The CBN issued a sweeping directive forcing Nigerian banks and fintechs to end offshore data processing and migrate to domestic servers by 2027.
In a sweeping regulatory move aimed at anchoring digital financial sovereignty and strengthening national security, the Central Bank of Nigeria (CBN) has issued an absolute mandate prohibiting the offshore processing and storage of domestic financial information. Officially contained in a comprehensive policy circular released by the apex bank’s Payments System Supervision Department on Monday, June 15, 2026, the new directive orders all commercial banks, microfinance institutions, mobile money operators, and financial technology firms to migrate their infrastructure. According to Technext, under the new guidelines, all payment transaction data generated within national borders must be stored and processed strictly on servers physically located inside the country, bringing a definitive end to the unhindered use of foreign cloud systems.
The infrastructure migration directive targets Nigeria’s entire financial services matrix, which currently stands as Africa’s largest and most technologically dynamic digital payment market. Signed by Rakiya Yusuf, the Director of the Payments System Supervision Department, the statutory order applies to all licensed switching companies, payment terminal service providers (PTSPs), payment solution service providers (PSSPs), and super agents. BusinessDay reports that to avoid catastrophic disruptions to live payment rails, the CBN has provided a structured transitional window, giving financial institutions until December 31, 2026, to achieve full compliance before the absolute data localization framework officially becomes law on January 1, 2027.
The underlying reason driving the apex bank to enforce this strict domestic data boundary is twofold: establishing a bulletproof system oversight and shielding local financial assets from international legal or geopolitical vulnerabilities. For years, Nigerian banks and fast-growing fintech startups have relied heavily on foreign cloud providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, hosting critical consumer databases on offshore servers located across Europe and North America. The CBN explained that this massive outward flow of transactional data creates significant structural risks, making it difficult for local regulators to conduct immediate forensic audits or monitor transaction logs in real time. By forcing local data residency, the CBN ensures that sensitive data remains fully protected under the Nigeria Data Protection Act (NDPA) 2023, while preventing foreign entities from gaining unilateral control over Nigeria’s digital economy.
Furthermore, this localization rule is part of a broader regulatory cleanup aimed at fixing market imbalances and tracking the true structures of corporate influence. Alongside the data residency mandate, the June 15 circular introduces strict market share caps to prevent a handful of massive, dominant players from monopolizing the fast-growing payments industry. For example, any institution controlling more than 25 percent of the card-issuing market is now strictly barred from holding more than 15 percent of the merchant acquiring segment within the same 12-month window. To further combat systemic fraud and close transparency gaps, the central bank has mandated that all deposit money banks and payment services reveal the Ultimate Beneficial Ownership (UBO) of all significant shareholders, ensuring that hidden corporate syndicates can no longer operate behind complex shell networks.
