Banks Face 16-Day Refund Clock Under CBN’s New APP Fraud Framework

The Central Bank of Nigeria (CBN) has published draft guidelines that tighten how banks and fintechs handle Authorised Push Payment (APP) fraud. Under the proposal — dated November 26, 2025 — customers would have to report suspicious or fraudulent transfers within 72 hours, while financial institutions would be required to investigate and, where appropriate, reimburse victims within a 16 working-day timeline when more than one institution is involved.

The move is the latest step in the regulator’s long-running campaign to curb rising electronic fraud across Nigeria’s financial system.

Why the CBN stepped in: fraud on the rise

Fraud in the banking sector has surged. Data from the Financial Institutions Training Centre (FITC) shows a 603% increase in fraud losses in Q1 2025,  rising to ₦3.29 billion ($2.27 million), with 12,347 cases reported, a 7.63% uptick year-on-year. Those trends help explain the urgency behind the new draft rules.

“When finalised, the Guidelines would mandate all financial institutions to institute preventive measures as well as modalities for mitigating and managing APP fraud,” reads the circular signed by Rita Sike, director of the Financial Policy and Regulation Department.

What is APP fraud (as defined by the CBN)?

The CBN describes APP fraud as situations where a customer is tricked or manipulated into approving a payment to a third-party account or wallet — commonly via channels like WhatsApp, SMS, or email.

The draft also highlights institutional failures that facilitate APP fraud, including:

• failure to act on red flags

• weak KYC or fraud controls

• staff collusion

• delayed resolution

• misuse of accounts for fraudulent purposes

“These failures,” the regulator says, “facilitation, negligence, or non-compliance by financial institutions… weak Know Your Customer (KYC) or fraud controls, staff collusion, delayed resolution, and use of accounts for fraudulent purposes.”

New reporting and response timelines

Key operational deadlines in the draft:

• Customer reporting: Victims must report APP fraud within 72 hours, providing transaction date, amount, recipient details and supporting documents.

• Acknowledgement by bank: Institutions must acknowledge a report within 24 hours and start investigations immediately.

• Investigation window: Investigations should conclude within 14 working days. If unresolved, cases may be escalated to the CBN’s Consumer Protection and Financial Inclusion Department.

• Reimbursement after investigation: Where reimbursement is warranted, payments must be made within 48 hours of investigation conclusion.

• Multi-institution incidents: If multiple institutions are involved, the originating institution must notify others within 30 minutes. Affected institutions must complete reimbursements within 16 working days of the incident being reported.

During probes, the CBN may instruct settlement systems such as NIBSS to withhold settlement for the full value of transactions identified as fraudulent — potentially across multiple stages of the payment chain. “This may extend to second-level or other subsequent beneficiary institutions along the transaction chain,” the circular notes.

READ MORE: Seven Sentenced to Prison in Over ₦1 Billion Agency Banking Scam at TAJBank

Who gets refunded — and who doesn’t

The draft clarifies eligibility:

Customers are eligible for reimbursement if they:

• reported the fraud within 72 hours and cooperated with investigators

• had no evidence of negligence, collusion, or criminal intent

• were misled under false pretences, or were harmed due to weak or absent bank controls

Customers are not eligible if they:

• acted fraudulently or negligently

• reported the fraud after 72 hours (subject to exceptions)

• were involved in transactions that predate the guideline’s effective date

Exceptions to the 72-hour rule are included where delays result from illness, force majeure, channel unavailability, or where the fraud stemmed from bank staff negligence or internal control failures.

Where a financial institution fails to flag or freeze a fraudulent transfer because of inadequate systems, the institution bears the loss. If neither the bank nor the customer is at fault, the draft proposes that refund responsibility be shared equally among the banks involved.

New operational requirements for banks and fintechs

To meet the framework’s expectations, financial firms will need to upgrade processes and systems. The draft requires:

• 24/7 fraud reporting channels

• Early Warning Systems (EWS) to detect and mitigate APP fraud

• monitoring and red-flagging of suspicious accounts and behaviours

• documentation of fraud indicators and regular reporting to the CBN

• customer financial literacy and outreach programmes

Regulatory sanctions will apply if institutions fail to meet timeframes without justification, and customers may escalate unresolved disputes to the CBN. The draft also warns that supplying false or misleading information will attract sanctions for both individuals and institutions.

Where this fits in the CBN’s longer fight against fraud

The draft builds on more than a decade of CBN interventions:

• 2011: Creation of the Nigeria Electronic Fraud Forum (NeFF) for knowledge-sharing on fraud.

• 2015: Mandate for financial institutions to open dedicated fraud desks.

• 2023: Stricter KYC rules requiring Bank Verification Number (BVN) or national ID (NIN) for account/wallet openings.

• 2024: Instruction to NIBSS to debit accounts of commercial banks that receive fraud proceeds.

The guideline is currently a draft and open for comments from financial institutions and the public for three weeks. Once finalised, it will become a central plank of the CBN’s strategy to tighten accountability, speed up reimbursements, and reduce APP fraud’s human and institutional cost.

For customers: report suspicious transfers promptly, keep transaction records, and cooperate with investigations. For institutions: review fraud-detection infrastructure now — the draft puts the onus on you to prevent, detect and remedy APP losses quickly.