Nigeria's Central Bank Enforces Strict BVN Protocols to Combat Digital Fraud
New regulations governing the Bank Verification Number (BVN) system have come into force, fundamentally altering how millions of Nigerians interact with their financial institutions. Effective from 1st May 2026, the measures introduced by the Central Bank of Nigeria (CBN) are designed to curb the escalating tide of identity theft and SIM-swap fraud. The policy mandates a "one-device" restriction for mobile banking applications and imposes severe limitations on changes to registered phone numbers.
Background and Context
The shift towards tighter regulatory oversight comes in response to a sophisticated surge in financial crimes targeting the digital banking ecosystem. Fraudsters have increasingly exploited SIM-swap techniques to hijack customer accounts and bypass biometric security measures. The BVN, introduced as a unique biometric identifier for banking customers, became a focal point for these actors, necessitating a review of the operational frameworks governing its use and the security of linked mobile numbers.
Key Figures and Entities
The directive comes directly from the apex bank, placing compliance obligations on all deposit money banks and financial institutions operating within the country. According to the new guidelines, these institutions are no longer passive custodians of customer data but active monitors. The CBN has explicitly instructed banks to "establish and maintain a temporary watchlist" for accounts exhibiting signs of compromise, shifting the burden of real-time surveillance onto the lenders.
Legal and Financial Mechanisms
The technical mechanics of the new rules are aimed at closing specific loopholes exploited by cybercriminals. Under the updated framework, a mobile banking session is restricted to a single active device; logging into a new application instance automatically terminates the session on the previous hardware, with potential transaction limits applying for the first 24 hours. Furthermore, customers attempting to update the mobile number linked to their BVN are now restricted to a single change. This measure directly targets SIM-swap fraud, where criminals fraudulently port a victim's number to a new SIM to receive one-time passwords. Additionally, the rules reinforce data privacy by restricting access to BVN data to licensed financial institutions and set a minimum age of 18 for registration.
International Implications and Policy Response
While the CBN's measures are domestically focused, they reflect a global trend among central banks to strengthen digital "Know Your Customer" (KYC) protocols and cybersecurity standards. Experts have noted that while the new regulations will likely reduce unauthorized access, they introduce friction for legitimate users, particularly those in regions with poor network connectivity or those who have legitimately lost their devices. The policy underscores the difficult balance regulators face in securing the financial ecosystem without alienating consumers who rely on seamless digital access.
Sources
This report is based on the latest regulatory guidelines issued by the Central Bank of Nigeria and public news reporting on the banking sector published in 2026.
