ABUJA, June 16 – Nigeria’s Central Bank has directed banks, fintech firms, mobile money operators and other payment service providers to store all payment transaction data generated within the country on local servers from January 1, 2027.
The requirement was outlined in a circular signed by Rakiya O. Yusuf, Director of the Payments System Supervision Department, as part of a broader effort to strengthen oversight and improve transparency in Nigeria’s rapidly expanding digital payments industry.
Under the new rule, all institutions involved in processing payments in Nigeria must ensure that transaction records are stored and managed within the country in line with existing data protection laws.
The move is expected to affect operators that currently rely on foreign data infrastructure for parts of their payment operations. According to the Central Bank, the measures come in response to major changes in the payments landscape, driven by the rise in electronic transactions, wider adoption of digital financial services and the growing influence of a few large players across key segments of the market.
While these developments have supported innovation and financial inclusion, the regulator said they have also raised concerns around dependence on external infrastructure, ownership transparency and the location of critical payment data.
Beyond data localisation, the CBN introduced fresh disclosure requirements for financial institutions. Banks, payment service providers and other operators with digital payment businesses must now identify and maintain records of their Ultimate Beneficial Owners in line with anti-money laundering and counter-terrorism financing regulations.
The regulator also moved to curb excessive market dominance. Institutions controlling more than 25% of the card issuing market will be restricted to a maximum 15% share of merchant acquiring activities, and vice versa. Affected firms have until December 31, 2026 to comply and must submit monthly market share reports to the CBN.
The latest measures come months after the Nigeria Data Protection Commission warned of coordinated cyber threats targeting the country’s financial systems and digital infrastructure.
