What CBN's cybersecurity framework actually says about penetration testing

The CBN Risk-Based Cybersecurity Framework and Assessment Methodology (RBCF) applies to all CBN-licensed financial institutions. Section 4.5 of the framework addresses technical security testing and specifies that licensed entities must conduct regular independent vulnerability assessments and penetration testing of all systems that process, store, or transmit customer financial data. The framework defines "independent" as testing conducted by a party that is not part of the institution's internal IT or security team.

CBN examiners who conduct IT Risk Assessments (ITRAs) specifically request the following documentation: the most recent penetration test report including the date of testing, scope definition, methodology used, findings with severity ratings, and evidence of remediation for critical and high findings. An undated or internally produced report will not satisfy the examiner's documentation requirement.

Licence categories and their specific obligations

Different CBN licence categories carry different examination cadences and documentation requirements:

What the examination documentation must include

Based on our experience supporting Nigerian fintechs through CBN IT examinations, the penetration test report that satisfies an examiner must include:

Timing your penetration test relative to the CBN examination cycle

CBN conducts ITRAs throughout the year, typically notifying an entity 2 to 4 weeks before the examination date. If your most recent penetration test is more than 12 months old when the examination notice arrives, you are already out of compliance. We recommend completing your annual test no later than the 10-month mark after your previous test — giving you a two-month buffer for remediation and re-testing before the next examination window.

The test must also cover any significant system changes made since the previous test. A common mistake is to conduct the annual test in January and then launch a new payment product in August. The new product has never been tested. A CBN examiner who learns about the August launch will ask for testing evidence specific to the new product.

What we test for CBN licence holders

Our CBN compliance penetration tests follow the scope that satisfies RBCF documentation requirements. For a typical PSSP or MMO, this covers: the consumer-facing mobile application (Android and iOS), the web application and merchant dashboard, the payment API (REST and ISO 8583 where applicable), the cloud infrastructure (AWS, GCP, or Azure), the admin panel and internal tools, and the third-party integrations (NIBSS, card scheme processors, BaaS banking partners).

Engagement note from a CBN ITRA preparation

Entity had not tested its merchant API in 18 months

A Nigerian PSSP engaged us three weeks before a scheduled CBN IT examination. Their last penetration test had been conducted 18 months earlier and covered only the consumer mobile app. In the intervening period, they had launched a merchant-facing API used by over 200 businesses to process payments. The merchant API had never been penetration tested. We conducted an expedited targeted assessment of the merchant API, identified two high-severity authorization vulnerabilities, supported the remediation team through fixes, and conducted a re-test confirming resolution — all within the 3-week window. The client presented the completed report to CBN examiners on examination day. CBN accepted the report and noted the remediation evidence in the examination findings.

CBN-licensed payment company? Book your annual penetration test and get a report structured to satisfy examiner documentation requirements.

Book a CBN Compliance Pentest

Frequently asked questions

Which CBN licences require penetration testing?

CBN's Risk-Based Cybersecurity Framework applies to all CBN-licensed entities including Payment Solution Service Providers (PSSPs), Mobile Money Operators (MMOs), Payment Terminal Service Providers (PTSPs), Switching and Processing companies, and Microfinance Banks. All of these are required to conduct annual penetration testing by an independent qualified third party.

What happens if CBN finds during an examination that we have not done a penetration test?

CBN examiners will issue a regulatory directive requiring remediation within a defined period, typically 30 to 90 days. Continued non-compliance can result in fines, licence suspension, or in severe cases, licence revocation. Beyond the regulatory consequence, the absence of a pentest report during an examination signals to the examiner that the entity's security governance is weak, which typically triggers a more thorough examination of other security controls.

Can our internal IT team conduct the penetration test for CBN compliance?

No. CBN's cybersecurity framework explicitly requires that penetration testing be conducted by an independent third party. An internal team cannot be considered independent. CBN examiners will ask whether the testing firm had access to your source code and internal systems (black-box vs grey-box vs white-box testing) and whether the testing firm is certified or qualified. A test conducted by the company's own staff will not satisfy the independence requirement.

How often must we test under CBN requirements?

Annual penetration testing is the baseline. However, CBN's framework also requires testing after significant system changes, major infrastructure migrations, and following security incidents. A launch of a new payment product or migration to a new cloud provider should trigger a targeted penetration test of the changed components, not just the next annual cycle.

Related reading

Blog: Preparing for a CBN IT examination · What CBN audits check · PCI DSS compliance in Nigeria

Services: Penetration testing · Vulnerability assessment