Nigeria’s central bank has ordered every lender, fintech, and payment provider in the country to restrict mobile banking applications to a single device per customer and to cap transactions at 20,000 naira in the first 24 hours of app activation, as part of a sweeping anti-fraud framework that takes effect on July 1, 2026.
The directive was contained in a policy circular issued on March 12, 2026, signed by Musa Jimoh, Director of the Payments System Policy Department at the Central Bank of Nigeria (CBN), and addressed to all banks, financial institutions, and payment service providers. The apex bank described the new provisions as minimum operational standards, meaning institutions may introduce even stricter controls where their internal risk assessments demand it.
Under the device binding rule, a customer will no longer be able to run the same banking application simultaneously on multiple smartphones or tablets. If a user wants to switch to a new device, the system will automatically trigger a fresh verification and re-authentication process before the app can be activated on the new handset. The restriction is designed to block a fraud technique in which criminals who obtain a customer’s login credentials transfer funds rapidly by activating banking apps on separate devices.
New Accounts Face a 24-Hour Freeze on Large Transfers
Any newly activated mobile banking application must operate under a strict transaction ceiling during its first day of use, with both incoming and outgoing transfers capped at 20,000 naira. The same restriction applies when an existing customer activates their mobile banking app on a new device. The CBN said the cooling-off window gives financial institutions enough time to detect suspicious activity before a potentially compromised account can be used to move large sums.
For internet banking, the first login attempt from any newly registered device must pass additional Multi-Factor Authentication (MFA) checks before the user is granted access.
Customers Get an Off Switch
One of the more notable consumer-facing features in the framework gives account holders the ability to temporarily disable instant payment services on their own accounts at any time. Customers who choose the opt-out mode will have online instant transfers blocked, both within the same bank and across banks, but can still visit a branch in person to initiate transfers if needed. New customers will be enrolled in instant payment services by default when opening an account.
Customers will also be allowed to voluntarily adjust their individual transaction limits within the existing regulatory ceiling of 25 million naira for individuals and 250 million naira for corporate accounts. Any adjustment must be validated through enhanced due diligence by the financial institution and confirmed with multi-factor authentication before it takes effect.
Face Checks and Real-Time Identity Verification
Online account openings and reactivations must now include liveness checks, a verification method used to confirm the person initiating the process is physically present and not using pre-recorded images or stolen identity data. All new accounts opened through digital channels must also be validated in real time against the Bank Verification Number (BVN) and National Identification Number (NIN) databases.
Banks and payment service providers are additionally required to deploy enterprise fraud monitoring systems capable of observing all incoming and outgoing transactions in real time, flagging and restricting suspicious activity before funds leave the account.
Nigeria has experienced rapid growth in electronic payments and mobile banking in recent years. The expansion of digital financial services has improved financial inclusion across the country but has simultaneously increased exposure to cyber fraud, SIM-swap attacks, and account takeover schemes. The new rules give lenders until July 1 to upgrade their systems and achieve full compliance.
