How to Prepare Your CBN Baseline Standards Implementation Plan

On March 10, 2026 the CBN issued the Baseline Standards For Automated Anti-Money Laundering (AML) Solutions For Financial Institutions In Nigeria. A key part of the obligations under the standards, is the requirement to submit implementation roadmaps to the Compliance Department within 3-months from the date of issuance.

Therefore, every regulated financial institution must submit a detailed roadmap for how they will implement or align with the AML Baseline Standards. 

This article is written as a thinking guide for Money Laundering Compliance Officers, Chief Compliance Officers, and the IT leads working alongside them; as a way to approach the twelve capability areas and the decisions embedded in each one, so that your submission reflects reality, not aspiration.

The CBN wants to see that your institution has genuinely assessed where it is, where it needs to get to, and how it is going to get there.

Step 1 - Start with an honest gap assessment

Before you open the CBN template, run an internal audit of your current AML setup against the twelve capability areas in Sections 5.1 through 5.12 of the Baseline Standards. The CBN is asking you to do this anyway — the template has columns for "Current State" and "Target State" for a reason.

The question your executive summary needs to answer is simple: is your AML operation currently Manual, Semi-Automated, or Automated? Most Nigerian financial institutions, if they are honest, fall somewhere in the first two categories for the majority of capabilities. That is not a problem — it is the starting point the CBN expects you to name.

Common mistake: Institutions that select "Automated" for capabilities they have not actually implemented create a much larger problem for themselves during examination. The CBN will ask for evidence. "Automated" means you have logs, callbacks, and a live system generating them — not a plan to have one.

For each of the twelve sections, ask your team three questions:

1. What are we actually doing today to meet this requirement — and is it manual, partially automated, or fully automated?

2. What is the gap between that and what the CBN requires?

3. What evidence do we have (or can we generate before submission) that the current state is what we say it is?

This exercise will feel uncomfortable if your current controls are weak. That discomfort is productive. The CBN implementation roadmap is an invitation to show you understand the gap and have a credible plan to close it.

We created a free tool here that can support your gap assessment.

Step 2 - Understand what the CBN is actually measuring

The twelve capability areas in the Baseline Standards are not arbitrary. They follow the full lifecycle of an AML compliance programme — from knowing your customer all the way through to audit governance and board oversight. To complete your implementation plan well, it helps to understand the intent behind each cluster.

• Customer intelligence (5.1 – 5.4)

The first cluster — covering the end-to-end system, CDD/KYC/KYB, sanctions and PEP screening, and risk assessment — is about whether your institution actually knows who it is dealing with. The CBN wants to see that customer risk profiles are not static documents created at onboarding and never revisited. It wants dynamic profiling: scores that update as behaviour changes, screening that runs on a recurring basis, and a consolidated view of each customer's risk that investigators can access in one place.

"A customer risk rating that was accurate at onboarding but has not been updated in twelve months is not a risk rating. It is a filing artefact."

When completing these sections, ask yourself: if a customer who was Low risk at onboarding has made ten high-value transfers to a sanctioned jurisdiction over the past six months, does your system know that — and has anyone reviewed it?

• Detection and monitoring (5.5 – 5.6)

Transaction monitoring is the capability area where the CBN's expectations are most demanding, and where the gap between what institutions think they have and what they actually have is often largest.

The Baseline Standards require risk-based monitoring — not just threshold-based rules. This is a meaningful distinction. A system that flags every transaction above ₦5 million is running rules. A system that flags transactions that are unusual for that specific customer's behaviour profile is doing risk-based monitoring. The CBN wants the latter, and the template's requirement for AI/ML alert explainability signals that regulators understand the difference.

You should be able to explain not just that you monitor transactions, but how your system interprets context: customer risk tier, transaction channel, counterparty country, and whether the activity is consistent with the customer's historical behaviour. If your system cannot do this today, say so — and explain what your target state will look like and by when.

• Investigation and reporting (5.7 – 5.8)

The CBN is not only asking whether you detect suspicious activity. It is asking whether, when you detect it, your institution has a structured process to investigate it, document it, and report it correctly to the NFIU via goAML. Many institutions have detection capability but no formal case management — alerts are reviewed via email threads, outcomes are not documented, and STR preparation is done manually in a spreadsheet. This is the gap the CBN is most focused on closing.

For Sections 5.7 and 5.8, your submission should describe: how an alert becomes a case, who reviews it and in what sequence, what a maker/checker approval looks like in practice, and how the final STR or CTR is generated and filed. If any of those steps are manual today, say so and describe how they will be automated.

• Governance and security (5.9 – 5.12)

The final cluster asks whether senior management is actually in control of the AML programme — not just on paper. Sections 5.9, 5.11, and 5.12 together ask: does anyone senior in your organisation actually see what the AML system is doing, and can you prove it?

This means tamper-proof audit logs, defined data retention policies, board-level MI reporting, and evidence that your monitoring rules are being reviewed and updated. These are governance commitments — your implementation plan should name who owns each one.

Step 3 -  Choose your implementation approach deliberately

The CBN template asks you to select your implementation approach: Replace existing system, Enhance existing system, or Hybrid. This is a decision with real consequences for how you complete the rest of the template — and for your regulatory relationship going forward.

Most institutions that have relied on manual processes, core banking rule sets, or fragmented point solutions will need to choose replacement or hybrid.  Please note that a hybrid approach only works if you are explicit about which capability areas are covered by the retained system and which by the new one — and that the two systems exchange data without creating blind spots. If your retained system handles some monitoring but the new platform handles screening, and the two do not share a common customer identifier, you have not closed the gap; you have created a new one.

Whatever approach you select, your submission here should do three things:

• justify the approach in terms of how it addresses your specific identified gaps; 

• explain how the target state covers all 12 capability areas; and 

• commit to a timeline that is actually achievable, not optimistic.

Step 4 - Build a timeline you can actually defend

The implementation timeline section is where many submissions will be either too vague or too ambitious. Both create problems as the CBN will track your commitments. 

A defensible implementation timeline is sequenced correctly, names owners, and accounts for dependencies.

You should also be honest about your dependencies honestly. Some of the dependencies that you need to be particularly wary of are: 

• core banking API readiness - your IT team may need more time than the compliance team realises, 

• internal developer resource - API integration requires engineering time and support, and 

• compliance team availability for training and UAT. 

If any of these is uncertain, your timeline should say so — and describe the mitigation.

Step 5 - Know what evidence you will need to produce

For every capability in the Baseline Standards, the financial institution is required to provide evidence of this. 

When the CBN conducts an examination, they will ask to see these records. Your implementation plan should be built around what evidence you can actually generate — and for gaps where you cannot yet generate evidence, describe exactly when that evidence will exist and in what form.

The discipline of building your implementation plan around evidence — rather than intentions — is what separates a credible submission from a compliance exercise. If you cannot point to a specific log, record, or dashboard export that proves a capability is operational, it is not yet operational for CBN purposes.

Step 6 -  Build the governance structure before you submit

The sections on governance and board oversight are the parts of the implementation plan that compliance teams most often complete last — and too quickly. But the CBN reads them carefully, because they reveal whether senior management is genuinely engaged with the AML programme or whether the compliance team is managing it alone.

Before you submit, you should have already:

1. Named the AML System Owner — the person responsible for platform configuration, rule management, and user administration

2. Defined the change management process — who must approve changes to monitoring rules and thresholds before they are made in production

3. Established the reporting structure — how often MI reports from the compliance dashboard will be presented to senior management or the Board AML/CFT Committee

4. Documented the vendor risk file for your technology provider — including third-party due diligence assessment, data processing agreement, and SLA

Step 7 - Measure effectiveness from day one

The CBN wants to see that financial institutions that submit their implementation plan, also include within the plan, a process for measuring their processes.Some of the metrics that need to be measured include:

• Alert volume — the total number of suspicious activity alerts generated per month; a baseline you can only establish once monitoring is live

• False positive rate — the proportion of alerts that, on investigation, require no further action; high false positive rates indicate poorly calibrated rules

• STR conversion rate — the proportion of alerts that ultimately generate a Suspicious Transaction Report; an indicator of detection quality, not just volume

• Investigation turnaround time — average time from alert generation to case closure; directly linked to your SLA structure and team capacity

• STR filing timeliness — whether STRs are filed within the NFIU's statutory window from the point of detection

Final things to note

Before you submit the implementation plan to the CBN, make sure all of the following have been covered:

1. All 12 capability areas (CBN 5.1–5.12) and 62 functional requirements have been addressed in Section 3 of the submission

2. The implementation timeline is realistic, has been reviewed by the relevant teams, and aligns with the regulatory deadline

3. The implementation approach selected reflects the institution's actual situation — not a theoretical or aspirational description

4. Evidence is available — or has a defined date by which it will be available — for every capability marked as operational or in progress

5. A data processing agreement has been signed with the AML technology provider, and vendor due diligence is documented

6. The submission has been reviewed and approved by the signing officer, who has read and verified all sections

The CBN AML Baseline Standards represent a genuine step forward in the quality of AML oversight in Nigeria. 

For institutions that engage with the process seriously this presents an opportunity to build a programme that will withstand examination and actually protect the institution from financial crime risk.

If you are interested in seeing how the Regfyl platform can support your end to end compliance process, please book a demo here.