The Central Bank of Nigeria has named six virtual asset service providers to a new AML supervision pilot, requiring them to submit monthly compliance reports and develop readiness plans for the FATF Travel Rule. The named firms include Paystack and Flutterwave — two of Nigeria’s largest payment companies — alongside four others that the CBN has not publicly identified in full.
The pilot operationalises a regulatory direction that BETAR has been tracking since January: Nigeria’s post-grey-list compliance infrastructure is not finished, and the CBN intends to formalise it at the level of individual firms, not just sector-wide guidance.
What the Pilot Requires
Firms enrolled in the supervision pilot face two concrete obligations. The first is a monthly AML reporting submission to the CBN — a structured return covering suspicious transaction volumes, customer due diligence outcomes, and AML control effectiveness indicators. The cadence matters: monthly reporting is operationally heavier than quarterly filings, and requires automated data pipelines rather than manual compilation. For firms that have previously submitted AML data annually or on request, the infrastructure gap is non-trivial.
The second obligation is a Travel Rule readiness plan. The FATF Travel Rule requires virtual asset service providers to transmit originator and beneficiary information alongside transactions above a threshold value — effectively applying wire transfer identification standards to crypto transactions. Nigeria adopted FATF standards as a condition of its late-2024 grey list removal, but implementation of the Travel Rule at the VASP level has lagged. The CBN pilot formalises a timeline for catching up.
The combination — monthly AML reporting plus Travel Rule readiness — signals that the CBN is treating these six firms as systemically significant VASPs whose compliance posture will be scrutinised on a continuous basis, not assessed during periodic licensing reviews.
Who Gets Named and What It Means
Being named to the pilot carries ambiguous prestige. On one reading, designation signals that the CBN regards these firms as important enough to monitor closely — a form of regulatory recognition of market significance. Flutterwave, Paystack, and the four undisclosed firms are not mid-tier operators; they are the companies processing the most significant virtual asset transaction flows in Nigeria.
On another reading, designation is a compliance overhead that smaller competitors currently avoid. Monthly AML reporting infrastructure — the data pipelines, the compliance function, the documentation standards — costs money to build and maintain. BETAR’s analysis of the Q1 2026 CBN compliance cost stack placed annual compliance infrastructure investment for a mid-tier Nigerian fintech at $52,000 to $87,000 in year-one build costs, before professional services. The Travel Rule adds technical integration costs on top: firms must connect with a Travel Rule messaging network, validate counterparty VASP identities, and document the compliance chain for every qualifying transaction.
For the six named VASPs, the pilot is an obligation. For everyone not named, it is a preview of what is coming.
The Timing Is Not Accidental
The CBN launched this pilot in the same week that it confirmed Flutterwave’s microfinance bank licence approval. That proximity is unlikely to be coincidental.
Flutterwave’s MFB licence changes its regulatory relationship with the CBN — it is now a deposit-taking institution subject to prudential supervision, not merely a PSP subject to payment system oversight. Being simultaneously named to a VASP AML supervision pilot means Flutterwave is now regulated at two distinct levels: as a payment service company and as a bank. The compliance surface area has expanded materially.
For Paystack, which does not hold an MFB licence, the supervision pilot has a different texture. Paystack’s regulatory exposure runs through its PSP licence and, by extension, Stripe’s global compliance infrastructure. Monthly CBN AML reporting will require Paystack to build a Nigeria-specific compliance data architecture that is separate from Stripe’s consolidated AML infrastructure — a localisation demand that global companies consistently find more expensive than expected.
What the Travel Rule Actually Costs
The FATF Travel Rule has been a known compliance obligation for Nigerian VASPs since the country re-engaged with FATF standards. Implementation has been slow because the technical infrastructure — particularly the Travel Rule messaging protocols used by entities like TRUST, VerifyVASP, and Notabene — requires integration work and counterparty network coverage that is thinner in Africa than in mature crypto markets.
Nigerian VASPs implementing the Travel Rule face two layers of cost. The first is the messaging network integration: licensing a Travel Rule protocol, integrating it into transaction infrastructure, and testing it against counterparty VASPs. Depending on transaction volume, this runs $15,000 to $40,000 in year-one implementation costs. The second is the counterparty coverage problem: the Travel Rule only works if both the sending and receiving VASP are enrolled in compatible protocols. Where Nigerian VASPs transact with counterparties in jurisdictions with lower Travel Rule penetration — a significant share of African cross-border flows — compliance becomes partially dependent on counterparty readiness that the Nigerian firm cannot control.
The CBN’s pilot request for a “readiness plan” rather than immediate implementation suggests awareness of this coverage problem. But the readiness plan has a deadline, and deadlines create spending commitments.
The Regulatory Pattern Holds
The VASP AML supervision pilot is the latest in a consistent series of CBN interventions designed to close the gap between Nigeria’s formal FATF commitments and the compliance infrastructure of its virtual asset sector. The pattern — mandate, pilot, named institution, deadline — has played out identically across AI/AML standards, BVN phone-lock requirements, and liveness check obligations.
The named VASPs have the compliance budgets and engineering capacity to absorb the pilot requirements. The real structural effect will be felt when the pilot conclusions inform sector-wide AML standards — the point at which every Nigerian VASP, not just six named ones, faces monthly reporting and Travel Rule obligations. That extension is the regulatory direction of travel. The pilot is the mechanism the CBN uses to calibrate what full sector rollout will look like.
For Nigeria’s fintech sector, the message is consistent and has been for three quarters: the compliance environment is hardening, the timeline is compressing, and the institutions with the infrastructure to absorb it are the institutions that will define what Nigerian fintech looks like on the other side.
— Business Desk, BETAR.africa
UphivaBETAR
Joseph Busari
