On June 15, 2026, the Central Bank of Nigeria issued a circular that changes the trajectory of the country's digital economy.

By January 1, 2027, every bank, fintech, mobile money operator, and payment processor in Nigeria must store and manage all payment transaction data within the country's borders.

Not recommended. Not encouraged. Mandatory, with sanctions for non-compliance.

This is the most consequential regulatory intervention in Nigerian financial technology since the cashless policy. And it arrives at a moment when Nigeria's digital payments ecosystem processes over 14 billion transactions annually, cards, transfers, USSD, mobile wallets, much of it routed through infrastructure that sits outside the country.

The message from the CBN is unambiguous: Nigeria's financial data belongs in Nigeria.

What the Mandate Actually Requires

The circular, issued by the Payments System Supervision Department and signed by Director Rakiya Yusuf, applies to every institution facilitating payments in Nigeria.

"All Financial Institutions and participants facilitating payments within Nigeria shall ensure that payments transaction data generated within Nigeria are stored and managed in Nigeria in accordance with data protection laws and regulations applicable in Nigeria."

The deadline is January 1, 2027. Full compliance. No exemptions.

This covers deposit money banks, microfinance banks, mobile money operators, switching and processing companies, payment terminal service providers, payment solution service providers, super agents, and all other licensed payment operators.

The immediate scope is payment transaction data. But any institution processing financial transactions knows that data does not exist in isolation. Payment data feeds fraud detection models, credit scoring algorithms, customer analytics, and regulatory reporting systems. When the data stays home, the compute that processes it must stay home too.

The Scale of the Migration

Over 90% of Nigerian banks and fintechs currently host data on foreign cloud platforms; AWS, Azure, Google Cloud.

Nigeria spends an estimated $1.1 billion annually on public cloud services, the vast majority of which leaves the country as foreign exchange. Analysts estimate that localizing payment data could retain as much as $850 million per year that currently flows to offshore providers.

But the cost is not just financial. When transaction data sits on foreign servers, Nigerian regulators must navigate foreign legal processes to access it during fraud investigations or systemic risk assessments. Every delay in access is a vulnerability in the financial system.

The CBN's directive solves this. But compliance requires more than signing a contract with a local hosting provider. It requires infrastructure — real, physical, sovereign infrastructure, operating inside Nigeria at production scale.

The Infrastructure Reality

Nigeria has approximately six Tier III data centers. Most were designed for traditional CPU workloads, web hosting, database servers, basic enterprise applications. They were not built for the compute density that modern financial AI requires.

This creates a tension that most discussions of this mandate miss.

A bank that moves its transaction data to a local data center but continues running fraud detection models on foreign GPU infrastructure has not truly localized. The models sit offshore, but they process live transaction data — data that the CBN has now declared must remain in Nigeria. The regulatory risk follows the data, not the storage medium.

The same logic applies to credit scoring, customer analytics, regulatory reporting, and every other AI-driven financial process. If the data feeding those models is Nigerian payment transaction data, the compute must live in Nigeria too.

This is not a storage problem. It is an infrastructure problem. And it requires a solution that spans both CPU and GPU workloads.

For batch AI workloads on historical data, the compliance line may be debatable. The circular's language focuses on "payment transaction data", not necessarily derived or anonymized datasets. But for real-time inference, the fraud detection model that scores every transaction as it happens, the credit risk model that evaluates a loan application in milliseconds, the model processes live transaction data. That data cannot leave Nigeria, which means the compute must live here.

Prudent institutions will treat the mandate as a full-stack requirement, not just a storage requirement. History shows that data localization mandates tend to expand in scope over time. Regulators in Kenya, India, and Brazil all started with "payment data" and broadened to broader financial data within 2-3 years. Building for the expanded scope now avoids paying the migration cost twice.

The Opportunity

Every country that has achieved true digital sovereignty has done so through deliberate policy paired with strategic infrastructure investment. The CBN's circular is Nigeria's sovereign cloud moment, the point at which the country decides that its financial data, its AI capability, and its digital infrastructure belong within its own borders.

The economic argument is straightforward: $850 million per year currently leaves Nigeria for foreign cloud services. That is capital that could fund local data centers, train Nigerian engineers, and build the infrastructure for the next generation of African technology companies.

The security argument is equally clear: financial transaction data is critical national infrastructure. It should not require a foreign legal process to access. It should not be subject to foreign government policy changes. It should not be priced in a foreign currency that Nigerian institutions cannot control.

And the technology argument is where most of the conversation is still missing: localization is not just about where data sits. It is about what you can do with it. A bank that localizes storage but cannot run AI against that data locally has only half a solution. The institutions that understand this now — and invest in full-stack local infrastructure before the deadline — will have a competitive advantage that lasts a decade.

What Financial Institutions Should Do Now

If you are responsible for technology infrastructure at a Nigerian financial institution, your compliance clock started on June 15. Here is the path forward.

Audit your data footprint. Map every workload that touches payment transaction data. You cannot migrate what you have not inventoried. This includes production databases, analytics pipelines, backup systems, and disaster recovery environments.

Identify your AI dependencies. If your fraud detection, credit scoring, customer analytics, or regulatory reporting models run on foreign GPU infrastructure, those workloads fall within the practical scope of this mandate. Migrating AI workloads is more complex than migrating storage — plan for local deployment now.

Start infrastructure conversations today. Six months is tight. Hardware procurement, international shipping, customs clearance, racking, and network configuration take time. The institutions that start conversations now will be compliant by January. Those that wait will scramble — and regulators will notice.

Demand Naira pricing. One of the hidden wins of this mandate is the opportunity to eliminate FX exposure from infrastructure costs. Institutions that accept dollar-denominated local hosting have missed the point. The infrastructure is local. The pricing should be too.

Plan for the full stack, not just storage. A compliant infrastructure strategy must account for CPU workloads; transactional databases, core banking operations; GPU workloads — AI models, ML training, real-time inference — and the security layer that governs access to both. Treating them as separate procurement exercises creates integration risk and compliance gaps.

The Infrastructure That Compliance Requires

Cencori is building the stack that makes this possible.

Not as a reseller of foreign cloud capacity. Not as a colocation middleman. As a vertically integrated sovereign cloud platform, co-located within existing Tier III facilities in Lagos, designed from the ground up for Nigeria's regulatory environment.

Our model rests on three integrated layers.

Foundation. Enterprise-grade CPU infrastructure for transactional data storage, payment processing, and core banking operations. AES-256 encrypted NVMe storage with customer-managed keys. Private cross-connects delivering sub-5ms latency within Lagos. Billed entirely in Naira, no dollar exposure, no FX adjustment clauses, no surprises.

AI Compute. High-performance GPU infrastructure for model training, inference, and AI-driven financial operations. NVIDIA MIG-partitioned at the hardware level, ensuring complete memory and execution isolation between tenants. A bank's fraud detection model runs on its own GPU slice, invisible to any other workload on the same physical hardware.

These are one infrastructure stack. The same physical hardware that hosts a bank's transaction ledger serves AI models against that data, without ever sending a byte outside Nigeria's borders.

This is the model that the moment demands. Not storage here and compute there. Not CPU now and GPU later. A single, sovereign stack that gives Nigerian institutions full control over their data, their compute, and their AI future.

The Deadline is Real

January 1, 2027, is 191 days from today.

That is 191 days to audit, plan, procure, ship, clear, rack, configure, test, and go live with infrastructure that meets the CBN's requirements. It is doable. But it requires urgency, focus, and the right partners.

The CBN has signaled that this is not a suggestion. Institutions that fail to comply will face sanctions. The only question is whether you will be ready, or whether you will be catching up while your competitors have already secured compliant infrastructure.

Nigeria's financial data belongs in Nigeria. The infrastructure to keep it here exists. The only missing piece is the decision to act.