How Regfyl Meets the CBN Baseline Standards for Automated AML Solutions 2026

On 10 March 2026, the Central Bank of Nigeria (CBN) formally issued the Baseline Standards for Automated Anti-Money Laundering (AML) Solutions — binding on every bank, fintech, microfinance institution, IMTO, and payment service provider operating in Nigeria. 

With implementation roadmaps due within three months and full compliance required within 18 to 24 months of issuance.

This article breaks down:

• The Need for the Baseline Standards

• What the CBN baseline standards require

• How the framework is structured

• How Regfyl fully aligns with the standards, and 

• How Regfyl can support Financial Institutions with alignment and compliance with the standards

Why the CBN Introduced the Baseline Standards

The rationale behind the CBN Baseline Standards is rooted in the reality that financial crime risks have evolved faster than traditional compliance approaches. As financial services become more digital, interconnected, and high-volume, manual AML/CFT/CPF controls are no longer sufficient to effectively detect and manage emerging risks. 

The CBN is therefore requiring financial institutions to adopt automated AML solutions that can support risk-based customer due diligence, enable timely detection of suspicious activity, and ensure accurate and prompt regulatory reporting.

Beyond simply mandating automation, the standards are designed to ensure that AML technology delivers real, measurable effectiveness, rather than superficial, feature-driven compliance. They align with FATF recommendations and global best practices, and introduce a structured framework for how AML systems should be deployed, governed, and continuously improved.

Ultimately, the objective is to move institutions toward proactive, risk-based financial crime management, supported by systems that are integrated, intelligent, and adaptable. By doing so, the CBN aims to strengthen the Nigerian financial system’s ability to prevent, detect, and report money laundering, terrorist financing, and proliferation financing, while ensuring that compliance remains effective, auditable, and aligned with both domestic and international obligations.

Understanding the CBN Baseline Standards 

The Central Bank of Nigeria Baseline Standards set out the minimum functional and governance requirements for AML solutions used by all regulated financial institutions. They draw a clear distinction between what an AML system must be capable of doing (functional requirements) and how institutions must implement, oversee, and evidence those capabilities (governance requirements).

In total, the framework defines 62 functional requirements and 38 governance requirements, reflecting a deliberate shift by the CBN toward capability-based compliance. Institutions are no longer assessed on whether systems exist, but on whether they are properly configured, integrated, and effective in practice.

These requirements are structured across 12 core areas, covering the full AML lifecycle, from onboarding and risk assessment to transaction monitoring, investigation, reporting, and audit. Together, they establish a comprehensive standard for how AML systems should operate within modern, data-driven financial institutions.

How Regfyl Meets the CBN Baseline Standards

Regfyl was built as a full-stack AML operating system, not a point solution. As a result, our platform aligns directly with the structure and intent of the CBN Baseline Standards.

1. End-to-End AML Coverage (Section 5.1)

The CBN requires that AML solutions cover the full compliance lifecycle. It is required that every automated AML solution supports nine functional areas: customer identification and verification, risk assessment and profiling, sanctions and watchlist screening, PEP screening, transaction monitoring, case management, regulatory reporting, audit and governance, and data protection. 

Regfyl covers all nine within a single integrated platform. There is no need to stitch together multiple vendors or manage separate systems for screening and monitoring. Every capability is connected, which means customer risk data informs transaction monitoring, which feeds case management, which links directly to regulatory reporting, all within one auditable environment.

2. Customer Due Diligence (CDD), Know Your Customer (KYC) and Know Your Business (KYB) (Section 5.2)

Under the Central Bank of Nigeria Baseline Standards, AML solutions are expected to support end-to-end customer due diligence — linking KYC/KYB data, customer risk profiles, and transactional activity, and ensuring that alerts and investigations are assessed in the full context of the customer’s identity, behaviour, and risk classification. Institutions must also ensure that customer data is continuously updated, risk-based, and accessible within a single, integrated view.

Regfyl operationalises this by dynamically scoring and continuously re-scoring customers throughout the lifecycle of the relationship, combining onboarding data, behavioural patterns, and typology-driven detection logic to maintain an up-to-date view of risk.

When an investigator opens an alert, Regfyl presents a fully consolidated, context-rich view of the customer — bringing together KYC information, transaction history, prior alerts, case outcomes, and risk indicators within a single interface. This eliminates fragmented analysis and enables faster, more consistent decision-making.

By tightly linking customer data, risk profiles, and transactional activity in real time, Regfyl ensures that institutions meet the CBN’s expectation for integrated, risk-based CDD and investigation workflows with full auditability and regulatory readiness built in.

3. Sanction Lists & PEP Screening (Section 5.3)

The CBN Baseline Standards places heavy emphasis on appropriate integration with relevant domestic and global sanctions and watchlists, real-time or near real-time updates, high-quality matching logic, and auditability. Regfyl screens against over 1,500 global and local lists in real time, with fuzzy and transliteration matching to catch name variations. 

PEP coverage includes Nigeria-specific political and public officeholders, not just international figures. Institutions can maintain their own internal watchlists within the platform. Adverse media monitoring runs alongside sanctions screening. And where Regfyl is integrated with an institution's core banking or onboarding system, a confirmed sanctions match can trigger blocking workflows automatically.

Every screening action is logged and traceable, supporting regulatory inspection requirements.

4. Risk Assessment (Section 5.4)

The Baseline standards require AML systems to reflect institutional risk appetite, update risk dynamically, and support enterprise-wide risk visibility.

With Regfyl, institutions can configure their own risk rules, thresholds, and monitoring scenarios without engineering support. Customer risk scores are generated at onboarding and updated dynamically as behaviour changes. Regfyl aggregates risk data across products, segments, and channels at an enterprise level — and where AI contributes to a risk score or alert, the platform surfaces the underlying factors so investigators can understand and document the reasoning.

This ensures that risk is continuously recalibrated, not statically assigned.

5. Transaction Monitoring & Risk-Based Analyses (Section 5.5)

This is one of the most detailed and technically demanding sections of the CBN Baseline Standards, reflecting the regulator’s strong focus on the effectiveness of transaction monitoring systems. 

The CBN expects financial institutions to move beyond basic rule-based checks and implement behavioural monitoring that can identify unusual patterns over time, supported by scenario-based detection models aligned with known money laundering and terrorist financing typologies. 

Monitoring must be contextual, incorporating customer-specific attributes such as occupation, income range, geography, product usage, and risk classification, rather than relying solely on raw transaction data. In addition, the standards emphasise explainability, requiring that alerts generated by rules or AI/ML models can be clearly understood, justified, and audited by investigators and regulators. 

Finally, institutions are expected to implement robust governance frameworks around false positives and false negatives, including documented thresholds, periodic tuning, and oversight mechanisms, ensuring that monitoring systems remain both effective and proportionate to the institution’s risk profile.

Regfyl delivers a robust and intelligence-driven transaction monitoring framework designed to align fully with the expectations set out in the CBN Baseline Standards. At its core, the platform leverages typology-driven monitoring scenarios, ensuring that detection logic is grounded in real-world money laundering, terrorist financing, and proliferation financing patterns. This is complemented by behavioural anomaly detection, which continuously analyses customer activity over time to identify deviations from expected behaviour, rather than relying solely on static thresholds. Institutions can further refine detection through customer segmentation-based rules, allowing monitoring scenarios to be tailored to specific risk profiles, products, and customer categories.

To deepen detection capabilities, Regfyl incorporates peer grouping and network analysis, enabling institutions to identify unusual patterns not just at an individual level, but across related parties and comparable customer groups. This significantly enhances the ability to detect complex or coordinated activity that may otherwise go unnoticed. Importantly, all alerts generated within the system are fully explainable, with clear visibility into the underlying drivers, rules, and behavioural indicators that triggered the alert, ensuring transparency for investigators and regulators alike.

Each alert is presented within a unified and context-rich interface. Investigators are able to view a comprehensive customer profile, including KYC/KYB data, alongside the current risk score, recent and historical transaction behaviour, and any prior alerts or case outcomes associated with the customer. This consolidated view enables faster, more informed decision-making and ensures that investigations are grounded in a complete understanding of the customer’s risk posture.

This approach aligns directly with the CBN’s requirement for a “consolidated customer risk view”, where transaction monitoring is performed in the context of the full customer profile, rather than in isolation.

6. Fraud Monitoring and Detection (Section 5.6)

The CBN Baseline Standards recognise the growing intersection between fraud and money laundering risks and therefore encourage financial institutions to move toward a more integrated approach, while maintaining the integrity and distinct objectives of AML controls. This reflects a broader regulatory expectation that institutions should no longer operate fraud and AML systems in silos, particularly where doing so creates delays, duplication, or gaps in risk detection.

Regfyl is designed to support this convergence in a structured and controlled manner. The platform enables real-time fraud detection and monitoring across relevant channels, ensuring that suspicious activity can be identified and acted upon quickly, especially in high-velocity environments such as digital payments. The platform also provides unified workflows for managing both AML and fraud alerts, allowing institutions to streamline investigations while maintaining appropriate role-based segregation between teams and responsibilities.

By bringing these capabilities together within a single, integrated architecture, Regfyl helps institutions eliminate blind spots between fraud and AML systems, ensuring a more holistic, responsive, and effective financial crime risk management framework.

7. Enterprise Case Management (Section 5.7)

The CBN Baseline Standards place strong emphasis on the need for structured, well-governed, and fully auditable investigation processes. It is no longer sufficient for institutions to simply generate alerts; they must demonstrate that alerts are handled through clearly defined workflows, with appropriate oversight, documentation, and accountability at every stage of the investigation lifecycle.

Regfyl addresses this requirement through a comprehensive enterprise case management capability that transforms alerts into actionable, trackable investigations. Alerts are automatically converted into cases, ensuring that no potential issue is overlooked and that every alert enters a formal review process. The platform supports role-based workflows, including Maker-Checker controls, enabling clear segregation of duties and ensuring that key decisions are reviewed and approved in line with internal governance standards.

To support effective oversight, Regfyl incorporates structured escalation paths, allowing high-risk or complex cases to be promptly elevated to senior reviewers or specialised teams. Every action taken within a case — from initial review to final disposition — is recorded through comprehensive audit trails, capturing user identity, timestamps, decisions, and supporting rationale.

Beyond operational management, the platform provides case analytics, including insights into case volumes, ageing, resolution timelines, and investigation outcomes. These insights enable institutions to monitor performance, identify bottlenecks, and continuously improve their investigation processes.

8. Regulatory Reporting (Section 5.8)

Financial institutions must ensure that regulatory reporting is accurate, complete, and submitted in a timely manner. This includes key reports such as Suspicious Transaction Reports (STRs), Suspicious Activity Reports (SARs), Currency Transaction Reports (CTRs), and other required returns. Beyond generating these reports, the standards emphasise the need for strong governance around the reporting process, ensuring that submissions are properly reviewed, approved, and aligned with underlying investigation outcomes.

Regfyl enables institutions to meet these requirements through a structured and technology-driven reporting framework. The platform supports the automated generation of regulatory reports, significantly reducing manual effort and the risk of errors. Compliance teams also benefit from internal dashboards that provide real-time visibility into reporting activity, alert volumes, and submission status, supporting effective oversight by management and compliance leadership.

To strengthen governance, Regfyl incorporates controlled submission workflows, ensuring that reports pass through defined review and approval stages before submission. Every step is logged, creating a clear audit trail that demonstrates accountability and compliance with internal policies and regulatory expectations. The platform is also designed to ensure alignment with prescribed regulatory formats and timelines, helping institutions meet their obligations without delay.

In addition, Regfyl provides a key operational advantage through its integration with the NFIU goAML portal, enabling direct and seamless submission of CTRs and STRs to the regulator. This eliminates the need for manual uploads, reduces operational friction, and ensures that reports are transmitted securely and efficiently.

9. Audit & Governance (Section 5.9)

One of the strongest and most consistent themes across the CBN Baseline Standards is auditability. The regulator makes it clear that financial institutions must be able to demonstrate, at any point in time, how their AML systems operate, how decisions are made, and how actions are taken.

Regfyl is designed with this principle at its core. The platform maintains immutable audit logs that capture all system and user activities, ensuring that records cannot be altered or deleted. Every action, from configuration changes and access events to alert reviews and case decisions, is recorded with full traceability, including user identity, timestamps, and the nature of the activity performed. In addition, Regfyl supports historical record retention in line with regulatory requirements, ensuring that past activities remain accessible for review over time.

To enhance usability and oversight, the platform provides searchable audit trails, allowing authorised users to quickly retrieve and analyse system activity without disrupting ongoing operations. These capabilities are complemented by governance reporting dashboards, which summarise key compliance activities, system usage, and operational trends, enabling continuous monitoring and informed decision-making by compliance, risk, and senior management teams.

10. System Integration & Scalability (Section 5.10)

Financial institutions are expected to operate integrated environments where customer data, transactional activity, and risk intelligence flow seamlessly across systems. This is critical to ensuring that monitoring is contextual, comprehensive, and capable of identifying risks across products, channels, and customer relationships.

Regfyl is built with this integration-first approach at its core. The platform supports API-based connectivity with core banking systems, onboarding platforms, and other institutional infrastructure, enabling seamless data exchange across the financial crime lifecycle. It accommodates both real-time and batch data processing, ensuring flexibility for institutions with varying levels of technological maturity, while still maintaining continuous monitoring and screening capabilities. 

Underpinning this is a high-performance architecture capable of processing large transaction volumes, combined with scalable cloud infrastructure that grows alongside the institution’s operations without compromising performance or detection quality.

By bringing these capabilities together, Regfyl enables institutions to move away from fragmented, disconnected systems and toward a unified financial crime architecture.

11. Security & Data Protection (Section 5.11)

The standards explicitly align AML obligations with data protection, cybersecurity, and operational resilience frameworks, requiring financial institutions to safeguard the confidentiality, integrity, and availability of sensitive data used in financial crime monitoring.

Regfyl is built to meet these expectations through a comprehensive security and data protection framework. The platform implements strong encryption protocols for data both at rest and in transit, ensuring that sensitive customer and transaction data is protected at all times. Access is governed through role-based controls, ensuring users can only access what is necessary for their roles, and further strengthened by multi-factor authentication (MFA) to prevent unauthorised access.

In addition, Regfyl supports full alignment with the Nigeria Data Protection Act (NDPA) and the General Application Implementation Directive (GAID). Beyond technical controls, Regfyl is also a licensed Data Protection Compliance Organisation (DPCO), bringing a deeper, practical understanding of regulatory expectations around data privacy, governance, audit, and enforcement. Complementing this, Regfyl is ISO 27001 certified, demonstrating that our information security management systems meet internationally recognised standards for managing and protecting sensitive information. This combination ensures that institutions are supported not just technologically, but also from a governance, risk, and compliance perspective.

From an operational resilience standpoint, the platform maintains clearly defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO), supported by resilient infrastructure, redundancy, and disaster recovery processes. This ensures that AML monitoring, screening, and reporting capabilities remain available even in the event of system disruptions.

12. User Experience & Configurability (Section 5.12)

The CBN Baseline Standards recognise that the effectiveness of an AML solution is not determined solely by its technical capabilities, but also by how usable it is for the teams responsible for operating it. A system that is difficult to navigate or interpret ultimately weakens detection, slows down investigations, and increases operational risk. As such, the standards emphasise the importance of clear interfaces, intuitive workflows, and configurable environments that enable compliance teams to act quickly and confidently.

Regfyl is designed with this in mind. The platform provides real-time dashboards that give immediate visibility into alerts, risk trends, and compliance metrics, enabling teams to monitor activity as it evolves. It also offers investigator-friendly workflows, structured to support efficient case review, decision-making, and escalation without unnecessary complexity. Institutions can tailor the system to their specific needs through configurable rules, thresholds, and workflows, ensuring alignment with their risk appetite, products, and customer segments. In addition, Regfyl supports multi-entity, multi-currency, and multi-jurisdiction operations, making it well-suited for institutions with complex organisational structures or cross-border activities.

Next Steps

The urgency of the CBN Baseline Standards cannot be overstated. The regulator has set clear expectations: implementation has already commenced, institutions are required to submit implementation roadmaps within three months of issuance of the standards, and full compliance must be achieved within 18 months for banks and 24 months for other financial institutions.

This creates a narrow and critical window for institutions to assess their current AML systems, identify gaps against the standards, and implement solutions that are fully compliant. Those that delay risk falling behind both from a regulatory and operational standpoint, while those that act early position themselves to strengthen their financial crime controls and regulatory posture in a meaningful way.

To get started using Regfyl, book a no obligation 30-minute assessment call to find out more about how we can support.