The Central Bank of Nigeria has ordered every bank, fintech, mobile money operator, and payment service provider in the country to store and process locally generated payment transaction data on servers inside Nigeria by January 1, 2027. The directive, contained in a circular signed by Rakiya Yusuf, the CBN’s Director of Payments System Supervision, gives an industry that has spent the last decade building on foreign cloud infrastructure roughly eighteen months to relocate one of its most sensitive assets.
The circular does more than mandate data localisation. It also introduces new market structure rules, ultimate beneficial ownership disclosure requirements, and systemic oversight measures for payment participants, with a separate December 31, 2026 deadline for compliance with the market structure provisions. But it’s the data localisation clause that has sent Nigerian fintech executives scrambling, because it strikes directly at infrastructure decisions many companies made years ago on the assumption that offshore hosting would remain the default.
Who It Affects
The directive is addressed to deposit money banks, microfinance banks, mobile money operators, switching and processing companies, payment terminal service providers, payment solution service providers, and super agents — effectively every licensed entity that touches a Nigerian payment transaction. The CBN has framed the requirement narrowly around “payment transaction data,” which in practice covers transaction logs, payment receipts, account balance histories, card details, and the personal information tied to Nigerian bank accounts.
For CBN-licensed operators, compliance is mandatory and enforceable, and the regulator has warned it will impose supervisory sanctions where necessary. Unlicensed technology companies that merely facilitate payments without holding a CBN licence sit in murkier territory, but industry lawyers reviewing the circular say the practical reach extends well beyond the directly regulated entities, since any fintech built on top of a licensed partner’s rails inherits at least some of that partner’s compliance obligations. Nigeria’s payments sector processed over ₦1.07 quadrillion in electronic transactions in the past year, according to Nigeria Inter-Bank Settlement System data, which is the scale of activity the CBN is now insisting stays under direct domestic oversight. It’s a natural extension of the regulator’s recent posture, following the geo-tagging mandate that forced more than four million PoS terminals to register real-time GPS coordinates within sixty days.
The CBN’s official rationale centres on regulatory visibility, consumer protection, and reducing the operational risk of offshore data storage. The regulator said it had observed structural developments in the payments ecosystem — rapid growth, rising market concentration, and operators with substantial market presence — that made the existing arrangement, where critical financial data can sit on servers in the United States or Europe, incompatible with its supervisory mandate. For fintechs that rely on Amazon Web Services, Microsoft Azure, or Google Cloud for their primary infrastructure, the directive effectively forces a migration project most had not budgeted for this year.
Industry reaction has been a mix of resignation and cautious optimism. Ayotunde Coker, chief executive of Open Access Data Centres, said Nigeria’s data centre industry has spent years preparing for exactly this kind of demand signal, and argued the bigger constraint isn’t physical data centre capacity but the availability of local cloud computing and storage platforms comparable to what banks currently consume from global hyperscalers. That distinction matters: data centres provide the power, cooling, and physical security, while cloud platforms provide the actual computing services fintechs run on top of them. Several industry figures are pushing for global cloud providers to establish in-country regions on top of Nigerian data centre infrastructure, rather than forcing every bank to abandon the platforms they’ve already built around.
Historical Context and Regional Precedents
This isn’t Nigeria’s first attempt at data sovereignty. NITDA’s 2019 guidelines already required certain sovereign, government, and consumer data to be hosted locally unless specifically approved for offshore storage, and the Nigeria Data Protection Act 2023 mandates local processing of sensitive personal data more broadly — the same law underpinning the ₦7.2 billion in penalties Nigeria’s Data Protection Commission has collected from non-compliant companies since 2023. What’s new is the CBN applying that same sovereignty logic specifically to payments data, with a hard deadline and the threat of supervisory sanctions attached.
Nigeria isn’t acting in isolation. Data localisation requirements for financial and payments data have become increasingly common across emerging markets over the past five years, as regulators from India to Indonesia have pushed similar rules to keep critical financial infrastructure under domestic legal jurisdiction. What sets Nigeria’s approach apart is the scale of the compliance gap it’s asking the industry to close. Industry estimates put the country’s operational data centre count at roughly 21 facilities, with close to 90 percent of that capacity concentrated in Lagos — a footprint TechMoonshot has previously reported struggles to expand fast enough even before this mandate, largely because of Nigeria’s unreliable national power grid. Some analysts believe the country will eventually need well over 70 modern facilities to support a genuinely trillion-dollar digital economy. The CBN’s mandate creates the demand; it doesn’t create the electricity to run it.
The Enforcement Gap Nobody’s Talking About
The CBN’s circular is confident in tone and light on specifics about what happens when a mid-sized fintech simply can’t hit the January 2027 deadline. Migrating payment infrastructure isn’t a weekend project — it involves re-architecting systems built for years around foreign cloud regions, renegotiating vendor contracts, and in many cases accepting higher operating costs, since local cloud and storage pricing in Nigeria still often carries a premium over global hyperscaler rates. Smaller payment startups without the balance sheets of Flutterwave or Moniepoint are the ones most exposed to that cost gap, raising the risk that a policy meant to strengthen the payments ecosystem ends up consolidating it further, favouring incumbents who can absorb the migration expense over startups who can’t.
There’s also a question of what “stored and managed in Nigeria” actually means in an era of hybrid and multi-cloud architecture. Global cloud providers increasingly offer in-country regions that still route some backend processing, monitoring, or disaster recovery functions through infrastructure abroad. The CBN circular doesn’t yet spell out how granular its enforcement will get, or whether backup and redundancy systems hosted offshore for disaster-recovery purposes will be treated as a violation. Nigeria’s broader digital infrastructure buildout, including the finance ministry’s recent push to align satellite connectivity spending with its data-localisation ambitions through NIGCOMSAT, suggests the government understands the mandate is really an infrastructure strategy dressed up as a payments circular, not a standalone banking rule.
What comes next will depend on whether the CBN issues the kind of interpretive guidance NITDA eventually had to publish for its own 2019 rules, and on whether Nigeria’s data centre operators can scale fast enough to absorb genuine demand rather than merely announced demand. Eighteen months is not a long runway for an industry-wide infrastructure migration. Whether Nigeria’s payments sector treats that runway as an opportunity to build sovereign digital infrastructure, or as a compliance cost it quietly resents, will shape how the next phase of the country’s fintech growth gets built.