The Central Bank of Nigeria (CBN) has introduced a raft of new security measures for instant payments, including a rule that restricts mobile banking applications to a single device at a time.
Under the new directive, bank customers will no longer be able to operate the same mobile banking application on multiple devices simultaneously.
The new requirements were outlined in a circular issued on Friday to banks, financial institutions, and payment service providers, providing additional guidance for the operation of Instant Payments (IP) in Nigeria.
The circular, signed by the CBN’s Director of Payments System Policy Department, Musa Jimoh, said the measures were introduced in line with the apex bank’s mandate to strengthen the stability and security of the financial system.
According to the CBN, all financial institutions offering instant payment services must implement mandatory device binding, which ensures that a mobile financial services application is active on only one device at a time.
“Migration to another device shall trigger automatic re-activation and authentication,” the circular stated.
The regulator also directed banks to allow customers to opt in or opt out of instant payment services at any time, subject to multi-factor authentication.
When a customer opts out, online instant transfers—whether within the same bank or to other banks—will not be possible. However, such customers can still carry out transfers by visiting their financial institutions physically.
The new framework also allows customers to set voluntary transaction limits, within the existing ceilings of N25 million for individuals and N250 million for corporate accounts. Any adjustment to these limits will require enhanced due diligence and risk assessment by the bank.
As part of the new safeguards, financial institutions must also deploy enterprise fraud monitoring systems to track both incoming and outgoing transactions and detect suspicious activity.
The CBN further directed banks to introduce liveliness checks for online account opening and reactivation, with real-time validation against the Bank Verification Number (BVN) and National Identity Number (NIN) databases.
Additional authentication tools such as biometrics, soft tokens, hard tokens and multi-factor authentication will also be required for online account reactivation.
For newly activated mobile banking applications, the regulator said transaction limits must be imposed during the first 24 hours.
In both new and existing accounts where the mobile app is activated on a new device, the maximum transaction limit during this period will be N20,000, subject to the discretion of the financial institution.
The CBN also directed that first-time internet banking logins on a new device must undergo additional multi-factor authentication.
The central bank said the new measures represent the minimum security standards for instant payments in Nigeria, adding that implementation will take effect from July 1, 2026.
