Nigeria’s Central Bank Cracks Down on Fraud with Strict New BVN Rules
The Central Bank of Nigeria (CBN) has unveiled a stringent new regulatory framework for bank verification numbers (BVN), introducing rapid-response fraud watchlists and strict restrictions on mobile device access. The update, outlined in a circular dated March 26, is set to take effect on May 1, 2026. These measures are designed to curb increasing risks of identity-related fraud, including SIM-swap attacks, and to enhance the overall integrity of the banking system.
Background and Context
The BVN serves as the cornerstone of identity management in Nigeria’s banking sector. It is an 11-digit biometric identifier that links multiple bank accounts to a single individual, capturing unique data such as fingerprints and facial images during enrollment. While the system was initially lauded for reducing identity theft, the financial sector has continued to battle sophisticated fraud schemes that exploit gaps in digital verification processes.
Key Figures and Entities
The directive places the operational burden on deposit money banks and payment service providers, mandating them to upgrade their compliance systems to monitor customer behavior in real-time. The policy directly impacts the tens of millions of Nigerians enrolled in the banking system. According to the CBN, these financial institutions must now act as the first line of defense, utilizing the new tools to identify and mitigate suspicious activities before they result in financial loss.
Legal and Financial Mechanisms
Under the new guidelines, banks are required to create and maintain a "temporary watchlist" for BVNs linked to suspected fraudulent transactions. A BVN can remain on this list for a maximum of 24 hours, during which the customer must be contacted to clarify the transaction. Financial institutions retain the authority to temporarily freeze accounts during this investigative window.
Furthermore, the policy introduces severe restrictions on digital access. Customers will be restricted to accessing mobile banking apps on a single device at a time; logging in on a new device will automatically deactivate access on the previous one. To mitigate the risk of unauthorized account takeovers, transactions on newly activated devices will be capped at N20,000 for the first 24 hours, and customers will be required to pass additional authentication steps. Additionally, phone numbers linked to BVNs can only be updated once, and access to the BVN database is strictly limited to CBN-licensed financial institutions. Enrollment is also restricted to individuals aged 18 and above.
International Implications and Policy Response
The CBN's approach reflects a global trend among central banks to tighten digital security protocols in response to evolving cybercrime methodologies. By mandating single-device usage and immediate fraud flags, the regulator aims to close the loopholes that allow criminals to exploit the delay between unauthorized access and detection. These measures highlight the increasing tension between user convenience and the systemic need to secure digital financial infrastructure against modern threats.
Sources
This report draws on the Central Bank of Nigeria circular regarding the revised regulatory framework for BVN operations and watchlists, effective May 1, 2026.
