KYC, KYB & AML compliance checklist
Nigeria KYC, KYB & AML
A general Nigerian MLPPA and TPPA implementation baseline, with a detailed overlay for financial institutions supervised by the Central Bank of Nigeria. It is not a complete checklist for DNFBPs, capital-market operators, insurers, pension operators or virtual asset service providers; those entities must apply the relevant SCUML, SEC, NAICOM, PenCom and other sector rules.
- Reviewed
- 15 July 2026
- Version
- 1.1
- control areas
- 7
- implementation checks
- 45
Direct answer
What does the Nigeria compliance checklist cover?
The Nigeria checklist translates primary KYC, KYB and AML rules into 7 control areas and 45 implementation checks. It identifies the relevant authorities, customer and beneficial-owner controls, reporting duties, recordkeeping expectations and evidence teams should retain.
Key regulatory facts
- Supervision and reporting
- CBN, SEC, NAICOM, PenCom or SCUML by activity; STRs to NFIU
- Core CDD rules for CBN FIs
- CBN CDD Regulations, 2023
- Record retention
- At least 5 years
- Suspicion reporting
- Immediately; statutory 24-hour rule
Implementation detail
Nigeria compliance requirements and actions
Open each control area to review the requirement, recommended implementation action, evidence to retain and the primary-source citation used by the research team.
01Applicability and governanceDetermine the entity's regulatory perimeter before translating AML obligations into accountable controls.6 items+
Map the regulated activity
- Implementation action
- Document the services and authorization. CBN supervises specified banks, OFIs and payment institutions; SEC supervises capital-market operators and VASPs; NAICOM supervises insurance institutions; PenCom supervises pension operators; and SCUML supervises DNFBPs.
- Evidence to retain
- Regulatory-perimeter assessment and license map
- Primary citation
- MLPPA 2022, s.30; applicable sector rules
Confirm reporting and registration channels
- Implementation action
- Identify the licensing and AML supervisor, NFIU route and every sector-return destination. FIs generally use goAML for STRs and applicable threshold reports. RapidAML is used by CBN entities excluding BDCs for nil and PEP reports; BDCs for STR, CTR, nil and PEP reports; SEC- and NAICOM-regulated entities for nil reports; and SCUML-regulated DNFBPs for STRs. DNFBPs submit applicable CTR, CBTR, public-sector, PEP and training returns to SCUML. Confirm current portal instructions.
- Evidence to retain
- Registration confirmations and channel matrix
- Primary citation
- NFIU RapidAML; SCUML S.I. No. 39
Do not infer regulation from the fintech label
- Implementation action
- A technology provider is not automatically a reporting entity. Record which regulated service, license, agency or outsourcing arrangement creates direct or contractual obligations.
- Evidence to retain
- Service-to-obligation mapping
- Primary citation
- MLPPA definitions and applicable licensing law
Appoint accountable compliance leadership
- Implementation action
- Designate a qualified AML/CFT/CPF compliance officer with authority, independence, resources and direct access to senior management or the board.
- Evidence to retain
- Appointment letter, mandate and escalation chart
- Primary citation
- CBN AML/CFT/CPF Regulations 2022
Maintain an enterprise risk assessment
- Implementation action
- Assess customer, product, geography, delivery-channel, transaction and emerging-technology risks and update the assessment for material changes.
- Evidence to retain
- Approved business-wide risk assessment
- Primary citation
- CBN risk-based supervision and applicable sector rules
Approve and test the AML program
- Implementation action
- Maintain risk-based policies, internal controls, staff training, management information and independent testing proportionate to the institution's scope.
- Evidence to retain
- Board-approved program, training record and audit plan
- Primary citation
- MLPPA 2022 and applicable regulator rules
02KYC for natural personsIdentify and independently verify the customer, understand the relationship and document the expected financial profile.6 items+
Prohibit anonymous or fictitious accounts
- Implementation action
- Do not establish or maintain anonymous, numbered or fictitious-name accounts.
- Evidence to retain
- Onboarding rule and exception report
- Primary citation
- CBN CDD Regulations 2023, reg. 4
Collect required identity particulars
- Implementation action
- For a natural person under the CBN overlay, obtain legal and other names used; permanent physical and residential addresses; telephone, email and social-media handle; date and place of birth; BVN; TIN; nationality; occupation, public position and employer; an official identifier from an unexpired government document bearing name, photograph and signature; relationship type; signature; and PEP status.
- Evidence to retain
- Completed customer profile
- Primary citation
- CBN CDD Regulations 2023, reg. 6
Verify identity independently
- Implementation action
- Verify identity using reliable independent documents, data or information, including an unexpired government-issued document appropriate to the customer.
- Evidence to retain
- Document copy, authenticity result and audit trail
- Primary citation
- CBN CDD Regulations 2023, reg. 7
Verify birth, address and contacts
- Implementation action
- Confirm birth data from a valid official record; verify residential address through physical visitation and corroborating evidence such as a utility bill, tax assessment, bank statement or public-authority letter; obtain positive contact confirmation; and, particularly for wallet providers, validate phone numbers through an independent process such as the NCC database or geospatial checks.
- Evidence to retain
- Address, contact and phone-verification results
- Primary citation
- CBN CDD Regulations 2023, reg. 7(2)
Understand purpose and source of funds
- Implementation action
- Record the intended nature, expected transaction pattern, occupation or business, source of income and expected origin of funds.
- Evidence to retain
- Purpose and financial-profile statement
- Primary citation
- CBN CDD Regulations 2023, regs. 10-11
Resolve incomplete CDD
- Implementation action
- If required CDD cannot be completed, do not open the account, establish the relationship or execute the transaction. Terminate an existing or prematurely commenced relationship where applicable and file an STR to NFIU. If continuing CDD would create tipping-off risk, stop CDD and file the STR immediately.
- Evidence to retain
- Decline, exit and STR record
- Primary citation
- CBN CDD Regulations 2023, regs. 19 and 22; SCUML regs. 23-24
03KYB for legal persons and arrangementsVerify legal existence and authority, then trace ownership and control to the relevant natural persons.6 items+
Verify legal existence and status
- Implementation action
- Search the CAC or another reliable registry and obtain incorporation or registration evidence, registration number, legal form and governing documents.
- Evidence to retain
- Current registry result and certified documents
- Primary citation
- CBN CDD Regulations 2023, regs. 6(b) and 7(3)
Understand the business
- Implementation action
- Confirm registered and operating addresses, nature and purpose of activity, expected transactions, operating footprint and financial profile.
- Evidence to retain
- Business profile, address evidence and financial information
- Primary citation
- CBN CDD Regulations 2023, regs. 6(b), 7(3), 10-11
Verify authority and connected persons
- Implementation action
- Obtain the board resolution or equivalent mandate and identify and verify directors, senior management, controllers and authorized signatories.
- Evidence to retain
- Mandate, connected-person register and KYC files
- Primary citation
- CBN CDD Regulations 2023, regs. 6(b), 8 and 9
Identify and verify beneficial owners
- Implementation action
- Understand the ownership and control structure and identify and verify natural persons who ultimately own or control the customer, including control through voting rights or other means.
- Evidence to retain
- Ownership chart, BO declaration and verified BO KYC
- Primary citation
- CBN CDD Regulations 2023, regs. 5 and 8
Check persons with significant control
- Implementation action
- Compare declarations with the CAC beneficial-ownership register. Treat the PSC threshold of at least 5% or other control tests as a disclosure trigger, not a safe harbor that replaces broader BO analysis.
- Evidence to retain
- CAC PSC result and discrepancy assessment
- Primary citation
- CAC PSC Regulations 2022
Maintain a beneficial-owner register
- Implementation action
- For CBN-supervised FIs, maintain names, identification details, nature of ownership, shareholding, voting rights, controlling interests, source of wealth and PEP status.
- Evidence to retain
- Current BO register and change history
- Primary citation
- CBN CDD Regulations 2023, reg. 8(f)
04Risk assessment and screeningUse documented risk factors and current lists to determine standard, simplified or enhanced due diligence.5 items+
Assign and explain customer risk
- Implementation action
- Assess customer, ownership, geography, product, service, channel and transaction risks before approval and retain the rationale.
- Evidence to retain
- Risk score, rationale and approval
- Primary citation
- CBN CDD Regulations 2023, reg. 15
Apply targeted financial sanctions
- Implementation action
- Screen prospective and existing customers, BOs, directors, signatories, agents and transaction parties against current UN and Nigeria lists before onboarding or transactions, on list updates and ongoing. On a confirmed match, freeze without delay or prior notice all directly, indirectly or jointly owned or controlled assets, prohibit funds or services, report immediately to NIGSAC, NFIU and the sector regulator, and do not unfreeze without authorization.
- Evidence to retain
- Screening, freeze and reporting audit trail
- Primary citation
- TPPA 2022; NIGSAC TFS Guidance
Apply PEP controls
- Implementation action
- Identify foreign, domestic and international-organization PEPs among customers and BOs, including relevant family and close associates. Risk-rate, obtain senior approval, apply EDD to foreign and higher-risk PEPs, establish source of funds and wealth, and enhance monitoring. PEP status alone does not require an STR; map applicable PEP returns separately.
- Evidence to retain
- PEP result, approval, source analysis and monitoring plan
- Primary citation
- CBN PEP Guidance 2023
Use adverse information proportionately
- Implementation action
- Review reliable public information where relevant, distinguish allegation from verified fact and record the risk decision.
- Evidence to retain
- Adverse-information review and disposition
- Primary citation
- Risk-based approach
Keep country risk current
- Implementation action
- Use current FATF, GIABA and Nigerian guidance. Record that Nigeria left FATF increased monitoring in October 2025 rather than applying an obsolete automatic high-risk label.
- Evidence to retain
- Country-risk methodology and update log
- Primary citation
- FATF Nigeria country profile
05Enhanced due diligenceApply additional verification, approval and monitoring where higher ML, TF or PF risk is identified.5 items+
Collect and corroborate additional information
- Implementation action
- Obtain additional customer, beneficial-owner, business, purpose and transaction information and verify material claims with reliable sources.
- Evidence to retain
- EDD pack and corroboration record
- Primary citation
- CBN CDD Regulations 2023, reg. 17
Establish source of funds and wealth
- Implementation action
- Obtain and assess source of funds and source of wealth to a depth proportionate to the higher-risk scenario.
- Evidence to retain
- Source evidence and plausibility analysis
- Primary citation
- CBN CDD Regulations 2023, reg. 17(2)(c)
Obtain senior-management approval
- Implementation action
- Require documented senior approval to establish or continue higher-risk relationships and impose any conditions.
- Evidence to retain
- Approval and conditions
- Primary citation
- CBN CDD Regulations 2023, reg. 17(2)(e)
Increase monitoring
- Implementation action
- Increase the number, frequency or depth of controls and select transaction patterns for closer examination.
- Evidence to retain
- EDD monitoring plan and case history
- Primary citation
- CBN CDD Regulations 2023, reg. 17(2)(f)
Control non-face-to-face risk
- Implementation action
- Apply the applicable e-KYC and non-face-to-face controls, including measures addressing impersonation, document fraud, device or channel risk and first-payment requirements where relevant.
- Evidence to retain
- Digital-onboarding control assessment
- Primary citation
- CBN CDD Regulations 2023, regs. 14 and 35
06Ongoing due diligence and automated monitoringKeep customer knowledge current and ensure monitoring technology remains governed, testable and fit for the institution's risks.5 items+
Monitor throughout the relationship
- Implementation action
- Scrutinize transactions for consistency with customer knowledge, business, risk profile and source of funds, and investigate complex or unusual activity.
- Evidence to retain
- Monitoring rules, alerts and investigation outcomes
- Primary citation
- CBN CDD Regulations 2023, reg. 12
Refresh records by risk
- Implementation action
- For CBN-supervised FIs, review existing records at least every 12 months for high risk, 18 months for medium risk and three years for low risk, or earlier when a trigger arises.
- Evidence to retain
- Risk-based review schedule and refreshed file
- Primary citation
- CBN CDD Regulations 2023, reg. 23(b)
Rescreen and reassess on change
- Implementation action
- Trigger rescreening and risk reassessment for ownership, management, product, geography, behavior or list changes.
- Evidence to retain
- Event-driven review and rescreening history
- Primary citation
- Ongoing CDD obligation
Implement the mandatory 2026 CBN standards
- Implementation action
- For every CBN circular addressee, implement the Baseline Standards as mandatory minimum requirements effective 10 March 2026. The approved roadmap was due within three months and is overdue if not submitted. DMBs have 18 months for full compliance; OFIs and applicable non-DMB addressees have 24 months, subject to written CBN classification or direction.
- Evidence to retain
- Submitted roadmap, gap plan and accountable owners
- Primary citation
- CBN circulars of 10 and 31 March 2026
Prove institution-level effectiveness
- Implementation action
- Demonstrate institutional accountability, consolidated customer-risk visibility, data and system integration, governance, model or scenario testing, alert and case management, auditability, access controls, change management and operational effectiveness. Vendor claims alone do not establish compliance.
- Evidence to retain
- Architecture, validation, testing and governance records
- Primary citation
- CBN Baseline Standards 2026
07Reporting, records, privacy and assuranceEscalate suspicion without delay, preserve retrievable evidence and process personal data lawfully.12 items+
Escalate suspicion internally
- Implementation action
- Give staff a confidential route to escalate unusual transactions or activity promptly to the compliance function without alerting the customer.
- Evidence to retain
- Escalation procedure, cases and training
- Primary citation
- MLPPA 2022, s.7
File STRs without delay
- Implementation action
- File to NFIU immediately once the statutory suspicion threshold is met. MLPPA section 7 requires immediate reporting and written reporting and action within 24 hours after the suspicious transaction; TPPA section 84 requires relevant TF/PF reports within 24 hours. NFIU's FAQ describes an FI-only 48-hour examination plus 24 hours after confirmation but misstates that as 78 hours. Guidance does not amend the Acts: do not delay established suspicion or rely on longer timing without current written confirmation.
- Evidence to retain
- Filing reference and complete decision timeline
- Primary citation
- MLPPA 2022, s.7; TPPA 2022, s.84; NFIU FAQ
Prevent tipping off
- Implementation action
- Restrict knowledge of reports and investigations and avoid disclosures that may prejudice analysis, restraint or investigation.
- Evidence to retain
- Access controls and communications guidance
- Primary citation
- CBN CDD Regulations 2023, regs. 19 and 22
Report domestic mandatory disclosures
- Implementation action
- Report any single transaction, lodgment or transfer exceeding N5 million for an individual or N10 million for a body corporate within seven days. Financial institutions report to NFIU; DNFBPs report the applicable CTR to SCUML.
- Evidence to retain
- Threshold rules, filings and reconciliation
- Primary citation
- MLPPA 2022, ss.2 and 11; SCUML rules
Report cross-border transfers
- Implementation action
- Report transfers to or from a foreign country exceeding US$10,000 or equivalent to NFIU, CBN and SEC in writing within one day of the transaction.
- Evidence to retain
- Cross-border report and delivery evidence
- Primary citation
- MLPPA 2022, s.3
Enforce cash limits and anti-structuring
- Implementation action
- Do not make or accept cash above N5 million for an individual or N10 million for a body corporate except through a financial institution. Detect deliberate splitting across transactions or institutions to evade reporting.
- Evidence to retain
- Cash controls, aggregation logic and cases
- Primary citation
- MLPPA 2022, s.2
Apply DNFBP-specific returns
- Implementation action
- Under S.I. No. 39 of 2024, file CTRs above NGN 5 million for an individual or NGN 10 million for a body corporate with SCUML within seven days, with monthly nil returns where applicable. File the Standard Data Form for cash above US$1,000 within seven days, with applicable monthly nil returns. Report domestic foreign-currency transfers above US$10,000 within seven days, public-sector and PEP transactions monthly, employee-training returns yearly and the training plan annually. Follow current SCUML portal instructions.
- Evidence to retain
- SCUML return matrix, filings and nil returns
- Primary citation
- SCUML S.I. No. 39 of 2024, regs. 36-38
Resolve threshold wording conservatively
- Implementation action
- MLPPA uses exceeding or in excess of, while the NFIU FAQ uses at or above. Configure conservatively and document the current portal instruction. Evaluate linked transactions for CDD, structuring and suspicion; STRs have no monetary threshold.
- Evidence to retain
- Approved threshold interpretation and test cases
- Primary citation
- MLPPA 2022; NFIU FAQ
Retain CDD and related records
- Implementation action
- Keep CDD records, account files, business correspondence and analysis for at least five years after relationship termination or the occasional transaction, and longer where another rule or lawful direction applies.
- Evidence to retain
- Retention schedule and retrieval test
- Primary citation
- CBN CDD Regulations 2023, reg. 23
Apply data-protection controls
- Implementation action
- Apply the NDPA and GAID 2025. Determine DCPMI status and complete registration and returns. Document lawful bases, transparency, minimization, security, retention, processor governance, rights, transfers, breach response, DPO duties and DPIAs for high-risk processing. Preserve legally required AML records despite an erasure request.
- Evidence to retain
- Registration, privacy records, DPIAs and security controls
- Primary citation
- Nigeria Data Protection Act 2023; GAID 2025
Map professional privilege and activity scope
- Implementation action
- For law firms, notaries and independent legal professionals, apply CDD and reporting when preparing for or carrying out buying or selling real estate or businesses; managing client money, securities, assets or bank, savings or securities accounts; organizing company contributions; creating, operating or managing companies, trusts or other arrangements; or acting or arranging another to act as formation agent, director, secretary, partner, trustee or equivalent. Privilege and confidentiality do not apply to section 11(4) activities or material produced in furtherance of an unlawful act. Document other privilege and reporting-route decisions.
- Evidence to retain
- Activity-scope, privilege and reporting-route protocol
- Primary citation
- MLPPA 2022, s.11(4); SCUML S.I. No. 39, reg. 8(2)
Train, test and remediate
- Implementation action
- Provide role-based training, independently test the program and track findings to accountable owners and closure.
- Evidence to retain
- Training register, audit report and remediation log
- Primary citation
- Applicable CBN or SCUML requirements

7 control areas and 45 implementation checks, with direct regulatory sources.
Download the Nigeria KYC, KYB & AML checklist
Share your work details for immediate access to the source-linked Nigeria implementation checklist. Regulatory review date: 15 July 2026.
Get the PDF immediately
Submit your details and the download starts automatically
Reviewed and source-linked
Version 1.1, reviewed 15 July 2026
Trusted by leading compliance teams
Primary-source register
19 sources used for this checklist
Use these links to verify the underlying legislation, regulator guidance, reporting procedures and international status statements.
- Money Laundering (Prevention and Prohibition) Act, 2022Nigerian Financial Intelligence Unit - Laws and Regulations · primary
- Terrorism (Prevention and Prohibition) Act, 2022Nigerian Financial Intelligence Unit - Laws and Regulations · primary
- Customer Due Diligence Regulations, 2023Central Bank of Nigeria · primary
- AML/CFT supervision and regulatory materialsCentral Bank of Nigeria · primary
- Baseline Standards for Automated AML/CFT/CPF Solutions, 10 March 2026Central Bank of Nigeria · primary
- Implementation Guidance for the Baseline Standards, 31 March 2026Central Bank of Nigeria · primary
- Frequently asked questions on suspicious transaction reportingNigerian Financial Intelligence Unit · primary
- Persons with Significant Control Regulations, 2022Corporate Affairs Commission · primary
- Economic and Financial Crimes Commission AML/CFT/CPF Regulations for DNFBPs, 2024 (S.I. No. 39 of 2024)Special Control Unit against Money Laundering, Economic and Financial Crimes Commission · primary
- RapidAML reporting portal and channel noticesNigerian Financial Intelligence Unit · primary
- Rules and RegulationsSecurities and Exchange Commission Nigeria · primary
- Investments and Securities Act, 2025Securities and Exchange Commission Nigeria · primary
- Guidance on Politically Exposed Persons, May 2023Central Bank of Nigeria · primary
- Guidance on Ultimate Beneficial OwnershipCentral Bank of Nigeria · primary
- Targeted Financial Sanctions Implementation GuidanceNigeria Sanctions Committee · primary
- Nigeria Data Protection Act, 2023Nigeria Data Protection Commission · primary
- General Application and Implementation Directive, 2025Nigeria Data Protection Commission · primary
- Nigeria country profileFinancial Action Task Force · primary
- CBN Baseline Standards 2026: KYC, KYB and AML guide for Nigerian fintechsVOVE ID · context
Direct answers
Nigeria KYC, KYB and AML questions
Which regulator oversees KYC and AML compliance in Nigeria?+
It depends on the activity: CBN for specified banks, OFIs and payment institutions; SEC for capital-market operators and VASPs; NAICOM for insurance; PenCom for pensions; and SCUML for DNFBPs. STRs go to NFIU through the applicable channel, while threshold and sector returns may also go to SCUML or a sector regulator.
What information is required for KYC at a CBN-supervised financial institution?+
The 2023 CBN CDD Regulations list identity, address, contact, date and place of birth, nationality, occupation or public position, employer, BVN, TIN, an official identifier, relationship type, signature and PEP status, with verification from reliable independent sources. Applicability can depend on the customer and product.
How should beneficial ownership be checked in Nigeria?+
Understand the legal person's ownership and control structure, identify and verify the natural persons who ultimately own or control it, and compare declarations with reliable sources such as CAC records. The CAC PSC threshold of at least 5% is a disclosure trigger and does not replace broader control analysis.
When must a suspicious transaction be reported in Nigeria?+
File immediately once the statutory threshold is met. MLPPA section 7 requires immediate reporting and written reporting and related action within 24 hours after the suspicious transaction; TPPA section 84 requires relevant TF/PF reports within 24 hours. NFIU's FAQ describes a longer FI examination workflow but administrative guidance does not amend the Acts, so do not delay an established suspicion without current written confirmation.
How long must CDD records be retained in Nigeria?+
The CBN CDD Regulations require CBN-supervised financial institutions to keep CDD records, account files, business correspondence and analysis for at least five years after relationship termination or the occasional transaction. Another applicable law, supervisor or legal direction may require longer.
Is Nigeria currently on the FATF grey list?+
No. FATF removed Nigeria from increased monitoring on 24 October 2025. Institutions should keep country-risk data current and continue applying a documented risk-based approach rather than relying on obsolete list status.
Research and review method
VOVE ID Compliance Research maps the regulatory perimeter, translates obligations into operational controls, links each material claim to a source and records the date and version of every review.
VOVE ID Compliance Research · Reviewed 15 July 2026 · Version 1.1
This is a general Nigeria baseline with a detailed CBN overlay, not legal advice or a complete sector checklist. A fintech technology provider is not automatically a reporting entity. Obligations depend on regulated services and authorization. Apply the relevant CBN, SEC, NAICOM, PenCom, SCUML or professional-sector overlay and confirm current reporting-channel instructions.