Payment Transaction Data Localisation in Nigeria: New CBN Rules and Their Legal Implications
In a new directive issued by the Central Bank of Nigeria (CBN), banks, payment service providers, mobile money operators, payment switches and other regulated participants in Nigeria’s payment ecosystem are now required to store and manage payment transaction data generated in Nigeria within Nigeria in accordance with timelines and implementation requirements set by the CBN. While the directive appears straightforward, its legal implications depend on how its key requirements are interpreted and operationalised in practice. In particular, the scope of payment transaction data localisation in Nigeria turns on four interconnected legal requirements: scope of application, storage obligations, management obligations, and compliance with applicable data protection law.
1. Scope of the Obligation: “Payment Transaction Data Generated in Nigeria”
The scope of the new CBN localisation requirements is limited to “payment transaction data generated within Nigeria”. On its face, this raises an important threshold legal question: what qualifies as payment transaction data generated in Nigeria? While the directive does not exhaustively define this term, it is expected in practice to cover data arising from payment activities occurring within the Nigerian payment ecosystem. This would typically include:
card payment transactions conducted in Nigeria (including POS and online card-present and card-not-present transactions);
mobile money transactions initiated and completed within Nigeria;
account-to-account transfers between Nigerian financial institutions;
POS transactions processed through Nigerian acquiring infrastructure; and
settlement and routing data associated with domestic payment flows.
The key legal point is that the localisation obligation is likely to be transaction-origin based, not merely system-location based. Accordingly, where a payment is initiated or executed in Nigeria, the associated payment transaction data in Nigeria will be expected to fall within the scope of the directive, regardless of whether elements of processing infrastructure are distributed across jurisdictions.
2. Storage in Nigeria: A Territorial Data Residency Requirement
The second requirement is that payment transaction data in Nigeria must be stored within Nigeria. This introduces a clear data residency obligation for payment transaction data. In legal terms, “storage” refers to the persistent retention of data in a defined jurisdiction, typically within physical or logically controlled infrastructure located in that territory.
For regulated entities, this means that primary databases, transaction logs, archival systems, and backups containing payment transaction data in Nigeria must be hosted on infrastructure physically located within the territorial jurisdiction of Nigeria.
The directive further requires that payment transaction data in Nigeria must not only be stored in Nigeria but also “managed” within Nigeria. This introduces a second layer of localisation that goes beyond physical storage. “Management” should be understood as encompassing the operational control, administration, access governance, and oversight of data. In practical legal terms, this requirement is likely to include:
control over access rights to payment transaction data in Nigeria;
administration of databases and data environments;
execution of data processing operations affecting Nigerian payment data;
monitoring, logging, and audit functions relating to transaction data; and
governance of third-party access by service providers or subcontractors.
The legal significance of this requirement is that it restricts not only where data is stored, but also where and how it is controlled. Even where infrastructure is technically hosted in Nigeria, operational management performed entirely offshore may raise compliance concerns. Accordingly, regulated institutions may need to restructure outsourcing arrangements to ensure that meaningful administrative and operational control over payment transaction data in Nigeria is exercised within the jurisdiction.
4. Compliance with Applicable Data Protection Law
The final requirement is that implementation of the directive must comply with applicable data protection law in Nigeria. This introduces an important legal interaction between the CBN framework and the Nigeria Data Protection Act (NDPA) 2023.
Importantly, the NDPA does not impose a general data localisation requirement. Instead, it regulates the conditions under which personal data may be transferred outside Nigeria. The statutory framework is built around principles of:
lawful processing;
purpose limitation;
data minimisation;
security safeguards; and
lawful cross-border transfer mechanisms.
Under the NDPA, international data transfers are permitted where certain conditions are met, including adequacy determinations, appropriate safeguards, or explicit consent in limited cases. This means that, as a matter of data protection law, cross-border processing is not prohibited per se.
Key Takeaways
The CBN directive introduces an additional sector-specific constraint: payment transaction data in Nigeria must be stored and managed within Nigeria. This creates a dual regulatory framework where, (a) the NDPA governs how personal data is processed and transferred, and (b) the CBN governs where payment transaction data must reside and be controlled. The legal consequence is that regulated entities must ensure alignment between both regimes. Importantly, compliance with the NDPA does not displace CBN localisation requirements, and compliance with CBN rules does not remove obligations under data protection law.

Olu A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), LL.M. (Reading, U.K.)
Olu is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
olu@balogunharold.com
Kunle A.
LL.B. (UNILAG), B.L. (Nigeria), LL.M. (UNILAG), Barrister & Solicitor (Manitoba)
Kunle is a Partner in the Firm’s Transactions & Policy Practice. Admitted as a Barrister & Solicitor of the Supreme Court of Nigeria in 2009, he has spent over a decade advising clients on high-value transactions and policy matters at some of Nigeria’s leading law firms.
k.adewale@balogunharold.com
Esther O.
LL.B. (OOU), B.L. (Nigeria)
Esther is a Legal Analyst at Balogun Harold.
Related Articles
The Legal Framework for Classified Information in Nigeria: Key Considerations
It would be prudent for the Federal Government undertake a comprehensive review of the Official Secrets Act to ensure that it reflects contemporary national security, technological and governance realities.
Data Localisation in Nigeria: Key Considerations for Cloud Service Providers and AI Companies
Nigeria does not yet have a single, economy-wide data localisation statute. Instead, the regime has developed incrementally on a sector-by-sector basis, through a combination of primary legislation, sectoral regulations, licensing conditions, and regulatory guidelines issued by agencies
NERC Net Billing Regulations 2026: Commercial Considerations
The Net Billing Regulations 2026 is not automatically applicable in states that have formally activated their independent regulatory markets under the Electricity Act 2023, like Lagos, and that SubCos created under the Delineation Order may not be bound by the Net Billing Regulations, 2026.
The Architecture of a Joint Operating Agreement: A Framework for Negotiation and Control
In practice, a Joint Operating Agreement is the primary instrument through which control, risk, funding, and decision-making are allocated among private parties in a capital-intensive venture.