CBN AML Automation: What Nigerian Fintechs Need to Build Before June 2026

M.K. Onyekwere · 12 min read

You have 89 days.

On March 10, 2026, the Central Bank of Nigeria issued its Baseline Standards for Automated AML Solutions. Every licensed financial institution and fintech operating in Nigeria now has to implement automated anti-money laundering systems — and submit an implementation roadmap to the CBN by June 10, 2026.

This isn't a suggestion. It's a mandatory standard with enforcement teeth.

Here's the thing: 87.5% of Nigerian fintechs already use some form of AI for fraud detection. Most of you have something running. But the CBN isn't asking whether you have AI. They're asking whether you have documented, governed, auditable AML automation with the right compliance framework around it.

That's a different question entirely. And for most fintechs, the answer is no.

What the CBN Actually Requires

The standards cover both technology and governance. You can't build the system and skip the documentation, and you can't write the documentation without building the system.

Here's what needs to be in place:

  • Automated transaction monitoring — real-time detection of suspicious patterns across all transaction types
  • Customer risk scoring — dynamic, AI-driven risk profiles that update as customer behaviour changes
  • Sanctions screening — automated checks against PEP lists, UN sanctions lists, CBN watchlists, and other designated lists
  • Suspicious Activity Report (SAR) generation — automated drafting of reports for the Nigerian Financial Intelligence Unit (NFIU)
  • Regulatory reporting — automated generation of returns and compliance reports
  • Governance framework — documented policies covering model risk, data quality, human oversight, and audit trails

The last bullet is where most fintechs fall short. You might have a transaction monitoring system. But do you have a document that explains how the AI decides what's suspicious? Can you show an auditor the logic? Can you demonstrate human oversight?

What You Need to Build

Let's break this down into components. If you're building from scratch or upgrading an existing system, here's the architecture you're working toward.

1. Transaction Monitoring Engine

This is the core. It needs to:

  • Process transactions in real-time (or near real-time, within minutes)
  • Detect pattern anomalies — unusual transaction volumes, unusual timing, unusual counterparties
  • Apply scenario-based rules (structuring detection, rapid movement of funds, round-tripping)
  • Learn from historical data to reduce false positives over time
  • Handle multiple transaction types: transfers, card payments, mobile money, crypto (if applicable)

A rule-based system alone won't cut it. Traditional AML rules generate false positive rates of up to 95%. Your compliance team spends most of their time clearing alerts that turn out to be nothing. The CBN's standards reference "automated solutions" — they expect machine learning, not just if-then rules.
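The scenario-rule layer named in the list above (structuring detection), as an added example that is not code from the CBN standards or any vendor. The threshold, window, rule id and transactions are constructed assumptions; this is the rule layer that sits beside the machine-learning layer, not a replacement for it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5_000_000          # hypothetical reporting threshold in NGN (assumption)
WINDOW = timedelta(hours=48)   # hypothetical look-back window (assumption)

def detect_structuring(txns, threshold=THRESHOLD, window=WINDOW, min_count=3):
    """Flag customers whose sub-threshold deposits add up to the threshold
    inside one sliding window. Returns a list of alert dicts."""
    recent = defaultdict(deque)            # customer -> deposits still in window
    alerts = []
    for t in sorted(txns, key=lambda t: t["ts"]):
        if t["amount"] >= threshold:
            continue                       # at/above threshold: normal reporting path
        q = recent[t["customer"]]
        q.append(t)
        while t["ts"] - q[0]["ts"] > window:
            q.popleft()                    # drop deposits that aged out
        total = sum(x["amount"] for x in q)
        if len(q) >= min_count and total >= threshold:
            alerts.append({"rule": "STRUCT-01", "customer": t["customer"],
                           "total": total, "txn_ids": [x["id"] for x in q]})
            q.clear()                      # one alert per burst, not per deposit
    return alerts

def sample_transactions():
    """Constructed sample data: C1 splits deposits, C2 is slow, C3 is one large deposit."""
    d = lambda day, hour: datetime(2026, 1, day, hour)
    return [
        {"id": "t1", "customer": "C1", "amount": 1_400_000, "ts": d(5, 9)},
        {"id": "t2", "customer": "C1", "amount": 1_400_000, "ts": d(5, 15)},
        {"id": "t3", "customer": "C1", "amount": 1_400_000, "ts": d(6, 10)},
        {"id": "t4", "customer": "C1", "amount": 1_400_000, "ts": d(6, 14)},
        {"id": "t5", "customer": "C2", "amount": 1_400_000, "ts": d(1, 9)},
        {"id": "t6", "customer": "C2", "amount": 1_400_000, "ts": d(5, 9)},
        {"id": "t7", "customer": "C2", "amount": 1_400_000, "ts": d(9, 9)},
        {"id": "t8", "customer": "C3", "amount": 6_000_000, "ts": d(5, 12)},
    ]

if __name__ == "__main__":
    for alert in detect_structuring(sample_transactions()):
        print(alert)
```

Every alert carries the rule id and the contributing transaction ids, which is what the SAR draft and the audit trail need downstream.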

2. Customer Risk Scoring Model

Static risk scores assigned at onboarding are outdated. The CBN expects dynamic scoring that adjusts based on:

  • Transaction behaviour over time
  • Changes in customer profile (new business activity, new geographies)
  • External risk indicators (adverse media, PEP status changes)
  • Peer group comparison (how does this customer compare to similar customers?)

The model needs to output an explainable score. Not just "high risk" — but why. This matters for the NDPA compliance layer too (more on that below).

3. Sanctions Screening

Automated checks against:

  • CBN watchlists
  • UN Security Council sanctions lists
  • OFAC SDN list (if you handle dollar transactions)
  • EU sanctions lists (if you process euro transactions)
  • PEP databases
  • Adverse media feeds

This needs to run on every new customer at onboarding and on an ongoing basis against existing customers. Lists change. Someone who was clean last month might be designated today.

Fuzzy matching is essential here — names are transliterated differently, spellings vary, aliases exist. A simple exact-match check will miss real hits and the CBN knows it.
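The gap between exact and fuzzy matching described above, as an added example (not code from the CBN standards or a screening vendor). The watchlist entries, customer names and the 0.85 threshold are constructed assumptions; the matcher uses Python's standard difflib, where a production system would normally add phonetic and transliteration-aware matching.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist entries for illustration; not real designations.
WATCHLIST = [
    {"id": "WL-001", "name": "Mohammed Al-Rashid Ibrahim", "aliases": ["Muhammad Alrasheed"]},
    {"id": "WL-002", "name": "Oluwaseun Adébáyò", "aliases": []},
]
THRESHOLD = 0.85  # assumed tuning value; set it from your own backtesting

def exact_match(name):
    """The naive check: string equality against listed names and aliases."""
    return any(name in [e["name"], *e["aliases"]] for e in WATCHLIST)

def normalize(name):
    """Strip accents, case, hyphens and punctuation; return the name tokens."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    plain = plain.lower().replace("-", "")
    return "".join(c if c.isalnum() else " " for c in plain).split()

def _directed(a, b):
    # For each token in a, take its best match in b, then average.
    return sum(max(SequenceMatcher(None, x, y).ratio() for y in b) for x in a) / len(a)

def similarity(query, listed):
    """Order-insensitive score in [0, 1]; each name must cover the other."""
    q, c = normalize(query), normalize(listed)
    if not q or not c:
        return 0.0
    return min(_directed(q, c), _directed(c, q))

def screen(name, threshold=THRESHOLD):
    """Return [(watchlist_id, score)] at or above threshold, best first."""
    hits = []
    for entry in WATCHLIST:
        score = max(similarity(name, n) for n in [entry["name"], *entry["aliases"]])
        if score >= threshold:
            hits.append((entry["id"], round(score, 3)))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for customer in ["Oluwaseun Adebayo", "IBRAHIM Mohamed Al-Rasheed", "Chinedu Okafor"]:
        print(customer, "| exact:", exact_match(customer), "| fuzzy:", screen(customer))
```

Lowering the threshold raises recall and analyst workload together, so the chosen value and the backtest behind it belong in the governance documentation.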

4. SAR Generation

When the system flags a genuinely suspicious transaction, it needs to draft a Suspicious Activity Report for the NFIU. The SAR should include:

  • Customer details and risk profile
  • Transaction details (amount, counterparty, timing, channel)
  • Why the system flagged it (the specific patterns or indicators)
  • Supporting evidence from the customer's history
  • Recommended action

A human compliance officer reviews and submits. But the system does the heavy lifting — gathering the evidence, structuring the report, and presenting the case clearly.

5. Audit Trail and Logging

Every decision the system makes needs to be logged:

  • Every alert generated
  • Every alert cleared (and by whom, with what justification)
  • Every SAR filed
  • Every risk score change
  • Every sanctions screening result
  • Model version and parameters at the time of each decision

This is non-negotiable. When the CBN examiner asks "why did your system clear this alert on January 15?" you need to pull up the exact record, including which version of the model was running and what data it had.
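One way to make that record trustworthy as well as retrievable, as an added example that is not part of the CBN standards: an append-only log in which each entry stores the model version and is chained to the previous entry by SHA-256, so a later edit is detectable. The field names, alert ids, analyst id and model version string are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record

def _digest(record):
    """SHA-256 over the record's canonical JSON, excluding its own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self.records = []

    def append(self, ts, event, alert_id, actor, model_version, detail):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"seq": len(self.records), "ts": ts, "event": event,
               "alert_id": alert_id, "actor": actor,
               "model_version": model_version, "detail": detail, "prev_hash": prev}
        rec["hash"] = _digest(rec)
        self.records.append(rec)
        return rec

    def verify(self):
        """Return the index of the first altered record, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or rec["hash"] != _digest(rec):
                return i
            prev = rec["hash"]
        return None

    def history(self, alert_id):
        """Everything recorded about one alert, in order."""
        return [r for r in self.records if r["alert_id"] == alert_id]

def build_sample_log():
    """Constructed sample entries (hypothetical ids and model version)."""
    log = AuditLog()
    log.append("2026-01-15T09:12:04Z", "alert_generated", "ALERT-1042", "system",
               "txmon-2.3.1", {"rule": "STRUCT-01", "score": 0.91})
    log.append("2026-01-15T14:40:51Z", "alert_cleared", "ALERT-1042", "analyst:a.bello",
               "txmon-2.3.1", {"justification": "Payroll run matched to invoices"})
    log.append("2026-01-16T08:03:10Z", "risk_score_change", "ALERT-1043", "system",
               "risk-1.8.0", {"customer": "C2", "old": 42, "new": 67})
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(log.history("ALERT-1042")[-1], "chain intact:", log.verify() is None)
```

The chain only proves integrity if the latest hash is also stored somewhere the application cannot rewrite, such as write-once storage or a periodically signed checkpoint.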

6. Human Review Workflow

The system flags. Humans decide. You need a proper workflow:

  • Alert queue with priority ranking
  • Assignment to specific analysts
  • Investigation workspace (view the customer's history, related transactions, risk factors)
  • Decision recording (clear, escalate, file SAR)
  • Escalation paths for complex cases
  • Management review for high-risk decisions

No regulator anywhere accepts fully automated decisions on AML without human oversight. The CBN is no exception.

7. Compliance Dashboard

Your Chief Compliance Officer needs visibility:

  • Real-time alert volumes and clearance rates
  • False positive rate trends
  • SAR filing statistics
  • System health metrics
  • Model performance indicators
  • Regulatory reporting status

What It Costs

Let's talk numbers. Two paths: build custom or buy from a vendor.

Custom Build

For a mid-size fintech processing 100,000-500,000 transactions per month:

| Component                       | Cost (NGN) | Cost (GBP)     |
|---------------------------------|------------|----------------|
| Transaction monitoring engine   | ₦3-6M      | £3,000-£6,000  |
| Customer risk scoring           | ₦1.5-3M    | £1,500-£3,000  |
| Sanctions screening integration | ₦1-2M      | £1,000-£2,000  |
| SAR generation module           | ₦500K-1M   | £500-£1,000    |
| Dashboard and reporting         | ₦1-2M      | £1,000-£2,000  |
| Audit trail and logging         | ₦500K-1M   | £500-£1,000    |
| Total build                     | ₦7.5-15M   | £7,500-£15,000 |

Monthly running costs:

  • Cloud hosting and compute: ₦100-200K (£100-200)
  • AI processing (API costs or GPU time): ₦50-150K (£50-150)
  • Sanctions list subscriptions: ₦50-100K (£50-100)
  • Monitoring and maintenance: ₦50-100K (£50-100)
  • Total monthly: ₦250-550K (£250-550)

Vendor Solution

Enterprise AML platforms like ComplyAdvantage, Chainalysis KYT, or NICE Actimize:

  • Annual licence: $30,000-100,000+ depending on transaction volume
  • Implementation: $10,000-50,000 (3-6 month timeline)
  • Customisation: $5,000-20,000 per year for rule tuning
  • Total year one: $45,000-170,000

Vendor solutions are faster to deploy but less flexible. You're locked into their models, their update schedule, and their pricing increases. For many Nigerian fintechs, the custom build makes more financial sense — especially if you need tight integration with existing systems.

The ROI Calculation

Consider what you're spending now on manual AML processes:

  • 5 AML analysts at ₦400K/month each = ₦2M/month (₦24M/year)
  • Manual processes catch fewer suspicious transactions
  • False positive rates eat analyst time
  • Regulatory reporting takes days instead of hours

A ₦10M custom build with ₦400K/month running costs pays for itself within 6-8 months. You don't eliminate the analysts — you reduce from 5 to 2 and they handle genuinely complex cases instead of clearing false positives all day.

The Compliance Layer: Half the Job

Here's where it gets interesting — and where most fintechs get stuck. Building the AML system is half the work. The other half is the compliance documentation that proves it's governed properly.

CBN Governance Framework

The CBN expects documented policies covering:

  • Model risk management — How do you ensure the AI doesn't drift? Who validates model performance? What triggers a model review?
  • Data quality standards — What data feeds the system? How do you ensure data accuracy and completeness?
  • Change management — How are model updates approved and deployed?
  • Testing and validation — How do you test the system before go-live? How do you validate ongoing performance?
  • Incident response — What happens when the system fails or misses something?

These aren't optional add-ons. The CBN's standards explicitly require governance documentation alongside the technology.

NDPA Compliance

Your AML system processes personal data. Transaction histories. Customer identities. Risk scores. Behavioural profiles. The Nigeria Data Protection Act applies.

Here's what you need:

Lawful basis: Legal obligation under CBN regulations. This is straightforward — the CBN mandates AML processing, so you have a legal obligation to do it.

Data Protection Impact Assessment (DPIA): Required because this is high-risk automated processing affecting individuals. The DPIA should cover what data the system processes, the risks to individuals (incorrect flagging, account freezing based on false positives), and the safeguards in place.

Section 37 compliance: If your AML system makes automated decisions that significantly affect customers — freezing accounts, blocking transactions, filing SARs — Section 37 of the NDPA applies. Customers have the right to meaningful explanation and human intervention.

Data Processing Agreements: If you're using cloud-based AI providers (OpenAI, Google Cloud AI, AWS), customer data is leaving Nigeria. You need DPAs in place and cross-border transfer safeguards documented.

Data retention: AML regulations require you to keep records for a prescribed period. The NDPA requires you not to keep data longer than necessary. These can conflict. Document your retention schedule and the legal basis for it.

The CBN Sandbox Angle

If you're in the CBN regulatory sandbox or planning to apply, having comprehensive AML compliance documentation — both the tech governance and the NDPA compliance — significantly strengthens your application. The CBN wants to see responsible innovation. Coming to them with a working AML system AND the full compliance stack shows you're serious.

Building the Implementation Roadmap

The June 10 deadline is for the roadmap, not the finished system. But a weak roadmap is worse than none — it signals you haven't thought this through. Here's what the CBN expects to see:

1. Current State Assessment

Document what you have today:

  • Existing AML processes (manual and automated)
  • Current technology stack
  • Current false positive rates and alert volumes
  • Staffing levels for AML compliance
  • Known gaps and limitations

Be honest. The CBN would rather see a frank assessment of gaps than a varnished picture that falls apart under examination.

2. Target Architecture

Describe what you're building:

  • System components (transaction monitoring, risk scoring, sanctions screening, etc.)
  • Technology choices and rationale
  • Integration points with existing systems
  • Data flows and storage
  • Security architecture

3. Implementation Timeline

Realistic milestones:

  • Month 1-2: Requirements and design, vendor selection (if applicable), data preparation
  • Month 3-4: Core build — transaction monitoring and risk scoring
  • Month 5-6: Sanctions screening integration, SAR generation, testing
  • Month 7-8: Dashboard, reporting, human review workflow
  • Month 9-10: UAT, parallel running alongside manual processes
  • Month 11-12: Go-live, manual process phase-down

The CBN understands this is a 9-12 month build. They want to see that you have a credible plan, not that you've finished.

4. Governance Framework

Document your approach to:

  • Model risk management
  • Data quality and validation
  • Change control
  • Ongoing monitoring and reporting
  • Roles and responsibilities

5. Testing and Validation Plan

How will you prove it works?

  • Backtesting against historical data
  • Parallel running with existing processes
  • False positive and false negative rate targets
  • Independent validation (internal audit or external review)
  • Ongoing model performance monitoring

The Dual Regulatory Problem

Here's what makes this particularly tricky for Nigerian fintechs. You're not dealing with one regulator — you're dealing with two. The CBN mandates the AML system. The NDPC regulates how you handle the personal data that system processes.

Building the system without the NDPA compliance layer means you're satisfying the CBN while creating NDPC exposure. Doing the data protection work without the AML functionality means you're compliant with the NDPA but in breach of CBN standards.

You need both. At the same time. And they need to be consistent with each other.

This is why "we'll sort out compliance later" doesn't work. The compliance requirements should shape the system architecture from day one — not get bolted on after the build is finished.

How We Help

We build AI systems with compliance documentation as standard. For AML automation, that means:

  • The transaction monitoring engine, risk scoring, sanctions screening, and reporting tools — built and deployed
  • The CBN governance framework — documented and ready for submission
  • The NDPA compliance layer — DPIA, Section 37 safeguards, DPAs, data retention policies
  • The implementation roadmap — formatted for CBN submission

We understand both the technology and the regulation. You don't need separate vendors for the build and the compliance — we do both, and we make sure they're aligned.

Custom AML automation builds start at ₦7.5 million (£7,500). Compliance documentation packages for existing systems start at ₦1.5 million (£1,500).

Talk to us about your AML automation project — the June 10 deadline isn't moving.



Frequently Asked Questions

What are the CBN's new AML automation standards?

On March 10, 2026, the Central Bank of Nigeria issued Baseline Standards for Automated AML Solutions. These require all licensed financial institutions and fintechs to implement automated systems for transaction monitoring, suspicious activity detection, customer risk scoring, and sanctions screening. Implementation roadmaps must be submitted to the CBN by June 10, 2026.

How much does AML automation cost for a Nigerian fintech?

For a mid-size fintech, a custom AML automation system costs ₦5-15 million (£5,000-£15,000) to build. Enterprise solutions from vendors like ComplyAdvantage or Chainalysis start at $30,000-50,000/year. Running costs for a custom build are ₦200-500K/month (£200-500) for AI processing, hosting, and sanctions list updates. Most fintechs see ROI within 6 months through reduced manual review costs and faster processing.

Can I use AI for AML transaction monitoring?

Yes, and the CBN's new standards effectively require it. Traditional rule-based systems generate too many false positives (up to 95% in some cases). AI-based systems use machine learning to learn normal transaction patterns and flag genuine anomalies, reducing false positives by 60-80% while catching more actual suspicious activity. The CBN specifically references automated solutions, not just rule-based systems.

Do I need NDPA compliance for my AML system?

Yes. Your AML system processes personal data — transaction histories, customer identities, risk scores. The NDPA applies regardless of the regulatory purpose. You need a lawful basis (legal obligation under CBN regulations), a DPIA because this is high-risk automated processing, DPAs with any cloud AI providers, and compliance with Section 37 if the system makes automated decisions affecting customers (like freezing accounts or blocking transactions).

What happens if I miss the June 10 deadline?

The CBN has enforcement powers including fines, licence conditions, and in serious cases, licence revocation. Given the CBN's increased focus on fintech regulation and the NDPC's parallel enforcement of data protection, non-compliance with AML automation standards creates dual regulatory risk. Submitting a credible implementation roadmap by June 10 is the minimum requirement.
