CBN wallet tiers: what the regulation actually says

The Central Bank of Nigeria's tiered KYC framework, operationalised through the CBN Regulatory Framework for BVN Operations and Watch-List for the Nigerian Banking Industry and subsequent AML/CFT guidelines, defines three wallet tiers with explicit transaction limits:

The vast majority of Nigerian digital fintechs — neobanks, mobile money operators, agent banking platforms, and standalone wallet apps — onboard users at Tier 1 by default. The friction is low, the acquisition funnel converts better, and the regulatory minimum is technically met. The problem is that every control in this framework is scoped to a single account, not to the person behind it.

The cross-pollination attack: mechanics of a Tier 1 ring

BVN data has leaked from multiple Nigerian financial institutions. It is actively traded on Telegram channels and dark-web marketplaces, sometimes in bulk data sets containing BVN, full name, date of birth, and phone number. This is not speculation — NITDA and multiple security researchers have documented specific breach instances. A motivated attacker with ₦200,000 to spend on data acquisition can walk away with hundreds of valid BVN records.

The attack sequence runs as follows:

  1. Data acquisition — Attacker purchases 50 valid BVN records from a data broker operating on a private Telegram channel. Each record contains enough PII to pass Tier 1 registration: BVN, linked phone number, date of birth.
  2. Account creation — Using a combination of SIM farms, emulators, and VPN exits across different Nigerian mobile carrier subnets (MTN, Airtel, Glo, 9mobile), the attacker registers 50 distinct Tier 1 wallets. Some are created on the same fintech platform; others are spread across competing platforms to reduce per-platform exposure.
  3. Funding the mules — A central coordinator account transfers funds in sub-₦50,000 tranches to each mule wallet. Because each individual transfer stays under the Tier 1 single-transaction threshold, no automated alert fires.
  4. Accumulation — Each mule wallet accumulates up to ₦300,000 — the Tier 1 balance ceiling — before being used for outbound transfers. Fifty wallets at ₦300,000 each: ₦15 million in usable float, per rotation cycle.
  5. Extraction — Mule accounts send funds to aggregation accounts held at tier-1 commercial banks (Guaranty Trust, Zenith, Access), where the funds are mixed with legitimate transaction volume and the trail cools. Mule wallets are then abandoned or handed off to new synthetic identities before any compliance review cycle completes.

The rotation speed is the key variable. A well-run ring cycles through accounts fast enough that by the time a compliance analyst flags an account for manual review, the funds are already two hops away.

Why the ₦300,000 aggregate limit does not contain this

The CBN Tier 1 balance limit was designed assuming one account per person. That assumption collapses the moment an attacker holds multiple accounts under different BVNs — real or synthetic. The ₦300,000 ceiling applies per wallet, not per human being.

A fintech cannot, without deliberate engineering effort, detect that BVN 12345678901 and BVN 98765432109 belong to accounts that share the same physical device, the same registration IP, or the same network of outbound transfers. NIBSS provides a BVN validation API that confirms identity against a given BVN — but it does not expose cross-account linkage signals. Detecting this requires the fintech to build internal correlation logic across its own account population.

Most platforms do not do this. They validate each BVN once at account creation, confirm the phone number matches, and move on. The compliance function sees individual accounts in isolation, not the graph they collectively form.

Network topology of a Tier 1 mule ring

Structurally, these rings follow a consistent pattern. Understanding the topology is necessary before you can instrument for detection.

At the centre is a coordinator account — often a Tier 3 account held at a commercial bank, funded through a legitimate-looking business or from a prior laundering cycle. The coordinator distributes funds to a first layer of mule wallets (the "dispersal layer"). These wallets receive funds in small tranches and hold them briefly.

The dispersal layer accounts then send to a second layer of mule wallets (the "mixing layer"). This introduces a hop that makes graph tracing harder: if you only observe the mixing layer, the coordinator is not visible. The mixing layer wallets look like they are receiving peer-to-peer transfers from ordinary users — because from the vantage point of any single platform, that is exactly what the data shows.

The mixing layer feeds one or more aggregation accounts at large commercial banks. By the time funds reach an Access Bank or Zenith account, the transaction history is a tangle of small transfers from dozens of wallets across multiple platforms. Formal AML typology for this pattern is called layering via smurfing — a documented Financial Action Task Force (FATF) typology that Nigerian fintechs are expected to have controls against under NFIU guidance.

What the transaction data looks like from the inside

Individually, each Tier 1 mule account looks completely normal. Consider the following representative transaction profile:

A compliance analyst reviewing this account in isolation sees a new user receiving regular transfers and sending money to one person. This could be a market trader receiving payments from customers and remitting to their supplier. Nothing about the individual account screams fraud.

The pattern only becomes visible when you look across accounts simultaneously — specifically when you ask: how many other accounts share the same registration device? How many other accounts send to the same destination? Were any of those accounts registered within the same six-hour window from the same IP block? These are graph questions, not single-account questions, and they require your data model to support them.

Detection signals: what to build into your platform

Each of the following controls closes a different detection gap. Implement them in layers — no single signal is definitive, but in combination they make a ring extremely difficult to operate undetected.

Device fingerprint deduplication

Collect a stable device fingerprint at registration. On mobile (Android/iOS), this is a combination of hardware identifiers, screen resolution, OS version, installed font set, and accelerometer calibration data. On web, TLS fingerprinting (JA3 or JA4) combined with browser canvas and audio context fingerprints is sufficient for most cases.

Persist the device fingerprint hash against the account record. Run a deduplication query at every new account registration: if a fingerprint has been seen before, flag it for review rather than auto-approving. A single device fingerprint appearing in more than one account registration within a 30-day window should escalate to Tier 2 verification before the second account is activated.

IP and network clustering

Log the full registration IP, the ASN (autonomous system number), and the mobile carrier where applicable. Group registrations by /24 subnet and by ASN. A cluster of five or more Tier 1 accounts registered from the same /24 subnet within a two-hour window is a strong signal — especially if those accounts have no prior transaction history and are not linked by referral codes.

MTN, Airtel, Glo, and 9mobile each operate predictable NAT subnet ranges for their mobile data traffic. Attackers using SIM farms rotate SIMs but often share the same carrier, which clusters their egress IPs within identifiable ASN ranges. Cross-referencing registration ASN against known Nigerian carrier ASN blocks lets you weight the signal correctly — a registration from MTN's ASN is not suspicious on its own, but ten registrations from MTN's ASN within thirty minutes, all to fresh accounts, warrants a second look.

Transaction graph analysis

Model your accounts and transactions as a directed graph. Each account is a node; each transfer is a directed edge from sender to recipient. Run the following queries periodically (daily or near-real-time for high-velocity platforms):

In PostgreSQL, the common destination cluster query can be expressed with a simple GROUP BY on the transfers table. The registration co-location query requires joining on a device fingerprints table. Recursive CTEs handle the multi-hop graph traversal for the layered ring structure described above. You do not need a graph database to start — you need a schema that stores device fingerprints and an index on the destination account ID column in your transfers table.

Per-device velocity limits, not per-account

Velocity limits scoped to the account are trivially bypassed by the ring structure described. Move your velocity checks upstream to the device fingerprint. A rule such as "no more than ₦100,000 in aggregate outbound transfers in 24 hours across all accounts sharing this device fingerprint" collapses the per-account limit evasion entirely. This is implementable in Redis with a sliding window counter keyed on the device fingerprint hash.

Proactive controls: the exact fixes

Compliance guidelines name the obligation; the following is the technical implementation:

None of these controls require a compliance team to manually review each account. They automate the escalation decision and route the edge cases to human review — which is the correct architecture for a high-volume onboarding funnel.

Example finding

23 accounts. One device. ₦68 million. Zero alerts.

During a compliance architecture assessment for a digital wallet platform (not a penetration test — a structured review of transaction controls and data model), we analysed 90 days of transaction graph data. We identified a cluster of 23 accounts, all registered on the same Android device model with sequential account creation timestamps spanning a four-hour window on a single day. Across the 30-day period following creation, this cluster had collectively moved ₦68 million in outbound transfers — all to a single destination account at a tier-1 commercial bank. Each individual account had triggered zero compliance alerts. The platform had no cross-account device linkage logic, no graph analysis capability, and no per-device velocity controls. Outbound transfers from the cluster had already ceased by the time we identified the pattern, suggesting the ring had completed its cycle and rotated. Fix priority: Critical. Finding was reported to the compliance team with a remediation roadmap that included device fingerprint binding, cluster detection queries, and Tier 2 auto-escalation rules.

If your compliance team reviews accounts individually and your transaction monitoring fires on single-account thresholds, you are not detecting this class of attack — can you check your architecture today?

Get a security review

Frequently asked questions

Does CBN require fintechs to perform cross-account BVN checks?

CBN AML/CFT guidelines require fintechs to know their customer and detect structuring — the practice of breaking up large transactions to avoid reporting thresholds. Cross-account BVN deduplication is the technical implementation of that obligation. A fintech that cannot detect the same BVN appearing across multiple wallet registrations is not meeting the spirit of that requirement.

How do we handle legitimate users who have multiple accounts?

Some users legitimately hold separate business and personal wallets. The correct response is not automatic blocking. Any second account registered under the same BVN should be auto-elevated to Tier 2 or Tier 3 verification before it is activated. This is proportionate, compliant, and preserves the user relationship while closing the loophole that mule rings exploit.

What graph analysis tools work for detecting cross-account patterns at fintech scale?

Apache TinkerPop (backed by JanusGraph), Neo4j, and Amazon Neptune are purpose-built graph databases that handle this well at scale. However, a well-structured PostgreSQL schema with recursive CTEs can surface the same patterns at early product scale without requiring a dedicated graph infrastructure investment. Start with what you have, then migrate the graph workload when query times degrade.

Related reading

Blog: KYC and BVN data security in fintech · BVN spoofing and liveness bypass on Tier 1 onboarding

Guides: CBN compliance security guide

Services: API security testing · Secure architecture review