TL;DR. Under CBN Circular PSS/DIR/PUB/CIR/001/004 (15 June 2026), payment transaction data generated within Nigeria must be stored and managed within Nigeria from 1 January 2027 — a directive that reaches payment-facilitating institutions down to the microfinance tier and directly shapes where their core systems may be hosted.
The regulation in brief
On 15 June 2026, the CBN's Payments System Supervision Department issued Circular PSS/DIR/PUB/CIR/001/004 — a payments market-structure directive which, among other measures, requires that "payments transaction data generated within Nigeria are stored and managed in Nigeria, in accordance with the data-protection laws and regulations applicable in Nigeria." Compliance is mandatory from 1 January 2027.
The directive is addressed broadly — deposit money banks, microfinance banks, mobile money operators, switching and processing companies, PTSPs, PSSPs, super agents, and other licensed payment operators — so it reaches well beyond tier-1 banks into the microfinance and finance-company segment. Institutions may continue to use cloud infrastructure, but the provider must guarantee data residency within Nigeria.
One scope point matters for compliance teams: this circular governs payment transaction data specifically. Broader personal-data residency obligations sit under the separate NDPA 2023 / NDPR framework. The two are complementary obligations, not the same rule — and conflating them is a common error.
For institutions still on internationally-hosted core platforms, meeting the deadline is a non-trivial, multi-quarter migration. For any institution selecting a new core banking platform in 2026–2027, Nigerian data-residency readiness should be an explicit vendor-evaluation criterion.
How FinovaMax handles it
- Residency-ready architecture. The platform is designed from the ground up to be deployed on Nigerian-resident infrastructure — not retrofitted for compliance.
- Configurable per-tenant hosting jurisdiction. Because FinovaMax is multi-tenant, hosting decisions can be made per institution. An institution requiring on-shore hosting from day one can specify it as a deployment parameter.
- Hosting-flexible roadmap. The platform's hosting layer can move with the institution's requirement — onboarding can begin on the platform's current footprint and migrate to on-shore as the institution prepares for the 2027 deadline.
- No platform redesign required for residency compliance. The data-architecture decisions (encryption, audit log, key management) are jurisdiction-agnostic by design. Moving the data location does not require moving the data model.
Practical implication for your institution
If your institution is currently running on an internationally-hosted core banking platform, the 2027 deadline is closer than it appears. Migration is not just a hosting move — it is a regulatory project that touches every customer record. Choosing a residency-ready platform now removes that project from your 2027 risk register before it lands there.
Talk to us about your institution
We'll walk through your specific exposure under this regulation and how the platform responds.
Apex Grid Technologies Ltd · RC 9108833 · Lagos & Abuja, Nigeria