CBN AML automation mandate: Nigerian banks are not ready

When the Central Bank of Nigeria issued its Baseline Standards for Automated AML Solutions on March 10, the immediate reaction from many compliance professionals was a mix of validation and alarm.

Validation, because those of us who have been working in compliance technology have long argued that Nigeria’s financial system needed enforceable standards for the technology used to fight financial crime.

Alarm, because the gap between where most institutions are today and where the CBN expects them to be is significant.

I have spent years building compliance technology for financial institutions across Africa and beyond. I want to share what I believe this mandate actually means in practice: not the regulatory language, but the real-world implications for the people who will have to implement it.

This is not about buying software

The first and most important thing to understand about the new standards is that they are not a procurement directive. The CBN is not telling institutions to go buy an AML software package. It is telling them to build a comprehensive, integrated, and continuously governed approach to financial crime detection that happens to require technology as its backbone.

The standards cover 12 areas of capability, from transaction monitoring and customer due diligence to case management, regulatory reporting, and data protection. What ties them all together is the CBN’s insistence that these systems cannot operate in silos. The regulator explicitly states that AML solutions

Operating solely on transaction data, without effective linkage to customer identity, risk profiles, and case histories, will not be considered compliant.

This is a significant philosophical shift. Many institutions currently run their KYC processes, transaction monitoring, and sanctions screening on separate platforms with limited data sharing between them. The CBN is saying that this fragmented approach is no longer acceptable.

The three-month pressure point

While the full compliance deadline is 18 to 24 months away depending on institution type, the more immediate pressure point is the 3-month deadline for submitting implementation roadmaps. This means that within the next three months, every bank, mobile money operator, and payment service provider must have a documented plan that the CBN will evaluate.

A credible roadmap requires institutions to have already assessed their current capabilities against the baseline standards, identified the gaps, evaluated potential technology solutions, and developed a realistic implementation timeline. Institutions that have not started this process are already behind.

The AI question

The standards explicitly reference artificial intelligence and machine learning as tools for enhancing detection quality and timeliness. But the CBN has been careful to attach governance requirements to any use of AI.

The standards require transparent configuration and validation of AI-based models, documented governance frameworks with human oversight and explainability, independent validation at least annually, and documented procedures for managing the outputs of automated systems.

This is a mature and thoughtful approach to AI governance. The CBN is not saying every institution must use AI. It is saying that those who do must be able to explain how their models work, demonstrate that they are properly governed, and prove that they are regularly validated. This is the right approach, and it aligns with emerging global standards for AI use in financial services.

The purpose-built advantage

There is one aspect of the new standards that deserves particular attention. The CBN requires AML solutions to integrate with Nigeria’s national identity infrastructure, including BVN and NIN databases.

It requires compliance with the Nigeria Data Protection Act and local data sovereignty requirements. It requires solutions calibrated to the proportionality principle, meaning they must be adaptable to the wide range of institutional sizes and risk profiles that characterise Nigeria’s financial sector.

These are not requirements that can be easily met by taking a system designed for European or North American banks and layering Nigerian regulatory logic on top. The most effective AML technology for Nigerian financial institutions will be technology that was conceived and built with these realities as foundational design constraints, not afterthoughts.

At Smartcomply, this is the principle on which we built Adhere. We built a global-grade system with a deep focus on African regulation. We started with the regulatory frameworks, identity infrastructure, risk typologies, and institutional diversity of the markets we serve and built outward from there. The CBN’s new standards validate that approach.

Why customisation will separate the ready from the scrambling

There is another dimension that I believe will define which institutions meet these standards credibly and which ones struggle. The CBN standards repeatedly call for solutions that are configurable: configurable risk scenarios, configurable alert thresholds, configurable workflows, and institution-specific rule sets. This is not a footnote in the standards. It is woven throughout them.

In practice, this means a compliance platform that offers the same default configuration to every institution will fall short. Each bank, each fintech, each payment service provider has a distinct risk appetite, distinct transaction patterns, and distinct operational workflows.

The technology must adapt to the institution, not the other way around. This is what compliance teams across the industry are telling us they need, and it is central to how we built Adhere.

What I would tell compliance officers today

If you are a compliance officer, CTO, or CEO reading this and wondering where to start, here is my honest advice:

Start with a gap assessment. Map your current capabilities against the 12 baseline standard areas. Be honest about where you stand. A realistic assessment now is worth far more than an optimistic one that falls apart under CBN scrutiny.

Prioritise integration over features. The single biggest theme in the CBN standards is connectivity: linking KYC data to transaction monitoring to risk profiles to case management. If your current systems cannot share data seamlessly, that is your most critical gap.

Do not underestimate the governance requirements. Technology is only half the challenge. The CBN expects documented governance frameworks, regular validation of AI models, defined procedures for preemptive interventions, and internal service level standards for alert review. These are organisational capabilities, not just software features.

Think about vendor due diligence now. The CBN specifically addresses third-party provider management, requiring institutions to assess their AML technology vendors on their ability to provide institution-specific configuration, audit access, and compliance with governance requirements. Start evaluating providers now, before the market becomes crowded and timelines compress.

The CBN has set a high bar with these standards. That is a good thing. Nigeria’s financial system needs robust, effective, and well-governed AML technology. The institutions that embrace this mandate as an opportunity, not just a compliance burden, will be the ones that build lasting competitive advantage in trust, operational efficiency, and regulatory standing.

The next 18 months will define how seriously Nigeria’s financial sector takes financial crime prevention. I believe the industry is ready to rise to the challenge.

 

Gbemisola Osunrinde is the CEO of Smartcomply, an international compliance and cybersecurity technology company with deep expertise across African markets. Smartcomply’s Adhere platform provides AI-powered AML compliance and fraud detection for financial institutions across Africa and other emerging markets.