Legal Implications of ISO 20022 Migration and Geo-Tagging for the Nigerian Payment System

By Olumide Opeyemi Toyinbo

1. Introduction

On August 25, 2025, the Central Bank of Nigeria (CBN) issued a circular (Ref: PSS/DIR/PUB/CIR/001/001) to all operators in the Nigerian payments ecosystem. The recipients included Deposit Money Banks, Microfinance Banks, Mobile Money Operators, Super Agents, and other licensed payment service providers.

The circular mandates two major compliance requirements. The first is the migration to the ISO 20022 payment messaging standard. The second is the mandatory geo-tagging of all payment terminals. Both requirements are designed to make Nigeria’s payment system more open, transparent, and trackable.

2. The Legal Basis of the Circular

The authority of the CBN primarily rests on the Central Bank of Nigeria Act, 2007, and the Banks and Other Financial Institutions Act, 2020 (BOFIA). Under these laws, the CBN regulates and supervises payment, clearing, and settlement systems in Nigeria.

Section 2(d) of the CBN Act empowers the Bank to promote a sound financial system. Part VIII of BOFIA gives the CBN regulatory powers over payment systems and service providers. Circulars issued by the CBN are binding on licensed operators. Failure to comply can result in sanctions. However, where a circular is ruled by a court to be ultra vires or inconsistent with existing law, it becomes invalid, and any penalties based on it cannot stand.

3. ISO 20022 Standard for Payment Messaging

ISO 20022 is the global benchmark for financial messaging. It is already widely used within the SWIFT network and other jurisdictions. The CBN has set October 31, 2025, as the deadline for compliance.

The standard requires payment institutions to include payer and payee identifiers, merchant or agent details, and full transaction metadata in their messages. This improves efficiency and supports compliance with the Money Laundering (Prevention and Prohibition) Act, 2022, and other anti-money laundering and counter-terrorism financing frameworks. It also strengthens consumer protection, as transactions become more auditable across jurisdictions.

Failure to comply with ISO 20022 can be treated as a breach of statutory and regulatory obligations. This may affect KYC processes, customer due diligence, and transaction reporting duties. On the other hand, compliance provides regulators and courts with clear and reliable records, which carry strong evidentiary value. This reform therefore brings Nigeria’s payment messaging into alignment with global standards.

4. Geo-Tagging of Payment Terminals

The circular also introduces a mandatory requirement for geo-tagging of all payment terminals within 60 days. Operators must deploy double-frequency GPS receivers, integrate the National Central Switch Geolocation SDK, and ensure geofencing within 10 meters of their registered business premises.

This means that merchant activities, including Point of Sale (POS) transactions, must be confined to a radius of 10 meters outside the registered business location. Any transaction beyond this limit would fall outside compliance. Geo-location data must also be captured at transaction initiation and included in the message payload as a mandatory reporting field.

Legally, this requirement enhances accountability and curtails fraud. It gives effect to Section 68 of BOFIA, which empowers the CBN to address cybersecurity issues in financial service delivery, and Section 69, which allows it to prescribe standards for payment, settlement, and clearance activities.

The Nigeria Data Protection Act, 2023 (NDPA), defines personal data in Section 65 as “any information relating to an individual, who can be identified or is identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.”

By this definition, geolocation data qualifies as personal data. It can reveal a person’s position or indirectly identify them when combined with other datasets. Payment operators must therefore comply with NDPA principles of data minimisation, lawful processing, and secure storage. Non-compliance may attract penalties from both the Nigeria Data Protection Commission and the CBN.

5. Potential Challenges

Implementing ISO 20022 and mandatory geo-tagging will present practical difficulties. The deadlines are short, and operators must upgrade their systems within a limited time. A related challenge is the financial burden of compliance. While large banks may absorb the costs, startups and smaller institutions may struggle. In rural and underserved areas, weak infrastructure could further hinder the effective rollout of geo-tagging technology.

Geo-tagging requires the real-time tracking of every transaction. Without doubt, this can improve accountability and reduce fraud. At the same time, it raises privacy and data protection concerns. The right to privacy under Section 37 of the 1999 Constitution (as amended) is directly engaged. There is also a potential conflict with the NDPA. If geolocation data is mishandled or inadequately secured, consumers may face serious risks, and operators could be exposed to penalties.

A further concern is the broad application of the directives. Businesses such as travel agencies, logistics companies, and mobile service providers routinely operate across multiple locations. Requiring geo-tagging for every transaction in such sectors could impose unnecessary burdens with little regulatory value. A framework that provides reasonable exemptions or modified requirements would create a better balance between regulatory objectives and business realities.

6. Conclusion

The CBN’s directives on ISO 20022 messaging and mandatory geo-tagging of payment terminals are commendable steps. Despite potential challenges, the directives promise to curb fraud, illicit financial flows, and weak monitoring of transactions. Their success will depend on two factors. First, how well operators adapt to the new requirements. Second, how the CBN balances strict enforcement with flexibility and guidance. If managed carefully, the directives can strengthen Nigeria’s financial system. Most importantly, it can do this while respecting privacy as a human right and recognising the mobility needs of certain businesses.

Olumide Opeyemi Toyinbo

Legal Practitioner

ootoyinbo@nigerianbar.ng

olumideopeyemitoyinbo@gmail.com

Source: BarristerNG