulatory no-man’s land, inconsistent with both the Child Rights Act 2003 and the CBN’s own financial inclusion objectives.
4.3 Restricted Database Access and the Data Privacy Dimension
The circular reinforces the principle that access to the BVN database is exclusively reserved for CBN-licensed financial institutions. From a data protection standpoint, this restriction is consonant with the principle of data minimisation under the NDPA 2023, which requires that personal data be processed only to the extent necessary for the specified lawful purpose. The concern lies in the breadth of the CBN’s discretionary exception: access may be granted in ‘extenuating circumstances and in accordance with the provisions of extant laws’ — language sufficiently broad to permit access by non-licensed entities, including government agencies exercising statutory powers, without clear procedural safeguards or notification requirements for affected data subjects.
The single phone number amendment rule — limiting BVN-linked phone number changes to once only — is a targeted measure against the serial identity manipulation that has enabled fraudsters to re-profile BVNs across multiple accounts. Its legal effect is to impose a quasi-permanent consequence on a customer’s financial identity based on a single administrative act, raising questions about the appropriate remedy where a customer’s phone number must legitimately be changed more than once — for example, following network operator-initiated deactivation or device loss. The absence of any formal exception procedure in the current framework warrants early regulatory attention.
5. DORMANT ACCOUNTS, UNCLAIMED BALANCES, AND THE UBTF: A LEGAL APPRAISAL
5.1 The Revised Reactivation Framework
The third circular, which takes immediate effect and replaces the earlier circular of 17 February 2025, introduces two principal changes to the dormant account reactivation framework. First, it removes the mandatory affidavit requirement for reactivating dormant accounts that have not yet been transferred to the Unclaimed Balances Trust Fund (UBTF) Pool Account. Second, it permits financial institutions to accept reactivation requests through alternative channels — including digital means — provided that robust identity verification and risk management procedures are implemented to confirm the identity of the requesting party.
The removal of the affidavit requirement represents a meaningful reduction in the procedural burden on ordinary Nigerians seeking access to their own funds after a period of account inactivity. The affidavit — a sworn statement before a Commissioner for Oaths or Notary Public — imposes costs in time, money, and legal literacy that are disproportionately burdensome for low-income account holders in rural and semi-urban areas. The CBN has commendably heeded stakeholder representations on this point. However, the removal does not diminish the enhanced due diligence obligations of financial institutions; banks must continue to verify the accuracy and authenticity of all customer information presented. For funds already transferred to the UBTF Pool Account, the affidavit requirement remains fully in force.
5.2 The UBTF Pool Account and the Constitutional Property Rights Question
The Unclaimed Balances Trust Fund Pool Account, established pursuant to Section 72(11) of BOFIA 2020, is the legal repository to which dormant account balances and other unclaimed financial assets are transferred after the stipulated period of inactivity. Funds in the UBTF are to be invested by the CBN in Nigerian Treasury Bills and other approved securities, with principal and accrued interest held in trust for the rightful beneficiaries and refunded within ten working days of a verified claim.
The constitutional property rights dimension of this framework merits careful attention. Section 44(1) of the CFRN prohibits the compulsory acquisition of movable property except in the manner prescribed by law and with prompt compensation. The transfer of dormant account balances to the UBTF is not, strictly speaking, a compulsory acquisition — the beneficial ownership of the funds remains with the account holder, and the CBN holds them as trustee. However, the practical inaccessibility of funds during the transfer process, and the imposition of the affidavit requirement as a condition of reclaiming funds already in the UBTF, represent procedural obstacles that may in individual cases amount to a de facto deprivation of timely access to one’s own property — an outcome that sits uncomfortably with the constitutional guarantee, even if it does not formally constitute a compulsory acquisition.
5.3 Mandatory Disclosure, Public Notice, and the Data Privacy Tension
The disclosure obligations introduced by the circular impose the most significant new burden on financial institutions in the dormant accounts’ framework. Banks must now publish, on their operational websites and annually in at least two national daily newspapers, the names of account holders, account types, institution names, and branch addresses for dormant accounts not yet transferred to the UBTF, and for unclaimed balances already so transferred.
The CBN has sought to pre-empt the obvious data privacy objection by expressly invoking Section 25(1)(b) of the NDPA 2023, which permits the processing of personal data where necessary for compliance with a legal obligation or for the protection of the vital interests of the data subject. It has also cited Section 72(11) of BOFIA 2020 as the direct statutory authorisation for the disclosure regime, characterising publication as a transparency measure aimed at reuniting dormant funds with their rightful owners.
Notwithstanding these justifications, the mandatory public disclosure of account holder names in national newspapers raises a live tension with the NDPA 2023’s requirements of necessity and proportionality and with Section 37 of the CFRN, which guarantees every citizen’s right to privacy in their personal affairs. The fact that a person’s account has become dormant — whether through death, incapacity, economic hardship, or mere neglect — is sensitive personal and financial information. Publication of that fact in national newspapers, even in the limited form permitted by the circular, may stigmatise account holders, expose them to targeted fraud, and constitute a disproportionate interference with the right to privacy, particularly given that the CBN’s own website and the NIBSS infrastructure already offer fewer invasive means of reuniting unclaimed funds with their owners. The CBN’s reliance on Section 25(1)(b) of the NDPA as a blanket justification is arguably too broad; the Act requires not merely a lawful basis, but a demonstration that the processing is necessary and proportionate to the stated purpose — a demonstrably higher standard than mere statutory authorisation.
6. ENFORCEMENT, SANCTIONS, AND THE COMPLIANCE ARCHITECTURE
Each of the three circulars carries the implicit weight of the CBN’s enforcement authority under BOFIA 2020. Section 12 of BOFIA empowers the CBN to revoke the licence of any financial institution that fails to comply with a directive, while Sections 66 and 67 provide for civil monetary penalties for non-compliance with regulatory requirements. The graduated implementation dates — instant payments standards from 1 July 2026, BVN amendments from 1 May 2026, and the dormant accounts framework with immediate effect — reflect a calibrated approach to compliance sequencing that allows financial institutions adequate time to reconfigure their systems without simultaneous exposure across all three regulatory frontiers.
The enterprise fraud monitoring obligation introduced by the instant payments circular — requiring all financial institutions to deploy systems capable of tracking suspicious inflows and outflows in real time — significantly raises the compliance bar. The capital and operational cost implications of these requirements may inadvertently accelerate market consolidation in Nigeria’s payments industry, particularly among smaller mobile money operators and fintech companies whose infrastructure budgets are less able to absorb the costs of rapid system upgrades. This structural effect on market competition is one the CBN should actively monitor alongside its primary fraud-reduction objectives.
7. CRITICAL APPRAISAL: STRENGTHS, GAPS, AND RECOMMENDATIONS
The March 2026 circulars represent a commendable and technically sophisticated regulatory response to the alarming escalation of digital financial fraud in Nigeria. The device binding rule, liveness check requirement, BVN fraud watchlist, and dual-database validation measures collectively close significant loopholes that fraudsters have exploited at scale. The removal of the affidavit requirement for dormant account reactivation reflects responsiveness to stakeholder concern and a recognition of the consumer protection dimension of dormant account governance.
Four areas of concern nonetheless emerge from this analysis. First, the BVN watchlist framework lacks adequate procedural safeguards: the circular provides no formal mechanism for a customer to object to, or seek expedited review of, a watchlist designation beyond the informal 24-hour clarification process. A formal right of objection — mirroring the administrative review procedures available under other CBN compliance regimes — should be incorporated into the framework without delay.
Second, the age restriction on BVN enrolment creates an unaddressed financial inclusion gap for minors in the banking system. The CBN should issue supplementary guidance on the identity and account management framework applicable to persons under 18 who are already banked or seek to open accounts, in a manner consistent with the Child Rights Act 2003 and the CBN’s own financial inclusion targets.
Third, the mandatory newspaper publication of dormant account holder details requires more rigorous engagement with the NDPA 2023’s proportionality requirements. The CBN should restrict newspaper publication to cases where digital means have demonstrably failed to reunite funds with their owners, thereby minimising the privacy intrusion to the minimum necessary for the legitimate purpose pursued. This tiered approach would align the disclosure regime with the data minimisation principle and reduce the risk of constitutional challenge under Section 37 of the CFRN.
Fourth, the one-time phone number amendment restriction on BVNs, while understandable as an anti-fraud measure, requires a clear and accessible exception process for customers who face legitimate reasons for more than one number change. The absence of any such process in the current framework risks penalising genuine customers and warrants immediate regulatory attention through supplementary guidance or a formal waiver procedure.
8. CONCLUSION
The CBN’s triple circulars of 12 March 2026 represent a landmark moment in the evolution of Nigeria’s digital financial regulatory architecture. Taken together, they construct a more robust, layered, and technically sophisticated framework for the governance of instant payments, customer identity verification, and dormant account administration — one that is better aligned with the realities of a rapidly digitising financial system under severe fraudulent pressure.
Yet regulation is only as strong as its legal foundations are sound. The constitutional right to fair hearing demands that the BVN watchlist mechanism be accompanied by formal procedural safeguards affording affected customers a meaningful right of objection. The right to privacy commands that mandatory disclosure of dormant account information be proportionate and not more invasive than necessary to achieve its purpose. The financial inclusion imperative requires that the age-based restriction on BVN enrolment be matched with a coherent framework for minor account holders. And the banker-customer relationship demands that the N20,000 transaction cap be clearly communicated as a temporary and proportionate security measure rather than a permanent restriction on access to funds.
Nigeria’s banking sector stands at an inflection point where the imperatives of security, inclusion, and rights-based governance must be held in productive tension. The CBN has taken a bold and necessary step. The law must now ensure it is a step taken on firm constitutional ground — and that the rights of Nigeria’s banking public are not sacrificed at the altar of regulatory efficiency.
Lydia Ehisuoria Ohonsi, Esq.
Barrister and Solicitor of the Supreme Court of Nigeria
About the Author
