The Central Bank of Nigeria (CBN) has released a draft of its Guidelines for Handling Authorised Push Payment (APP) Fraud—a document that, if adopted, will fundamentally shift how Nigerian banks, fintechs and payment service providers manage liability, investigations and consumer protection in fraud cases.
APP fraud, where customers are deceived into authorising payments, is one of the fastest-growing forms of digital crime in Nigeria’s financial system. Until now, institutions have generally treated these losses as the customer’s responsibility.
The draft rules disrupt that position entirely: they establish structured reimbursement mechanisms, enforce strict investigative timelines, elevate fraud management to Board level, and make ecosystem-wide collaboration mandatory.
This is one of the most consequential regulatory moves in Nigeria’s digital payments landscape since the introduction of the BVN.
Why this matters
Nigeria’s payments infrastructure has expanded rapidly, but so has the sophistication and scale of fraud. Finance in Africa’s reporting shows that Nigerian institutions have lost at least ₦159 billion since 2020 across banks and payment platforms, with high-profile incidents at Access Bank, Fidelity, First Bank, Wema, MTN MoMo and Flutterwave.
Much of this fraud follows a familiar pattern: funds stolen through deception or social engineering; rapidly split across dozens of accounts; moved through wallets, neobanks, PoS agents, betting platforms or BDCs; and ultimately difficult to trace due to weak data-sharing, inconsistent KYC standards, and slow inter-agency coordination.
APP fraud has become the centre of gravity because it bypasses traditional security checks. The user clicks “send,” the money leaves the account, and the institution’s fraud triggers rarely activate in time.
The CBN is signalling a new regulatory philosophy: protecting consumers requires structural changes, not just cautionary messages telling users to be careful.
Background context
Nigeria’s fraud ecosystem is shaped by four persistent weaknesses. We covered these in detail in a separate piece; here is a quick rundown.
Fragile KYC foundations
Tier-1 accounts can be opened with minimal information, BVNs have been compromised, and NIN data circulates on the black market. Weak onboarding makes it easy to create mule accounts or recycle identities.
Internal collusion
Staff-enabled fraud remains a material risk. FITC estimates place bank losses due to insider involvement at over ₦24 billion since 2020. Collusion helps fraudsters bypass checks built into existing controls.
Slow recovery mechanisms
Tracing funds requires ex parte court orders, multiple police units, and cooperation across 20–200 institutions once money starts moving. This creates structural delays that fraudsters exploit.
Limited ecosystem collaboration
Banks may have visibility through NIBSS, but many fintechs do not. Flags raised in one institution often do not propagate across the system quickly enough. Industry-led initiatives like Project Radar have struggled due to coordination challenges and competitive mistrust.
Against this backdrop, the CBN’s draft guidelines attempt to hard-code accountability, introduce uniform standards, and reduce the ambiguities that have shaped how APP fraud is handled today.
What’s new and what’s changing
Reimbursement becomes a regulatory expectation
The guidelines state that customers “shall be eligible for reimbursement” if they were deceived into authorising a payment, reported the fraud within 72 hours, and did not act negligently.
This represents a fundamental shift from discretionary refunds to presumed liability for institutions that cannot establish customer fault.
Strict timelines replace open-ended investigations
The CBN introduces time-bound obligations:
- Acknowledge complaints within 24 hours.
- Launch formal investigations immediately.
- Conclude cases within 14 working days.
- Issue refunds (when applicable) within 48 hours of resolution.
This counters the systemic delays documented across banks and law enforcement.
Mandatory early warning systems
Institutions must implement real-time behavioural monitoring and dedicated fraud units with the capacity to detect high-velocity transfers, mule-account behaviour, and red-flag activity. This elevates fraud detection from a siloed operational function to a core risk capability.
Board-level governance
Every institution must adopt a Board-approved APP Fraud Policy. The Board Risk Management Committee and Board Audit Committee will oversee fraud cases, while Internal Audit provides regular summaries of incidents and resolutions.
Fraud governance, historically owned by operations teams, becomes a Board responsibility.
System-wide collaboration
The CBN places clear responsibility on institutions to share information, escalate unresolved cases to the regulator, and freeze suspicious proceeds. Any institution that fails to act promptly will be liable for the total exposure.
Enforcement and sanctions
Non-compliance is a regulatory breach. False or incomplete reporting will attract penalties for both the institution and responsible individuals.
This is the strongest set of fraud-management sanctions the CBN has proposed in recent years.
The implications
For banks, payment service providers, and fintechs, the implications are far-reaching:
- Liability will shift. Institutions will carry more of the financial burden in APP fraud cases.
- Onboarding pipelines must tighten. Weak Tier-1 KYC and inconsistent NIN verification will become cost centres.
- Fraud teams will need deeper technical capacity. Behavioural analytics and real-time monitoring are no longer optional.
- Consumer-protection infrastructure must scale. Complaint channels must operate 24/7, with vulnerable users treated under stricter care standards.
- Ecosystem coordination will accelerate. A fragmented approach will create legal, financial and supervisory risks.
- Boards must treat fraud as systemic risk. This moves fraud from operational firefighting to enterprise risk management.
These shifts will require technology upgrades, revised internal processes, and new levels of regulatory engagement.
Looking towards the future
Nigeria is moving closer to global norms. The UK’s Payment Systems Regulator is introducing mandatory APP fraud refunds in 2024. Brazil’s PIX rail now uses centralised fraud databases. India’s UPI ecosystem has tightened liability frameworks around social engineering.
The CBN’s draft guidelines follow this international pattern: shared liability, data-driven detection, and faster consumer redress.
If the final guidelines maintain their current structure, Nigeria’s payment system will enter a new phase—one where fraud risk is treated as a collective responsibility and where the cost of weak internal controls will become increasingly difficult to externalise.