Two systems. One goal. No shared architecture.
On 27 March 2026, Nigeria’s National Communications Commission issued a circular mandating all licensed telecommunications operators to activate TIRMS — the Telecoms Interference Reporting and Management System. TIRMS does one thing: it flags scam phone numbers in real time, before a subscriber answers the call. MTN, Airtel, Glo, and 9mobile now have a live operational obligation to identify and label suspected fraud numbers at the network layer, before the call completes.
Three weeks earlier, on 10 March 2026, the Central Bank of Nigeria issued its own circular requiring all licensed financial institutions to implement AI-powered AML infrastructure — real-time transaction monitoring, automated anomaly detection, continuous identity verification — under an 18–24 month deployment window.
Both circulars are responses to the same underlying crisis: industrialised fraud networks operating across Nigeria’s financial and telecommunications systems simultaneously. Both represent significant regulatory ambition. And they were designed, built, and published without a shared technical standard, a common API, or a joint enforcement framework between the two regulators that issued them.
What TIRMS actually does
TIRMS operates at the call-network layer. When a number triggers a scam classification — through complaint volumes, pattern analysis, or direct NCC flagging — the system propagates that classification to operator networks in real time. A subscriber receiving a call from a flagged number sees a warning on their handset before they answer.
The system addresses a specific and documented fraud vector. In Nigeria, voice fraud — particularly impersonation of bank officials, government agencies, and telco customer service — remains a primary delivery mechanism for financial fraud. Fraudsters operating voice-based attacks require a phone number that is not yet flagged; TIRMS creates an operational cost by compressing the useful lifespan of any given fraud number.
The enforcement mechanism is direct. Licensed telcos that fail to implement TIRMS connectivity face NCC sanctions under the Nigerian Communications Act — sanctions that have teeth. MTN Nigeria was fined ₦1 trillion in 2015 for SIM registration non-compliance, a figure eventually negotiated to ₦330 billion. The precedent for large-scale operator enforcement is established.
Whether subscribers can see TIRMS flags before answering depends on handset and operator implementation. The NCC circular mandates network-level propagation; the consumer-facing display layer is operator-determined. Industry implementation is uneven at launch — a gap the NCC has acknowledged and set a six-month harmonisation window to address.
The enforcement gap
TIRMS covers the telephone number layer. It cannot see what happens after the call connects. The moment a subscriber is deceived into initiating a bank transfer, the fraud moves into the financial system — where TIRMS has no jurisdiction, no data feed, and no visibility.
The CBN’s AI AML circular covers the financial transaction layer. It can see anomalous transfer patterns, flag suspicious beneficiary accounts, and trigger real-time transaction holds. It cannot see the phone call that preceded the transfer, the scam number that originated the deception, or the telco infrastructure the fraud network used to deliver it.
“The infrastructure gap is architectural,” said Gbenga Adeyinka, co-founder of Cybervergent, a Lagos-based cybersecurity firm that raised $3 million in early 2026 and works with financial institutions on fraud infrastructure. “TIRMS and CBN AML are looking at different cross-sections of the same attack. A coordinated system would allow a flagged number in TIRMS to automatically trigger elevated scrutiny on any transaction initiated by the call recipient in the next 30 minutes. That handoff does not currently exist.”
The USSD dispute of 2020 — when CBN and NCC issued conflicting instructions to telcos and banks over mobile money service suspension — established that both regulators can act on overlapping infrastructure simultaneously without coordinating the operational consequences. TIRMS going live while CBN AML infrastructure is being mandated in parallel represents the same pattern at higher stakes: two regulators, one fraud crisis, separate systems.
Operator compliance reality
For MTN, Airtel, Glo, and 9mobile, TIRMS activation is not optional and is not technically complex. The NCC circular specifies an API integration standard that all four major operators have the engineering capacity to implement. The compliance cost is operational rather than capital — connecting existing network management infrastructure to the TIRMS classification feed, building a flagged-number display layer for subscribers, and establishing incident reporting back to the NCC.
The more consequential compliance question is data quality. TIRMS is only as effective as its number classification database. If the fraud number corpus is incomplete, stale, or manipulated — and fraud networks will attempt to game any classification system — the consumer-facing flag becomes unreliable. A subscriber who sees too many false positives stops trusting the flag. A subscriber who sees the flag only after a number has already been cycled out of service receives information that is accurate but useless.
NCC has not published the classification methodology, update frequency, or audit standards for the TIRMS database. That information gap is the operational risk in the system — and it is one that the regulator needs to address in the harmonisation period.
The coordination ask
The structural improvement available here is not technically difficult. A shared fraud signal exchange — allowing a TIRMS-flagged number to automatically populate a watch list in the CBN’s AML reporting infrastructure — would create a detection handoff that neither system can provide alone. The CBN already has mandatory reporting obligations for fraud-linked transactions. Adding TIRMS flag status as a classification dimension in that reporting architecture would cost both regulators a single integration point.
The obstacle is institutional. NCC and CBN are separate regulators with separate mandates, separate enforcement jurisdictions, and separate political relationships with the Ministry of Communications and Finance. Joint infrastructure requires joint governance, and joint governance requires a coordination mechanism that neither circular establishes or anticipates.
Nigeria has TIRMS. Nigeria has CBN AI AML. Together they cover the phone layer and the money layer of the dominant fraud delivery mechanism in the country. That is better than most African markets have. It is not as good as a coordinated system would be — and the gap between adequate and optimal is being measured, right now, in successful fraud transactions that neither system can see.
Related reading: CBN AI/AML Baseline Standards: The Compliance Mandate Reshaping Nigeria’s Fintech Stack (BETA-624); CBN AML AI Market: African Regtech Startups Positioned to Win (BETA-1074)
UphivaBETAR
Joseph Busari
