CBN's June 2026 AML Automation Deadline: What Nigerian Fintechs Need to Build
June 10, 2026. That's the date CBN's directive on automated AML/CFT compliance takes full effect.
If you're a Nigerian financial institution — bank, fintech, payment processor, microfinance bank, or money transfer operator — and you're still running manual AML processes, you have roughly 82 days to fix that.
This isn't a "nice to have" automation project. It's a regulatory requirement with teeth.
What the CBN directive requires
The Central Bank of Nigeria has been tightening AML/CFT requirements for years. The June 2026 deadline consolidates several previous circulars into a clear mandate: financial institutions must have automated systems for:
- Transaction monitoring — real-time or near-real-time screening of transactions against risk rules
- Suspicious activity detection — automated flagging of unusual patterns, velocity anomalies, and risk indicators
- Sanctions screening — automated screening against CBN, OFAC, UN, and EU sanctions lists
- Regulatory reporting — automated generation of Suspicious Transaction Reports (STRs) and Currency Transaction Reports (CTRs)
- Customer risk scoring — dynamic risk classification of customers based on behaviour, geography, and profile
Manual spreadsheet reviews and end-of-day batch checks no longer meet the standard.
Why this matters now
Three things have changed:
Enforcement is real. CBN has revoked licences, imposed fines, and suspended operations for AML failures. They're not issuing warnings anymore — they're acting.
Nigeria's FATF status. Nigeria has been working to exit the FATF grey list. Demonstrating automated AML capabilities across the financial sector is part of that effort. CBN is under political pressure to show results.
The fintech explosion. Nigeria's fintech ecosystem has grown faster than the compliance infrastructure supporting it. CBN knows that many licensed fintechs are running minimal AML processes. The June deadline is the correction.
What you need to build
Let's be specific about what "automated AML/CFT compliance" actually means in practice.
Transaction monitoring engine
This is the core. You need a system that:
- Processes every transaction in real-time (or within minutes, not hours)
- Applies configurable risk rules (amount thresholds, frequency patterns, geographic flags)
- Generates alerts for human review when rules trigger
- Logs every decision for audit trail purposes
The rules need to be specific to Nigerian transaction patterns. A ₦10 million transfer might be normal for one customer segment and deeply suspicious for another. Off-the-shelf solutions calibrated for Western markets often generate excessive false positives in Nigerian transaction environments.
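A sketch of the four requirements above with segment-specific thresholds, added here as an illustration and not taken from any CBN text or vendor product. The segment limits, the country placeholder "XX" and the hash-chained log format are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed per-segment limits in naira and a placeholder country code; not CBN figures.
SEGMENT_LIMITS = {"retail": 1_000_000, "sme": 5_000_000, "corporate": 50_000_000}
HIGH_RISK_COUNTRIES = {"XX"}


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class Monitor:
    audit_log: list = field(default_factory=list)
    prev_hash: str = "0" * 64

    def evaluate(self, txn: dict) -> list:
        """Apply the rules to one transaction and return the names of rules that fired."""
        fired = []
        limit = SEGMENT_LIMITS.get(txn["segment"])
        if limit is None:
            fired.append("unknown_segment")  # fail closed: unclassified customers go to review
        elif txn["amount"] > limit:
            fired.append("amount_over_segment_limit")
        if txn.get("dest_country") in HIGH_RISK_COUNTRIES:
            fired.append("high_risk_geography")
        # Log every decision, including "no alert"; each entry commits to the previous
        # one, so deleting or editing an entry after the fact is detectable.
        entry = {"txn_id": txn["id"], "rules": fired, "alert": bool(fired), "prev": self.prev_hash}
        entry["hash"] = _digest(entry)
        self.prev_hash = entry["hash"]
        self.audit_log.append(entry)
        return fired

    def verify_log(self) -> bool:
        """Recompute the hash chain; False means the audit trail was altered."""
        prev = "0" * 64
        for e in self.audit_log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

The same ₦10 million transfer raises an alert for a retail customer and passes for a corporate one, and both outcomes land in the log.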
Suspicious activity detection
Beyond simple rule-based triggers, CBN expects pattern recognition:
- Structuring detection — identifying when transactions are broken up to avoid reporting thresholds
- Velocity analysis — flagging sudden changes in transaction frequency or volume
- Network analysis — identifying related accounts or suspicious transaction chains
- Behavioural deviation — detecting when a customer's activity deviates significantly from their historical baseline
This is where AI becomes useful — not just nice to have, but practically necessary. Manual detection of structuring or network patterns across thousands of accounts is effectively impossible.
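Structuring detection from the list above can start as a plain sliding-window rule before any ML is involved. This is an added example, not code from a CBN circular or a product; the threshold, the 24-hour window, the minimum count and the sample transactions are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5_000_000        # assumed reporting threshold in naira (placeholder value)
WINDOW = timedelta(hours=24)
MIN_COUNT = 3                # several sub-threshold transactions are needed to form a pattern

# Constructed sample: (customer_id, ISO timestamp, amount in naira)
SAMPLE = [
    ("C1", "2026-03-02T09:00:00", 1_900_000),
    ("C1", "2026-03-02T11:30:00", 1_800_000),
    ("C1", "2026-03-02T15:10:00", 1_700_000),   # 5.4M in about six hours
    ("C2", "2026-03-01T09:00:00", 1_900_000),
    ("C2", "2026-03-03T09:00:00", 1_900_000),
    ("C2", "2026-03-05T09:00:00", 1_900_000),   # same amounts spread over days
    ("C3", "2026-03-02T10:00:00", 7_000_000),   # single reportable transaction
]


def detect_structuring(txns):
    """Return {customer_id: (window_start, window_end, total)} for the first window in
    which sub-threshold transactions add up to the threshold or more."""
    hits = {}
    windows = defaultdict(deque)   # customer -> (time, amount) pairs inside the window
    totals = defaultdict(int)
    for cust, ts, amount in sorted(txns, key=lambda t: t[1]):
        if amount >= THRESHOLD:
            continue               # reportable on its own, so not part of the pattern
        when = datetime.fromisoformat(ts)
        win = windows[cust]
        win.append((when, amount))
        totals[cust] += amount
        while when - win[0][0] > WINDOW:      # expire transactions older than the window
            totals[cust] -= win.popleft()[1]
        if cust not in hits and len(win) >= MIN_COUNT and totals[cust] >= THRESHOLD:
            hits[cust] = (win[0][0].isoformat(), when.isoformat(), totals[cust])
    return hits
```

Only C1 is flagged; C2 moves the same amounts but never accumulates enough inside one window, which is the false-positive case a naive daily-total rule would miss or over-report depending on batch boundaries.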
Sanctions screening
Every customer, beneficiary, and counterparty needs to be screened against:
- CBN sanctions list
- OFAC SDN list
- UN Security Council sanctions
- EU consolidated list
- PEP (Politically Exposed Persons) databases
Screening needs to happen at onboarding, at transaction time, and whenever lists are updated. Fuzzy matching is essential — sanctions targets use aliases, transliterations, and variant spellings.
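A minimal fuzzy matcher for the alias, transliteration and variant-spelling problem, added here as an example and not drawn from any list provider's API. The watchlist entries are fictional, and the 0.85 threshold is a tuning assumption.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist; the names and ids are fictional.
WATCHLIST = [
    {"id": "WL-001", "name": "Abdulrahman Yusuf Al-Tariq",
     "aliases": ["Abd al-Rahman Yousef Tarik"]},
    {"id": "WL-002", "name": "Oleksandr Petrenko-Hrynko", "aliases": []},
]


def normalise(name: str) -> str:
    """Strip diacritics, fold case, drop punctuation and sort tokens so that
    'SURNAME, Given' and 'Given Surname' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in no_marks.casefold())
    return " ".join(sorted(cleaned.split()))


def screen(name: str, threshold: float = 0.85):
    """Return (watchlist_id, matched_name, score) for the best candidate at or above
    the threshold, or None. A hit is a lead for human review, not a verdict."""
    target = normalise(name)
    best = None
    for entry in WATCHLIST:
        for candidate in [entry["name"], *entry["aliases"]]:
            score = SequenceMatcher(None, target, normalise(candidate)).ratio()
            if score >= threshold and (best is None or score > best[2]):
                best = (entry["id"], candidate, round(score, 3))
    return best
```

Character-level similarity does not cover every transliteration (a name split into different tokens sorts differently), so production screening usually adds phonetic or token-level matching on top.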
Automated reporting
When your system flags a suspicious transaction, the STR needs to be generated and filed with the Nigerian Financial Intelligence Unit (NFIU). The system should:
- Auto-populate STR forms from transaction and customer data
- Route reports through compliance officer review before submission
- Track filing deadlines and generate reminders
- Maintain a complete audit trail of all reports filed
Customer risk scoring
Every customer needs a risk classification — low, medium, high — based on:
- Customer type (individual, corporate, PEP, high-risk jurisdiction)
- Transaction patterns
- Products and services used
- Geographic factors
- KYC completeness
The scoring should be dynamic, updating as new information becomes available, not a one-time classification at onboarding that never changes.
Build vs buy
You have three options:
Buy an off-the-shelf solution
Enterprise AML platforms (Actimize, SAS, Featurespace) work well for large banks but are priced accordingly — often $200K+ annual licensing plus implementation. For most Nigerian fintechs, this is overkill.
Mid-market solutions (Tookitaki, Napier, Unit21) offer more accessible pricing but still require significant configuration for Nigerian market patterns.
Build custom
Building a custom AML engine gives you control over rules, integration with your specific transaction infrastructure, and lower ongoing costs. The tradeoff is development time and expertise.
A practical custom build looks like:
- Transaction monitoring pipeline reading from your payment infrastructure
- Rule engine with configurable thresholds (start with 20-30 core rules)
- ML model for anomaly detection trained on your historical transaction data
- Sanctions screening service with fuzzy matching
- Alert management dashboard for compliance officers
- Automated STR generation and filing workflow
Development timeline: 8-16 weeks depending on complexity and existing infrastructure.
Hybrid approach
Use specialised services for sanctions screening (where data freshness is critical) and build custom for transaction monitoring and risk scoring (where Nigerian market knowledge matters most).
This is often the most practical path for fintechs. You get the benefit of maintained sanctions lists without being locked into an enterprise platform that doesn't understand your transaction patterns.
The compliance documentation side
Building the system isn't enough. You also need to document it. CBN auditors will want to see:
- AML/CFT policy — updated to reflect automated capabilities
- Risk assessment methodology — how your risk scoring works, what factors it considers, how it was validated
- Model documentation — if you're using AI/ML, the model needs documentation covering training data, performance metrics, bias testing, and override procedures
- Testing evidence — proof that the system works as intended, with test scenarios and results
- Audit trail — demonstrating that every transaction was screened and every alert was investigated
If your AI system makes decisions about flagging transactions, the NDPA also applies. You need a Data Protection Impact Assessment for the personal data processing involved.
The NDPA intersection
AML automation processes significant amounts of personal data — transaction histories, identification documents, biometric data, behavioural patterns. All of this falls under the Nigeria Data Protection Act.
You need:
- Lawful basis — legitimate interest or legal obligation (the AML regulatory requirement gives you this)
- Privacy notices — customers need to know their data is being processed for AML purposes
- Data minimisation — only process what's necessary for AML compliance
- Retention limits — CBN requires 5-year retention for AML records, but you shouldn't keep data longer than that without justification
- DPIA — if you're using automated decision-making that could significantly affect individuals (flagging accounts, blocking transactions), a DPIA is required
We've covered the CBN AML automation requirements in detail in our dedicated CBN AML guide.
Timeline to June 10
82 days. Here's a realistic project timeline:
Weeks 1-2: Assessment and planning
- Audit current AML processes
- Identify gaps against CBN requirements
- Choose build/buy/hybrid approach
- Scope the project
Weeks 3-6: Core build
- Transaction monitoring pipeline
- Rule engine configuration
- Sanctions screening integration
- Alert management system
Weeks 7-9: Testing and tuning
- Test with historical transaction data
- Tune rules to reduce false positives
- Validate sanctions screening accuracy
- UAT with compliance team
Weeks 10-11: Documentation and training
- AML policy updates
- Model documentation
- Compliance officer training
- NDPA documentation (DPIA, privacy notices)
Week 12: Go-live
- Deploy to production
- Monitor for first-week issues
- Brief CBN examiner if requested
It's tight but achievable if you start now. If you start in May, you won't make it.
What to do right now
- Audit your current AML processes — what's automated, what's manual, what's missing?
- Decide build/buy/hybrid — based on your transaction volume, budget, and existing infrastructure
- Start the procurement or development process — 82 days goes fast
- Update your AML policy — even before the system is built, your policy should reflect the intended state
- Brief your board — this is a regulatory deadline with licence implications, not an IT project
The CBN deadline isn't moving. The question is whether you're ready when it arrives.
Need help building AML automation or getting compliant before June? We build automated AML/CFT systems and handle the compliance documentation. Nigerian infrastructure, Nigerian pricing. Talk to us.