CBN Directs Banks to Refund App Fraud Victim in 48 Hours
UPDATED: The Central Bank of Nigeria (CBN) has unveiled draft guidelines that could compel banks and other financial institutions to reimburse victims of Authorised Push Payment (APP) fraud within 48 hours after investigations are concluded.
APP fraud is a type of scam where the victim voluntarily sends money to a fraudster because they are tricked, persuaded or manipulated into doing so. Unlike traditional hacking, the victim’s account is not stolen or hacked; the victim authorises the payment themselves, but under false pretences.
Because the victim authorises the transaction, traditional fraud protections do not always cover APP scams, which is why the CBN’s proposed 48-hour refund rule is significant, as it ensures that victims can be reimbursed quickly once the bank confirms the fraud.
The draft, released on November 26, 2025, represents one of the most robust consumer-protection measures introduced by the apex bank amid rising cases of social-engineering scams and payment manipulation across Nigeria’s financial system.
According to the guidelines, financial institutions will be required to conclude investigations into reported APP fraud cases within 14 working days.
Once an investigation is finalised and the customer qualifies, the bank must issue reimbursement within 48 hours. The CBN warned that institutions failing to detect suspicious account activity or freeze fraudulent proceeds will bear full financial liability.
The draft framework emphasises that APP fraud differs from typical account compromises because victims are deliberately convinced or manipulated into authorising transfers themselves.
These scams often involve impersonation, deception, emotional pressure, or fraudulent investment schemes, forms of fraud that have become increasingly sophisticated with the rise of digital payments.
“The draft is aimed at strengthening trust in Nigeria’s digital-payments ecosystem, where instant transfers dominate retail transactions,” the CBN stated. Comments on the draft guidelines are expected within three weeks before final rules are issued.
To reinforce bank accountability, the guidelines introduce extensive governance requirements. Boards of financial institutions must approve new fraud-risk policies and oversee all aspects of APP-fraud prevention, detection, escalation, investigation, and post-incident review.
Banks are also required to maintain Early Warning Systems capable of identifying high-risk transactions based on behavioural patterns, unusual inflows or outflows, repeated fraud complaints, previously flagged accounts, and market-intelligence indicators.
Dedicated fraud analytics units must document red-flag triggers, strengthen internal controls, and update detection frameworks regularly.
For cases involving multiple banks, the originating institution must begin investigations immediately and notify other involved institutions within 30 minutes of receiving the complaint.
Where institutions fail to conclude investigations within the 14-day period, cases will be transferred to the CBN’s Consumer Protection and Financial Inclusion Department, which will issue binding decisions. Institutions that fail to freeze fraudulent proceeds or whose weak systems allow such funds to pass through will bear full financial responsibility.
The guidelines also set clear eligibility conditions. Victims must have authorised transactions under false pretences without reasonable suspicion of fraud, report incidents within 72 hours, and cooperate fully with investigations.
Exceptions for delayed reporting include illness, force majeure, security concerns, or unavailability of reporting channels. Banks are required to provide 24/7 reporting platforms, including hotlines, mobile apps, USSD channels, email, and in-branch reporting stations.
The CBN emphasised the importance of consumer awareness, mandating quarterly fraud-education campaigns in multiple languages across various platforms. The guidelines also clarify cost-sharing rules: if neither bank is at fault but the customer qualifies, the reimbursement must be split equally. All data handling must comply with the Nigeria Data Protection Act 2023. Dangote Cement Gains 10% in Fresh Rally
