So someone has handed you a document — CBN Circular BSD/DIR/PUB/LAB/019/002 — and told you to “sort out compliance.” Maybe it came with a deadline. Maybe it came without much context. Either way, it is now your problem, and you need to understand what it actually requires before you can do anything useful with it.
This guide is written for you, not for the lawyers or the compliance specialists. It explains what the CBN wants, why it matters, what you need to do first, and how to run the meeting that turns a circular into an actual plan.
What you’ve actually been handed#
In March 2026, the Central Bank of Nigeria issued a directive that says, in plain terms: every bank and financial institution in Nigeria must replace manual AML compliance processes with automated technology — and do it on a fixed timeline.
AML stands for Anti-Money Laundering. Your institution has obligations around detecting suspicious transactions, screening customers against watchlists, and reporting to the regulator. Right now, there is a reasonable chance that some or all of this is being done manually — spreadsheets, periodic reviews, staff checking names by hand. The CBN has decided that is no longer acceptable.
The circular sets out exactly what an automated system must be able to do. It also sets out who is accountable if it does not happen. And it gives you a deadline that is already close.
The deadline that matters right now#
There are two deadlines in the circular. Most people focus on the wrong one.
The big deadline — full technical compliance — is 18 months away for deposit money banks and 24 months for everyone else. That feels manageable. It is not the urgent one.
The urgent deadline is 10 June 2026. By that date, your institution must submit a Board-approved Implementation Roadmap to the CBN. This is a document that says: here is our plan, here are our phases, here is our timeline, here is who is responsible, and the Board has signed it off.
You do not need a finished system by June. You need a credible plan — and you need the Board to have formally approved it.
If you miss the June deadline, you are in regulatory difficulty before the main clock has even started. That is the thing your CEO needs to understand.
What the CBN is actually asking for#
Before you can write a roadmap, you need to understand the four things the CBN says any automated AML system must be able to do. You do not need to be a compliance expert to grasp them — they are genuinely logical once explained.
1. It must react in real time, not in batches#
The old way: every week or month, someone runs a report, checks a list, and flags anything suspicious. The problem is that a lot can happen in a week. Money can move. A customer can be added to a sanctions list. A transaction can complete that should have been stopped.
The CBN calls what it now requires Event-Driven Monitoring. When something happens — a large transfer, a customer appearing on a watchlist — the system must react immediately, not at the next scheduled review. Think of it like a smoke alarm versus a weekly inspection. The CBN wants smoke alarms.
2. The system must be able to explain itself#
The CBN has specifically said: no black box AI. If the system flags a customer or a transaction, your compliance team must be able to tell the regulator exactly why — which rule was triggered, what data caused it, what threshold was crossed. “The algorithm said so” is not an acceptable answer.
When you are evaluating technology vendors, this is a question worth asking directly: Can you show me exactly why your system would flag a specific transaction, in a way I could explain to a CBN examiner?
3. It must handle Nigerian names properly#
This is a practical point that gets overlooked. If someone whose name appears on a sanctions list has their name entered slightly differently in your database — a different spelling, a missing middle name, a transliteration variation — a basic system will miss the match. The CBN requires what is called fuzzy matching: the ability to catch close variations, not just exact duplicates.
If your institution processes customers from across Nigeria and the diaspora, name variation is not an edge case. It is routine.
4. It must screen against the right lists, every day#
The system must check customers against global sanctions lists — UN, OFAC (US), UK, EU — as well as domestic Nigerian watchlists and databases of Politically Exposed Persons (PEPs). And this cannot be a one-time check at onboarding. If a customer who was clean yesterday appears on a list today, the system must catch that automatically. Daily synchronisation with updated lists is a requirement, not a nice-to-have.
The three phases — and what “done” looks like in each one#
The CBN has structured the programme into three phases. Your roadmap needs to address all three.
Phase 1: Months 1–3 — Understand where you are and commit to a plan#
This is what you are doing right now. The output of Phase 1 is the document you submit to the CBN on June 10.
Done looks like: A gap analysis that honestly compares where you are today against the four requirements above. A shortlist of potential technology vendors. A budget that the CFO has signed off on. A timeline for Phases 2 and 3. A document that the Board has formally reviewed and approved.
Phase 1 does not require you to have selected a system or written a single line of code. It requires you to have a credible, honest plan.
Phase 2: Months 4–12 — Build it#
Select your vendor. Sign the contract. Connect the AML system to your Core Banking System (this is the technical integration that your CTO owns — more on that below). Configure the system for your institution’s specific risk profile. Train your staff.
Done looks like: A live system that is technically integrated, configured, and your compliance team knows how to use.
Phase 3: Months 13–24 — Prove it works#
The CBN requires what it calls shadow running — a period where you operate the new automated system and your old manual processes simultaneously, comparing outputs. The purpose is to verify that the new system is catching what the old one would have caught, and not generating so many false alarms that your compliance team cannot function.
Done looks like: Documented evidence that the automated system performs accurately, signed off by Internal Audit, with the old manual processes formally decommissioned.
The people you need, and what you need from each of them#
This is where projects like this stall. Everyone agrees it needs to happen. Nobody quite agrees who is responsible for what.
The Board needs to formally set the institution’s risk appetite and sign the Implementation Roadmap. If they have not discussed this directive at Board level, that conversation needs to happen before June. This is not optional — the CBN holds the Board legally accountable for compliance failures.
The CEO needs to approve the budget. The circular is explicit that cost is not a defence against non-compliance. The CEO needs to understand that the CapEx required here is not discretionary.
The CTO or Head of IT is the person who owns the hardest part: connecting the AML system to your Core Banking System via API. This is a genuine technical project, and it cannot be run by the compliance function. The CTO needs to assess what your current CBS can support and what the integration timeline looks like — and they need to do this in Phase 1, not Phase 2.
The MLRO (Money Laundering Reporting Officer) or Chief Compliance Officer understands the regulatory requirements better than anyone else in the room. They own the gap analysis and the day-to-day operation of the new system. They also need to be able to explain model outputs to a CBN examiner — which means they need to understand the technology, not just the regulation.
Internal Audit must independently verify that the system works. They are not part of the implementation team, but they need to be briefed early so they know what they will be reviewing.
Your first meeting: a practical agenda#
This is the meeting that turns the circular into a project. Keep it to 90 minutes. Exit with owners and dates, not further questions.
Who to invite: CEO, CTO, MLRO/CCO, CFO, Head of Internal Audit, and a Board representative — ideally the Chairman or Risk Committee Chair.
Before the meeting, ask the MLRO to prepare a one-page summary of the circular and a rough sense of where the institution is today. Ask the CTO to come with a view on what the Core Banking System integration would involve. Ask the CFO to have a preliminary sense of what budget might be available.
| Agenda Item | Time | What you need to leave with |
|---|---|---|
| 1. What are we actually required to do? | 15 min | Everyone in the room shares the same understanding of the circular. MLRO presents. Questions answered. No ambiguity about what is required or when. |
| 2. Where are we today? | 20 min | An honest assessment of the gap. Not a formal gap analysis — that comes later — but enough of a picture to know how far you have to travel. MLRO and CTO present jointly. |
| 3. What is our risk appetite? | 15 min | A documented Board position on AML/CFT risk tolerance. This is a legal requirement under the circular. The Board rep leads this item. It does not need to be a long discussion — but it needs to happen and be written down. |
| 4. Who owns what? | 20 min | A named owner and a deadline for every Phase 1 workstream: gap analysis, CBS integration assessment, data residency review, vendor longlist, budget proposal, roadmap draft. Every item has a person's name next to it before you leave the room. |
| 5. What budget are we working with? | 10 min | A committed or indicative CapEx figure from the CEO. Without a number, Phase 2 vendor selection cannot proceed. This does not have to be a final Board approval — but it needs to be more than "we'll look into it." |
| 6. When do we meet next? | 5 min | A date in the diary — ideally four weeks from now. Same attendees. Progress against workstream owners reviewed. Recommend weekly or fortnightly from that point until June 10. |
Where projects like this stall#
These are the most common reasons CBN compliance projects run late. They are all avoidable if you see them coming.
“IT says they can’t integrate that.” The CBS integration is the technical backbone of the whole project, and it is often the first thing to get stuck. The CTO needs to be in the room early — not brought in at Phase 2 when the vendor has already been selected. If your CBS cannot support a modern API integration without significant work, that is a Phase 1 finding that shapes the entire vendor conversation.
“We don’t have budget for that.” The CBN is explicit: cost is not a defence. If the CEO has not seen the circular and does not understand that non-compliance carries penalties, enforcement action, and reputational risk, they need that context before the budget conversation happens.
“Legal needs to review this first.” Legal review is part of the process, particularly on data residency and vendor contracts. It should not be a blocker to the Phase 1 work that does not require legal sign-off. Keep the gap analysis and the vendor longlist moving while Legal is engaged on the NDPA questions.
“The MLRO is handling it.” The MLRO owns the compliance expertise. But the technical integration (CTO), the budget (CFO/CEO), and the Board sign-off require people who sit outside the compliance function. If this project lives only in the compliance department, it will not move fast enough.
Why Anqa Compliance is built for this#
When you get to vendor selection, every platform in the room will tell you it meets the CBN standards. Here is how Anqa actually answers the questions that matter.
“Can you show me exactly why your system flagged that?” Yes — every alert Anqa generates carries a full audit trail: the specific rule triggered, the threshold crossed, and the data that caused it. Your MLRO can explain any alert to a CBN examiner in plain language. There is no black box.
“How does it connect to our Core Banking System?” Anqa integrates with your CBS via API, and we have done this before with institutions across Nigeria and Africa. When your CTO asks what the integration looks like in practice, we can show them — not describe it in theory.
“How current are your sanctions lists?” Lists are updated daily. The moment a name is added to the UN, OFAC, UK, or EU consolidated lists — or to domestic Nigerian watchlists — it is live in your system. Automated rescreening means customers are checked against the current list at all times, not just at the point of onboarding.
“Can it handle Nigerian names?” Anqa’s fuzzy matching is designed for the naming conventions of African and emerging markets — catching spelling variations, transliterations, and partial matches that an exact-match system would miss. This is not an afterthought; it is a core part of how the screening engine works.
“What does Shadow Running look like?” We have structured onboarding processes that support the parallel-running period the CBN requires in Phase 3. Your compliance team will have documented evidence of system accuracy before the old processes are switched off.
“What does it cost, and what happens when we grow?” Anqa is priced on customer volume, which means you start at a cost that reflects where you are today — not where a large bank is. As your customer base grows, the platform scales with it. There is no enterprise pricing that puts proper compliance out of reach for a microfinance institution or a mid-size bank.
If you want to see any of this in practice rather than on a page, talk to our Nigeria team.
The bottom line#
You have been given a regulatory mandate with a near-term deadline, a cast of stakeholders who all have other priorities, and a technical requirement that touches IT, finance, compliance, and the Board simultaneously.
That is a genuinely difficult project to run. But it is not complicated. The circular tells you exactly what is required. The June 10 deadline tells you when Phase 1 must be done. The stakeholder map is clear. The technology exists.
What this project needs is a project manager who understands what they are managing — and can keep the right people moving in the same direction.
That is what this guide was written to help you do.