CBN’S DATA LOCALISATION DIRECTIVE – COMPLIANCE CONSIDERATIONS FOR PAYMENT SYSTEM PARTICIPANTS
BY ADERONKE ALEX-ADEDIPE & PROMISE ITAH
Introduction
On June 15, 2026, the Central Bank of Nigeria (“CBN“) issued a Circular on Introduction of Market Structure Requirements, Data Localisation, Ultimate Beneficial Ownership Disclosure, and Systemic Oversight Measures in the Nigeria Payments System (the “Circular“). Among other regulatory reforms, the Circular introduces a significant data localisation requirement directing all financial institutions and participants facilitating payments within Nigeria—including banks, payment service providers, mobile money operators and other payment participants— (collectively “Payment System Participants”) to ensure that data generated in relation to payment transactions in Nigeria is stored and managed in Nigeria by January 1, 2027.
In this newsletter, we examine the scope of the CBN’s data localisation requirements, their interaction with existing data protection obligations, and some of the key legal, contractual and operational considerations which Payment System Participants should consider in preparation for compliance.
- Who does the Circular Apply to?
The Circular applies to payment transaction data generated through Nigeria’s payments system. Although the Circular does not define the term “payment transaction data”, it intuitively includes information generated in connection with a payment transaction, including the payer’s and beneficiary’s payment details, transaction amounts, payment references, authentication records, settlement and routing information, transaction logs and other related technical data required to process, verify or record a payment.The Circular also appears to frame the localisation requirement by reference to payment transaction data generated within Nigeria, rather than the location in which the business is principally domiciled. On this basis, therefore any Payment System Participant processing payment transaction data generated within Nigeria may be expected to comply with this requirement, regardless of their country of domicile.
- What are the Key Compliance Requirements?
a. Local Processing and Storage
Payment System Participants must ensure that payment transaction data is both stored and managed within Nigeria. This extends beyond maintaining a local copy of data and requires that the primary processing environment, databases, backups and operational control remain on infrastructure located within Nigeria.The requirement for payment transaction data to be “managed” in Nigeria may also have implications for administrative activities such as access management, database administration, encryption key management and audit logging, particularly where these functions are performed through offshore infrastructure or personnel.
b. Technology and Infrastructure
The Circular is likely to require many Payment System Participants to review their technology infrastructure, particularly where payment services rely on foreign cloud service providers or systems hosted outside Nigeria. Given the requirement for payment transaction data generated within Nigeria to be stored and managed locally, organisations should assess whether their existing technology architecture involves the storage, processing or replication of payment transaction data outside Nigeria. Areas that may require review include:
-
- cloud hosting arrangements and the location of servers;
- disaster recovery and backup systems;
- analytics and monitoring platforms that process payment data;
- testing and development environments that use live or production payment data; and
- third-party APIs and other technology integrations that may transfer payment data outside Nigeria.
Payment System Participants operating hybrid or multiple cloud environments should assess whether payment data is stored, replicated or processed outside Nigeria and, where necessary, implement appropriate technical or operational changes before the compliance deadline.
c. Vendor and Outsourcing Arrangements
Whilst it is commonplace for Payments System Participants to assign data processing and storage activities to third parties, the Circular does not appear to transfer the obligations from Payment System Participants to service providers in such instance. Accordingly, organisations should review their contractual arrangements with cloud service providers, payment processors, application programming interface (API) providers and other technology vendors to assess whether those arrangements support compliance with the localisation requirement. In particular, organisations should consider whether their contracts adequately address:
-
- the requirements for payment data to be stored and managed within Nigeria;
- restrictions on processing payment data outside Nigeria;
- rights to conduct audits and facilitate regulatory inspections;
- controls over the use of subcontractors that may have access to payment data;
- obligations to promptly notify the Payment System Participant of any data breaches or incidents; and
- termination rights where a vendor is unable to comply with the localisation requirements.
- How does the Circular Interact with the Nigeria Data Protection Act (NDPA)?
The Circular complements rather than replaces the NDPA. While the NDPA regulates the processing and international transfer of personal data through recognised transfer mechanisms and safeguards, the CBN Circular imposes an additional regulatory obligation applicable specifically to payment transaction data. Accordingly, compliance with the NDPA alone will not satisfy the CBN’s localisation requirements.
- Practical Compliance Steps
Pending any further guidance from the CBN, Payment System Participants should consider taking the following steps to prepare for implementation:
-
- conducting a comprehensive data mapping exercise to identify where payment data is stored, processed and transmitted;
- assessing existing cloud and infrastructure arrangements for localisation risks;
- reviewing third-party vendor relationships and contractual provisions;
- updating internal data governance, outsourcing and information security policies;
- establishing board and management oversight of the implementation programme; and
- maintaining adequate documentation to demonstrate compliance during regulatory inspections.
Conclusion
The CBN’s payment data localisation requirements represent a significant development in the regulation of Nigeria’s payments ecosystem. By requiring payment transaction data generated within Nigeria to be stored and managed in Nigeria, the Circular appears intended to strengthen regulatory oversight, enhance operational resilience and support the security of Nigeria’s payments infrastructure. For Payment System Participants, the immediate priority will be to assess whether existing technology infrastructure, data governance frameworks and third-party vendor arrangements are consistent with the new localisation requirement. Given the breadth of the obligation and the absence of detailed implementation guidance, organisations that begin assessing their compliance position ahead of the January 2027 implementation date will be better positioned to address any legal, operational or contractual gaps as further guidance emerges.


Leave a Reply
Want to join the discussion?Feel free to contribute!