Security expectations by license category
Different CBN license categories carry different levels of cybersecurity scrutiny. The common thread: all require demonstrable, independent evidence of security testing and risk management.
PSSP (Payment Service Solution Provider)
The most common fintech license. PSSPs must demonstrate secure payment infrastructure, PCI DSS alignment for card-related flows, and evidence of independent penetration testing. Webhook security, API authorization, and transaction integrity are areas CBN examiners focus on.
MMO (Mobile Money Operator)
MMO licenses require demonstrating secure USSD infrastructure, agent network access controls, and wallet integrity. Testing must cover the unique attack surfaces of mobile money — USSD session management, agent privilege escalation, and telco integration boundaries.
Switching & Processing
The highest security bar. Switching companies handle inter-bank transactions and must demonstrate network segmentation, encryption in transit and at rest, and rigorous access controls. Independent security testing with detailed remediation evidence is non-negotiable.
MFB (Microfinance Bank)
MFBs increasingly operate digital-first with mobile apps and online banking. CBN expects core banking system security, loan disbursement integrity, and customer data protection. Security testing should cover both the digital channels and CBS integration boundaries.
What to prepare before your application
- Independent penetration test report: From a third-party firm (not your own team). The report should demonstrate that your application was tested for business logic flaws, authentication bypass, API authorization, and payment flow integrity.
- Vulnerability assessment: Complementing the pentest, this maps your complete security posture including infrastructure, configuration, and dependency risks.
- Cybersecurity policy documentation: Incident response plan, access control policy, data classification policy, and change management procedures. Your testing results should validate that these policies are implemented, not just documented.
- Data protection compliance: Evidence of NDPA compliance — data processing records, privacy notices, DPIA where required, and technical measures to protect PII.
- Business continuity & disaster recovery: Documented and tested backup procedures, failover mechanisms, and recovery time objectives.
After licensing: ongoing compliance
Getting licensed is the beginning, not the end. CBN examiners conduct periodic reviews and expect to see evidence of continuous security improvement:
Annual penetration testing
Most license categories require annual independent testing. For fast-shipping teams, we recommend quarterly deep dives with comprehensive annual reviews.
Biannual vulnerability assessments
At minimum twice per year. These should cover application, infrastructure, and dependency layers. Results should show remediation of previously identified issues.
Incident reporting
CBN requires timely notification of significant cybersecurity incidents. Having established testing relationships and incident response procedures reduces both the likelihood and severity of reportable incidents.
Related services and resources
For the full CBN cybersecurity framework breakdown, see our CBN compliance guide. For data protection requirements, see NDPR/NDPA compliance. To understand your current risk posture, read our fintech breach risk assessment. For budget planning, see how much a pentest costs in Nigeria.
Frequently asked questions
Do I need a pentest before applying for a CBN license?
While requirements vary by license type, most CBN license categories require evidence of cybersecurity readiness as part of the application. Having a current penetration test report demonstrates technical due diligence and significantly strengthens your application. Some categories explicitly require independent security testing.
Which license types require security testing?
PSSP (Payment Service Solution Provider), MMO (Mobile Money Operator), Switching and Processing companies, and MFBs (Microfinance Banks) all have cybersecurity requirements. The specific testing requirements vary by category and are detailed in the respective licensing frameworks and the CBN Risk-Based Cybersecurity Framework.
How often do we need to retest after getting licensed?
The CBN typically requires annual penetration testing and at least biannual vulnerability assessments. Additionally, you should conduct testing before major platform changes, after significant security incidents, and as part of your ongoing SSDLC (Secure Software Development Lifecycle).
Can Simpa Labs help with the cybersecurity policy documentation?
Our core expertise is technical security testing, not policy writing. However, our test reports provide the technical evidence that supports your cybersecurity policies, and we can advise on what technical controls are expected by CBN examiners based on what we see across the industry.