

Jennifer Edidiong

Marketing

11 min read


How Often Should African Fintechs Re-Verify Their Users: A Practical KYC Review Guide

A fintech that fails to re-verify its users does not just face fraud. It faces CBN sanctions, AML exposure, and licence risk. On March 10, 2026, the Central Bank of Nigeria issued Circular BSD/DIR/PUB/LAB/019/002, making continuous identity verification a legal obligation, not just a best practice recommendation.

A user who completed KYC at onboarding is not necessarily the same person using the account six months later. A SIM swap, device change, or account takeover may have already shifted who controls it. The identity on file remains valid. The person behind it may not.

According to the FITC Q1 2025 report, fraud losses jumped 603% year-on-year in Q1 2025 while cases rose only 7.63%. Attackers are no longer fighting onboarding controls. They are targeting verified accounts. This article breaks down how to build a re-verification system that stops them.

What CBN and Global AML Standards Say About Periodic Review

Both Nigerian and international regulatory frameworks are built on ongoing customer diligence.

1. KYC as a Continuous Process

Under the Financial Action Task Force (FATF) standards, which serve as the global blueprint for AML, KYC is explicitly defined as a continuous process. Ongoing Customer Due Diligence (OCDD) means that a platform must ensure the transactions being conducted are consistent with its knowledge of the customer, their business, and their risk profile.

2. The 2026 CBN Mandate: Live Records

On March 10, 2026, the Central Bank of Nigeria issued a new circular establishing mandatory Baseline Standards for automated AML Solutions across all regulated financial institutions. The circular requires real-time validation against government databases, mandatory biometric checks, and integration between KYC data, customer risk profiles, and transactional activity into a single unified customer view. As reported by The Condia, fintechs must submit their implementation roadmaps to the CBN by June 10, 2026, with full compliance required within 24 months of the circular.

The regulator now expects fintechs to maintain live records. If a customer's government-issued ID expires, or if their status changes, such as becoming a Politically Exposed Person, the fintech is responsible for capturing that update.

3. Automation and Real-Time Compliance

The circular is explicit that manual compliance processes are no longer viable. It requires institutions to monitor activity in real-time or near real-time, detect unusual patterns indicative of fraud, and file Suspicious Transaction Reports to the NFIU within 24 hours. Institutions that still rely on batch processes or periodic manual reviews will not meet the standard.

4. The Risk-Based Approach

Crucially, these standards dictate that risk determines frequency. Regulators do not expect you to apply the same level of scrutiny to a low-volume retail wallet as to a high-net-worth corporate account. Fintechs must adopt a Risk-Based Approach where the depth and cadence of re-verification are scaled according to the potential threat level.

Why Most Re-Verification Systems Fail in Practice

1. Manual Compliance Processes Do Not Scale

Many compliance teams still rely on spreadsheets or manual reminders to track user document expiry. This works for a startup with 1,000 users. It breaks at 100,000. When re-verification is manual, it is inconsistent, and inconsistency is where fraud finds its opening.

2. Fragmented Identity and Fraud Data Systems

The biggest technical hurdle is the silo effect. Identity data often lives in one database, while transaction behaviour and device signals live in another. When these systems do not communicate, your fraud team has no way of knowing that a verified user is currently exhibiting high-risk behaviour.

3. Legacy Systems Cannot Respond at the Speed Risk Moves

Identity risk can change within hours, not months, and systems built for annual or biannual reviews are not equipped to respond at that speed. If a user's SIM is swapped on a Tuesday, waiting until a scheduled review in December is not a compliance gap. It is an open door. 

In Africa's mobile-first financial ecosystem, where SIM-based authentication remains the dominant second factor, this vulnerability is especially acute.

4. Re-Verification Happens Too Late

In many organisations, re-verification is triggered by a suspicious transaction. By the time a risk lead manually flags an account for review, the fraud has often already been committed, and the funds have been moved. This reactive posture creates a structural disadvantage. 

Identity farming, where fraud networks build pools of verified accounts and let them sit dormant for months before activating them, exploits exactly this gap. According to TechCabal's March 2026 report on African fintech fraud, some fraudulent identities were reused in more than 1,000 account registrations within a single 30-minute window.


The Triggers That Should Prompt Unscheduled Re-Verification

By automating event-based triggers, your system can catch identity theft in minutes rather than months. Here are five critical events that should prompt an immediate, unscheduled re-verification flow:

1. SIM Swap or Phone Number Change

In Africa's mobile-first economy, a SIM swap is one of the most direct indicators of an imminent account takeover. Cifas Fraudscape data shows SIM swap fraud reports in the UK surged 1,055% in 2024 alone, and the tactic is increasingly industrialised across African markets where SMS-based authentication remains dominant.

If a user who has transacted with the same number for two years suddenly attempts to link a new, unverified number, your system should automatically block the update until they complete a biometric liveness check confirming the request is coming from the actual account owner. Note that a swap of the SIM behind the existing number is invisible to your app: the number on file does not change, only who receives its SMS. Where the mobile operator or an aggregator exposes a SIM-swap date lookup, query it before trusting an OTP, and treat any OTP delivered to a recently swapped SIM as an unverified signal rather than proof of possession.

2. Device Fingerprint Anomalies

If a user who consistently transacts on a specific device in a known location suddenly logs in from an unfamiliar, low-cost device in a different region, the identity must be confirmed before any transaction is permitted. 

Device anomalies are a core signal of compromised credentials, and a login from a device previously associated with fraudulent activity on another platform is grounds for an immediate identity refresh.

3. Unusual Login Location or Velocity

If a user logs in from Abuja and then attempts a transaction from a London IP address sixty minutes later, the velocity is physically impossible. In this case, authentication requirements should immediately step up. 

Rather than a password alone, step up to a government ID scan with a liveness check, which a VPN or remote-access tool cannot satisfy on the real owner's behalf. Treat the signal as a reason to step up rather than to lock the account outright: IP geolocation is noisy, and carrier-grade NAT and VPN exit nodes routinely place a legitimate mobile user in the wrong city or country.

4. Transaction Spikes and Behavioural Shifts

Sudden jumps in volume, such as a retail wallet moving from a ₦10,000 monthly average to ₦1,500,000 in a single afternoon, directly contradict the user's established risk profile. Under CBN AML guidelines, this constitutes a trigger for Enhanced Due Diligence. 

Before funds are cleared, an automated flow should require the user to confirm their source of funds. That gives your compliance team the evidence before the money moves, rather than a Suspicious Transaction Report filed after it has already left the account.

5. Changes to Account Recovery Details

When a user alters high-sensitivity information such as a recovery email or transaction PIN, it is a critical security event. Fraudsters often attempt these changes immediately after gaining access in order to lock the real owner out.

An automated re-verification step at this point ensures no critical security change is finalised until the user provides a fresh identity signal, such as a face match against their original BVN or NIN record.


How to Build a Re-Verification Cadence Based on User Risk Tier

A risk-based approach requires tailoring checks based on user risk level.

Low-Risk Users: Periodic Maintenance

The profile: verified identifiers at onboarding, consistent device and login patterns, low transaction volumes.

Suggested cadence: 12 to 24 months.

The workflow: a routine refresh of expired identity documents, automated to keep records live without interrupting the daily app experience.

Medium-Risk Users: Active Monitoring

The profile: moderate activity shifts, occasional login anomalies, or mid-tier transaction volumes.

Suggested cadence: 6 to 12 months.

The workflow: proactive confirmation of socio-economic status or business activity. Financial data APIs during these windows allow you to verify whether actual cash flow still aligns with the risk profile declared at onboarding.

High-Risk Users: Continuous Oversight

The profile: high-value transactions, behavioural irregularities, or associations with high-risk jurisdictions or PEP status.

Suggested cadence: continuous monitoring combined with quarterly or event-based review.

The workflow: for these users, re-verification is not a date on a calendar. It is a permanent state. A mandatory quarterly biometric liveness check confirms that the verified owner still controls the account and raises the cost of a high-stakes takeover.

This tier also covers users flagged under the CBN circular's PEP screening requirements, which mandate ongoing adverse media monitoring and watchlist screening in addition to identity checks.

Addressing the Dormant Account Trap

Identity risk is particularly high for accounts that have been inactive for extended periods. Research into African fintech fraud patterns has identified identity farming, where fraud networks build pools of verified accounts and let them sit dormant before activating them for money movement, as a growing tactic.

Any account inactive for six months or more should be automatically moved to a high-risk tier for its first transaction back. This ensures a fresh identity signal is captured before funds can move, neutralising the sleeper account threat before it activates.

Frequency should match risk level, not a fixed timeline. A low-risk user today can become a high-risk user tomorrow, and your review schedule should reflect that in real time.
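The event triggers from the previous section and the tier cadence and dormancy rule from this one, combined into a single decision engine. This is an added example written for this page, not Dojah's product code, and it makes assumptions the article does not state: the calendar cadence uses the shorter end of each tier's range (365, 180 and 90 days), a transaction counts as a spike at ten times the user's monthly average, impossible travel means a speed above 900 km/h between the last login and the current event, and the names `Profile`, `Event`, `Decision`, `evaluate` and the check labels are illustrative. The sample profile, coordinates and events are constructed.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

TIER_CADENCE_DAYS = {"low": 365, "medium": 180, "high": 90}  # shorter end of each range (assumption)
DORMANCY_DAYS = 180           # six months idle: high risk for the first transaction back
SPIKE_MULTIPLIER = 10.0       # assumption: 10x the monthly average counts as a spike
IMPOSSIBLE_SPEED_KMH = 900.0  # assumption: faster than an airliner is impossible travel
LatLon = tuple[float, float]

@dataclass
class Profile:
    tier: str                 # "low" | "medium" | "high"
    known_devices: set[str]
    avg_monthly_volume_ngn: float
    last_verified: datetime
    last_activity: datetime
    last_login_at: datetime
    last_login_latlon: LatLon

@dataclass
class Event:
    kind: str                 # "login" | "transaction" | "phone_change" | "recovery_change"
    at: datetime
    latlon: Optional[LatLon] = None
    device_id: Optional[str] = None
    amount_ngn: float = 0.0

@dataclass
class Decision:
    allow: bool               # False: hold the action until the listed checks pass
    tier: str                 # effective tier after this event
    checks: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)

def haversine_km(a: LatLon, b: LatLon) -> float:
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def is_impossible_travel(profile: Profile, event: Event) -> bool:
    """Speed implied since the last login exceeds the ceiling; elapsed time is clamped to one
    second so clock skew or out-of-order events flag any real distance instead of dividing by
    zero or a negative."""
    if event.latlon is None:
        return False
    km = haversine_km(profile.last_login_latlon, event.latlon)
    hours = max((event.at - profile.last_login_at).total_seconds(), 1.0) / 3600.0
    return km / hours > IMPOSSIBLE_SPEED_KMH

def evaluate(profile: Profile, event: Event) -> Decision:
    """Event triggers fire first; the calendar cadence applies only when none of them do."""
    d = Decision(allow=True, tier=profile.tier)

    def trigger(check: str, reason: str, hold: bool = True, promote: bool = True) -> None:
        if check not in d.checks:
            d.checks.append(check)
        d.reasons.append(reason)
        d.allow = d.allow and not hold
        d.tier = "high" if promote else d.tier  # a live trigger promotes until re-verified

    if event.kind == "phone_change":
        trigger("liveness", "phone number change (possible SIM swap)")
    if event.device_id is not None and event.device_id not in profile.known_devices:
        trigger("liveness", f"unknown device {event.device_id}")
    if is_impossible_travel(profile, event):
        trigger("government_id", "impossible travel since last login")
    if event.kind == "transaction":
        if event.amount_ngn >= SPIKE_MULTIPLIER * profile.avg_monthly_volume_ngn > 0:
            trigger("source_of_funds", f"{event.amount_ngn:,.0f} NGN against a "
                    f"{profile.avg_monthly_volume_ngn:,.0f} NGN monthly average")
        if event.at - profile.last_activity >= timedelta(days=DORMANCY_DAYS):
            trigger("liveness", "first transaction after six months dormant")
    if event.kind == "recovery_change":
        trigger("face_match", "change to account recovery details")
    cadence = timedelta(days=TIER_CADENCE_DAYS[profile.tier])
    if not d.checks and event.at - profile.last_verified >= cadence:
        # Routine document refresh: queue it without holding the user's action or re-tiering.
        trigger("document_refresh", f"{profile.tier}-tier review overdue", hold=False, promote=False)
    return d

NOW = datetime(2026, 3, 17, 12, 0, tzinfo=timezone.utc)  # constructed sample data, not real customers
ABUJA, LONDON = (9.0579, 7.4951), (51.5074, -0.1278)
BASE = Profile("low", {"dev-A"}, 10_000.0, last_verified=NOW - timedelta(days=200),
               last_activity=NOW - timedelta(days=2), last_login_at=NOW - timedelta(hours=1),
               last_login_latlon=ABUJA)

def run_demo() -> dict[str, Decision]:
    """One decision per trigger in the article, plus a routine refresh with no trigger."""
    dormant = replace(BASE, last_activity=NOW - timedelta(days=200), last_login_at=NOW - timedelta(days=200))
    overdue = replace(BASE, last_verified=NOW - timedelta(days=400))
    return {
        "impossible_travel": evaluate(BASE, Event("transaction", NOW, LONDON, "dev-A", 5_000)),
        "new_device": evaluate(BASE, Event("login", NOW, ABUJA, "dev-B")),
        "spike": evaluate(BASE, Event("transaction", NOW, ABUJA, "dev-A", 1_500_000)),
        "sim_swap": evaluate(BASE, Event("phone_change", NOW, ABUJA, "dev-A")),
        "dormant": evaluate(dormant, Event("transaction", NOW, ABUJA, "dev-A", 5_000)),
        "routine": evaluate(overdue, Event("login", NOW, ABUJA, "dev-A")),
    }
```

Call `run_demo()` to get one `Decision` per scenario. Two design points carry over to a real system: triggers are evaluated before the calendar cadence, so an overdue routine refresh never masks a live SIM swap or impossible-travel event, and the routine refresh is queued with `hold=False` and no re-tiering, which is what keeps a low-risk user's completion rate intact while the high-risk paths still block the action until the step-up check passes.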

How Dojah Automates the Identity Lifecycle

Most fintechs treat KYC as a checkpoint. The CBN's 2026 Baseline Standards make clear that it must be a continuous loop. The gap between those two approaches is where fraud lives, and where regulatory exposure accumulates.

Dojah provides the infrastructure to move from stop-and-start compliance to a continuous identity lifecycle. Rather than stitching together separate tools for onboarding, monitoring, and re-verification, Dojah connects these into a single integrated flow built on government ID databases, including NIMC and NIBSS.

With Dojah, you have:

  • Unified risk scoring that aggregates device signals, behavioural patterns, and identity data into a single actionable score that updates dynamically as user behaviour changes
  • Live background refreshes that automatically check IDs against primary databases, keeping your records compliant with the CBN's live records requirement without manual intervention
  • Low-friction re-verification flows that trigger liveness checks only when a risk event is detected, protecting your completion rates while maintaining security where it actually matters
  • AML screening that runs continuously against watchlists and PEP databases, aligned with the NFIU's reporting requirements

The result is a compliance posture that meets the CBN's June 2026 roadmap deadline and the full 24-month implementation requirement, without building separate systems for every stage of the customer lifecycle.

Book a demo to see how Dojah helps you detect identity risk in real time and automate re-verification across your entire user lifecycle. 


Frequently Asked Questions

Is periodic KYC review mandatory for African fintechs?

Yes. Under CBN Circular BSD/DIR/PUB/LAB/019/002 issued March 10, 2026, and global FATF standards, onboarding is only the first step. Fintechs must implement continuous KYC to keep user data live, accurate, and compliant. Implementation roadmaps are due to the CBN by June 10, 2026.

How often should we re-verify users?

Your cadence should follow a risk-based model: low-risk users every 12 to 24 months, medium-risk users every 6 to 12 months, and high-risk users under continuous monitoring with quarterly structured reviews. Event-based triggers override these schedules when a risk signal is detected.

What triggers an unscheduled re-verification?

Identity refreshes should be event-driven. Immediate triggers include SIM swaps, new device logins, impossible travel locations, sudden transaction spikes, and changes to account recovery details.

How do we prevent churn during re-verification?

Avoid full re-onboarding flows for routine checks. Apply step-up verification proportionally: low-friction liveness checks for moderate triggers, fuller document re-submission only for high-risk events. The goal is to confirm the user is still the authorised account owner, not to repeat the original onboarding experience.

How do we stop dormant account fraud?

Treat accounts inactive for six months or more as high-risk for their first transaction back. Require a fresh identity signal before any funds move. This neutralises identity farming tactics where fraud networks activate dormant verified accounts for money movement.

