What Nigerian regulations actually require
CBN doesn't use the words "pre-launch security audit" in its licensing checklist. But read the documentation requirements carefully: PCI DSS certification evidence, penetration test results, cybersecurity policy documentation, and incident response plans are standard submission requirements for PSSPs, MMOs, and similar categories. You produce these by doing the work.
Post-licensing, CBN mandates use of the Cybersecurity Self-Assessment Tool (CSAT) and full compliance with the June 2022 Risk-Based Cybersecurity Framework. For a legal overview, see this commentary on the Risk-Based Cybersecurity Framework. For our detailed guide on meeting these requirements, see CBN compliance security.
NDPR obligations activate quickly
Processing personal data of more than 1,000 Nigerian residents within a six-month window triggers NDPR obligations: a Data Protection Officer, annual audit reports filed with the NDPC, DPIAs for high-risk processing, and documented consent mechanisms. The penalty under the Nigeria Data Protection Act reaches 2% of annual gross revenue or ₦10 million, whichever is higher. See the NDPR Implementation Framework for practical guidance and our NDPR/NDPA compliance guide for a full walkthrough.
SEC pre-launch testing for wealth tech
If you're building a robo-advisory or wealth management platform, the SEC's Robo Advisory Rules require pre-launch algorithm testing. Back-testing of risk profiling accuracy using hypothetical inputs must be completed before you go live. The SEC's published rules for fintechs explain these requirements in detail.
The four audit types that matter
Vulnerability Assessment
Scans infrastructure for known weaknesses. Broad, fast, non-intrusive. The starting point, not the endpoint. See our vulnerability assessment service.
Penetration Testing
A certified ethical hacker actively tries to exploit weaknesses the way a real attacker would. PCI DSS requires quarterly vulnerability scans and annual pen tests. See our VA vs pentest comparison.
Secure Code Review
Examines source code for logic errors, injection vulnerabilities, and insecure API handling. Catches problems that infrastructure-level pentests miss entirely. See our architecture review service.
ISO 27001 / SOC 2
Independent audits of your overall security management system. Not required for CBN launch, but expected by enterprise clients and investors as you scale.
What you risk by skipping it
Submitting incomplete security documentation commonly causes significant delays in your CBN application cycle. Nigerian fintech apps are active targets, and launching with unpatched vulnerabilities means exposure is a matter of when, not if. A data breach before you've run a DPIA or established an incident response plan leaves you legally exposed on two fronts: NDPC sanctions and potential customer litigation. Fidelity Bank received a ₦555.8 million fine in 2024 for privacy rule breaches.
The cost of a proper security audit is a fraction of what a breach costs in remediation, regulatory fines, and lost user trust. For breach cost data, see our breach risk assessment guide.
Your pre-launch security checklist
- AML/CFT policy, KYC framework, and cybersecurity policy documentation
- Incident response plan (written and tested, not just filed)
- Evidence of PCI DSS certification if processing card payments
- Penetration test report from a qualified third-party tester
- DPIA completed for high-risk data processing activities
- Data Protection Officer appointment and NDPC registration
- CSAT readiness confirmation for CBN's Cybersecurity Framework
Realistic costs and timelines
- Vulnerability assessments: ~₦500K-₦1.5M depending on scope
- Penetration tests: ~₦1.5M-₦5M for a fintech app (see our pricing guide)
- ISO 27001 / SOC 2: Longer engagements, significantly higher cost; not pre-launch for most early-stage fintechs
- Total timeline: 6-10 weeks for scoping, testing, remediation, retesting, and documentation
Finding the right auditor
Look for auditors with CREST, OSCP, or QSA certifications and verifiable experience with Nigerian fintech engagements. Your auditor should deliver a remediation report, not just a findings list. For guidance, see our choosing a pentest company guide and our certifications guide.
Map your license category to the exact audits required
Start 6-10 weeks before your target launch date. Don't submit your CBN application until your penetration test report is in hand and critical findings are remediated. Run the vulnerability assessment first, then the pentest, then remediation, then documentation. Getting the order wrong means repeating steps.
Related reading
Blog: How a Simpa Labs pentest works · 10-point security checklist · Security audit timing playbook
Guides: Licensing security requirements · CBN compliance · Security before fundraising
Services: Penetration testing · Vulnerability assessment · Architecture review