Compliance7 min read

CBN Data Localisation 2027: What Nigerian Banks and Fintechs Need to Do Now

The Central Bank of Nigeria has directed every bank, fintech, and payment service provider to store transaction data on local servers by January 1, 2027. Here is what the directive says, who it covers, and what a compliant infrastructure path looks like.

On June 15, 2026, the Central Bank of Nigeria issued a circular that will reshape how every licensed financial institution in Nigeria thinks about its infrastructure. The directive is direct: all payment transaction data generated within Nigeria must be stored and managed on local servers. The deadline is January 1, 2027.

This is not a recommendation. It is an enforceable regulatory requirement, and the CBN has been explicit that it will monitor compliance and impose sanctions where necessary.

Who This Directive Covers

The circular, signed by Rakiya Yusuf, Director of the Payments System Supervision Department, was addressed to a comprehensive list of regulated entities:

  • Deposit money banks
  • Microfinance banks
  • Mobile money operators
  • Switching and processing companies
  • Payment terminal service providers
  • Payment solution service providers
  • Super agents
  • All other licensed operators in the payments ecosystem

In practice, this means every institution that touches a Nigerian payment transaction — from the largest commercial banks to the smallest mobile money agent network operators and licensed fintechs. If you hold a CBN licence and facilitate payments within Nigeria, this directive applies to you.

What the Directive Actually Requires

The circular's language on data localisation is unambiguous:

"All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payments transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria."

"All affected Financial Institutions shall fully comply with this requirement effective January 1, 2027."

The directive covers payment transaction data — the records of electronic transactions processed within Nigeria. This includes data generated through mobile banking platforms, digital wallets, payment gateways, card transactions, and other financial technology channels.

Institutions currently routing this data through foreign cloud infrastructure — AWS, Microsoft Azure, Google Cloud, or any other offshore platform — are operating in a way that will be non-compliant from January 1, 2027.

Why the CBN Is Doing This Now

The circular is explicit about the CBN's reasoning. Nigeria's digital payments market has expanded rapidly, with electronic transactions reaching record levels and the number of operators with significant market presence growing substantially. That growth has brought benefits — innovation, efficiency, financial inclusion — but also created risks that the regulator is now moving to address.

The CBN cited four specific concerns driving these reforms: market concentration, operational dependence, ownership transparency, and the storage of critical payments data. The data localisation requirement directly addresses the last of these — ensuring that sensitive payment information remains within Nigerian jurisdiction, under Nigerian regulatory oversight, and is not dependent on foreign infrastructure that the CBN cannot directly supervise.

The directive also sits within a broader global trend. Regulators across Africa and worldwide are increasingly requiring that critical financial data remain within national borders. Ghana moved first in West Africa with its Cyber and Information Security Directive in March 2026, which requires all core banking systems and critical customer data to remain within Ghana. Nigeria's CBN has now followed with its own enforceable localisation requirement for payment data specifically.

Beyond Data Localisation: The Full Circular

While data localisation is the most infrastructure-significant requirement, the June 15 circular introduced three additional sets of requirements that affected institutions should be aware of.

Market structure and concentration limits. The CBN introduced caps on market dominance in the payments industry. Any institution with more than 25% of the card-issuing market in a rolling 12-month period cannot hold more than 15% of the merchant-acquiring market in the same period, and vice versa. Affected institutions must submit monthly market share returns and achieve full compliance with these market structure requirements by December 31, 2026 — one day before the data localisation requirement takes effect.

Beneficial ownership disclosure. All financial institutions and payment operators must maintain accurate records of ultimate beneficial owners and make this information available to the CBN upon request. The disclosure requirement must comply with existing anti-money laundering, counter-terrorism financing, and counter-proliferation financing regulations.

Systemic oversight measures. The CBN introduced broader monitoring and oversight frameworks for payment operators, particularly those with significant market presence, reflecting concerns about operational dependence and systemic risk in the payments ecosystem.

The Infrastructure Problem This Creates

For Nigerian financial institutions, the data localisation requirement creates a concrete infrastructure challenge that needs a concrete infrastructure response.

Institutions on foreign public cloud face the most immediate compliance gap. AWS, Microsoft Azure, and Google Cloud do not operate data centres in Nigeria. Payment transaction data currently processed and stored on these platforms will be non-compliant from January 1, 2027. With six months to the deadline, migration planning needs to begin immediately — not because migration itself takes six months, but because proper assessment, design, procurement, and validation do.

Institutions on legacy on-premise infrastructure may be locally resident by default, but the CBN's broader direction on operational resilience, cybersecurity, and oversight means that simply having servers in Nigeria is not sufficient. Those servers need to be properly secured, monitored, and documented — and many legacy environments cannot demonstrate this adequately.

Institutions with mixed or fragmented infrastructure — some systems on foreign cloud, others on ageing on-premise hardware — face the most complex compliance picture. A clear inventory of what data sits where is the essential first step before any migration decision can be made responsibly.

The Naira Dimension

The compliance pressure arrives alongside a financial reality that has been shaping Nigerian fintech infrastructure decisions for several years. Nigerian fintechs earning in Naira but paying cloud bills in US Dollars have faced significant cost exposure as the Naira has depreciated over time. The dollar-denominated cost of foreign cloud infrastructure has grown substantially in Naira terms independent of actual usage changes.

Local infrastructure — owned by the institution, operated by locally-based engineers — eliminates this recurring foreign currency exposure. The hardware purchase has a dollar cost at the point of procurement, but once in place, ongoing operational costs are largely denominated in local currency. For a Nigerian fintech, the compliance requirement and the financial logic now point in the same direction.

What a Compliant Path Looks Like

Meeting the CBN's data localisation requirement means more than physically moving servers to Nigeria. It means building an infrastructure environment that can demonstrate proper operational controls to a regulator — monitoring, incident response, documented access policies, security controls, and audit-ready records.

A private cloud deployment on the institution's own hardware, located within Nigeria, addresses the core requirement directly:

Data residency — all payment transaction data is processed and stored on hardware physically located in Nigeria. The institution can demonstrate to the CBN exactly where its data resides because it has never left the country.

Operational controls — a properly deployed private cloud includes continuous monitoring, automated alerting, documented incident response procedures, and regular reporting. These are the evidence artefacts that a compliance review requires.

Audit readiness — access logs, configuration records, and operational history are under the institution's direct control, without dependency on a foreign cloud provider's audit export tools or data access processes.

No foreign cloud dependency — the infrastructure runs on open-source technology with no proprietary licensing that could be withdrawn, price-changed, or affected by the service decisions of a foreign provider.

The Timeline Is Tight

January 1, 2027 is six months away. For institutions currently on foreign cloud infrastructure, the practical steps are:

First, assess what data sits where. A complete inventory of payment transaction data — where it is processed, where it is stored, and what systems generate it — is the essential foundation for any migration decision.

Second, design the local infrastructure environment. This means determining whether to build on existing on-premise hardware, procure new equipment, or use Nigerian colocation facilities — and designing the private cloud architecture appropriate for the institution's workload profile.

Third, execute the migration without disrupting live payment processing. A live migration approach — replicating running systems to the new environment before cutover — minimises downtime risk for systems that cannot afford extended interruption.

Fourth, validate and document. Before decommissioning any foreign-hosted systems, confirm that the local environment is fully operational, monitored, and producing the audit documentation that ongoing compliance requires.

What SwiftInfra Does

SwiftInfra is a private cloud engineering company based in Accra, Ghana. We deploy and manage private cloud infrastructure on our clients' own hardware — compute, storage, networking, monitoring, and operational controls — for financial institutions that need to meet data residency requirements without building an internal platform engineering team from scratch.

We have direct experience with exactly this kind of regulatory-driven infrastructure transition. Ghana's CISD 2026 directive requires the same local infrastructure posture that the CBN is now mandating for Nigeria.

Articleswift-infra.com/blog/cisd-2026-data-residency
Bank of Ghana CISD 2026: What Financial Institutions Need to Know About Data Residency

We understand how to design, deploy, and operate environments that meet these requirements and can demonstrate compliance to a regulator.

For Nigerian banks and fintechs that need to be compliant by January 2027, the planning conversation needs to start now. We are ready to have it.

Talk to SwiftInfra →

References

  • Central Bank of Nigeria, Circular on Payment System Data Localisation, Market Structure and Systemic Oversight, June 15, 2026
  • Punch Newspapers, CBN orders banks, fintechs to store payment data locally, June 15, 2026 — punchng.com

SwiftInfra is a private cloud engineering company based in Accra, Ghana. We deploy and manage private cloud infrastructure for financial institutions, fintechs, and enterprises across West Africa. This article is provided for general informational purposes and does not constitute legal or compliance advice. Institutions should consult their legal and compliance teams regarding their specific obligations under the CBN directive. Photo Credit: Central Bank of Nigeria