CBN Orders Banks and Fintechs to Store Payment Data Locally, Sets January 2027 Deadline

The Central Bank of Nigeria has directed banks, fintech firms, and other payment service providers to store payment transaction data generated within the country on local servers, effective January 1, 2027, as part of new measures to strengthen oversight of the fast-growing digital payments ecosystem. The apex bank issued the directive on Monday, targeting every major player in Nigeria's financial system and signaling a sweeping shift in how the country handles its most sensitive financial records.

This is not a routine circular. It is one of the most consequential data governance directives Nigeria's financial sector has seen in years.

CBN's Circular: What the Directive Actually Says

The directive was contained in a circular issued by the apex bank on Monday and signed by the Director of the Payments System Supervision Department, Rakiya O. Yusuf.

The circular read: "All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payments transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria. Accordingly, all affected Financial Institutions shall fully comply with this requirement effective January 1, 2027."

The language is unambiguous. There are no carve-outs, no provisional waivers, and no grey areas for hybrid cloud arrangements that straddle foreign and local servers.

RELATED

Who Must Comply: A Wide Net Across the Payments Ecosystem

The directive was addressed to deposit money banks, microfinance banks, mobile money operators, switching and processing companies, payment terminal service providers, payment solution service providers, super agents and other licensed operators in the payments industry.

The scope is unusually broad. It captures every layer of Nigeria's payment stack, from the largest commercial banks down to super agents operating in remote communities.

The timeline is expected to trigger significant technology and infrastructure investments across the banking and fintech sectors, particularly among institutions that currently rely on offshore cloud services or overseas data centres to store and process transaction information.

Why the CBN Is Acting Now: Market Concentration and Data Sovereignty

The timing of this directive is deliberate. Nigeria's digital payments industry has grown at a pace that has consistently outrun regulatory frameworks.

The apex bank said the new measures were introduced following significant structural changes in Nigeria's payments landscape, driven by rapid growth in electronic transactions, increased adoption of digital financial services and the emergence of dominant operators across key payment segments.

According to the CBN: "The Central Bank of Nigeria has observed significant structural developments within the Nigerian Payments ecosystem, characterised by rapid growth in electronic payments, increasing adoption of digital financial services, and the emergence of operators with substantial market presence across key payment activities."

The CBN cited rapid growth in electronic payments and concerns around market concentration, operational dependence, and data sovereignty as the core drivers behind the new framework. Keeping payment data onshore gives regulators direct, unimpeded access to transaction records without having to negotiate with foreign data jurisdictions.

New Market Share Caps: No Single Player Can Dominate

The data localisation rule is only one part of a broader structural reset. The CBN simultaneously introduced hard market share limits to prevent monopolistic behaviour across payment segments.

Under the new framework, any financial institution that controls more than 25% of the card issuing market within a rolling 12-month period will be prohibited from holding more than 15% market share in merchant acquiring activities during the same period. Likewise, institutions with more than 25% market share in merchant acquiring activities will not be allowed to hold more than 15% of the card issuing market.

This cross-market ownership cap directly targets institutions that have quietly built dominant positions on both sides of the payment equation, issuing cards to consumers while also processing payments for merchants.

To facilitate monitoring, all regulated entities are required to submit monthly market share returns using templates prescribed by the CBN. Affected institutions must implement the necessary structural adjustments and achieve full compliance with the market structure requirements by December 31, 2026.

Note the difference in deadlines. Market structure compliance is due by December 31, 2026, one day before the data localisation rule takes effect.

Beneficial Ownership Disclosure: Closing the Transparency Gap

The CBN added a third pillar to this reform package, one that targets hidden ownership structures within the payments industry.

The regulator directed deposit money banks, payment service providers and other financial institutions with digital payment operations to disclose the Ultimate Beneficial Ownership (UBO) of significant shareholders in line with existing anti-money laundering and counter-terrorism financing regulations. Institutions are also required to maintain accurate and up-to-date UBO records and make them available to the apex bank upon request.

The measure is designed to improve transparency within the financial system and strengthen efforts to combat illicit financial flows, money laundering and the use of complex ownership structures to conceal control of regulated entities.

The UBO requirement places Nigeria's fintech sector in direct alignment with global anti-money laundering standards, a signal that the CBN is preparing the industry for deeper international regulatory cooperation.

The Compliance Challenge: Smaller Operators Face the Steepest Climb

Large banks with existing technology infrastructure will find this transition difficult but manageable. For smaller operators, the picture is more complicated.

The first challenge is capital expenditure, covering the physical or contracted local storage capacity that many smaller fintechs, microfinance banks, and payment solution service providers do not currently have and cannot easily absorb. The second is operational, covering the ongoing management, security certification, and audit requirements that local data hosting introduces. The third and least visible is transition risk, the period between now and January 2027, during which institutions must migrate live transaction data without disrupting the payment rails that millions of Nigerians depend on daily.

For the long tail of licensed operators, including super agents and smaller switching companies, the directive effectively sets a compliance clock without an accompanying framework for how costs will be absorbed or whether any technical assistance will be available.

This gap, between the mandate and the support mechanism, is where the real implementation risk lives.

Sanctions Are on the Table: CBN Issues a Clear Warning

The CBN left no ambiguity about what happens to institutions that miss the deadlines.

"The CBN shall monitor compliance with the provisions of this Circular and may, where necessary, impose supervisory sanctions in accordance with applicable laws, regulations, and guidelines," the circular stated.

The CBN warned that it would closely monitor compliance and impose sanctions where necessary. The language mirrors previous enforcement postures from the apex bank, which has shown a willingness to fine, restrict, and in some cases suspend operations of non-compliant institutions.

Cybersecurity Context: NDPC Had Already Sounded the Alarm

This directive does not exist in isolation. Nigeria's broader regulatory apparatus has been converging on the same concerns for months.

Earlier in April 2026, the Nigeria Data Protection Commission (NDPC) raised concerns over coordinated cyber threats targeting Nigeria's financial systems and key digital infrastructure, warning organisations to urgently strengthen their data security architecture. NDPC said its technical assessment revealed that "shadowy threat actors" have launched coordinated operations aimed at critical systems in the country.

The CBN's data localisation directive can now be read as a direct regulatory response to that warning. Keeping payment data on Nigerian soil reduces the attack surface for cross-border cyber intrusions and limits exposure to foreign jurisdictional vulnerabilities.

What This Means for Nigeria's Digital Payments Future

The directive, setting a firm deadline for one of the most significant data localisation requirements in the nation's financial services sector, is aimed at strengthening transparency, reducing concentration risks, improving operational resilience and ensuring that critical payments data remains under Nigerian jurisdiction.

The latest measures form part of the regulator's broader efforts to create a fairer and more competitive payments ecosystem as digital transactions continue to expand across Africa's largest economy.

For Nigeria's fintech sector, which has attracted billions in foreign investment over the last decade, this directive redraws the operating rules on three fronts at once: where data lives, who owns the companies processing it, and how much of any single market any one player can control.

The deadline clock is running. Every bank, fintech, mobile money operator, and payment processor now has until January 1, 2027, to comply or face supervisory consequences.