CBN Readiness Scorecard BSD/DIR/PUB/LAB/019/002
Published 7 May 2026 Version 1.0 Reading time 90 minutes Author Autogon

CBN AML/CFT/CPF Readiness Scorecard

A 90-minute self-assessment for Nigerian fintechs, MFBs, and banks against the Baseline Standards for Automated AML/CFT/CPF Solutions issued by the Central Bank of Nigeria on 10 March 2026. Read the source circular.

days remaining until the 10 June 2026 implementation-roadmap submission deadline.
Full-compliance windows: 18 months for Deposit Money Banks, 24 months for other regulated FIs.
What is at stake → Begin assessment → See the live system → Sources
§ Abstract

How this works

This scorecard is a structured reading of CBN Circular BSD/DIR/PUB/LAB/019/002. It does not replace a formal gap analysis, but it is the assessment your team should run before commissioning one. Built for honest internal use by risk, compliance, and engineering leadership.

Who is in the room
CCO or Head of Compliance (chairs), MLRO, CTO or Head of Engineering, Head of Risk, Internal Audit. Engineering must provide factual answers — not estimates.
How to score
Yes (3) — capability is in place, documented, evidenced. Partial (1) — in place but incomplete. No (0) — not in place. An honest "No" is more useful than an optimistic "Partial".
Trigger questions
Six questions are flagged trigger. Score "No" on any one and that section auto-fails the standard, regardless of percentage. These are CBN's stated automatic non-compliance criteria.
Output
A tier classification (Ready / Path / Significant work / Critical), a list of failed triggers, a section breakdown, and a downloadable .txt summary you can paste into your CBN roadmap submission.
§ 1 — What is at stake

Three things every Nigerian financial institution should be measuring this week

The CBN circular is read most often as a technology mandate. It is not. It is a personal-liability instrument backed by a real fraud-loss landscape and an enforcement posture that has visibly tightened since March. Read in that order before you read the standards themselves.

§ 1.1  ·  Personal liability

The Chief Compliance Officer and MLRO are personally on the hook

Under the Money Laundering (Prevention and Prohibition) Act 2022, named officers face fines and custodial sentences for failures of diligence. Under the Banks and Other Financial Institutions Act 2020, the CBN may revoke an institution's licence for material non-compliance and sanction directors and officers in their individual capacity.

The March circular extends both regimes to the AML/CFT/CPF technology stack. Where a monitoring system fails to detect a flagged pattern that a reasonably-implemented automated solution would have caught, the institution and its named officers — not just the vendor — are exposed.

"Consequences may affect both the institution and accountable individuals." Senior management and compliance officers carry personal regulatory exposure.

§ 1.2  ·  The fraud landscape

Volumes are accelerating, and the attack surface is shifting to AI

Per NIBSS public reporting, electronic-fraud volume in Nigerian banking has risen sharply year-on-year, with social-engineering and account-takeover the fastest-growing categories. Insider-related fraud and glitches accounted for more than ₦22 billion of losses across Nigerian banks in the eight months leading into 2026.[2]

The Arup deepfake video-call fraud (Hong Kong, January 2024, US$25.6M) is the template arriving in West African banking now. AI-generated synthetic identities are passing real-time KYC checks at major fintechs. Detection-based AML, used in isolation, can no longer keep pace with attacks generated at machine speed.

§ 1.3  ·  Enforcement posture

10 June is a real deadline, not a target

The CBN Compliance Department tracks roadmap submissions. The 18-month and 24-month full-compliance windows are deadlines after which enforcement action is expected, not extension dates. Annual fitness-and-propriety assessments now include AML/CFT/CPF compliance as a named criterion. Licence renewals for PSPs and MFBs are being delayed where compliance gaps are identified during quarterly reviews.

The CBN also rolled out a Cybersecurity Self-Assessment Tool (CSAT) in April 2026, requiring institutions to report cybersecurity posture in real time. The Nigeria Data Protection Commission opened formal investigations into named institutions in the same window. The combined signal is unambiguous: enforcement has moved from awareness to action.

§ 2 — By the numbers, 2026

The Nigerian fraud and cyber landscape, in figures

Six numbers that frame why the CBN issued the Baseline Standards. Every figure links to a publisher; verify before quoting in board papers.

FigureRealitySource
01 4,000+ Coordinated cyberattacks per week across Nigeria. The NDPC alone records over 1,500 attempts per week on its own networks.[1] NDPC, May 2026
02 ₦22B+ Lost to insider-related glitches and fraud at Nigerian banks in the eight months leading into 2026. Insider risk is now the most-cited concern by Nigerian CCOs.[2] Dojah, 2026
03 +71.5% Year-on-year increase in dormant ("sleeper") accounts in Nigeria — accounts opened, left inactive for months, then activated by coordinated fraud rings.[2] Dojah, 2026
04 ~70% Projected intensification in AI-driven phishing and impersonation campaigns in 2026. Generative AI now produces deepfake voice clones and bank-mimicking emails at scale.[3] Techpoint Africa, 2026
05 900,000* Customer records (BVN, NUBAN, transaction history) alleged to have been exposed in the March 2026 Sterling Bank breach claim. NDPC investigation ongoing.[4] BusinessDay, April 2026
06 ₦18.78T Q1 2026 PoS transaction volume in Nigeria — the attack surface CBN is asking you to monitor in real time, with explainable decisions and immutable logs.[5] NIBSS, 2026
  1. Nigeria Data Protection Commission, IoT West Africa Conference, May 2026, via Nairametrics public reporting.
  2. Dojah, "6 emerging fraud trends African businesses must prepare for in 2026."
  3. Techpoint Africa, "Nigeria bank fraud 2026: How AI stops deepfake scams."
  4. BusinessDay, "New alleged breach hits Nigerian lender as cyber attacks mount on financial sector," 26 April 2026. Sterling Bank had not officially confirmed the breach at time of writing; figure is the threat actor's claim.
  5. NIBSS, "What CBN's new BVN regulations mean for the Nigerian financial ecosystem," April 2026.

Figures reflect public reporting as of May 2026. Verify the latest figure with the publisher before citing in board papers.

If you score Tier 3 or Tier 4 on this assessment, you are in the cohort the CBN is actively watching. The 90 minutes you are about to spend here is the cheapest hour of risk-reduction work your institution will do this year.

§ 3 — Begin assessment

Enter your work email to unlock the assessment

Your work email — your bank, fintech, MFB, or PSP domain. We send your scored result and a free Autogon Playground access link to that address.

Must be your institution's domain. Personal addresses (gmail, yahoo, outlook, etc.) cannot access this assessment.

By starting, you consent to Autogon contacting you about your readiness result. No spam — one follow-up email maximum.

Answer at least 70 of 90 questions to view your tier classification.

Your CBN Readiness Result

— —

0 / 312
0%

Section breakdown

Top closeable gaps

Sections where you scored under 60%, sorted by impact.

    Want to see the system in action first?
    A live operations demo — six Nigerian fraud scenarios, real-time AI explanations, no login.
    Open live demo →

    Two ways forward — pick the one that fits your team

    Self-serve in the live Autogon OmniGuard Playground, or talk to our compliance and engineering team. Both options take less than a minute to start.

    Self-serve
    Try the Autogon Playground

    Live AML/CFT/CPF environment. See the gaps closed in practice. No call required.

    Guided
    Book a CBN Readiness Review

    30-minute walk-through with our compliance and engineering team. We map your top three gaps to closure timelines.

    Book a 30-minute review
    Use these credentials to sign in

    Shared playground account · no real customer data. Click Open the playground below — your password copies to the clipboard automatically and the new tab opens. Paste straight into the OmniGuard sign-in form.

    EMAIL playground@autogon.ai PASS Playground123!
    § 4 — Sources and primary references

    Cite the source, not the scorecard

    This scorecard is a structured reading of the documents below. Verify any specific claim against the primary text before you commit to it in a board paper or a CBN submission.

    1. CBN Circular BSD/DIR/PUB/LAB/019/002 — Baseline Standards for Automated AML/CFT/CPF Solutions
      Issued 10 March 2026. The primary regulatory instrument this scorecard reads against.
      cbn.gov.ng → Out/2026/CCD/Baseline-Standards.pdf
    2. CBN Circulars index
      Master list of regulatory circulars (search "AML" or "CFT").
      cbn.gov.ng/Documents/circulars.html
    3. CBN AML/CFT Circulars page
      All AML/CFT-specific circulars in one place.
      cbn.gov.ng/Documents/AML-CFT.html
    4. Money Laundering (Prevention and Prohibition) Act 2022
      MLPPA 2022 — basis for personal liability of named officers.
      placng.org → MLPPA 2022 PDF
    5. Banks and Other Financial Institutions Act 2020
      BOFIA 2020 — CBN's revocation and supervision powers.
      cbn.gov.ng → BOFIA 2020 PDF
    6. Nigeria Data Protection Act 2023
      NDPA — Section 48 penalty regime, enforced by NDPC.
      ndpc.gov.ng
    7. Nigerian Financial Intelligence Unit (NFIU)
      STR / CTR filing portal and guidance.
      nfiu.gov.ng
    8. ISO/IEC 42001:2023 — AI Management System
      Required by Section 6 cross-cutting governance.
      iso.org/standard/81230.html
    9. ISO/IEC 27001 — Information Security Management System
      Referenced under Standard 5.11.
      iso.org/standard/27001
    10. FATF Recommendations
      International AML/CFT standards underpinning the Nigerian regime.
      fatf-gafi.org
    11. NIBSS public reporting
      Nigerian Inter-Bank Settlement System fraud trends, BVN regulations, transaction volumes.
      nibss-plc.com.ng
    12. NDIC Annual Reports
      Banking-sector fraud and forgery statistics.
      ndic.gov.ng
    13. Arup deepfake video-call fraud (Hong Kong)
      SCMP coverage, 4 February 2024 — US$25.6M reported loss.
      scmp.com/...3250851
    14. Dojah — Africa fraud trends 2026
      Sleeper accounts, insider risk, KYC farming.
      dojah.io/blog/fraud-trends-africa-2026
    15. Techpoint Africa — bank fraud guide 2026
      AI-driven phishing projections, deepfake KYC bypass, fintech AI defence adoption.
      techpoint.africa/guide/nigeria-bank-fraud-ai-deepfake-identity
    16. BusinessDay — Sterling Bank breach claim
      "New alleged breach hits Nigerian lender" — 26 April 2026.
      businessday.ng
    17. Nairametrics — NDPC weekly attack volume
      IoT West Africa Conference, May 2026 — 4,000+ attacks per week disclosed.
      nairametrics.com
    18. Vanguard — Nigeria IFFs 2013-2022
      $77.7B trade-related illicit financial flows, 3 February 2026.
      vanguardngr.com/...77-7bn
    19. TechCabal — Nigeria FATF grey-list exit
      Cybersecurity disclosure pressure, 6 March 2026.
      insights.techcabal.com
    20. TRM Labs — 2026 crypto crime report
      Illicit crypto flows, 28 January 2026.
      trmlabs.com/reports-and-whitepapers/2026-crypto-crime-report

    If you cite this scorecard externally, cite Autogon as the publisher and link directly to the relevant primary source for any individual claim. The scorecard is an interpretation; the law and the circular are the authority.