CBN AML Baseline · Gap Assessment & Implementation Guide

Contact Information

Institution Name *

Your Full Name *

Work Email *

Your gap assessment report will be sent here. Work email required

Your Role

Institution Type

Your institution type determines your compliance deadline. Deposit Money Banks have 18 months from March 10, 2026. All other regulated financial institutions have 24 months.

Deposit Money Bank (Commercial, Merchant, or Non-Interest Bank)

18-month deadline · Full compliance by September 2027

18 months

Microfinance Bank (Unit, State, or National)

24-month deadline · Full compliance by March 2028

24 months

Payment Service Provider (Switching, Gateway, Processor)

24-month deadline

24 months

International Money Transfer Operator

24-month deadline · Cross-border remittance services

24 months

Mobile Money Operator

24-month deadline · Mobile wallet and payment services

24 months

Finance Company / Development Finance Institution

24-month deadline

24 months

Primary Mortgage Institution / Mortgage Bank

24-month deadline

24 months

Other CBN-Regulated Institution

24-month deadline · Bureau de change, representative office, etc.

24 months

Compliance Deadline

18 months Deposit Money Banks

Full compliance by September 10, 2027 · Roadmap to CBN by June 10, 2026

24 months Other Financial Institutions

Full compliance by March 10, 2028 · Roadmap to CBN by June 10, 2026

All institutions must submit an implementation roadmap to the CBN Compliance Department by June 10, 2026 — regardless of their compliance deadline.

Proportionality principle: The CBN calibrates the depth of required implementation to your institution's scale and complexity. Your gap assessment will reflect what adequate compliance looks like for your specific institution.

Transaction Volume

Under 1,000 transactions / day

Small unit MFBs, niche finance companies, or limited-operation PSPs

1,000 – 50,000 transactions / day

Mid-tier MFBs, smaller commercial banks, growing PSPs

50,000 – 500,000 transactions / day

Large commercial banks, mid-tier mobile money operators, high-volume PSPs

Over 500,000 transactions / day

Tier-1 commercial banks, national mobile money operators, major switching companies

Customer Base

Under 10,000 customers

10,000 – 100,000 customers

100,000 – 500,000 customers

Over 500,000 customers

CBN Risk Classification

Low Risk

Limited product range, modest volumes, low-risk customer profile.

Medium Risk

Standard product mix, moderate volumes, typical institutional profile.

High / Above Average Risk

CBN has classified your institution or sector as high or above average. Additional mandatory requirements apply — including a unified financial crime architecture roadmap.

Not yet formally assessed

Your assessment will apply medium risk assumptions and flag areas that require formal classification.

Geographic Footprint & Group Structure

Geographic Footprint *

Single state / limited branches

Multiple states across Nigeria

Cross-border / international operations

Group Structure *

Standalone — not part of a group

Subsidiary of a holding company

Group holding company with subsidiaries

Shared services arrangement (CBN-approved)

Your product mix and channels determine which monitoring scenarios and typologies the CBN expects to see in your AML solution. Each selection directly maps to requirements in Sections 5.5 and 5.6 of the standard.

Products & Services Offered

Delivery Channels

Your gap assessment is only useful if it reflects where you actually are. The more precisely you describe your current state, the more accurate each gap row in your report will be.

Overall AML System Status *

No automated AML system in place

All monitoring is manual or spreadsheet-based. Every technology requirement will be assessed as a full gap.

Manual processes with some rule-based spreadsheet tools

No dedicated AML software platform. Every technology requirement will be assessed as a full gap.

Automated system in place — covers some CBN requirements

A vendor solution exists but does not cover all 62 requirements. Select which functions are covered below.

Full automated AML solution deployed

A comprehensive platform is in operation. Select which functions are confirmed to meet the CBN standard below.

Select the AML functions your current system covers. Each function maps directly to a CBN section — unselected functions will be assessed as gaps in the report.

Customer risk scoring and CDD/EDD automation 5.2(a)

Sanctions and watchlist screening 5.3(a)

PEP identification and adverse media monitoring 5.3(a)(vi-vii)

Transaction monitoring and alert generation 5.5(a)

Fraud monitoring across cards and e-channels 5.6(a)

Case management with maker-checker workflow 5.7(a)

Automated STR / SAR / CTR / FTR generation 5.8(a)

Tamper-proof audit trail and governance logs 5.9(a)

AI / Machine Learning Usage

AI/ML usage triggers mandatory annual independent model validation under CBN 5.5(b)(i), AI governance aligned to ISO 42001 under Section 6(d), and explainability requirements under 5.4(a)(iv). These will appear as institution obligations in your gap assessment.

Yes — AI / ML in use or planned

Anomaly detection, behavioural scoring, or adaptive rules

No — rules-based only

Fixed threshold rules, no adaptive learning

Automated Alert Closure

CBN 5.5(b)(vii) permits automated alert closure only under strict conditions — eligibility criteria, back-testing, CBN notification, and annual audit review. If you use this, it will appear as a mandatory institution obligation in your report.

Yes — automated closure in use or planned

No — all alerts reviewed manually

Each risk factor below activates specific CBN requirements. Selected factors will be flagged as heightened requirements in the relevant sections of your gap assessment.

Select all that apply to your institution

You onboard or serve Politically Exposed Persons (PEPs), their family members, or close associates

Heightened requirement — CBN 5.3(a)(vi) Activates enhanced EDD and mandatory PEP register cross-referencing

You process material volumes of cross-border or foreign currency transactions

Heightened requirement — CBN 5.3(a)(i) Activates enhanced sanctions screening scope and SWIFT/correspondent banking monitoring

You have exposure to virtual assets, cryptocurrency, or blockchain-based payment services

Full standard applies Monitoring scenarios must cover crypto-specific ML/TF typologies

You operate a third-party agent banking or distribution network

High-risk channel Agent-specific fraud and AML monitoring scenarios required

You issue or process card products — debit, credit, or prepaid

Mandatory — CBN 5.6(a)(i) Real-time or near-real-time fraud monitoring required for card and electronic channels

Your institution has experienced material fraud losses or operates in a high-fraud-risk subsector

Mandatory — CBN 5.6(b)(i) Unified financial crime risk architecture roadmap required

Governance gaps often carry higher examination risk than technology gaps. Each item below maps to a specific CBN obligation. Tick only what genuinely exists and is current — your report will flag missing items as institution action required.

Leadership & Policy

Formally designated MLRO or CCO with documented AML responsibility 5.9(b)(i)

Ownership of the AML solution governance framework must be formally assigned

Board-approved AML/CFT/CPF policy currently in effect 5.9(b)(i)

Must be updated to reference the CBN Baseline Standards (March 2026) by name

AML System Governance

Documented AML solution governance framework covering ownership, configuration authority, change management, access rights, and incident handling 5.9(b)(i)

Required before go-live; must be reviewed and updated when the system changes

Formal change control process for AML system configuration changes — including rule amendments, threshold updates, and model parameter changes 5.9(b)(ii)

All configuration changes must be authorised, logged, and reviewed

Model governance committee or documented change-control process specifically for AI/ML components of the AML solution 5.5(b)(v)

Required if AI/ML is or will be in use; committee must approve automated actions

Documented alert review SLAs for high-risk alerts — setting maximum review and disposition times, approved by senior management 5.5(b)(vi)

SLAs must be formally documented and signed off — not just informal practice

Data & Vendor Management

Vendor / Third-Party Management Policy covering AML solution procurement, implementation, incident handling, and exit 6(a)

Specifically required under CBN Section 6(a) — without it, you have a documented gap

Documented data retention and destruction policy for AML/CFT data with retention periods aligned to CBN requirements 5.11(b)

Must specify retention periods and destruction procedures for all AML data categories

Integration with BVN and/or NIN for customer identity corroboration at onboarding 5.2(b)(i)

BVN/NIN is an identity corroboration tool — not standalone verification. Must be integrated where available.

Training & Audit

AML team training programme with documented completion records — covering system usage, typologies, and regulatory developments 5.9(b)(iv)

Training must be documented and evidence retained; informal training is not sufficient

Internal Audit Coverage of AML

Not currently covered

Annually

Twice a year

Quarterly

CBN 5.9(b)(iii) requires periodic independent internal audit of the AML solution. Quarterly coverage meets the standard; annual coverage is the minimum.

Additional Context

Anything else relevant to your gap assessment? (Optional)

Recent CBN examination findings, management letter findings, planned migrations, pending applications, fraud history, or specific areas of concern — all of this makes your gap assessment more precise.

Ready to generate. Your gap assessment report will map every CBN requirement to your current position and describe exactly how Regfyl closes each identified gap — emailed within 15 minutes.

Your Gap Assessment Will Include

An executive summary with your compliance priorities, key dates, and a gap summary calibrated to your current AML status and risk classification

A requirement-by-requirement gap table for all 62 CBN AML solution requirements — showing the current gap for your institution and how Regfyl closes it

Your ~30 institution obligations — governance framework, training, change control, model validation, and notification requirements — mapped to specific CBN references

Mandatory requirements flagged explicitly — unified architecture, standalone feed prohibition, AI/ML model validation, and automated closure obligations where applicable

A vendor contract checklist showing how Regfyl's standard service agreement satisfies CBN Section 6 third-party management requirements

A phased implementation roadmap calibrated to your compliance deadline and current AML status, with Regfyl's role at each phase

A CBN examination evidence table showing what you need to be able to produce at examination and how Regfyl generates it

A programme sign-off record ready for your compliance file and CBN roadmap submission due June 10, 2026

By submitting, you confirm the information provided is accurate to the best of your knowledge. This gap assessment does not constitute legal advice. Review with your legal and compliance advisers before submission to the CBN.

CBN Automated AML Baseline StandardsYour Bespoke Gap Assessment

CBN Automated AML Baseline Standards
Your Bespoke Gap Assessment