The Central Bank of Nigeria's March 2026 circular on AML baseline standards marked a significant change in how the CBN expects regulated institutions to approach anti-money laundering compliance. For the first time, the CBN has set explicit, tiered deadlines that distinguish between deposit money banks, fintechs, and payment service providers, with specific reporting requirements attached to each stage.

Most Nigerian fintechs are focused on the June 10 roadmap submission. However, June 10 is a checkpoint, not the end of the road. The full compliance build-out runs through September 2027 for DMBs and March 2028 for fintechs and PSPs, and the CBN has been explicit that roadmap submissions without credible implementation plans will not satisfy the standard.

This article breaks down what the circular actually requires, what a credible roadmap submission looks like, and what the full 18 to 24-month compliance journey means for Nigerian fintechs and payment providers.

What the CBN Circular Actually Covers and the Three-Tier Deadline Structure

The circular establishes a baseline AML compliance framework that all regulated institutions must meet. 

The deadline structure works across three stages:

1. June 10, 2026: Roadmap Submission

All regulated institutions, including fintechs, PSPs, and mobile money operators, must submit a formal AML compliance roadmap to the CBN by June 10. This is a documented plan showing how the institution intends to meet the full baseline standard, including system upgrades and implementation timelines. Submissions without specific milestones, responsible owners, and realistic delivery dates are unlikely to pass scrutiny.

2. September 2027: DMB Deadline

Deposit money banks have until September 2027 to achieve full compliance with the baseline AML standards. This includes live transaction monitoring systems, documented KYC and AML linkage, suspicious activity reporting infrastructure, and governance frameworks that meet CBN expectations. By this point, DMBs should have moved well beyond the roadmap into active implementation.

3. March 2028: Fintech and PSP Deadline

Fintechs, payment service providers, and mobile money operators have until March 2028 to achieve full compliance. The longer runway reflects the CBN's proportionality approach, but it does not reduce the scope of what is required. The same system and reporting standards apply. 

What a Credible Implementation Roadmap Must Include

The CBN has been clear that a roadmap submission is not a statement of intent. It is a structured plan that demonstrates the institution understands what compliance requires and has a realistic path to achieving it. A credible submission covers the following:

1. Current state assessment: A documented gap analysis showing where the institution currently sits against the baseline standard, covering KYC linkage, reporting, and governance.
2. System and technology requirements: Specific identification of the tools or upgrades required to meet the standard, including transaction monitoring platforms, identity verification infrastructure, and suspicious activity reporting workflows.
3. Governance and ownership: Named responsible parties for each compliance workstream, with clear escalation paths and senior management accountability attached to the implementation plan.
4. Implementation milestones: A phased timeline with specific delivery dates that maps the institution's path from current state to full compliance by the applicable deadline.
5. Training and awareness: Documentation showing that compliance, operations, and product teams understand their obligations under the new standard and how those obligations translate into day-to-day processes.

A roadmap that covers these five areas gives the CBN what it needs to assess whether the institution is on a credible compliance path. One that doesn't risks rejection or follow-up scrutiny.

What Happens After June 10

Submitting a roadmap is the beginning of the compliance build-out, not the end of it. Here is what the CBN expects institutions to have in place by their applicable deadline:

• Live transaction monitoring: Automated systems that screen transactions in real time, flag suspicious activity, and generate alerts for review. Manual monitoring alone will not satisfy the standard.
• Audit trail infrastructure: Complete, retrievable records of transaction decisions, KYC checks, and suspicious activity reports that can be produced for regulatory examination without significant delay.
• Governance documentation: Board-level AML policies, compliance officer mandates, and escalation procedures that are documented, current, and demonstrably followed.
• Periodic review processes: Scheduled customer risk reassessments, transaction pattern reviews, and compliance audits that happen on a defined cycle rather than only in response to incidents.

How the Proportionality Principle Works

The CBN's proportionality principle means compliance requirements are set to institutional size, product complexity, and risk exposure. In practice:

• A microfinance bank serving low-income retail customers with limited transaction volumes will apply a lighter monitoring framework than a tier-one bank processing billions in daily transactions.
• A fintech offering a single wallet product has a narrower compliance surface than a PSP running multiple payment channels across different customer segments.
• Proportionality does not reduce the obligation to comply. It adjusts the depth and complexity of the systems required to meet that obligation.
• Every regulated institution, regardless of size, must have documented KYC processes, transaction monitoring, and suspicious activity reporting in place by their applicable deadline.

The Link Between KYC, KYB, and AML

The CBN has explicitly stated that AML systems without effective linkage to CDD and KYC information will not be regarded as compliant. That means transaction monitoring cannot operate in isolation from identity verification. 

Here is what that linkage requires in practice:

1. Identity verification feeding into transaction monitoring: Customer identity data collected during onboarding, including BVN, NIN, and document verification outputs, must be accessible to the transaction monitoring system so that activity can be assessed against the verified customer profile.
2. Risk profiles informing monitoring rules: The risk tier assigned to a customer during CDD must determine the monitoring intensity applied to their transactions. A high-risk customer should face tighter monitoring thresholds than a low-risk one, and that calibration should be documented.
3. KYB linkage for business accounts: For corporate customers, business verification outputs including beneficial ownership data and business activity information must feed into the AML monitoring framework, not sit in a separate onboarding file.
4. End-to-end audit trail: The CBN expects institutions to demonstrate, when examined, that identity data and transaction monitoring data are connected and that compliance decisions can be traced from customer onboarding through to suspicious activity reporting.

Fintechs running separate KYC and AML systems with no structured data linkage between them are already non-compliant under the new standard, regardless of how good each individual system is.

How Dojah Helps Nigerian Fintechs Meet the CBN AML Baseline Standards

Meeting the CBN AML baseline standards requires more than checking boxes at onboarding. It requires identity verification, business verification, transaction monitoring, and risk assessment working together as a connected compliance infrastructure.

Dojah gives Nigerian fintechs and PSPs that infrastructure through a single integration.

• Real-time identity verification: BVN, NIN, and document verification checks run at onboarding and feed directly into customer risk profiles, giving your transaction monitoring system the identity context it needs to flag suspicious activity accurately.
• Business verification: KYB checks covering business registration, beneficial ownership, and director verification satisfy the CBN's requirement for documented KYB linkage in AML frameworks for corporate accounts.
• Transaction risk signals: Dojah's risk infrastructure generates real-time signals that support automated transaction monitoring, helping compliance teams prioritize alerts and meet suspicious activity reporting obligations.
• Connected compliance data: Identity verification outputs, risk scores, and transaction signals sit in one platform, giving institutions the end-to-end audit trail the CBN expects to see during regulatory examination.

Nigerian fintechs that are still running separate KYC and AML systems have a narrow window to close that gap before their deadline arrives. Dojah's infrastructure is built to connect those layers without requiring a full system rebuild.

Explore how Dojah’s Identity Verification infrastructure powers KYC, KYB, and AML compliance for regulated fintechs. 

FAQs on CBN AML Baseline Standards 2026

1. What are the CBN AML baseline standards 2026? The CBN AML baseline standards 2026 are a set of minimum AML compliance requirements issued by the Central Bank of Nigeria in March 2026. They cover transaction monitoring, KYC and CDD linkage, suspicious activity reporting, governance structures, and audit trail requirements for all regulated financial institutions in Nigeria.

2. What is the June 10, 2026 deadline for Nigerian fintechs? June 10 2026 is the deadline for all regulated institutions to submit a formal AML compliance roadmap to the CBN. It is not a full compliance deadline. Fintechs and PSPs have until March 2028 to achieve full compliance with the baseline standard.

3. What must a CBN AML roadmap submission include? A credible roadmap submission must include a current state gap analysis, system and technology requirements, and governance and ownership structure

4. Why does the CBN require KYC and AML systems to be linked? The CBN has stated that AML systems without effective linkage to KYC and CDD information will not be regarded as compliant. Transaction monitoring must be connected to verified customer identity data so that suspicious activity can be assessed against the customer's profile, risk tier, and expected behavior.