What CBN's cybersecurity framework actually says about penetration testing
The CBN Risk-Based Cybersecurity Framework and Assessment Methodology (RBCF) applies to all CBN-licensed financial institutions. Section 4.5 of the framework addresses technical security testing and specifies that licensed entities must conduct regular independent vulnerability assessments and penetration testing of all systems that process, store, or transmit customer financial data. The framework defines "independent" as testing conducted by a party that is not part of the institution's internal IT or security team.
CBN examiners who conduct IT Risk Assessments (ITRAs) specifically request the following documentation: the most recent penetration test report including the date of testing, scope definition, methodology used, findings with severity ratings, and evidence of remediation for critical and high findings. An undated or internally produced report will not satisfy the examiner's documentation requirement.
Licence categories and their specific obligations
Different CBN licence categories carry different examination cadences and documentation requirements:
- Payment Solution Service Providers (PSSPs): Annual ITRA, quarterly vulnerability scanning, annual penetration test. This category includes payment gateway operators like Paystack and Flutterwave.
- Mobile Money Operators (MMOs): Annual ITRA, annual penetration test covering the mobile app, USSD interface, backend API, and cloud infrastructure. OPay, PalmPay, and Moniepoint operate under this licence.
- Switching and Processing companies: Annual ITRA with additional requirements for ISO 8583 message security, HSM configuration review, and network segmentation testing.
- Microfinance Banks (MFBs): CBN ITRA cadence matches the bank's risk category (tier 1, 2, or 3 MFB). Annual penetration testing applies across all tiers.
What the examination documentation must include
Based on our experience supporting Nigerian fintechs through CBN IT examinations, the penetration test report that satisfies an examiner must include:
- The name and credentials of the testing firm, confirming independence from the entity being tested.
- The date of testing and the scope of systems tested (named applications, APIs, mobile apps, cloud environments).
- The testing methodology (black-box, grey-box, or white-box) and the standards followed (OWASP, PTES, NIST).
- A complete findings register with severity ratings using a recognized scale (Critical, High, Medium, Low, Informational).
- For each finding: a technical description of the vulnerability, the potential business impact, a remediation recommendation, and the remediation status (open, in progress, resolved).
- A re-test confirmation for all critical and high findings, showing that remediation was verified by the testing firm.
- An executive summary suitable for board or committee review.
Timing your penetration test relative to the CBN examination cycle
CBN conducts ITRAs throughout the year, typically notifying an entity 2 to 4 weeks before the examination date. If your most recent penetration test is more than 12 months old when the examination notice arrives, you are already out of compliance. We recommend completing your annual test no later than the 10-month mark after your previous test — giving you a two-month buffer for remediation and re-testing before the next examination window.
The test must also cover any significant system changes made since the previous test. A common mistake is to conduct the annual test in January and then launch a new payment product in August. The new product has never been tested. A CBN examiner who learns about the August launch will ask for testing evidence specific to the new product.
What we test for CBN licence holders
Our CBN compliance penetration tests follow the scope that satisfies RBCF documentation requirements. For a typical PSSP or MMO, this covers: the consumer-facing mobile application (Android and iOS), the web application and merchant dashboard, the payment API (REST and ISO 8583 where applicable), the cloud infrastructure (AWS, GCP, or Azure), the admin panel and internal tools, and the third-party integrations (NIBSS, card scheme processors, BaaS banking partners).
Entity had not tested its merchant API in 18 months
A Nigerian PSSP engaged us three weeks before a scheduled CBN IT examination. Their last penetration test had been conducted 18 months earlier and covered only the consumer mobile app. In the intervening period, they had launched a merchant-facing API used by over 200 businesses to process payments. The merchant API had never been penetration tested. We conducted an expedited targeted assessment of the merchant API, identified two high-severity authorization vulnerabilities, supported the remediation team through fixes, and conducted a re-test confirming resolution — all within the 3-week window. The client presented the completed report to CBN examiners on examination day. CBN accepted the report and noted the remediation evidence in the examination findings.
CBN-licensed payment company? Book your annual penetration test and get a report structured to satisfy examiner documentation requirements.
Book a CBN Compliance PentestFrequently asked questions
Which CBN licences require penetration testing?
CBN's Risk-Based Cybersecurity Framework applies to all CBN-licensed entities including Payment Solution Service Providers (PSSPs), Mobile Money Operators (MMOs), Payment Terminal Service Providers (PTSPs), Switching and Processing companies, and Microfinance Banks. All of these are required to conduct annual penetration testing by an independent qualified third party.
What happens if CBN finds during an examination that we have not done a penetration test?
CBN examiners will issue a regulatory directive requiring remediation within a defined period, typically 30 to 90 days. Continued non-compliance can result in fines, licence suspension, or in severe cases, licence revocation. Beyond the regulatory consequence, the absence of a pentest report during an examination signals to the examiner that the entity's security governance is weak, which typically triggers a more thorough examination of other security controls.
Can our internal IT team conduct the penetration test for CBN compliance?
No. CBN's cybersecurity framework explicitly requires that penetration testing be conducted by an independent third party. An internal team cannot be considered independent. CBN examiners will ask whether the testing firm had access to your source code and internal systems (black-box vs grey-box vs white-box testing) and whether the testing firm is certified or qualified. A test conducted by the company's own staff will not satisfy the independence requirement.
How often must we test under CBN requirements?
Annual penetration testing is the baseline. However, CBN's framework also requires testing after significant system changes, major infrastructure migrations, and following security incidents. A launch of a new payment product or migration to a new cloud provider should trigger a targeted penetration test of the changed components, not just the next annual cycle.
Related reading
Blog: Preparing for a CBN IT examination · What CBN audits check · PCI DSS compliance in Nigeria
Services: Penetration testing · Vulnerability assessment