The Central Bank of Nigeria (CBN) has published draft guidelines that could require banks and other financial institutions to refund victims of Authorised Push Payment (APP) fraud within 48 hours after investigations are concluded.
The document, released on November 26, 2025, marks one of the strongest consumer-protection measures introduced by the apex bank in response to rising social-engineering scams and payment-manipulation cases across the financial system.
According to the draft, financial institutions will now be required to complete investigations into reported APP fraud cases within 14 working days.
Once the investigation is finalised and the customer is deemed eligible, the bank must issue reimbursement within 48 hours. The CBN added that institutions that fail to detect suspicious account activity or freeze fraudulent proceeds will be liable for the full exposure.
The framework highlights that APP fraud differs from account compromise because victims are convinced or manipulated into authorising the transfer themselves. These scams usually rely on impersonation, deception, emotional pressure, or fake investment offers—forms of fraud that have become more difficult to prevent as digital payments grow.
The CBN said the draft is aimed at strengthening trust in Nigeria’s digital-payments ecosystem, where instant transfers dominate retail transactions. Comments on the draft guidelines are expected within three weeks before final rules are issued.
CBN strengthens investigations and boosts bank accountability
The draft introduces extensive governance requirements for banks, mandating their boards to approve new fraud-risk policies and oversee all aspects of APP-fraud prevention, detection, escalation, investigation, and post-incident review.
The rules require institutions to maintain Early Warning Systems capable of identifying high-risk transactions based on behavioural patterns, unusual inflows and outflows, repeated fraud complaints, previously flagged accounts, and market-intelligence indicators.
Banks will also be required to establish dedicated fraud analytics units to document red-flag triggers, strengthen internal controls, and update detection frameworks regularly.
In multi-bank cases, the originating institution must begin investigation immediately and notify other institutions involved within 30 minutes of receiving the complaint.
The apex bank has also strengthened its escalation protocol. Where institutions do not reach a conclusion within the 14-day investigation period, the case will be transferred to the CBN’s Consumer Protection and Financial Inclusion Department, which will issue a binding decision.
Any institution that fails to freeze fraudulent proceeds, or whose weak internal systems enable such funds to pass through, will bear the full financial liability.
The guidelines further mandate full transparency in communicating investigation outcomes to customers, including reasons for denial of reimbursement. Detailed records must also be maintained and submitted to the CBN every quarter, alongside evidence of financial literacy and fraud-awareness campaigns.
Eligibility rules and mandatory 72-hour reporting
The CBN outlined strict conditions for determining whether a customer qualifies for reimbursement. A victim is eligible where they authorised the transaction under false pretences and had no reasonable cause to suspect fraud. The customer must report the incident within 72 hours and cooperate fully with the investigation. The draft also states that there must be no evidence of negligence, collusion, or criminal intent by the customer.
However, the guidelines allow flexibility for delayed reporting in cases such as illness, force majeure, security concerns, or demonstrable unavailability of reporting channels.
Banks are required to offer 24/7 reporting platforms, including hotlines, email, mobile apps, USSD channels and in-branch reporting stations.
The draft also clarifies cost-sharing rules. Where neither the sending nor receiving bank is at fault, but the customer qualifies for reimbursement, both institutions must split the reimbursement amount equally. All data handling throughout the investigation must comply with the Nigeria Data Protection Act 2023.
The CBN also emphasised the need for consumer awareness. Banks will be required to carry out quarterly fraud-education campaigns across multiple languages and platforms, as APP fraud relies heavily on deception rather than system compromise.
