On June 15, the Central Bank of Nigeria sent out a circular that quietly reshapes how money moves in the country. Tucked inside a broader package on ownership and competition was one line with outsized consequences: every bank, fintech, and payment company operating in Nigeria has to store and manage its payment transaction data inside the country, on local servers, by January 1, 2027. Right now, a lot of that data lives on servers in the US and Europe. The clock to bring it home runs about six months.
What the Circular Actually Says
The directive, referenced PSS/DIR/PUB/CIR/001/004 and signed by Rakiya Yusuf, who heads the CBN’s Payments System Supervision Department, went out to pretty much everyone in the payments chain. Deposit money banks, microfinance banks, mobile money operators, switching companies, payment terminal and solution providers, super agents, all of them. The data rule carries that January 1, 2027 deadline. It arrived bundled with two other things: new caps on how much of the card-issuing and merchant-acquiring markets any single player can hold, and a requirement to disclose who actually owns these companies. Those two kick in a day earlier, on December 31, 2026.
The Case for Keeping the Data Home
The logic isn’t hard to follow. When most of Nigeria’s payment data sits on foreign servers, the CBN and local law enforcement can’t simply reach for it. If they need to chase a fraud case or a financial crime, they often have to go through foreign companies or foreign courts to get records that were generated in Lagos in the first place. Keeping the data in-country puts it under Nigerian jurisdiction, where regulators can get to it directly. The CBN frames the whole thing around three ideas: integrity, sovereignty, resilience. And the directive says local storage has to line up with Nigeria’s own data protection rules, so it’s built to sit alongside the existing privacy framework rather than route around it. On principle, almost nobody in the industry is arguing with that.
Where the Worry Starts
The fight is about capacity, not principle. Nigeria’s payment system runs more than 14 billion transactions a year, and the question operators keep raising is whether local data centres can carry that load at production scale without buckling. Adedapo Sobayo, co-founder and CTO of the fintech Rank, put the doubt plainly: “the problem I have is the processing capacity of these data centres.” There are facilities in Nigeria. Whether they can deliver the quality of service a financial institution needs, around the clock, is a separate question, and many fintechs haven’t tested them at full scale yet.
Then there’s the move itself. Shifting live financial systems off AWS or Azure and into local infrastructure isn’t a copy-paste job. It means re-architecting systems, replicating databases, and keeping transactions flowing the entire time, with no room for the kind of downtime that, for a payment company, turns straight into lost money and frustrated customers. Doing all of that inside six months, without cracking the rails millions of people lean on every day, is the real stress test.
The Contradiction Inside the Same Circular
The cost is where it gets awkward, and it lands unevenly. The global cloud giants used to hand startups credits to get going. Local providers mostly charge commercial rates from day one, and round-the-clock support is still maturing here. Big banks and well-funded fintechs can absorb that. The long tail of smaller switching companies, microfinance banks, and super agents may not. If some of them can’t afford to comply and get pushed out, the market gets more concentrated, not less. Which is strange, because the very same circular is also trying to reduce concentration with those new market-share caps. One half of the document could quietly work against the other.
What Happens Before January
None of this makes the policy wrong. Keeping sensitive payment data in-country is a defensible call, and regulators across the world are drifting the same way. The open question is execution. The CBN has a habit of issuing firm directives and then enforcing them… unevenly. The months between now and January 2027 are when everyone finds out whether the local infrastructure is ready, whether smaller players get any help reaching the line, and whether “store it at home” can happen without knocking over the thing it’s meant to protect. The goal is a sturdier payment system. The risk is that the scramble to build it shakes the floor first.
