Nigeria’s digital payments landscape has seen significant transformation over the past decade, with mobile banking, electronic transfers, and agent banking bringing millions into the formal financial system. These innovations have provided access to banking services for previously unbanked populations.

However, this expansion has also created new vulnerabilities. As digital payment channels have grown, so have the schemes designed to exploit them. Innovation in payments is only valuable when matched by the security that protects it.

The Central Bank of Nigeria (CBN), on March 12, 2025, issued a circular introducing new security standards for mobile banking applications, Bank Verification Numbers (BVN), and Point of Sale (POS) terminals. These measures are a direct response to escalating threats within Nigeria’s financial ecosystem.

A key measure is the 24-hour transaction limit of ₦20,000 for new device activations of banking apps. This applies to both incoming and outgoing transfers for newly opened accounts. For existing accounts on new devices, the restriction is limited to outgoing payments only.

This 24-hour cap is designed to create crucial breathing room, significantly reducing the window for fraudsters. It allows customers and banks time to detect suspicious activity before substantial financial damage occurs. This addresses a specific fraud pattern where criminals gain access to credentials and quickly drain accounts, often during weekends or after business hours.

The new restrictions on BVN-linked phone numbers aim to close another dangerous gap. Customers can now update their BVN phone number only once, and this process requires rigorous identity verification. The BVN is fundamental to identity verification in Nigerian banking, and fraudsters have exploited weaknesses in SIM registration and identity validation.

When fraudsters successfully change a customer’s BVN-linked number, they can intercept authentication messages and reset banking credentials, effectively gaining control of the account. These tighter rules reinforce the identity framework essential for the digital banking system, though they may introduce minor inconveniences for legitimate updates.

Furthermore, POS terminals are now required to be geo-tagged and restricted to a 10-meter radius of their registered location. This addresses challenges arising from the rapid proliferation of POS terminals and agent banking, which have expanded financial inclusion, especially in rural areas.

Previously, oversight gaps allowed some terminals to operate in unregistered locations or facilitate activities unrelated to legitimate merchant services. Criminal networks have exploited these gaps, and the new geo-tagging requirement aims to bring greater transparency and control to POS operations.