The Central Bank of Nigeria (CBN) has introduced significant updates to enhance the security and stability of digital banking and instant payment systems. In a recent circular dated March 12, 2026, from the Payments System Policy Department (signed by Director Musa Jimoh), the apex bank outlined new guidelines for financial institutions offering instant payments (IP) and mobile financial services. These measures aim to curb fraud, reduce account compromises, and give customers greater control over their transactions. The changes take effect from July 1, 2026.
Key Restriction: Mobile Banking Apps Limited to One Device
A major highlight is the mandatory device binding rule for mobile banking applications. Under the new directive, banks and other financial institutions must ensure that a customer's mobile banking app operates on only one device at a time. Simultaneous use across multiple devices (such as a phone and tablet, or two phones) will no longer be permitted.
- If a customer switches to a new device, the app will require automatic re-activation and enhanced authentication (such as multi-factor authentication or biometrics) before access is granted.
- This policy targets rising cases of account takeovers and unauthorized access, as fraudsters often exploit multi-device logins to compromise accounts.
The CBN emphasized that this "device binding" is part of broader efforts to strengthen mobile financial services security while maintaining convenience for legitimate users.
Temporary Transaction Limits on New Activations
To further mitigate risks during initial setup, the guidelines impose a temporary cap on transactions for newly activated mobile banking apps:
- For the first 24 hours after activation (on new or existing accounts), both inflows and outflows are limited.
- The maximum allowable transaction amount is ₦20,000, though banks can set lower limits based on their risk assessment.
- This cooling-off period helps prevent immediate exploitation if a device or account is compromised shortly after setup.
New Instant Payment Rules: Greater Customer Control and Security
The CBN has mandated several additional functionalities for instant payment platforms to promote user empowerment and fraud prevention:
- Voluntary Opt-In/Opt-Out Feature: Customers can now choose to enable (opt-in) or disable (opt-out) instant payment services on their accounts at any time. This must be protected by multi-factor authentication (MFA) to avoid unauthorized changes. By default, the feature remains enabled, but users have clear options to pause it for privacy or security reasons.
- Customizable Transaction Limits: Within existing regulatory caps (₦25 million daily for individuals and ₦250 million for corporates), customers can adjust their personal limits as needed, subject to enhanced due diligence and authentication.
- Other Security Enhancements: The guidelines include requirements for liveness checks, fraud monitoring, and stronger authentication processes to combat identity theft and suspicious activities.
These updates build on Nigeria's growing reliance on digital payments, where instant transfers via platforms like NIP (Nigeria Inter-Bank Settlement System) have surged in volume.
Implications for Customers and Banks
For everyday users in Nigeria, the changes mean added layers of protection against fraud but may require adjustments in habits—such as logging out properly when switching phones or re-authenticating after device changes. Banks must update their apps and systems by the July 1 deadline to comply, potentially rolling out notifications and in-app guides to ease the transition.
The CBN's proactive stance reflects ongoing efforts to safeguard the financial system amid increasing cyber threats and digital adoption. While some customers may find the one-device limit inconvenient, experts view it as a necessary step toward a more secure banking environment.
This policy underscores the regulator's commitment to balancing innovation with robust consumer protection in Nigeria's evolving payments landscape. Financial institutions are expected to communicate these changes clearly to their customers ahead of the implementation date.
No comments:
Post a Comment