The regulatory reality: No more offshore switching
Historically, a Nigerian fintech could build its entire infrastructure on AWS in London (eu-west-1) or Google Cloud in Virginia. A customer in Lagos would swipe a PoS terminal, the transaction would be routed to a server in London for authorization against a database in Ireland, and the response would travel back to Lagos.
The Central Bank of Nigeria has unequivocally closed this loophole. For domestic transactions (a Nigerian card used on a Nigerian terminal), the data must be switched, processed, and stored locally. The deadline is rigid, and the penalties for non-compliance include the suspension of operating licenses.
The Hybrid Cloud dilemma: Security in a split architecture
Very few fintechs are moving their entire stack to Nigeria. Instead, they are adopting a Hybrid Cloud architecture. Non-critical workloads (marketing websites, analytics, user frontends) remain on AWS, while the core payment ledger and ISO 8583 switching engines are migrated to local Tier III data centers like MainOne, Rack Centre, or Galaxy Backbone.
This split architecture is a nightmare to secure if not engineered correctly.
1. The Interconnect Vulnerability
How does your frontend in AWS securely talk to your ledger in Lagos? If you expose the local ledger API directly to the public internet, you will be breached. You must establish a highly monitored, IPsec Site-to-Site VPN or a dedicated physical interconnect.
2. Loss of Managed Cloud Security
In AWS, encrypting a database at rest takes one click. In a local colocation facility using bare-metal servers, you have to manually configure LUKS encryption, manage your own KMS (Key Management Service), and handle key rotation yourself.
3. Split Identity Management
Do your DevOps engineers use the same credentials to access the AWS servers and the local bare-metal servers? Without centralized IAM (Identity and Access Management), managing access revocation when an employee leaves becomes impossible, opening the door to insider threats.
Architecting for local security
To maintain a high security posture while complying with CBN localization, engineering teams must implement the following architectural controls:
Zero Trust across the Hybrid Bridge
Assume the VPN tunnel connecting your offshore cloud and your local data center will eventually be compromised. Implement Mutual TLS (mTLS) for all service-to-service communication crossing that bridge. An AWS-hosted microservice must cryptographically prove its identity to the locally hosted ledger before any data is exchanged.
Hardware Security Modules (HSM) for local PIN processing
If your local infrastructure is now processing raw PoS data, you are handling encrypted PIN blocks. You cannot decrypt or translate these PIN blocks in software memory; you must deploy physical Hardware Security Modules (HSMs) in your local rack. Ensure these HSMs are FIPS 140-2 Level 3 certified and strictly segregated on an isolated VLAN.
Unified Security Logging (SIEM Integration)
When an attack occurs, the attacker will often probe the AWS frontend before pivoting to the local infrastructure. If your AWS logs and your local data center logs are kept in separate silos, your SOC team will never piece the attack together. You must forward all logs to a centralized, immutable SIEM.
Is your hybrid cloud architecture exposing your core ledger to attack?
Book an Architecture ReviewValidating the local infrastructure
The CBN will not take your word that your local deployment is secure. You must mathematically prove it.
- Pre-Migration Architecture Review: Do not buy local server hardware until a security engineer has reviewed your network topology. It is vastly cheaper to fix a firewall rule on a whiteboard than in a live data center.
- Internal Network Penetration Testing: Once deployed, commission an internal penetration test. The tester should simulate an attacker who has bypassed the external firewall and is sitting on the local data center network. Can they reach the HSM? Can they query the database?
- Physical Security Audit: While Tier III data centers have excellent physical security, you must still audit who has "Remote Hands" access to your specific rack, and ensure your servers have physical chassis intrusion detection enabled.
Data Localization does not mean "Less Security"
A common misconception is that moving data to Nigeria inherently lowers its security. This is false. A well-architected local deployment utilizing Kubernetes, strict network policies, and proper secrets management can be just as secure as an AWS deployment. The difference is entirely in the capability of your DevOps and security teams to manage the infrastructure themselves.
Frequently asked questions
What is the CBN data localization directive?
The Central Bank of Nigeria (CBN) mandates that Point of Sale (PoS) and all domestic payment transaction data must be routed, processed, and stored locally within Nigeria. It strictly prohibits routing domestic transactions outside the country for processing.
Can a Nigerian fintech still use AWS or Google Cloud?
Yes, but with strict architectural constraints. While you can host non-core application logic on foreign cloud regions (like AWS eu-west-1), the actual core payment processing, switching, and the databases holding the domestic transaction ledgers must reside in a physical data center located within Nigeria's borders.
What are the security risks of migrating to local Nigerian data centers?
Many local data centers lack the managed security services built into AWS or Azure (like automated IAM, managed WAFs, and one-click encryption at rest). You are moving from a 'managed security' model to a 'shared responsibility' or 'do-it-yourself' security model, drastically increasing the burden on your internal DevOps team.
How do we prove compliance to the CBN?
Compliance is proven through a combination of physical data center certifications (Tier III/IV), network architecture diagrams showing local switching, and independent security audits (penetration testing and architecture reviews) validating that the local infrastructure is secure.
Related reading
Blog: CBN CSAT Compliance · Microservices Security
Guides: CBN Compliance Guide · Fintech Security Checklist
Services: Secure Architecture Review · Penetration Testing