The Role of Financial Institutions in AML/CFT Compliance: Between Regulatory Burden and Risk-Based Approach

Abstract

This article examines the role of financial institutions in Nigeria’s anti-money laundering (AML) and counter-financing of terrorism (CFT) framework, focusing on the application of the Risk-Based Approach (RBA). While Nigeria has adopted robust laws that align with international standards set by bodies like the FATF, the implementation of RBA remains inconsistent. The article explores regulatory burdens, institutional challenges, and limited capacity as key obstacles to effective RBA adoption. It concludes with practical recommendations for policymakers, regulators, and financial institutions to harmonize compliance with risk sensitivity and enhance overall AML/CFT effectiveness.

Keywords: Anti-Money Laundering, Risk-Based Approach, Regulatory Compliance, Terrorism Financing.

Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) refer to two closely linked regulatory regimes established to curb the flow of illicit funds and prevent the misuse of the financial system worldwide.[1] AML refers to the legal and institutional framework implemented by financial institutions and various other entities to identify and prohibit the conversion of illegal obtained funds into superficially legitimate assets. This process known as money laundering typically involves concealing the true origin of proceeds from criminal activities.[2] CFT on the other hand, while complementary to AML, focuses specifically on detecting and disrupting the movement of funds intended to support terrorist operations. It involves identifying sources of terrorist financing, freezing suspicious assets, and breaking the financial networks that facilitate terrorism.[3] Despite targeting different risks, both AML and CFT initiatives aim to increase transparency in financial dealings, ensure that institutions conduct proper risk assessments, and require the prompt reporting of irregular or suspicious transactions to designated authorities.

Financial institutions occupy a central position in the fight against money laundering and terrorist financing. As gatekeepers of the financial system, they are uniquely positioned to detect, monitor, and report suspicious transactions that may indicate illicit financial activity. Through mechanisms such as Know Your Customer (KYC), Customer Due Diligence (CDD), and Suspicious Transaction Reports (STRs), they serve as the first line of defence in identifying and disrupting criminal financial flows. Their compliance efforts not only uphold regulatory requirements but also help safeguard national and global financial integrity.

However, financial institutions face a persistent dilemma in navigating the demands of AML/CFT compliance. On one hand, they must adhere to stringent regulatory obligations that require comprehensive reporting, customer verification, and record-keeping. On the other hand, the adoption of the risk-based approach (RBA) calls for flexibility, allowing institutions to tailor their controls based on the specific risks associated with different clients or transactions. Striking this balance is often challenging as over-compliance can lead to inefficiency and increased operational costs, while under-compliance exposes institutions to regulatory sanctions and reputational damage.

The purpose of this article is to critically examine the role of financial institutions in Nigeria’s AML/CFT regime, with a focus on the tension between meeting stringent regulatory obligations and implementing a risk-based approach to compliance. It seeks to explore how financial institutions can effectively detect and prevent illicit financial flows while managing regulatory burdens and operational risks. Ultimately, the article aims to propose a balanced path forward that strengthens compliance without compromising efficiency or innovation.

The AML/CFT Legal and Regulatory Framework in Nigeria

Nigeria’s approach to combating money laundering and terrorism financing is anchored in a robust legal and institutional structure. The country has put in place a wide-ranging set of laws and regulations designed to align with global AML/CFT standards, particularly those of the Financial Action Task Force (FATF). The principal legislative instruments and oversight bodies include:

Money Laundering (Prevention and Prohibition) Act, 2022.

The Money Laundering (Prevention and Prohibition) Act, 2022 serves as the foundation for Nigeria’s AML regime. This Act, which has been amended over time to improve its effectiveness, outlines measures for identifying and preventing money laundering. It places obligations on financial institutions and certain non-financial businesses to verify their customers’ identities and report suspicious transactions to the Nigerian Financial Intelligence Unit (NFIU). It also provides for penalties, including fines and imprisonment, for individuals or organizations involved in money laundering. Additionally, the law mandates that institutions carry out customer due diligence to detect and prevent illegal financial activity.[4]

Terrorism (Prevention) Act, 2011 (as amended)

This legislation addresses the financing of terrorism and works in tandem with the Money Laundering Act. It prohibits providing or collecting funds intended for terrorist purposes and mandates financial institutions to identify and mitigate the risk of terrorism financing. The Act compels enhanced scrutiny of high-risk individuals and transactions potentially linked to terrorist activities.[5]

Nigerian Financial Intelligence Unit (NFIU)

The NFIU serves as Nigeria’s central agency for financial intelligence. It collects, processes, and disseminates information on suspicious financial activities to relevant domestic and international authorities. As a key player in AML/CFT enforcement, the NFIU collaborates with the EFCC, law enforcement bodies, and financial institutions to trace illicit funds and dismantle financial crime networks.[6] Recent upgrades in technological infrastructure and data-sharing protocols have improved the NFIU’s ability to detect and track suspicious financial behaviour, positioning it as a crucial stakeholder in both domestic and cross-border AML/CFT efforts.

The Economic and Financial Crimes Commission (EFCC)

The EFCC is Nigeria’s main law enforcement agency tasked with investigating and prosecuting financial crimes. It works hand-in-hand with the NFIU to ensure compliance with AML/CFT regulations and prosecute offenders involved in financial misconduct, including corruption, fraud, and money laundering.[7]

Central Bank of Nigeria (CBN)

As the principal regulator of Nigeria’s financial system, the CBN is tasked with ensuring that banks and other financial institutions maintain robust internal controls and comply with AML/CFT requirements. It issues regulatory guidelines, monitors implementation, and enforces penalties for non-compliance.

The CBN plays a vital regulatory role by issuing AML guidelines to banks and other financial institutions. These guidelines require the use of risk-based approaches to assess customer risk and ensure the monitoring of suspicious activity. The CBN also provides detailed instructions on verifying customer identities and filing reports.

In addition to these five (5) regulators, there are also laws such as the Banks and Other Financial Institutions Act 2020, Advance Fee Fraud and other related offences Act 2006, Independent Corrupt Practices and other related Offence Commission Act 2000, Code of Conduct Bureau Act 2004, Terrorism Prevention (Freezing of International Terrorists Funds and Other Related Measures) Regulations 2013, etc.[8]

There are also institutions such as: the Independent Corrupt Practices Commission (ICPC) and the Code of Conduct Bureau (CCB), law enforcement agencies (LEAs) such as the National Drug Law Enforcement Agency (NDLEA), National Intelligence Agency (NIA),Department of State Services (DSS), Nigeria Police Force (NPF), Nigeria Customs Service (NCS), Nigeria Security and Civil Defense Corps (NSCDC), Nigeria Immigration Service (NIS), National Agency for the Prohibition of Trafficking in Persons (NAPTIP) and all other agencies established by law to tackle the 21 predicate offences of money laundering.[9]

Nigeria’s international obligations on AML/CFT compliance stem from its membership and cooperation with key global and regional bodies, particularly the Financial Action Task Force (FATF) and the Inter-Governmental Action Group against Money Laundering in West Africa (GIABA). As a GIABA member state, Nigeria is committed to implementing FATF’s 40 Recommendations, which provide a global standard for combating money laundering, terrorist financing, and the financing of proliferation. These obligations require Nigeria to enact effective laws, ensure institutional coordination, promote international cooperation, and conduct regular mutual evaluations. Compliance with these standards enhances Nigeria’s financial system integrity, facilitates cross-border transactions, and protects the country from being blacklisted or subjected to economic sanctions.[10]

The Regulatory Burden on Financial Institutions.

Regulatory burden refers to the cumulative cost, effort, and administrative complexity that organizations, such as financial institutions, face in complying with laws, regulations, and oversight requirements imposed by government authorities or regulatory bodies. Financial institutions face a significant regulatory burden due to the extensive compliance requirements imposed by national and international standards. These obligations include customer due diligence (CDD), know-your-customer (KYC) checks, ongoing transaction monitoring, record-keeping, and the timely filing of Suspicious Transaction Reports (STRs) to agencies like the Nigerian Financial Intelligence Unit (NFIU).[11]

This burden is further compounded by frequent updates to AML/CFT laws, increasing regulatory expectations, and the risk of severe penalties for non-compliance. Financial institutions must invest heavily in compliance infrastructure, such as specialized personnel, training programs, and technology systems to meet these expectations. Smaller institutions, in particular, may struggle with the cost and complexity of full compliance, leading to concerns about operational efficiency and profitability.[12]

Moreover, the fear of regulatory sanctions can lead to a practice known as defensive reporting, where institutions over-report suspicious activity to avoid liability, often overwhelming regulators with low-quality data. In effect, while the regulatory framework is designed to protect the financial system, the resulting burden can hinder innovation, reduce access to financial services, and divert resources from core business operations.

For example, under the Money Laundering (Prevention and Prohibition) Act, 2022 and CBN AML/CFT Regulations, financial institutions are required to verify customer identity before account opening; obtain detailed information such as utility bills, BVN, occupation, and source of funds; re-verify existing customer information periodically, etc. This process is costly and time-consuming, especially for banks operating in rural or underserved areas. Section 11 of the Money Laundering Act provides that transactions exceeding ₦5,000,000 (for individuals) or ₦10,000,000 (for corporate bodies) are to be reported to the Special Control Unit against Money Laundering Banks and other financial institutions are also required to file Suspicious Transaction Reports (STRs) and Currency Transaction Reports (CTRs) with the Nigerian Financial Intelligence Unit (NFIU). Failure to comply can result in fines or regulatory sanctions, leading some institutions to engage in defensive over-reporting, which strains both the institutions and regulators.[13]

The Central Bank of Nigeria (CBN) mandates all banks to appoint a dedicated Chief Compliance Officer (CCO). Banks are also expected to set up AML/CFT units with trained personnel, conduct regular staff training and maintain audit trails.[14] These requirements impose additional staffing, training, and operational costs on institutions, particularly smaller microfinance banks or fintech companies. CBN, NFIU, and other regulators frequently carry out onsite and offsite compliance examinations. Banks must prepare documentation, respond to queries, and may be required to make remedial changes under tight deadlines. This diverts resources from customer service or business innovation to compliance and documentation tasks.

In order to comply with AML/CFT record-keeping requirements (e.g., keeping customer data and transaction logs for at least 5 years), institutions must invest in secure digital databases, transaction monitoring systems and automated reporting software. Such systems are expensive to acquire, maintain, and constantly update, especially as regulators adopt stricter standards aligned with FATF recommendations.

All these and many more are examples of how AML/CFT compliance, while essential, places a heavy regulatory load on Nigerian financial institutions.

The Risk-Based Approach (RBA) to AML/CFT

The Risk-Based Approach (RBA) is a strategic method that allows financial institutions to allocate their AML/CFT resources more effectively by identifying and prioritizing higher-risk customers, transactions, and services.[15] Rather than applying uniform controls across all areas, the RBA encourages institutions to assess the level of risk and apply proportionate measures based on that assessment. The Financial Action Task Force (FATF) endorses the RBA as a core component of its 40 Recommendations, emphasizing that countries and institutions should identify, assess, and understand the risks of money laundering and terrorist financing, and take appropriate actions in line with those risks.

The Risk-Based Approach to AML/CFT can be classified into 4 categories;

1. Risk Identification: The first stage in the Risk-Based Approach is identifying potential threats across various aspects of a financial institution’s operations. This includes understanding who the customers are, where they are from, how they conduct transactions, and what services or products they use. For instance, clients involved in high-risk industries or located in countries known for weak anti-money laundering enforcement may present greater risks. Similarly, products like anonymous transfers or services accessed through digital platforms can raise concerns. Recognizing these risks early allows institutions to focus their efforts on the areas most likely to be exploited for financial crimes.[16]
2. Risk Assessment: After risks have been identified, the next step is to assess how serious they are. This involves looking at how likely a risk is to occur and the damage it could cause. Institutions often use a mix of data analysis and expert judgment to rate risks as low, medium, or high. They also examine unusual transaction patterns and consider how their own internal practices align with national and international standards. This step is crucial for ensuring that resources are used effectively—paying closer attention to higher risks while avoiding overburdening low-risk areas with unnecessary checks.[17]
3. Risk Mitigation: Once risks are evaluated, financial institutions must take steps to reduce them in a way that is proportionate and practical. This means applying stronger checks, such as enhanced due diligence, to high-risk clients or transactions, while simplifying procedures for those that pose minimal risk. It also includes using technology to track and flag suspicious activity and ensuring that clients are not listed on sanctions databases or linked to politically exposed persons without proper review. These tailored controls help strike a balance between strong compliance and smooth operations.[18]
4. Continuous Monitoring & Adaptive Response: Lastly, AML/CFT risks are not static, they change with time, technology, and global trends. As such, financial institutions must continuously monitor their systems and update them as new risks emerge. This involves regularly reassessing customer profiles, conducting compliance audits, and using tools like artificial intelligence to detect new threats early. Institutions must also remain alert and ready to report suspicious transactions to the appropriate authorities. By maintaining this ongoing vigilance, they can stay ahead of evolving risks and remain compliant with regulatory expectations.[19]

There are many advantages to the Risk Based Approach;

1. It makes anti-money laundering efforts more effective by helping institutions focus directly on the activities that pose the greatest risk.
2. It optimizes resource allocation, ensuring that the cost of compliance matches the level of risk involved.
3. It strengthens regulatory alignment. By following this approach, financial institutions are more likely to meet regulatory expectations and avoid penalties.
4. It enhances proactive risk mitigation by allowing institutions to respond quickly and adjust their systems as new financial crime threats emerge.[20]

In Nigeria, the Central Bank of Nigeria (CBN) and the Nigerian Financial Intelligence Unit (NFIU) have adopted the RBA in line with FATF standards. Regulations such as the CBN AML/CFT Regulations, 2022 require financial institutions to establish an AML/CFT risk management framework, categorize customers by risk level (e.g., low, medium, high), document the rationale behind risk categorization and actions taken and review risk profiles periodically.

However, while the RBA is practical in theory, many Nigerian financial institutions struggle with challenges such as lack of reliable data and tools for accurate risk assessment, limited AML/CFT expertise and training, and regulatory pressure that often favors rigid rule-based compliance over flexible risk-based judgment. Thus, while RBA represents a shift from a one-size-fits-all compliance model to a more targeted, effective, and intelligent method of managing AML/CFT risks, there are challenges to its successful implementation.

Regulatory Burden and Challenges to RBA Implementation in Nigeria.

The implementation of the Risk-Based Approach (RBA) in Nigeria faces several challenges, largely due to the heavy regulatory burden placed on financial institutions. While both the Financial Action Task Force (FATF) and the Central Bank of Nigeria (CBN) endorse the RBA as a smarter, more efficient way to fight money laundering and terrorist financing, many Nigerian institutions still struggle to apply it effectively.

A key reason for this is the complex web of regulations and compliance obligations that institutions must follow. Financial institutions are required to carry out extensive customer due diligence, report suspicious transactions, maintain detailed records, and conduct regular audits. These tasks can be overwhelming, especially for small and medium-sized banks or fintech companies with limited resources. Many institutions, to avoid penalties or regulatory sanctions, often adopt a blanket, rules-based approach, treating all customers the same regardless of risk, just to “tick the boxes” and show compliance. This defeats the purpose of RBA, which is supposed to allow for flexibility and focus on high-risk areas.

Another issue is the lack of technical capacity and skilled personnel.[21] Implementing RBA requires strong internal systems, data analytics tools, and trained compliance officers who can interpret risk indicators and make sound decisions. Unfortunately, many Nigerian financial institutions lack these resources. As a result, they rely on outdated manual methods or default to rigid policies that do not reflect actual risk levels.

A real-life example is the 2020 sanction of several Nigerian banks by the CBN for failing to comply with AML/CFT requirements.[22] Investigations showed that some of these banks did not conduct proper risk assessments and instead applied the same level of scrutiny to all clients. In some cases, high-risk customers went unnoticed due to weak internal controls.

Thus, while the RBA is a valuable tool, Nigerian institutions face serious regulatory and operational challenges that hinder its full adoption. Until these issues are addressed true risk-based compliance will remain out of reach for many.

Solutions/Recommendations.

To ensure a more effective and balanced AML/CFT regime in Nigeria, it is essential to harmonize regulatory compliance with risk sensitivity. This requires a collaborative effort from policymakers, financial institutions, and regulators, each playing a distinct role in shaping a system that not only meets international standards but also functions practically within Nigeria’s financial environment.

Policymakers;

1. Improve coordination between agencies like the CBN, EFCC, and NFIU to streamline national efforts and reduce redundancy.
2. Enhance the NFIU’s operational capacity to deliver timely intelligence and support to financial institutions.
3. Update legal frameworks to support flexible, risk-based compliance rather than rigid, low-impact obligations.

Financial Institutions;

1. Invest in modern technologies for risk assessment and automated transaction monitoring to detect suspicious activities more effectively.
2. Utilize typologies and red flags from the NFIU to refine internal controls.
3. Ensure continuous, practical training for compliance officers on implementing risk-based approaches in daily operations.

Regulators;

1. Shift from checklist-based audits to assessments that evaluate the real-world effectiveness of institutions’ risk management.
2. Provide constructive feedback on the quality of Suspicious Transaction Reports (STRs) and overall risk-handling practices.

In summary, achieving harmony between compliance and risk sensitivity requires reforms at every level. By modernizing laws, improving coordination, and encouraging practical, risk-focused actions, Nigeria can build a more agile and effective AML/CFT system.

While Nigeria has made notable progress in aligning with global AML/CFT standards, the effective implementation of the Risk-Based Approach remains limited due to regulatory burdens, weak institutional coordination, and capacity gaps. Financial institutions often struggle to balance strict compliance obligations with meaningful risk management. However, by adopting a more collaborative, flexible, and intelligence-driven framework—one that prioritizes risk sensitivity over mere formal compliance—Nigeria can enhance the effectiveness of its AML/CFT regime. A well-harmonized system will not only improve financial integrity but also foster trust and efficiency in the country’s financial sector.

Reference(S):

21 Analytics, ‘Anti-Money Laundering (AML) & Counter-Terrorism Financing (CFT)’ <https://www.21analytics.ch/glossary/anti-money-laundering-aml-counter-terrorism-financing-cft/> accessed 11 June 2025.

Business Day, Hope Moses-Ashike, ‘29 Banks Fined N15bn for Anti-Money Laundering, Counter-Terrorism Violations’ Business Day (Nigeria, 30 November 2024).

Central Bank of Nigeria, Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions Regulations 2022.

Keshinro E and Odeleye F, ‘Legal Framework and Strategies for Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) Compliance in Nigeria’ <https://www.mondaq.com/nigeria/money-laundering/1596658/legal-framework-and-strategies-for-anti-money-laundering-aml-and-counter-terrorist-financing-ctf-compliance-in-nigeria#:~:text=Regulatory%20Framework%20for%20AML%20and%20CTF%20in%20Nigeria&text=AML/CTF%20compliance%20is%20essential,and%20other%20pertinent%20financial%20information.> accessed 11 June 2025.

National (Money Laundering & Terrorist Financing) Risk Assessment Forum, Nigeria Anti-Money Laundering and Combating the Financing of Terrorism National Strategy 2018–2020 <https://www.scuml.org/wp-content/uploads/2019/08/NIGERIA-AMLCFT-NATIONAL-STARTEGY-DOCUMENT.pdf> accessed 11 June 2025.

Neotas, ‘Risk-Based Approach (RBA) to AML & KYC Risk Management’ <https://www.neotas.com/risk-based-approach-rba/> accessed 11 June 2025.

Sanctions.io, ‘Anti-Money Laundering (AML) in Nigeria: A 2025 Guide’ <https://www.sanctions.io/blog/anti-money-laundering-aml-in-nigeria-a-2025-guide> accessed 11 June 2025.

Sanctions.io, ‘Guide: Anti-Money Laundering (AML) Compliance in Nigeria’ <https://www.sanctions.io/blog/guide-anti-money-laundering-aml-compliance-in-nigeria#:~:text=5.,in%20addition%20to%20money%20laundering.> accessed 11 June 2025.

Sowunmi T, Olayemi R and Abolaji V, ‘Compliance Imperatives: What Financial Institutions Should Know About the Nigerian Financial Unit Suspicious Transaction Reporting Guidelines’ <https://www.mondaq.com/nigeria/money-laundering/1572568/compliance-imperatives-what-financial-institutions-should-know-about-the-nigerian-financial-unit-suspicious-transaction-reporting-guidelines#:~:text=STRs%20are%20to%20be%20submitted,1.> accessed 11 June 2025.

[1] 21 Analytics, “Anti-Money Laundering (AML) & Counter-Terrorism Financing (CFT)” < https://www.21analytics.ch/glossary/anti-money-laundering-aml-counter-terrorism-financing-cft/ > assessed June 11, 2025.

[2] Ibid.

[3] Ibid.

[4] Sanctions.io, “Anti-Money Laundering (AML) in Nigeria: A 2025 Guide” < https://www.sanctions.io/blog/anti-money-laundering-aml-in-nigeria-a-2025-guide > accessed June 11, 2025.

[5] Ibid.

[6] Ibid.

[7] Sanctions.io, “Guide: Anti-Money Laundering (AML) Compliance in Nigeria” < https://www.sanctions.io/blog/guide-anti-money-laundering-aml-compliance-in-nigeria#:~:text=5.,in%20addition%20to%20money%20laundering. > accessed June 11, 2025.

[8]The National (Money Laundering & Terrorist Financing) Risk Assessment Forum, “Nigeria Anti Money Laundering and Combating the Financing of Terrorism National Strategy 2018 – 2020” < https://www.scuml.org/wp-content/uploads/2019/08/NIGERIA-AMLCFT-NATIONAL-STARTEGY-DOCUMENT.pdf > accessed June 11, 2025.

[9] Ibid.

[10] Ibid.

[11] E. Keshinro, F. Odeleye, “Legal Framework And Strategies For Anti-Money Laundering (AML) And Counter-Terrorist Financing (CTF) Compliance In Nigeria” < https://www.mondaq.com/nigeria/money-laundering/1596658/legal-framework-and-strategies-for-anti-money-laundering-aml-and-counter-terrorist-financing-ctf-compliance-in-nigeria#:~:text=Regulatory%20Framework%20for%20AML%20and%20CTF%20in%20Nigeria&text=AML/CTF%20compliance%20is%20essential,and%20other%20pertinent%20financial%20information. > accessed June 11, 2025.

[12] Ibid.

[13] T. Sowunmi, R. Olayemi, V. Abolaji, “Compliance Imperatives: What Financial Institutions Should Know About The Nigerian Financial Unit Suspicious Transaction Reporting Guidelines” < https://www.mondaq.com/nigeria/money-laundering/1572568/compliance-imperatives-what-financial-institutions-should-know-about-the-nigerian-financial-unit-suspicious-transaction-reporting-guidelines#:~:text=STRs%20are%20to%20be%20submitted,1. > accessed June 11, 2025.

[14] Central Bank of Nigeria (Anti-Money Laundering, Combating the Financing of Terrorism and Countering Proliferation Financing of Weapons of Mass Destruction in Financial Institutions) Regulations, 2022.

[15] Neotas, “Risk-Based Approach (RBA) to AML & KYC risk management” < https://www.neotas.com/risk-based-approach-rba/ > assessed June 11, 2025.

[16] Ibid.

[17] Ibid.

[18] Ibid.

[19] Neotas, “Risk-Based Approach (RBA) to AML & KYC risk management” < https://www.neotas.com/risk-based-approach-rba/ > assessed June 11, 2025.

[20] Ibid.

[21] Ibid.

[22] Hope Moses-Ashike, “29 banks fined N15bn for anti-money laundering, counter-terrorism violations” Business Day (Nigeria, 30 November 2024).