The Central Bank of Nigeria (CBN) has published draft guidelines that could require banks and other financial institutions to refund victims of Authorised Push Payment (APP) fraud within 48 hours after investigations are concluded.
The document, released on November 26, 2025, marks one of the strongest consumer-protection measures introduced by the apex bank in response to rising social-engineering scams and payment-manipulation cases across the financial system.
According to the draft, financial institutions will nowĀ be requiredĀ to complete investigations into reported APP fraud cases within 14 working days.
Once the investigation isĀ finalisedĀ and the customer isĀ deemedĀ eligible, the bank must issue reimbursement withinĀ 48 hours. The CBN added that institutions thatĀ fail toĀ detect suspicious account activity or freeze fraudulent proceeds will be liable for the full exposure.
The framework highlights that APP fraud differs from account compromise because victims are convinced or manipulated intoĀ authorisingĀ the transfer themselves. TheseĀ scamsĀ usually rely on impersonation, deception, emotional pressure, or fake investment offersāforms of fraud that have become more difficult to prevent as digital payments grow.
The CBN said the draft is aimed at strengthening trust in Nigeriaās digital-payments ecosystem, where instant transfers dominate retail transactions. Comments on the draft guidelines are expected within three weeks before final rules are issued.
CBN strengthens investigations and boosts bank accountabilityĀ
The draft introduces extensive governance requirements for banks, mandating their boards to approve new fraud-risk policies and oversee all aspects of APP-fraud prevention, detection, escalation, investigation, and post-incident review.
The rules require institutions toĀ maintainĀ Early Warning Systems capable ofĀ identifyingĀ high-risk transactions based onĀ behaviouralĀ patterns, unusual inflows and outflows, repeated fraud complaints, previously flagged accounts, and market-intelligence indicators.
Banks will also be required to establish dedicated fraud analytics units to document red-flag triggers, strengthen internal controls, and update detection frameworks regularly.
In multi-bank cases, the originating institution must begin investigationĀ immediatelyĀ and notify other institutions involved within 30 minutes of receiving the complaint.
The apex bank has also strengthened its escalation protocol. Where institutions do not reach a conclusion within the 14-day investigation period, the case will be transferred to the CBNās Consumer Protection and Financial Inclusion Department, which will issue a binding decision.
Any institution thatĀ fails toĀ freeze fraudulent proceeds, or whose weak internal systems enable such funds to pass through, will bearĀ the fullĀ financial liability.
The guidelines further mandate full transparency in communicating investigation outcomes to customers, including reasons for denial of reimbursement. Detailed records must also be maintained and submitted to the CBN every quarter, alongside evidence of financial literacy and fraud-awareness campaigns.
Eligibility rules and mandatory 72-hour reportingĀ
The CBN outlined strict conditions forĀ determiningĀ whether a customer qualifies for reimbursement. A victim is eligible where theyĀ authorisedĀ the transaction under falseĀ pretencesĀ and had no reasonable cause to suspect fraud. The customer must report the incident withinĀ 72 hoursĀ and cooperate fully with the investigation. The draft alsoĀ statesĀ that there must be no evidence of negligence, collusion, or criminal intent by the customer.
However, the guidelines allow flexibility for delayed reporting in cases such as illness, force majeure, security concerns, or demonstrable unavailability of reporting channels.
BanksĀ are required toĀ offer 24/7 reporting platforms, including hotlines, email, mobile apps, USSD channels and in-branch reporting stations.
The draft also clarifies cost-sharing rules. Where neither the sending nor receiving bank is at fault, but the customer qualifies for reimbursement, both institutions must split the reimbursement amount equally. All data handling throughout the investigation mustĀ comply withĀ the Nigeria Data Protection Act 2023.
The CBN also emphasised the need for consumer awareness. Banks will be required to carry out quarterly fraud-education campaigns across multiple languages and platforms, as APP fraud relies heavily on deception rather than system compromise.
