Global Law Experts Logo
cbns new instantpayment security minimums live

Cbn's Instant‑payment Minimums Are Live: One‑device Rule & ₦20,000 24‑hour Cap

By Global Law Experts
– posted 22 minutes ago

The Central Bank of Nigeria’s new instant‑payment security minimums are now live, and every bank, fintech and payment service provider operating in the country must comply. Effective 1 July 2026, the CBN’s guidelines on instant‑payment functionalities impose a mandatory one‑device rule for mobile banking applications, a ₦20,000 transaction cap during the first 24 hours after activation on a new device, compulsory device binding, multi‑factor authentication and enterprise‑grade fraud monitoring. These standards represent the most significant overhaul of Nigeria’s digital‑payment security architecture since the Risk‑Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers, and they carry immediate contractual, technical and regulatory consequences for every institution in the payments chain.

This article provides a detailed compliance roadmap, from the exact regulatory obligations to practical implementation checklists, customer‑communication templates and enforcement risk analysis, so that compliance officers, in‑house counsel, product managers and corporate treasurers can act with confidence.

What the CBN requires, quick summary of the new instant‑payment security minimums

The CBN circular published on its official reforms page sets out a series of mandatory minimum standards for all institutions that offer instant‑payment services. According to the CBN, these standards took effect on 1 July 2026. The core requirements can be summarised as follows:

  • One‑device rule. Mobile banking apps may only be active on one device at a time per customer account. A customer who switches to a new device must deactivate the previous one first.
  • ₦20,000 24‑hour transaction cap. When a customer activates their mobile banking app on a new device, the maximum transaction limit during the first 24 hours must not exceed ₦20,000. This applies to both new and existing accounts.
  • Mandatory device binding. Financial institutions must bind each mobile banking application session to a specific, identified device using hardware‑level identifiers.
  • Multi‑factor authentication (MFA). All first‑time device activations and high‑risk transactions must be verified through at least two independent authentication factors.
  • Enterprise fraud monitoring. Institutions must deploy real‑time, enterprise‑level fraud‑monitoring systems capable of flagging and blocking suspicious instant‑payment transactions.
  • Customer opt‑out. Customers must be given the option to disable instant‑payment transfers entirely on their accounts if they choose.

Industry observers expect that compliance with these CBN instant‑payment guidelines will require most Nigerian banks and fintechs to update mobile application infrastructure, amend customer terms and conditions, and reconfigure transaction‑monitoring engines within a compressed timeframe.

Policy rationale: why the CBN implemented the ₦20,000 cap and one‑device rule

The CBN has stated publicly that these measures are designed to strengthen the security of digital banking transactions and protect customers from fraud, particularly from cases involving stolen phones, unauthorised access or fraudulent device changes. Nigeria recorded a sharp increase in mobile‑banking fraud linked to SIM‑swap attacks, device theft and social‑engineering schemes in the years leading up to this circular. The one‑device rule directly targets a common attack vector: fraudsters who clone or hijack credentials to operate a victim’s banking application from a second, unauthorised device.

The ₦20,000 24‑hour cap on newly activated devices serves as a cooling‑off period. Even if an attacker gains access to a customer’s banking credentials and activates the application on a new phone, the financial damage is capped at ₦20,000 for the first day, giving both the bank’s fraud team and the customer time to detect and respond to the compromise. This approach aligns with international best practices seen in the United Kingdom’s Confirmation of Payee framework and the European Union’s PSD2 strong‑customer‑authentication requirements, both of which impose friction on novel or high‑risk payment scenarios to reduce fraud losses.

Similar to recent RBI banking rules in India, the CBN’s framework reflects a global regulatory trend toward layered, device‑level security controls for instant payments.

Detailed requirements: CBN obligations for banks and payment service providers

Device binding and the one‑device rule

Under the CBN’s instant‑payment guidelines, device binding requires financial institutions to capture and verify hardware‑level device identifiers, such as the International Mobile Equipment Identity (IMEI) number or equivalent hardware token, each time a customer registers or changes the device on which their mobile banking application operates. The binding must be persistent: the application must refuse to function on a second device unless the first device has been formally deactivated through the institution’s prescribed process.

Practically, this means institutions must maintain a secure device registry that records, at minimum, the customer account number, bound device identifier, activation timestamp, deactivation timestamp and the authentication method used at registration. A first‑time log‑on to a new device for an existing account must trigger additional multi‑factor authentication before the account becomes usable. Banks should treat any device‑change event as a high‑risk trigger within their fraud‑monitoring systems.

₦20,000 24‑hour cap: what counts and when it lifts

The limit applies to the total transfer volume, not per‑transaction, during the first 24 hours after a mobile banking application is activated on a new device. According to the CBN, the limit shall be set by the financial institution, with a maximum limit not exceeding ₦20,000. This means institutions can set a lower threshold (for example, ₦10,000 or even zero) during the cooling‑off period, but they may not exceed the ₦20,000 ceiling. Once the 24‑hour window elapses without a fraud alert, the customer’s normal transaction limits resume automatically, though institutions retain discretion to extend the restricted period if risk indicators warrant it.

MFA and authentication requirements

The CBN mandates multi‑factor authentication for all device activations and for transactions that exceed institution‑defined risk thresholds. Acceptable factors include knowledge factors (PINs, passwords), possession factors (OTP via registered phone number, hardware tokens) and inherence factors (biometric verification such as fingerprint or facial recognition). Financial institutions must ensure that MFA mechanisms are resistant to common attack vectors including SIM‑swap fraud, phishing and man‑in‑the‑middle interception. Each authentication event, including the factors used, the timestamp and the outcome, must be logged and retained for audit and regulatory examination.

Implementation checklist for banks and fintechs under CBN instant‑payment guidelines

Compliance with the CBN’s new instant‑payment security minimums demands action across legal, technical and operational functions. The following checklist provides a structured approach for banks and fintechs working to meet these standards:

  • Policy and governance. Establish or update internal policies to reflect the one‑device rule, ₦20,000 cap and MFA requirements. Assign a named compliance owner and create an escalation path for exceptions.
  • Terms and conditions. Amend customer‑facing terms and conditions to disclose the new device limits, the 24‑hour cap and the customer’s right to opt out of instant payments entirely.
  • Customer notifications. Issue immediate notice to all existing customers, via in‑app messages, SMS, email and website announcements, explaining the changes and any action the customer must take.
  • Device registration flows. Update or build device‑registration and device‑change workflows within the mobile banking application to capture hardware identifiers, enforce single‑device binding and trigger MFA at each device change.
  • Transaction‑limit engine. Configure the core banking or middleware layer to enforce the ₦20,000 aggregate cap for 24 hours after each new‑device activation event.
  • Fraud‑monitoring integration. Ensure real‑time enterprise fraud monitoring flags device‑change events, monitors post‑activation transaction patterns and generates alerts for anomalous behaviour.
  • Logging and retention. Implement tamper‑proof audit logs for all device registrations, MFA events and cap‑enforcement decisions. Retain logs in accordance with CBN record‑keeping directives.
  • Vendor and third‑party contracts. Review service‑level agreements with mobile‑app vendors, payment processors and MFA providers to ensure contractual alignment with the new standards.
  • Testing and certification. Conduct end‑to‑end testing of the new flows, including device switching, cap enforcement and MFA, prior to go‑live and retain test evidence.
  • Staff training. Train customer‑service, fraud‑operations and compliance teams on the new rules, escalation procedures and customer communication scripts.

The comparison table below maps key obligations to each entity type in the payments ecosystem:

Entity type Key obligations (top 3) Priority implementation actions
Commercial banks 1) Enforce one‑device binding; 2) Apply ₦20,000 cap for first 24 hours on newly activated devices; 3) Deploy enterprise fraud monitoring and MFA Update mobile app onboarding; amend T&Cs; reconfigure AML/transaction monitoring alerts
Fintechs / PSPs 1) Comply with device and MFA standards under supervised arrangement; 2) Coordinate with sponsor banks on cap enforcement; 3) Vendor risk management Confirm integration with sponsor bank systems; ensure institution‑level logging; update vendor SLAs
Corporate treasuries / business customers 1) Review multi‑user access flows; 2) Implement approval thresholds; 3) Use tokenised corporate credentials Deploy delegated admin portals; update internal SOPs for device changes; coordinate with banking partners

Customer impacts and corporate account exceptions under the CBN one‑device rule

For individual retail customers, the practical effect is straightforward: changing phones or reinstalling a banking app triggers a 24‑hour cooling‑off period with a ₦20,000 transaction ceiling. Major Nigerian banks, including Access Bank, have already begun notifying customers that effective 1 July 2026, the new CBN instant‑payment guidelines restrict transfers to ₦20,000 within the first 24 hours of activating a banking app on a new device.

Corporate and multi‑user accounts present a more complex compliance challenge. Many businesses operate treasury functions across multiple authorised users and devices. The one‑device rule applies per customer account, which means a corporate account with delegated signatories may need to establish role‑based device‑binding protocols, allowing each authorised user to bind one device to their specific access credentials rather than to the corporate account as a whole. Industry observers expect that institutions will need to develop delegated administration portals that allow a corporate administrator to manage device registrations, approve new‑device requests and set institution‑specific sub‑limits.

Companies relying on API‑based payment integrations, such as payroll processors or supply‑chain platforms, should confirm with their banking partners whether API channels fall within the scope of the one‑device rule or are treated separately under the guidelines. This is a point where the CBN circular leaves some ambiguity, and early legal advice is recommended.

Enforcement, liability and contract changes: legal risk under the CBN’s new standards

The CBN retains broad enforcement powers under the Banks and Other Financial Institutions Act (BOFIA) and its supervisory framework. Non‑compliance with the instant‑payment security minimums can expose institutions to regulatory sanctions including directives, fines, licence conditions and, in serious cases, restrictions on banking operations. Beyond direct regulatory action, institutions that fail to implement the mandated security controls face heightened civil liability: a customer who suffers fraud losses on a non‑compliant platform may have a stronger claim for restitution or damages, particularly where the institution failed to enforce device binding or the ₦20,000 cap.

Contract amendments are equally critical. Banks that provide instant‑payment infrastructure to fintechs and PSPs through sponsor‑bank arrangements should update their partnership agreements to allocate responsibility for device‑binding enforcement, MFA provision and cap compliance. Indemnity clauses should address scenarios where a partner’s failure to enforce the rules results in customer losses or regulatory penalties. Data‑privacy considerations also arise: device identifiers such as IMEI numbers may qualify as personal data under the Nigeria Data Protection Act 2023, meaning institutions must ensure that collection, storage and processing of device data complies with data‑protection obligations alongside the CBN requirements.

A practical guide to regulatory compliance for financial institutions, similar in format to the Uganda tax changes practical guide, can help institutions structure their response across multiple regulatory domains simultaneously.

Technical implementation notes for product teams

Device binding UX patterns

Product teams should design the device‑binding experience to be transparent and low‑friction for legitimate customers while remaining robust against attackers. Best practice is to present a clear in‑app screen during first activation on a new device that explains the binding process, requests the necessary hardware permissions and notifies the customer that a 24‑hour restricted period will apply. A confirmation message, delivered via a separate channel such as SMS or email to the previously registered contact, provides an additional security layer and creates a customer‑verifiable audit trail.

MFA design choices and fallback mechanisms

Given the prevalence of SIM‑swap attacks in Nigeria, relying solely on SMS‑based OTP for multi‑factor authentication carries residual risk. Product teams should consider implementing app‑based authentication tokens (TOTP), biometric verification or hardware security keys as primary or secondary factors. A well‑designed fallback mechanism, such as in‑branch verification or call‑back confirmation for customers who cannot complete digital MFA, ensures accessibility while maintaining security. All MFA design choices should be documented and available for CBN supervisory review.

Fraud monitoring metrics and KPIs

Enterprise fraud monitoring systems should track device‑change frequency per account, transaction velocity immediately after activation, geographic anomalies between the new device’s IP address and the customer’s historical profile, and failed MFA attempts. Recommended logging fields include: account identifier, old device ID, new device ID, activation timestamp, MFA method used, MFA result, each transaction amount and timestamp during the 24‑hour window, and any fraud‑alert triggers. Retention periods should align with CBN audit requirements, a minimum of six years is prudent given the limitation periods under Nigerian law.

How to update bank and customer communications

Timely, clear customer communication is both a regulatory requirement and a practical necessity. The following template language can be adapted for in‑app notifications, email and SMS:

“Dear Customer, effective 1 July 2026, new CBN security standards apply to your mobile banking app. Your app is now linked to one device at a time. If you activate your app on a new device, your transfer limit will be temporarily set to ₦20,000 for the first 24 hours. After 24 hours, your normal limits will resume. You may also choose to disable instant transfers entirely by contacting us. These measures are designed to protect your account from unauthorised access. For more information, visit [bank URL] or contact [support channel].”

For the in‑app device‑activation flow, the recommended script sequence is:

  • Step 1. Display: “You are activating this app on a new device. Your previous device will be deactivated.”
  • Step 2. Prompt MFA (biometric or OTP to registered contact).
  • Step 3. Confirm: “Activation successful. A ₦20,000 transfer limit applies for the next 24 hours. Normal limits resume on [date/time].”
  • Step 4. Send confirmation to previously registered email and phone number.

What to watch next: timeline and next steps for counsel

The CBN’s instant‑payment security minimums are now in effect, but several aspects of the framework are likely to evolve. Industry observers expect the CBN to issue supplementary guidance addressing ambiguities, particularly around corporate multi‑user accounts, API‑channel treatment and the interplay between the new rules and existing cybersecurity frameworks. Compliance teams should monitor the CBN’s circulars page and industry body communications for updates.

Institutions that have not yet fully implemented the requirements should treat remediation as an urgent priority. Engaging specialised banking and finance counsel, through the Global Law Experts lawyer directory, can accelerate compliance planning, particularly for complex areas such as sponsor‑bank contract amendments, data‑privacy assessments and corporate‑account exception design. Early legal engagement also helps institutions document good‑faith compliance efforts, which may mitigate regulatory consequences if supervisory review identifies gaps.

Conclusion: acting on CBN’s new instant‑payment security minimums

With CBN’s new instant‑payment security minimums now live, the window for reactive compliance has closed. Banks, fintechs and PSPs must verify that their mobile applications enforce single‑device binding, apply the ₦20,000 24‑hour cap on new‑device activations, implement robust multi‑factor authentication and operate enterprise‑level fraud monitoring. Equally important are the downstream tasks: updating customer terms, issuing clear notifications, amending sponsor‑bank contracts and training frontline staff. Institutions seeking tailored compliance reviews, contract drafting support or regulatory‑risk assessments should connect with experienced Nigerian banking and finance counsel through Global Law Experts.

Sources

  1. Central Bank of Nigeria, Reforms and Initiatives
  2. BusinessDay, CBN caps new mobile banking transfers at N20,000 for 24 hours
  3. TVC News, New CBN Rule Lets Customers Disable Instant Transfers
  4. Pavestones Legal, Key Regulatory Update: CBN Guidelines on Instant Payment Functionalities and Mobile Banking Security
  5. Manifield Solicitors, CBN Operational Guidelines: The New Instant Payment Functionalities for Financial Institutions

FAQs

When do the CBN instant‑payment minimums take effect?
The standards took effect on 1 July 2026, as published on the Central Bank of Nigeria’s official reforms page.
Mobile banking apps are limited to one active device at a time per customer account. Switching to a new device requires deactivation of the previous device and triggers additional multi‑factor authentication plus the 24‑hour transaction cap.
For both new and existing accounts, the maximum transaction limit during the first 24 hours of activation on a new device must not exceed ₦20,000. This cap covers total transfer volume, not individual transactions. Normal limits resume after the 24‑hour window.
Yes. Once the 24‑hour period elapses without fraud indicators, the customer’s standard transaction limits are restored automatically. However, institutions retain discretion to extend restrictions or require additional verification if risk flags are present.
Banks should provide immediate notice through in‑app messages, SMS, email and website announcements. Terms and conditions must be amended to reflect the new device limits, the 24‑hour cap and the customer’s right to opt out of instant payments. Step‑by‑step device‑change guidance should be published prominently.
The CBN circular does not provide an explicit corporate‑account exemption. Institutions should implement delegated access and role‑based device‑binding protocols for corporate clients. Specialised legal advice is recommended to design compliant exception frameworks that satisfy both the CBN’s security objectives and corporate operational needs.
The CBN can impose regulatory sanctions under its supervisory powers, including directives, monetary penalties and operational restrictions. Non‑compliant institutions also face increased civil liability for customer fraud losses and reputational damage. Prompt remediation and documented good‑faith compliance efforts are the most effective risk mitigants.

Find the right Advisory Expert for your business

The premier guide to leading advisory professionals throughout the world

Specialism
Country
Practice Area
ADVISORS RECOGNIZED
0
EVALUATIONS OF ADVISORS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest advisor briefings and news within Global Advisory Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Advisory Experts is dedicated to providing exceptional advisory services to clients around the world. With a vast network of highly skilled and experienced advisors, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GAE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

Cbn's Instant‑payment Minimums Are Live: One‑device Rule & ₦20,000 24‑hour Cap

Send welcome message

Custom Message