The Central Bank of Nigeria (CBN) has introduced new security rules for digital banking platforms, including a N20,000 transaction cap on newly activated mobile banking applications within their first 24 hours, as part of efforts to curb fraud and strengthen the resilience of the country’s rapidly expanding instant payment ecosystem.
The directive, issued by the financial regulator in a circular dated March 12, 2026, forms part of a package of measures designed to reduce the growing risks associated with mobile banking fraud, identity theft and unauthorised access to financial accounts.
The new provisions, which apply to banks, other financial institutions and payment service providers, will take effect from July 1, 2026, giving industry participants several months to upgrade their systems and align internal risk controls with the regulator’s updated framework.
Under the directive, financial institutions must impose strict transaction limits on newly activated mobile financial service applications during the first 24 hours of activation.
During that period, total transactions (both inflows and outflows) for newly opened accounts must not exceed N20,000. While the regulator has set the maximum threshold, banks are allowed to impose lower limits based on their internal risk management frameworks.
The restriction also applies to existing customers who activate their mobile banking application on a new device. In such cases, banks must impose an outflow transaction cap of N20,000 during the first 24 hours following activation.
The CBN said the policy is intended to mitigate rising incidents of digital fraud, particularly cases involving account takeover and device migration where fraudsters gain access to customers’ banking credentials and rapidly move funds out of compromised accounts.
Beyond transaction limits, the CBN also introduced mandatory device binding for mobile banking applications, a measure aimed at strengthening identity verification and preventing simultaneous access to banking apps from multiple devices.
Under the rule, customers will only be allowed to operate their mobile banking application on one device at a time.
If a user attempts to migrate their banking application to a new device, the system will automatically trigger a fresh authentication process requiring the customer to revalidate their identity before the application can be reactivated.
The regulator said the step is necessary to curb unauthorised device migration, which has become a common method used in digital banking fraud schemes.
Financial institutions were also directed to enforce additional multi-factor authentication requirements for first-time logins to internet banking platforms on new devices.
These controls may include biometric verification, one-time passwords, soft tokens, hard tokens or other layered authentication mechanisms that strengthen identity verification during sensitive account operations.
The circular also introduces stronger operational requirements for fraud detection across Nigeria’s financial institutions.
Banks and payment service providers are now required to deploy enterprise fraud monitoring systems capable of tracking both incoming and outgoing transactions in real time.
The systems are expected to allow institutions to identify suspicious activity quickly and block or restrict potentially fraudulent transactions before funds are lost.
The CBN also tightened regulations governing online account opening and account reactivation processes.
Under the new framework, accounts opened through digital channels must undergo liveliness checks, a verification method used to confirm that the person initiating the account opening process is physically present and not using pre-recorded images or stolen identity data.
All online account opening and reactivation requests must also be validated in real time against the Bank Verification Number (BVN) and National Identity Number (NIN) databases.
These additional checks are designed to strengthen identity verification and prevent fraudsters from using stolen or fabricated credentials to open financial accounts.
In a move aimed at giving customers greater control over the security of their accounts, the CBN also introduced a voluntary opt-out and opt-in feature for instant payment services.
The option will allow customers to temporarily disable instant transfers from their accounts at any time and for any period of their choosing.
Once activated, the opt-out feature will disable all online instant transfers, including transactions within the same bank as well as interbank transfers.
Customers who opt out will still be able to carry out transactions by visiting their bank physically, ensuring that account access remains available even while instant digital transfers are restricted.
The default setting for new customers will remain opt-in at the point of account onboarding.
The circular also maintains the existing maximum transaction thresholds for instant payments, which currently stand at N25 million for individual accounts and N250 million for corporate accounts.
However, customers who wish to adjust their personal transaction limits must undergo enhanced due diligence and risk assessment by their financial institution before such changes take effect.
According to the CBN, the new provisions represent the minimum operational standards required to safeguard instant payment services in Nigeria’s financial system.
