On June 15, 2026, the CBN’s Payments System Supervision Department issued circular PSS/DIR/PUB/CIR/001/004, signed by Director Rakiya O. Yusuf. It requires every financial institution facilitating payments in Nigeria — deposit money banks, microfinance banks, mobile money operators, switching companies, payment solution service providers, super agents — to ensure that payment transaction data generated within Nigeria is stored and managed within Nigeria. Full compliance deadline: January 1, 2027.
Six months. For institutions running transaction workloads on AWS us-east-1, Azure West Europe, or Google Cloud’s Frankfurt region, that clock is already uncomfortable.
The directive is legitimate, the sovereignty rationale is sound, and the direction of travel is right. But the gap between the policy intent and the operational reality of Nigerian digital infrastructure deserves a clear-eyed assessment — not panic, and not cheerleading.
What the Circular Actually Says
The core obligation in PSS/DIR/PUB/CIR/001/004 is precise: payment transaction data generated within Nigeria must be stored and managed in Nigeria, in accordance with applicable data protection laws and regulations — including the NDPA 2023.
The qualifier “and managed” matters. It closes off the interpretation that data can simply be replicated locally while remaining operationally processed offshore. Your primary workload must reside on domestic infrastructure.
The circular is one of three distinct policy instruments bundled in the same document:
- Data localisation — effective January 1, 2027
- Ultimate Beneficial Ownership (UBO) disclosure — all institutions with digital payment operations must maintain current UBO records and produce them to the CBN on request, in line with AML/CFT/CPF regulations
- Market structure / concentration limits — any institution controlling more than 25% of the card-issuing market cannot simultaneously hold more than 15% of the merchant-acquiring market; monthly reporting required; compliance by December 31, 2026
The UBO and market structure elements are material compliance obligations in their own right. But it is the data localisation clause that will dominate remediation timelines at most institutions.
The Infrastructure Reality: Progress, but Not Yet at Scale
Nigeria’s data centre sector is expanding — and the investment pipeline is real. As of mid-2026, the market is led by Rack Centre, Equinix (formerly MDXi/MainOne), Open Access Data Centres (OADC), Africa Data Centres, MTN’s Dabengwa facility, and newer entrants including Kasi Cloud’s 100MW hyperscale campus in Lekki. Together, the top four operators account for more than 70% of active IT power capacity in the country.
Recent additions have been meaningful: Rack Centre’s 12MW AI-ready LGS2 facility came online in March 2025, Equinix completed its LG2.3 Lagos expansion in April 2025, and Kasi Cloud’s first phase is now operational. Market forecasts put Nigerian data centre capacity growing from approximately 209MW in 2025 to 317MW by 2030.
On paper, the capacity narrative looks manageable. In practice, two structural constraints make the January 2027 deadline genuinely difficult.
Geographic concentration. More than 80% of Nigeria’s approximately 21-22 major data centre facilities are clustered in Lagos. The remaining geographies — including Abuja and all 35 other states — have minimal colocation infrastructure. For institutions with regional operations outside Lagos, this isn’t an abstract concern; it is an operational constraint on where their disaster recovery and business continuity infrastructure can realistically land.
Power reliability. Nigeria’s national grid provided approximately 5,639MW against an installed capacity of 13,625MW in 2025 — a structural generation shortfall that forces every serious data centre operator to maintain expensive diesel backup generation. Self-generated power costs roughly double those of natural gas. This cost burden does not disappear when financial institutions migrate workloads; it transfers downstream into colocation pricing. For smaller licensed operators — super agents, payment solution service providers, tier-2 switching companies — the economics of compliant domestic hosting are not comfortable.
The question fintech executives are asking is not whether Nigerian data centres exist. It is whether they can reliably absorb production-scale workloads from dozens of institutions simultaneously migrating in a compressed window, without degrading the payment rails that process over 14 billion transactions annually.
That question does not yet have a definitive answer.
The Enforcement Question: Will the CBN Actually Sanction Non-Compliers?
This is the question that determines whether January 1, 2027 is a hard deadline or a target with a grace period.
The CBN’s recent enforcement posture suggests the former is more likely. The regulator revoked Heritage Bank’s licence in 2024 for insolvency-related failures. Fidelity Bank received a fine of NGN 555.8 million for data-privacy breaches. Zenith Bank faced a NGN 15.42 billion penalty in 2025 covering money laundering failures, cybersecurity breaches, and FX violations. Access Bank was fined NGN 35 million in May 2026 for AML/CFT/CPF compliance lapses. The pattern is consistent: the CBN under Governor Cardoso is willing to impose material sanctions, and it does not reserve enforcement for systemic institutions.
The circular itself reflects this posture. It states explicitly that the CBN will “monitor compliance with the provisions of this Circular and may, where necessary, impose supervisory sanctions in accordance with applicable laws, regulations, and guidelines.”
That said, a genuine enforcement challenge exists. Verifying that payment transaction data is actually stored domestically — rather than merely declared to be — requires technical audit capability that is qualitatively different from reviewing financial returns or transaction monitoring logs. The CBN would need to validate data residency at the infrastructure layer, which means either on-site technical inspections or mandatory attestation mechanisms (such as third-party audit certificates from accredited firms). Neither mechanism is yet formally specified in the circular.
This creates a practical asymmetry: large deposit money banks with dedicated technology risk teams will move quickly and document thoroughly. The tail of licensed operators — smaller fintechs, super agents, payment solution service providers with limited compliance infrastructure — will struggle both to migrate and to evidence compliance. The CBN’s circular provides no framework for cost absorption or technical assistance for smaller operators.
The Regulatory Stack Is Now Layered
For CCOs and CISOs at regulated institutions, the data localisation mandate does not arrive in isolation. It lands on top of an existing and recently expanded compliance architecture:
- NDPA 2023 already requires that personal data of Nigerian residents be processed in accordance with Nigerian data protection standards — the CBN directive reinforces and extends this into the payments layer specifically
- CBN Risk-Based Cybersecurity Framework (2021) requires annual risk assessments and cybersecurity control self-assessments submitted by February 28 each year — your data architecture is part of that submission
- CBN AML/CFT Baseline Standards (March 2026) require deposit money banks to achieve full AML system compliance by September 2027, with implementation roadmaps already due to the CBN’s Compliance Department by June 10, 2026
These are not parallel tracks. Your data localisation architecture, your cybersecurity risk posture, and your AML/CFT system infrastructure are converging into a single question: where is your data, who controls it, and can you prove it?
If you are currently mapping this as a technology migration project owned by your CTO, your framing may be too narrow. This is a compliance risk event with a hard regulatory deadline, and the accountable owner needs to be named at the C-suite level today.
What Your Institution Should Be Doing Now
The six-month window between June 15 and January 1, 2027 is not generous. It is the time between a board decision and an audit finding. Here is where the effort should be concentrated:
First: data inventory. You cannot localise what you have not mapped. Your compliance team needs a current-state view of every payment transaction data flow — where it originates, where it transits, and where it is stored at rest. Many institutions will find gaps here that were invisible under the prior regulatory regime.
Second: infrastructure due diligence. Not all domestic colocation is equivalent. Engage Rack Centre, Equinix/MDXi, OADC, Africa Data Centres, and Kasi Cloud early. Understand their actual available capacity, their SLAs, their power redundancy posture, and their pricing for the workload profile you intend to migrate. Do not assume capacity is available on the timeline you need.
Third: cloud provider engagement. The circular does not prohibit the use of global hyperscalers — it requires data residency within Nigeria. AWS, Azure, and Google Cloud all operate or partner with local infrastructure in Nigeria. Understand whether your existing cloud contracts and configurations can be modified to enforce Nigerian data residency, and what the cost delta is.
Fourth: compliance documentation architecture. The CBN will ask for evidence. Define now what that evidence looks like — contractual certifications from hosting providers, technical audit logs, board-approved implementation timelines — and build that documentation trail from day one of the migration.
The Bottom Line
The CBN’s data localisation mandate is sound policy with an ambitious timeline and a real infrastructure gap sitting between intention and execution. The January 1, 2027 deadline is not performative — the CBN’s enforcement record in 2024 and 2025 makes that clear.
What it requires from your institution is not heroics. It requires the same discipline that every material compliance deadline demands: a named owner, a credible project plan, a realistic infrastructure assessment, and board-level awareness that this is a risk event, not an IT migration.
The institutions that treat PSS/DIR/PUB/CIR/001/004 as a technology ticket are the ones most likely to be filing for an extension they are not guaranteed to receive.
RiskCanvasIQ helps regulated financial institutions in Nigeria and across Africa manage multi-framework compliance from a single platform. If your team is mapping the data localisation obligations under PSS/DIR/PUB/CIR/001/004 alongside your NDPA and CBN Cybersecurity Framework posture, visit riskcanvasiq.com to see how we structure that work.

Leave a Reply