Go back to Blog
Chioma Ugwa
Marketing
11 min read
Share to
6 Compliance Challenges for African Digital Businesses in 2026
Three years ago, compliance was a fintech conversation. It was the domain of licensed lenders, payment processors, and banks. Other African digital businesses, including marketplaces, gig platforms, logistics apps, and SaaS companies, sat largely outside the regulatory frame.
That has changed. The combination of stricter data privacy enforcement, expanded AML obligations, and pressure on platforms that facilitate payments or merchant activity has pushed compliance requirements into sectors that were not previously thinking about them. In Nigeria, Kenya, Ghana, and South Africa, regulators are no longer drawing a clean line between fintech and everyone else.
For founders and compliance teams at African digital businesses, the challenge is not just understanding what is required. It is building the infrastructure to meet those requirements with teams and budgets that were not sized for this level of regulatory complexity.
Below are the six compliance challenges that are creating the most pressure for African digital businesses in 2026, along with the practical consequences of getting them wrong.
Challenge 1: The identity verification gap
More African digital businesses are now required to verify users and merchants, but most have no structured verification flow in place. What was previously a product decision has become a regulatory obligation, and many businesses are discovering the gap only when a regulator or a fraud incident makes it visible.
• Who this affects: Any platform that facilitates financial transactions, onboards merchants, or holds user accounts with wallet functionality. This now includes marketplaces, ride-hailing apps, delivery platforms, and BNPL providers, not just traditional fintechs.
• What regulators expect: The CBN, CAC, and sector-specific regulators have moved toward requiring documented identity verification at onboarding for any business with payment or financial services exposure. In many cases, the requirement now extends to beneficial ownership verification for merchant accounts.
• Where most businesses fall short: Many platforms collect identity data at signup, typically a phone number, email address, or self-reported name, without running it against a government database or biometric check. This creates an onboarding flow that looks like KYC but provides none of the actual protection or compliance coverage.
Illustrative consequence A marketplace platform in Lagos was flagged during a routine CBN examination for onboarding merchants without BVN verification. The business had been running for two years with a self-reported signup flow, assuming it fell outside the verification requirement. The remediation process required retroactive verification of thousands of merchant accounts, alongside a formal response to the regulator |
Challenge 2: Data privacy obligations
Nigeria's NDPR, Kenya's Data Protection Act, Ghana's Data Protection Act, and South Africa's POPIA are all in active enforcement. What was once a compliance aspiration is now a liability with real consequences. African digital businesses that collect, process, or store user data without proper legal structure are now exposed.
• What the frameworks require: Each framework establishes requirements around lawful basis for data collection, user consent, data retention limits, cross-border data transfer restrictions, and the right of users to access or delete their data. Most digital businesses meet none of these requirements in full.
• Where the gaps typically sit: The most common failures are collecting more data than the stated purpose requires, retaining data beyond what is necessary, failing to obtain meaningful consent before processing, and having no documented response process when a user requests access to their data or requests deletion.
• Cross-border exposure: African digital businesses operating across multiple markets face layered obligations. A business headquartered in Nigeria but processing data for Kenyan users is subject to both the NDPR and the Kenyan Data Protection Act. Many businesses are unaware of this exposure until an incident triggers a review.
Real consequence In July 2025, Nigeria's Data Protection Commission fined MultiChoice Nigeria NGN 766,242,500 (approximately $500,000) for violating the Nigeria Data Protection Act. The NDPC's investigation, initiated in Q2 2024, found that MultiChoice had conducted unauthorised cross-border transfers of personal data belonging to Nigerian subscribers and non-subscribers, without appropriate consent or safeguards. The Commission described the data processing as "patently intrusive, unfair, unnecessary and disproportionate." MultiChoice's initial response to regulatory directives was deemed unsatisfactory, which contributed directly to the scale of the penalty. The case was the largest data protection enforcement action in Nigeria's history at the time and signalled the NDPC's shift from education to active enforcement. |
Challenge 3: Merchant and vendor onboarding blind spots
Marketplace and gig economy platforms are facing growing scrutiny for onboarding merchants and vendors without proper business verification. Regulators and financial partners are increasingly treating the platform as responsible for the compliance posture of the businesses it hosts.
• The scale of the problem: Most African marketplace platforms have onboarding flows that collect a business name, a bank account number, and sometimes a CAC registration number. Few verify that the registration is valid, that the business is actively trading, or that the beneficial owner of the account matches the person running the merchant profile.
• Why this matters beyond compliance: Unverified merchant accounts are a primary entry point for fraud on marketplace platforms. Fraudsters register merchant profiles, accumulate payments from buyers, and withdraw before the platform can respond. The platform bears the financial and reputational cost.
• Regulatory direction: The CBN's guidance on payment facilitation makes clear that platforms processing payments on behalf of merchants carry liability for those merchants' compliance status. EFCC and the Financial Intelligence Unit have both increased scrutiny of marketplace platforms as vectors for financial crime.
Sample consequence A Nigerian gig platform was used by fraudulent service providers to collect payments from customers for services that were never delivered. The platform had no verification of provider identity beyond a selfie and a phone number. When the fraud became public, the platform faced regulatory questions about its onboarding process alongside the reputational damage from the incident itself. |
Challenge 4: Cross-border compliance complexity
African digital businesses expanding across markets are discovering that compliance requirements differ significantly by country. What satisfies a Nigerian regulator does not automatically satisfy a Kenyan or Ghanaian one. Manual, country-by-country compliance stitching does not scale and creates gaps that grow as the business grows.
• Where the differences create problems: Identity document types, verification requirements, data residency rules, AML thresholds, and licensing obligations all vary by market. A business that has built its compliance infrastructure around Nigerian requirements will need significant rework to operate compliantly in Kenya or South Africa.
• The integration cost: Many African digital businesses expanding across markets end up with separate verification vendors, separate data storage arrangements, and separate compliance workflows for each country. This is expensive to build, difficult to maintain, and impossible to audit consistently.
• The regulatory relationship risk: Regulators in newer markets pay attention to how a business has handled compliance in its home market. A business with a clean compliance record in Nigeria is better positioned when it approaches the Bank of Ghana or the Central Bank of Kenya for the permissions it needs to operate.
Example of consequence A Nigerian fintech expanding into Kenya discovered that its BVN-based onboarding flow had no equivalent in the Kenyan market. Building a parallel verification flow for Kenyan national ID took four months and required a separate vendor integration. By the time the build was complete, the business had been operating in Kenya for six months with a verification gap it had not disclosed to its banking partner. |
Challenge 5: The Compliance resource gap
Most African digital businesses outside tier-one fintechs are managing compliance with no dedicated compliance team and with tools that were not built for the African regulatory context. Compliance decisions are being made by founders, product managers, or legal counsel who are handling multiple other priorities at the same time
• What this looks like in practice: A startup founder interpreting the NDPR without legal support and hoping the privacy policy template they downloaded is sufficient. A product manager adding a terms of service checkbox to an onboarding flow and calling it consent. A five-person operations team manually reviewing flagged transactions because the business has no automated monitoring in place.
• The tooling problem: Many compliance tools available in the market were built for European or North American regulatory contexts and require significant configuration to work with African identity documents, local databases, and regional regulatory requirements. Businesses that try to use these tools often end up with partial coverage and false confidence.
• Why this is a growth risk, not just a compliance risk: Investors conducting due diligence on African digital businesses are increasingly including compliance posture in their assessments. Banking partners and payment processors are requiring documented compliance infrastructure as a condition of maintaining the relationship. The resource gap is starting to limit commercial options, not just create regulatory exposure.
Illustrative example of consequence An African B2B SaaS platform raised a Series A from an international investor. During due diligence, the investor's legal team found that the platform had no documented data-processing agreements with its enterprise clients, no formal incident-response process, and no records of user consent obtained under the NDPR. Closing the round required three months of compliance remediation work that had not been budgeted for. |
Challenge 6: AML obligations outside traditional financial services
Anti-money laundering obligations have extended beyond banks and licensed fintechs. African digital businesses that facilitate payments, hold wallets, operate peer-to-peer platforms, or provide financial products as part of a broader service are increasingly caught by AML requirements they were not originally designed to meet.
• What triggers AML obligations: Any business that facilitates the movement of value between parties, holds user funds, enables merchant payouts, or offers credit or savings products is likely operating within the scope of AML regulation in Nigeria, Kenya, Ghana, or South Africa, regardless of whether it holds a financial services licence.
• What AML compliance requires in practice: Transaction monitoring, customer due diligence, suspicious transaction reporting to the NFIU or equivalent body, and documented record-keeping that can be produced for regulatory examination. A standard product analytics stack meets none of these requirements.
• The enforcement trajectory: Regulators across Africa are expanding the scope of AML enforcement to include non-bank platforms. Businesses that assumed AML obligations applied only to licensed financial institutions are discovering otherwise when they seek banking partnerships, payment processing relationships, or regulatory approvals in new markets.
Real consequence In 2024 and 2025, the CBN levied significant penalties against Nigerian financial institutions for AML compliance failures. Zenith Bank received a NGN 15.42 billion fine in 2025 covering money laundering failures, cybersecurity breaches, and FX violations. Access Bank was fined NGN 35 million in May 2026 for AML/CFT compliance lapses identified during a risk-based examination. These enforcement actions form part of a broader CBN posture shift, confirmed in its April 2025 directive reminding all banks and payment service providers of their obligations to comply with sanctions regimes or face regulatory sanctions. Separately, the NFIU expanded its enforcement capacity through 2024 and 2025, with increased frequency of suspicious transaction investigations across both licensed fintechs and non-bank payment platforms. |
How Dojah helps African digital businesses close the gap
Most compliance infrastructure sold to African digital businesses was built for a different market or a different problem. Dojah is built specifically for the African regulatory context, combining the capabilities that digital businesses need across multiple compliance challenges in a single platform.
Across all six challenges, a common theme emerges. African digital businesses are being asked to verify more users, manage more data, monitor more activity, and satisfy more regulatory expectations than ever before. The businesses that succeed will be those that treat compliance infrastructure as a growth enabler rather than a regulatory afterthought.
The businesses that will navigate 2026 most effectively are not necessarily the ones with the largest compliance teams. They are the ones that have built verification and compliance infrastructure on a foundation that was designed for the market they are operating in.
Dojah gives African digital businesses that foundation, covering identity verification, business verification, fraud monitoring, and compliance documentation in one platform, with the African regulatory context built in from the start.
See how Dojah helps African digital businesses build verification and compliance infrastructure that scales identity verification, business verification, fraud monitoring, and compliance reporting in one platform.
Start using Dojah for all your business needs