The CBN Draft AML Standards: What Every Financial Institution Needs to Do

In May 2025, the Central Bank of Nigeria (CBN) released the Draft Baseline Standards for Automated AML Solutions, now widely referred to as the CBN AML Standards.

While much of the discussion has focused on what these standards mean for AML technology vendors, the obligations for financial institutions themselves are just as critical. The CBN has made it clear: every bank, fintech, capital-market operator, insurance firm, and microfinance institution bears direct responsibility for ensuring that its AML systems, whether developed internally or sourced from vendors,  meet these standards.

Below, we break down the specific expectations for financial institutions, and what each one means in practice.

1. Deploy Robust, User-Friendly, and Customized AML Solutions

Institutions are required to deploy AML platforms that are:

• User-friendly for operational teams;

• Tailored to their risk profile, size, and product offerings; and

• Fully compliant with existing AML/CFT/CPF laws and regulations.

This marks a shift from generic, one-size-fits-all solutions. The AML system of a digital bank must differ from that of a stockbroking firm, reflecting each institution’s inherent risks and operational peculiarities.

Institutions can either build their systems internally or procure off-the-shelf solutions, but accountability remains with the institution, not the vendor.

2. Retain Control Over Rule and Scenario Updates

AML systems must be configurable to allow independent modification of rules and thresholds. This gives institutions the agility to respond to emerging typologies, such as mule account schemes or trade-based money laundering,  without depending entirely on vendor timelines.

Practically, this means your compliance and IT teams should establish:

• A change-management process for scenario updates; and

• Documentation trails to track version histories and justification for each rule change.

3. Obtain CBN Approval for Shared Service Arrangements

Where multiple entities (for example, a financial holding company and its subsidiaries) use a common AML system, they must obtain prior written approval from the CBN, while complying with the Guidelines for Shared Services Arrangements for Banks and Other Financial Institutions (2021), institutions that intend to adopt this model must obtain prior written approval from the CBN.

To secure approval, institutions must demonstrate that:

• Each entity’s data is securely segregated, with defined access rights;

• Shared infrastructure does not compromise confidentiality or system independence;

• There are clear SLAs and governance frameworks for managing joint usage; and

• The arrangement is cost-effective and does not expose any participant to operational or compliance risks.

This model can be beneficial, for instance, group entities using a single enterprise-grade AML platform, but it must be tightly governed to avoid regulatory breaches and data-sharing conflicts.

4. Ensure Scalability and Secure Data Transmission

AML systems must be capable of scaling with transaction growth and ensuring data integrity and security. As institutions expand into new markets, customer segments, or product lines, their systems should handle increasing data volumes without lag or risk.

End-to-end encryption, vulnerability assessments, and secure APIs are now explicit baseline requirements.

5. Conduct Regular Stress Testing and False-Positive Validation

Institutions are expected to conduct periodic system validation and stress testing to reduce false positives. They must define an acceptable false-positive threshold and ensure monitoring alerts stay below that rate.

Testing should be data-driven, using historical transactions, typologies, and pattern recognition, to confirm that alerts generated are meaningful and that the system can adapt to changing risk environments.

6. Automate Onboarding and Real-Time Identity Verification

Institutions must automate their onboarding process with real-time customer verification using national databases such as BVN and NIN. This integration ensures that onboarding aligns with the Money Laundering (Prevention and Prohibition) Act 2022 and CBN AML/CFT Regulations 2023.

Effective automation covers:

• Identity and address verification,

• PEP and sanctions screening,

• Risk-rating at onboarding, and

• Ongoing monitoring for customer lifecycle changes.

7. Strengthen Vendor Management and Oversight

Every institution must maintain a vendor management policy that clearly defines:

• Roles, responsibilities, and SLAs for all AML vendors;

• Data protection and confidentiality requirements;

• Audit and escalation procedures; and

• Obligations to report AML solution details to the CBN.

Where third-party service providers are involved, the institution remains ultimately responsible for ensuring that all AML activities meet the CBN’s baseline standards.

8. Achieve Compliance Within 12 months of issuance of Baseline standards

Institutions are given a 12-month transition window from the issuance of the final standards to achieve full alignment. Now is the time to:

• Conduct a system gap analysis against the draft standards;

• Develop an implementation roadmap with clear milestones; and

• Engage vendors early to ensure their systems are ready before enforcement begins.

Early compliance will save institutions from regulatory friction, and send a clear signal of proactive governance to regulators, partners, and investors.

9. Train Teams Regularly

The draft standards highlight that technology is only as effective as the people managing it. Institutions must provide regular, documented training to ensure AML and IT teams understand:

• The platform’s features and configurations;

• Data analysis and alert triage best practices; and

• New and emerging risk typologies, from virtual assets to trade-based laundering.

Continuous capacity building helps ensure both human and technological elements of compliance evolve in tandem.

Conclusion

The CBN’s Draft AML Standards are more than a regulatory requirement — they represent a shift toward accountable, data-driven, and self-reliant AML compliance.

Institutions that act early will not only meet regulatory expectations but also gain operational efficiency, enhanced detection accuracy, and improved reputational resilience.

If your institution is reviewing its AML systems or preparing for alignment, Regfyl can help assess your readiness and guide your compliance roadmap, ensuring that when the standards take effect, you’re not just compliant, but confident.

Book a 15-minute discovery call or reach out to us at hello@regfyl.com to see how Regfyl can strengthen your compliance posture and position your institution for long-term success