Introduction
- On 15 June 2026, the Central Bank of Nigeria (CBN) issued a Circular introducing and reinforcing requirements relating to market structure, data localisation, ultimate beneficial ownership and systemic oversight within the Nigerian payments system. The Circular applies to Deposit Money Banks (DMBs), Microfinance Banks (MFBs), Mobile Money Operators (MMOs), switching and processing companies, Payment Terminal Service Providers (PTSPs), Payment Solution Service Providers (PSSPs), Super Agents, and other licensed participants in the Nigerian payments ecosystem.
- According to the CBN, the Circular was prompted by significant structural developments in the Nigerian payments ecosystem, including the rapid growth of electronic payments, increasing adoption of digital financial services, and the emergence of operators with substantial market presence across key payment activities. While these developments have supported innovation, efficiency and financial inclusion, they have also raised regulatory concerns around market concentration, systemic importance, ownership transparency and the localisation of critical payments data.
- The Circular should therefore be understood as more than a routine compliance update. It reflects the CBN’s intention to supervise the payments sector, not only by reference to individual licences, but also by reference to ownership structures, data control, market power and systemic resilience across the ecosystem.
- This Newsletter summarises the key provisions of the Circular, considers their practical implications for regulated entities, and highlights the compliance obligations and timelines that institutions must act upon.
Key Provisions of the Circular
Ultimate Beneficial Ownership Disclosure Requirements
- The Circular requires all DMBs, Payment Service Providers, and other financial institutions with digital payments operations to disclose the Ultimate Beneficial Ownership (UBO) of significant shareholders in accordance with applicable anti-money laundering, counter-terrorism financing, and counter-proliferation financing regulations[1]. Institutions are also required to maintain accurate and up-to-date UBO records and make such information available to the CBN upon request.[2]
Practical Implications
- On its face, this may not appear to be a wholly new requirement. Regulated financial institutions are already expected to provide ownership information during licensing, and material changes in ownership or control are typically subject to regulatory scrutiny. UBO disclosure is also a familiar part of anti-money laundering compliance, particularly where ownership is held through companies, trusts, nominee arrangements, offshore vehicles, or other layered structures.
- What is different, however, is the context in which the CBN is restating the requirement. The Circular places UBO disclosure within a broader payments-system oversight framework. This means the CBN is not only concerned with whether a regulated entity has identified its shareholders for licensing or AML purposes. It is also concerned with who ultimately controls key payment operators, whether the same beneficial owners or related entities sit behind multiple market participants, and whether such ownership links could create concentration risk, conflicts of interest, regulatory arbitrage or systemic dependence within the payment’s ecosystem.
- In practical terms, the CBN wants to be able to look beyond the name on a licence and see who really is behind different payment businesses. For example, a PSSP, an IMTO, a switching company, an MMO or an acquiring business may appear to be separate entities, but they could still be controlled by the same person, family, investment vehicle or group. Common ownership is not necessarily prohibited, but the CBN wants visibility over these links because they may affect AML risk, conflicts of interest, market concentration, regulatory arbitrage and systemic dependence.
- The practical implication is that institutions should not treat UBO disclosure as a static licensing record. They will need to ensure that ownership structures are accurately documented, indirect ownership arrangements are properly identified, shareholder registers are reviewed and updated where necessary, and internal governance processes are capable of responding promptly to regulatory requests. For fintech companies and payment service providers with complex investment structures, particularly those involving offshore holding companies, venture capital funds, nominee arrangements or layered ownership vehicles, this may require a more detailed review of ownership documentation and governance records.
- The better reading of the Circular is therefore that CBN is reinforcing an existing transparency obligation but applying it with renewed importance to the payments sector. The focus is no longer only “who owns the licence?” but also “who ultimately controls payment activity in the market, and could that control affect competition, resilience or financial-system stability?”
Mandatory Data Localisation Requirements
- The Circular mandates that all payment transaction data generated within Nigeria must be stored and managed within Nigeria in accordance with applicable Nigerian data protection laws and regulations. Affected institutions are required to comply with this requirement by 1 January 2027[3].
Practice Implications
- This is one of the most significant provisions of the Circular because it moves data localisation from a broad policy concern into a direct payments-system compliance obligation. Importantly, the requirement should not be read simplistically as a blanket ban on the use of foreign technology providers. The issue is not merely whether a payment company uses AWS, Azure, Google Cloud or another global vendor. The real question is where Nigerian payments data actually lives, where it is backed up, who can access it, and whether it remains within Nigerian regulatory reach.
- In practical terms, local data residency means that the core transaction database, settlement and reconciliation records, switching logs, merchant records, consumer issuing records, audit trails, cloud backups, disaster recovery systems and other records containing Nigerian payments data must be stored and managed within Nigeria. If the primary system is hosted locally, but backups, logs, support copies or analytics exports are routinely replicated offshore, the institution may still have a localisation issue.
- For affected institutions, compliance will therefore require more than a policy statement. They will need to conduct a detailed data-mapping and infrastructure review, identify every system and vendor that stores or processes Nigerian payments data, review cloud and third-party contracts for data residency commitments, assess offshore support arrangements, and confirm that backup, disaster recovery and encryption-key controls are consistent with the CBN’s requirement. For providers currently built on offshore cloud infrastructure, the practical question is not whether they must abandon a global cloud provider entirely, but whether Nigerian payments transaction data remains offshore. If the core transaction database, logs, backups or disaster recovery copies are hosted outside Nigeria, the provider may need to restructure that part of its infrastructure before the compliance deadline. In practice, this could mean moving the regulated payments data layer to a Nigerian data centre, local cloud, private cloud or hybrid model, while continuing to use global technology tools for other non-regulated parts of the business. The compliance exercise will therefore require a full data-mapping review: where the data sits, where it is backed up, who can access it, where encryption keys are held, and whether the CBN can supervise the data without depending on foreign infrastructure.
- The broader point is that the CBN is treating payments data as critical financial infrastructure: not just private operational data, but a strategic record of financial activity that must remain within Nigerian supervisory control. Given the implementation deadline of 1 January 2027, affected institutions should begin compliance readiness assessments early to avoid rushed infrastructure changes, contractual gaps or operational disruptions.
- From a data protection perspective, the localisation requirement does not sit outside Nigeria’s existing privacy and consumer protection framework; rather, it reinforces it for payments data. The CBN already treats consumer protection as part of its supervisory mandate, including protection of consumer assets and privacy, and the 2019 Consumer Protection Regulations expressly include data protection and privacy as part of responsible business conduct.[4] The Circular’s requirement that payment transaction data generated in Nigeria be stored and managed in Nigeria therefore adds a sector-specific residency obligation on top of the general obligations under the Nigeria Data Protection Act 2023, which regulates the processing of personal data, imposes duties on data controllers and processors, requires security, integrity and confidentiality of personal data, and governs cross-border transfers.[5]
- In practical terms, there is an active data protection angle: regulated institutions must determine whether payments data includes personal data, identify all systems, vendors, backups, logs and support arrangements through which such data is stored or accessed, ensure that any offshore access or transfer satisfies the NDPA’s cross-border transfer requirements, including adequacy, binding corporate rules, contractual clauses, codes of conduct, certification mechanisms or other permitted bases, and maintain appropriate documentation, data processing agreements, security controls, breach-response procedures and governance records.
- In summary, the localisation requirement should therefore be read not merely as an infrastructure rule, but as a combined payments-system, consumer-protection and data-protection compliance obligation aimed at ensuring that Nigerian payments data remains secure, supervisable and within Nigerian regulatory reach.
Market Structure Requirements
- The Circular introduces market structure rules aimed at preventing excessive concentration across key parts of the payments value chain. The CBN is basically looking at two connected activities: the consumer side, where institutions enable customers to make payments, and the merchant side, where the institutions enable businesses to accept payments[6].
- Under the Circular, a licensed financial institution that holds more than 25% market share in consumer issuing activities during any rolling twelve-month period may not hold more than 15% market share in merchant acquiring activities during the same period. The same restriction applies in reverse. A licensed financial institution that holds more than 25% market share in merchant acquiring activities may not hold more than 15% market share in consumer issuing activities during the same rolling twelve-month period.
- This is also where the UBO requirement becomes relevant. Because the market-share limits apply not only to individual institutions but also to groups of related entities, the CBN needs visibility over who ultimately owns or controls different payment businesses. Without accurate UBO information, an operator could appear to be below the threshold on paper while related companies; common shareholders or group structures hold significant positions across both consumer issuing and merchant acquiring. In this sense, UBO disclosure supports the market-structure rules by helping the CBN identify when separate entities should be viewed together for concentration-risk purposes.
- The practical effect is that an operator may be allowed to grow significantly on one side of the payments market, but it may face regulatory limits if it also becomes materially powerful on the other side. For example, if a payment company is already very strong in consumer issuing, it cannot also become too large in merchant acquiring. Similarly, if it is dominant in merchant acquiring, it cannot also build excessive market share in consumer issuing. The market structure provisions represent a notable development in the evolution of payments regulation in Nigeria. Historically, financial institutions and payment service providers have sought to expand across multiple segments of the payment value chain, including card issuance, wallet issuance, merchant acquiring, payment processing, switching, and related services. The Circular indicates that the CBN is increasingly concerned about concentration risk and the emergence of institutions with significant influence across several payment functions simultaneously.
- The regulatory concern is control. A company that is powerful on the consumer side and also powerful on the merchant side could influence how payments are routed, how merchants access payment services, what fees are charged, how settlement flows are managed and how easily smaller competitors can participate in the market. The CBN appears to be saying that growth is allowed, but dominance across connected parts of the payments chain must be controlled before it creates competition or systemic-risk concerns.
- To facilitate regulatory oversight, all regulated entities are required to submit monthly market share returns in accordance with prescribed templates and timelines. Affected institutions are also required to take necessary measures to ensure full compliance with the market structure requirements no later than 31 December 2026.[7]
- For institutions approaching the prescribed thresholds, compliance may require more than periodic reporting. They will need to monitor market share on a rolling twelve-month basis, assess the activities of related entities within the same group, evaluate whether expansion in one business line could create restrictions in another, and consider whether strategic restructuring, divestments, partnerships or business model adjustments may be necessary before the compliance deadline.
- Put simply, the CBN is not only supervising individual licences; it is watching how market power is building across the payment’s ecosystem.
Compliance and Enforcement
- The Circular expressly states that the CBN will monitor compliance and may impose supervisory sanctions where necessary in accordance with applicable laws, regulations and guidelines. Although the Circular does not specify sanctions, regulated entities should expect that non-compliance may attract regulatory measures consistent with the CBN’s broader supervisory framework.
- Considering this, institutions should take proactive steps to strengthen their compliance posture. This should include reviewing ownership structure and verifying UBO information, assessing data localization readiness, implementing mechanisms to monitor market share threshold, enhancing regulatory reporting processes and ensuring that governance frameworks are sufficiently robust to support ongoing compliance with the Circular.
- Institutions should also consider documenting their compliance approach. For UBO disclosure, this may include updated ownership charts, shareholder registers, control analyses, and supporting documentation. For data localisation, this may include data maps, vendor assessments, clous architecture reviews, backup and disaster recovery documentation, and contractual data residency commitments. For market structure compliance, this may include internal market share tracking, group entity analysis, and board-level review of business expansion plans.
Conclusion
- The Circular represents a significant regulatory intervention in Nigeria’s payments ecosystem and reflects the CBN’s increasing focus on transparency, competition, systemic resilience, and local control of critical payments infrastructure.
- While the UBO and data localization requirements align with broader global regulatory concerns around transparency, data sovereignty and financial system resilience, the market structure restrictions are likely to generate the greatest industry discussion. This is particularly so for large financial institutions and payment service providers with significant positions across multiple segments of the payments value chain.
- Ultimately, the Circular signals a shift in regulatory posture. The CBN is moving beyond supervising payment institutions as isolated licence holders and is now paying closer attention to how ownership, data, infrastructure and market power interact across the wider payments’ ecosystem. For regulated entities, the key task is not only to comply with the specific requirements of the Circular, but also to understand the broader supervisory direction it represents: a more active, structural and systemic approach to payments regulation in Nigeria
For further clarification or assistance regarding compliance with the CBN Circular or any related legal matters, you can contact us via email – lawyers@credence-law.com
[1] Section 1 of the CBN Circular on Market Structure, Data Localisation, UBO Disclosure and Systematic Oversight in the Nigerian Payments System.
[2] Ditto.
[3] Section 2 of the Circular.
[4] See the 2019 CBN Consumer Protection Regulations, particularly, Section 5.4.
[5] See Nigeria’s Data Protection Act, 2023.
[6] Section 3 of the Circular
[7] Section 3 (iv) of the Circular.