The Central Bank of Nigeria issued a circular on March 13, 2026 restricting BVN-linked phone number changes to once per lifetime, effective May 1. The regulation includes mandatory 24-hour watchlist holds for accounts flagged by the BVN Watchlisting system — a component of the CBN’s Fraud Defence Framework published in its February 2026 Fintech Policy Insight Report.

The stated motivation is clear: 62,000 SIM-swap fraud incidents in 2023, in which attackers convinced telcos to transfer a victim’s phone number to a SIM card under their control, then used the inherited OTPs to drain linked bank accounts. The once-per-lifetime restriction limits the attack surface. It is the most restrictive BVN identity binding the CBN has issued.

What the circular does not address in detail is the legitimate side of the ledger.

What the Rule Actually Does

Under the new framework, each Bank Verification Number may have its associated phone number changed only once across the holder’s lifetime. The change triggers a 24-hour watchlist hold — a period during which the account is flagged for monitoring and certain transaction categories may be restricted. The BVN Watchlisting infrastructure cross-references the change against fraud intelligence from the HAWK Central Industry Fraud Desk, which aggregates data from licensed financial institutions across Nigeria.

The rule sits on top of an existing system in which BVN enrollment — and by extension BVN-linked phone binding — was already a prerequisite for meaningful digital financial access. Nigeria’s 68.59 million BVN holders are not a homogeneous group. They include urban professionals banking with multiple tier-one institutions, rural smallholders whose single mobile money account is their only financial product, and digital lenders’ customers whose entire credit history is associated with one mobile-linked identity record.

For all of them, the once-per-lifetime phone binding is now a permanent constraint.

What It Costs Fintechs to Comply

The BVN Phone Lock does not introduce a new vendor requirement in the same way the liveness checks mandate or the AI AML Baseline Standards do. Most licensed Nigerian fintechs already integrate with NIBSS for BVN validation. The compliance requirement here is primarily a process update: institutions must block BVN phone change requests after the first lifetime change has been used, and must route flagged changes through the 24-hour watchlist hold before processing.

For tier-one and tier-two fintechs with structured KYC engineering teams, that is a sprint-level update — a database flag, a NIBSS API check, a UI flow for handling the watchlist hold state. The May 1 deadline is tight but not unreasonable for institutions that are already processing compliance updates for liveness checks (January) and AI AML (February) simultaneously.

The compliance burden is materially heavier for microfinance banks and digital lenders operating with smaller engineering teams. These institutions face overlapping compliance deadlines: AI AML system deployment by June/July 2026, liveness check integration already underway, and now BVN phone lock logic to implement before May 1. The CBN’s 2026 regulatory cascade is coherent as a fraud strategy. As a compliance delivery schedule, it is demanding.

The Inclusion Edge Case

The fraud case for the once-per-lifetime rule is straightforward. The inclusion case is more complicated. Nigeria has a documented history of phone number instability among lower-income BVN holders: SIM cards are lost or stolen, handsets are damaged or sold, subscribers switch mobile network operators to take advantage of better coverage or pricing, and phones are shared within households in ways that blur the one-person-one-number assumption the BVN system is built on.

The once-per-lifetime rule means that a customer who has already used their one permitted phone number change — for any reason, including a legitimate reason like a carrier switch or stolen phone — cannot change it again, ever. The CBN circular specifies that a 24-hour watchlist hold applies to changes. It does not specify a remediation pathway for customers locked out of their lifetime allocation through no fault of their own.

This is the question TechCabal’s straight-news coverage did not answer, because the circular does not answer it. Does the CBN intend to establish an exception process for documented legitimate cases — an affidavit pathway, a biometric re-enrollment option, a regulated fintech remediation flow? If so, what is the mechanism, what are the turnaround timelines, and can tier-two fintechs and MFBs operate it without routing every edge case to a physical branch?

If the answer is that no exception process exists, the once-per-lifetime rule creates a class of permanently locked-out BVN holders — individuals whose digital financial access is irreversibly bound to a phone number they can no longer use. The CBN has not issued guidance on this scenario.

Where This Sits in the Stack

Read alongside the January 2026 liveness checks mandate and the NCC’s TIRMS SIM recycling database (which requires 14-day pre-deactivation notice and real-time recycled-number visibility for banks), the BVN phone lock is the third layer of a coordinated mobile identity tightening. The architecture: liveness verification at account creation, SIM-recycling visibility at the network layer, and now lifetime BVN binding at the identity infrastructure level.

The CBN is building a fraud prevention system that treats phone-number-as-identity as a vulnerability to be eliminated. That logic is correct as far as it goes. The question is whether eliminating the vulnerability for fraudsters also eliminates something essential for the 68.59 million legitimate BVN holders who need flexibility that the circular, as written, does not provide for.

The CBN has until May 1 to clarify the remediation pathway. Fintechs and consumer advocates would benefit from knowing what it is before then.