Roadmap deadline: June 10, 2026 — All CBN-regulated institutions must submit an implementation plan to the Compliance Department. Get your free gap assessment →
Issued March 10, 2026 · CBN Compliance Dept.

The CBN Baseline Standards
for Automated AML Solutions

The Central Bank of Nigeria has set binding minimum standards for every automated AML/CFT/CPF system deployed by a regulated financial institution. They include 12 standards and 100 requirements. Most existing AML systems in Nigeria do not meet these standards.

Standalone AML tools are NOT compliant under CBN standards

"AML Solutions without effective linkage to CDD/KYC/KYB information… will not be regarded as compliant."


Start My Gap Assessment Will You Pass Examination?
12Standards
100Requirements
18 moDMB Deadline
24 moOther FI Deadline
FreeAll Resources
What Are They?

A New Minimum Bar for Every CBN-Regulated Institution

The Baseline Standards define exactly what technology and governance your institution must have in place, not just in policy, but demonstrably in practice.

Legally Enforceable

Anchored in the MLPPA 2022, TPPA 2022, and CBN AML/CFT Regulations. This is regulation with sanctions attached.

Technology-Focused

These standards specifically govern your automated AML system, what it must do, how it must integrate with other systems, and how it must be governed.

Examination-Ready

CBN examiners will use these as their rubric. Institutions must demonstrate each capability with contemporaneous evidence.

The Hard Truth

Why Most AML Systems in Nigeria
Will Fail CBN Examination

The CBN has set a higher bar than most institutions realise. Here are the most common and most critical reasons institutions will fail.

📋
"AML Solutions without effective linkage to CDD/KYC/KYB information and customer risk assessments will not be regarded as compliant."
— CBN AML/CFT Baseline Standards, Section 5.2 · Issued March 10, 2026
❌ Automatic Fail

No KYC Linkage

Your transaction monitoring system flags activity in isolation without connecting to your customers' verified identity, risk profile, or onboarding data.

Standard 5.2 requires continuous sync between KYC records, risk profiles, and transaction monitoring. Disconnected systems = non-compliant, regardless of how many alerts they generate.
❌ Automatic Fail

No Audit Trail

Examiners will ask: "Show me the alert, who reviewed it, what they decided, and why." If you cannot produce this in real time, you fail Standard 5.9.

An immutable, tamper-proof audit trail with forensic linkages between customer data, alerts, and user actions is mandatory. Spreadsheet logs do not qualify.
❌ Automatic Fail

Manual Workflows

Alert reviews done in Excel. STRs filed manually. Case notes stored in email threads. These workflows will not survive a live system demonstration.

Standards 5.7 and 5.8 require automated case management with maker-checker controls and auto-generation of STRs, SARs, CTRs, and FTRs in CBN-prescribed formats.
❌ Automatic Fail

Standalone Transaction Monitoring

A transaction monitoring/fraud detection tool, that receives only raw transaction data, without real-time integration to core banking and KYC is explicitly non-compliant for high-risk institutions.

Standard 5.10 prohibits standalone transaction feeds for High and Above-Average risk institutions. All institutions must have bidirectional real-time integration.
❌ Automatic Fail

No AI/ML Model Validation

If you use AI or machine learning in your AML system for risk scoring, alert generation, or name matching, and you cannot show annual independent validation, you fail.

Standard 5.5 mandates annual independent validation of all AI/ML models for accuracy, bias, and drift. ISO 42001 AI governance compliance is a cross-cutting requirement under Section 6.
❌ Automatic Fail

Fragmented Vendor Landscape

Using one vendor for KYC, another for transaction monitoring/fraud detection, a third for sanctions screening, and a fourth for case management, with no integration between them.

The CBN requires effective linkage across all functions. Fragmented systems where data does not flow in real time between CDD, monitoring, and reporting cannot satisfy the integration requirements of Standards 5.2 and 5.10.

The CBN requires a single integrated AML system; not a collection of tools.

System Type CBN Compliant?
Transaction Monitoring OnlyNo KYC/CDD linkage
❌ No
KYC System OnlyNo transaction monitoring
❌ No
Sanctions Screening OnlyNo risk profiling or monitoring
❌ No
Disconnected Multi-Vendor ToolsNo real-time data integration
❌ No
Manual / Spreadsheet-Based ProcessesNo automated case management or reporting
❌ No
Integrated AML Lifecycle SystemKYC + transaction monitoring + screening + case mgmt + reporting, unified
✅ Yes
Are You Already Non-Compliant?

If your current AML setup looks like this,
you are likely non-compliant.

Read this carefully and tick the ones that apply to your institution right now.

🚨 Signs your AML system will fail CBN examination

If you ticked even one of these, you have a compliance gap the CBN will find. Examiners look at evidence, live system demonstrations, investigation logs, regulatory filings. Policy documents and good intentions do not count.

Get a personalised gap assessment
Scope

Who Must Comply?

All CBN-licensed financial institutions.

🏦

Deposit Money Banks

Commercial, merchant & non-interest banks

🏪

Microfinance Banks

State, national & unit MFBs, with proportionate requirements

📱

Payment Service Providers

PSPs, switching companies, gateways & super-agents

💸

Money Transfer Operators

IMTOs and domestic cross-border operators

🏢

Finance Companies

Mortgage institutions, finance houses & non-bank FIs

💳

Mobile Money Operators

CBN-licensed MMOs and payment service banks

Proportionality principle: Implementation depth is calibrated to your institution's size, risk profile, and transaction volumes. A unit MFB and a Tier-1 bank will comply differently, but both must comply. Institutions in high-risk sectors must apply enhanced monitoring regardless of size.

Key Dates

Your Compliance Timeline

Issued March 10, 2026. The clock is already running.

Deposit Money Banks
Commercial, Merchant & Non-Interest Banks
September 2027
18 months from issuance · Full compliance required
All Other Financial Institutions
MFBs, PSPs, IMTOs, MMOs & Finance Companies
March 2028
24 months from issuance · Full compliance required
📅
Universal deadline: June 10, 2026 (all institutions)

Every CBN-regulated institution must submit a formal implementation roadmap to the CBN Compliance Department within 3 months of issuance.

Sections 5.1–5.12

The 12 Standards at a Glance

95 requirements across 12 standards, plus 5 cross-cutting obligations in Section 6. Here's what each standard covers.

5.1

AML Solution

Sets the minimum functional footprint every AML system must cover.

  • Customer ID & verification, risk profiling, sanctions screening
  • Transaction monitoring, case management, regulatory reporting
  • Audit trails, governance logs, and data protection controls
  • Fraud on the same platform must be clearly segregated
1 Functional
5.2

CDD / KYC / KYB

Automated due diligence that stays live — even post-onboarding.

  • Automated risk profiling for individuals and entities
  • Continuous sync between KYC records, risk profiles & transactions
  • Integration with BVN & NIN systems where available
  • Institutions must notify CBN of all AML Solutions in use
4 Functional4 Governance
5.3

Sanctions Lists & PEP Screening

Real-time screening that goes well beyond simple name matching.

  • Integrated with domestic & global sanctions lists and PEP registers
  • AI/fuzzy-matching for name variations and transliterations
  • Adverse media and negative news monitoring included
  • Automated transaction block on confirmed sanctions matches
8 Functional3 Governance
5.4

Risk Assessment

Dynamic scoring that reflects how risk actually evolves over time.

  • Configurable to the institution's documented risk appetite
  • Dynamic customer risk profile updates as behaviour changes
  • Enterprise-level risk measurement across products & channels
  • AI/ML models require documented governance with human oversight
6 Functional2 Governance
5.5

Transaction Monitoring & Risk-Based Analyses

The most requirement-dense section — 13 requirements in total.

  • Multi-scenario monitoring using KYC/KYB attributes, not just raw data
  • Related-party mapping, network analysis & peer-group comparisons
  • Annual independent AI/ML model validation (accuracy, bias, drift)
  • Automated alert closure requires CBN notification & strict governance
6 Functional7 Governance
5.6

Fraud Monitoring & Detection

Applies where your AML system also handles fraud.

  • Real-time / near-real-time monitoring across cards, e-channels & deposits
  • Clear AML/fraud separation of responsibilities in all workflows
  • High/Above-Average risk institutions must roadmap unified architecture
  • Material fraud indicators must feed into ML/TF/PF risk profiles
6 Functional2 Governance
5.7

Case Management

Every alert must be tracked, reviewed, and documented.

  • Enterprise Case Management (ECM) with automated case creation
  • Maker-Checker functionality and role-based escalation paths
  • Full audit trail: user, timestamp, decision, and rationale
  • Management reports on volumes, ageing & outcomes for the Board
4 Functional2 Governance
5.8

Reporting

Automated, structured reporting to regulators and internal stakeholders.

  • Auto-generation of STRs, SARs, CTRs & FTRs in CBN-prescribed formats
  • Internal MI reporting to CCO, senior management & Board
  • External reports go only to regulators with a lawful mandate
  • Internal governance required for review & approval before submission
3 Functional2 Governance
5.9

Audit & Governance

Tamper-proof records that can withstand regulatory scrutiny.

  • Immutable audit trail of all system & user activities incl. config changes
  • End-to-end search & retrieval without disrupting live operations
  • Forensic linkages: customer data, alerts, user actions & returns
  • Documented governance framework with segregated access rights
7 Functional4 Governance
5.10

System Integration & Scalability

Your AML system cannot be an island — it must connect to everything.

  • Bidirectional integration with core banking & KYC systems in real time
  • Well-documented, standards-based APIs and standardised data formats
  • High/Above-Average risk institutions cannot use standalone transaction feeds
  • Shared AML arrangements require prior CBN approval
7 Functional2 Governance
5.11

Security & Data Protection

Data security that meets NDPA and CBN cybersecurity requirements.

  • Encryption at rest, in use, and in transit for all AML data
  • Role-based access controls and Multi-Factor Authentication (MFA)
  • NDPA compliance and Nigerian data sovereignty obligations
  • Defined RTO & RPO based on a Business Impact Analysis
6 Functional3 Governance
5.12

User Interface & Customisation

The system must support the people who use it, not hinder them.

  • Real-time dashboards showing key metrics, alerts & case status
  • User-friendly interface for compliance, monitoring & investigation teams
  • Multi-entity, multi-currency & multi-jurisdiction configurations
  • Documented processes for updating rules, thresholds & workflows
4 Functional2 Governance
+5
Section 6

Section 6: Cross-Cutting Governance Requirements

  • Vendor/Third-Party Management Policy for all AML Solutions
  • Third-party providers must comply with all applicable CBN regulations
  • ISO 42001 compliance for AI/ML governance
  • CBN Cybersecurity Framework & Shared Services compliance
  • Heightened vendor due diligence (pending CBN third-party regulations)
100
Total requirements
62 functional · 38 governance
Implementation Roadmap

How to Get There

A phased approach is essential. Start with a gap assessment, then build from there.

Now
🔍 Phase 1 · Weeks 1–4
Gap Assessment
  • Self-assess against all 100 requirements
  • Score each of the 12 standards
  • Identify critical gaps & quick wins
  • Draft CBN roadmap submission
  • Submit by June 10, 2026
P2
🏗 Phase 2 · Weeks 4–12
Foundation
  • Update AML/CFT governance framework
  • Board approval of revised policies
  • Formalise AML governance committee
  • Document risk assessment methodology
  • Establish vendor management policy
P3
⚙ Phase 3 · Months 2–5
System Build
  • Deploy or upgrade automated AML solution
  • Configure sanctions & PEP screening
  • Integrate core banking & KYC systems
  • Set up ECM, reporting & audit trails
  • Configure fraud monitoring segregation
P4
✅ Phase 4 · Month 5+
Assurance
  • Independent audit of all 12 standards
  • AI/ML model validation completed
  • Staff training records documented
  • Evidence file built per standard
  • Annual self-assessment cycle set up

Critical reminder: The CBN explicitly states that AML Solutions without effective linkage to CDD/KYC/KYB information and customer risk assessments will not be regarded as compliant. Spreadsheet-based monitoring, standalone transaction feeds (for high-risk institutions), and systems that cannot produce contemporaneous evidence per standard will fail examination.

Free Resources from Regfyl

Start Your Compliance Journey Today

Everything you need to assess your gap, build your plan, and get examination-ready.

Bespoke Gap Assessment

  • Personalised to your institution type and risk profile
  • Every requirement mapped to your current position
  • Specific gaps identified with actionable next steps
  • Phased roadmap tailored to your compliance deadline
  • Delivered to your inbox 100% free, in under 15 minutes
Start My Gap Assessment

See Regfyl in Action

  • Live walkthrough of all 12 standards in a working platform
  • See automated AML, screening & reporting in action
  • Tailored to your institution type and product mix
  • Leave with a clear, prioritised implementation plan
  • 30-minute session with no obligation
Book a Free Demo

Most AML tools meet some requirements. Regfyl meets all 12.

Regfyl is built end-to-end around the CBN Baseline Standards. KYC linkage, real-time transaction monitoring, sanctions & PEP screening, automated case management, regulatory reporting, and full audit trails: all 12 standards, one integrated platform, zero fragmentation.

Book a Demo Learn More →
FAQs

Common Questions Answered

What Nigerian financial institutions ask most about the CBN Baseline Standards.

The Regulations set out your legal obligations. The Baseline Standards define the minimum technology and operational capabilities the CBN expects to see when they assess whether you're meeting those obligations. Think of the Regulations as the law and the Baseline Standards as the examiner's rubric for assessing whether you're genuinely living by it.
Yes, all 12 standards apply to all CBN-regulated institutions. The proportionality principle means the depth and sophistication of implementation is calibrated to your size and risk profile. A unit MFB and a Tier-1 bank will implement transaction monitoring very differently — but both must be able to demonstrate the capability. The CBN does not grant exemptions by institution type.
Expect: live system demonstrations (your AML solution running); transaction testing (walking through specific alerts and how they were investigated and closed); document review (policies, Board minutes, training records, model validation reports); and staff interviews with your MLRO and compliance team. Contemporaneous evidence per standard is critical — documentation written in anticipation of examination carries little weight.
Yes, and for most institutions, using a specialist platform is recommended. The standards do not require in-house technology. However, your institution remains accountable for the outputs and governance of any third-party system. You must understand how it works, validate its outputs, and be able to produce evidence for examiners. The CBN also requires heightened vendor due diligence for all AML solution providers.
Non-compliant institutions may face monetary sanctions, remedial directives, restrictions on business activities, and in serious cases licence revocation. Individual accountability for MLRO officers is also on the table under the MLPPA 2022 and BOFIA. Beyond regulatory sanctions, non-compliance risks loss of correspondent banking relationships — existential for institutions involved in cross-border activity.
The circular requires a formal implementation roadmap submitted to the CBN Compliance Department by June 10, 2026. It should outline how and when you plan to achieve compliance with each of the Baseline Standards. Starting with a structured gap assessment against all 12 standards gives you the foundation to build a credible, defensible roadmap.
Still have questions?

Book a free 30-minute session with the Regfyl compliance team. We'll walk you through where your institution stands and what to prioritise first.

Book a Free Session
The Most Important Thing to Understand

AML compliance is an end-to-end system —
not just onboarding, fraud detection,
or reporting alone.

The CBN Baseline Standards treat AML as a single, connected lifecycle. A customer's risk profile flows from onboarding into every transaction they make. Every suspicious transaction creates a case. Every case produces a report. Every report leaves an audit trail. Institutions that treat these as separate functions — separate tools, separate teams, separate data — will fail examination. The standard requires them to be one integrated system.

🪪
KYC / CDD
Risk profiling
📡
Screening
Sanctions & PEPs
📊
Transaction Monitoring
Real-time alerts
🗂️
Case Management
Audit trail
📨
Reporting
STRs, CTRs, SARs
🔐
Governance
CBN examination-ready
Proven in Practice

Regfyl has already helped financial institutions align with regulatory requirements; including real-time monitoring, STR reporting, and audit-ready workflows.

These are not future promises. They are deployed capabilities, working in 100+ Nigerian financial institutions right now.

See It for Yourself — Book a Demo Start My Free Gap Assessment →