1 phone, 1 bank app: Inside CBN’s device binding rule and what it means for Nigerian users

On July 1, 2026, every Nigerian who uses a fintech app will be locked to one device. The Central Bank of Nigeria’s directive, issued March 12 by Musa Jimoh, Director of Payments System Policy, gives banks and fintech entities 109 days to implement mandatory device binding.

One app, one phone, no exceptions. Switch devices, and you trigger re-authentication, a 24-hour waiting period, and a ₦20,000 transaction limit until the system clears you.

The device binding rule affects millions. OPay, Moniepoint, Kuda, PalmPay, and Paga collectively serve an estimated 30 to 50 million Nigerians. Add traditional bank apps, and the number climbs higher.

Nigeria has over 172 million active mobile subscriptions. A significant portion of those subscribers use banking apps that must now comply with device binding restrictions stricter than what most global markets enforce.

Fintech regulation in Nigeria

CBN is solving a real problem:

Digital payment fraud cost Nigeria ₦25.85 billion in 2025, down from ₦52.26 billion in 2024 but still substantial.

Between January 2023 and April 2025, an estimated ₦320 billion disappeared to financial fraud. Social engineering, particularly insider abuse, drives most incidents. SIM swap attacks and account takeovers follow close behind. Lagos accounts for 63.43% of fraud activity. Instant payments reached ₦284.99 trillion in Q1 2025 alone, creating a massive attack surface.

Device binding addresses specific vulnerabilities. When a fraudster steals login credentials, they typically access accounts from a different device.

Current systems allow multiple simultaneous logins, a security gap that enables account takeovers. Lock each account to one device, and fraudsters hit a wall. They need physical possession of the phone, not just stolen credentials.

How device binding works and what happens when you need a new phone

The technical mechanics are straightforward.

Banks and fintech entities will track IMEI numbers, device IDs, and MAC addresses. When you log in from a new device, the system detects the change and triggers re-authentication. You verify your identity through BVN validation, biometric checks, and one-time passwords. The first 24 hours on the new device limit you to ₦20,000 in transactions. After that, full access returns.

But here is where theory meets reality. Nigeria recorded 25.35 million stolen phones between May 2023 and April 2024. Less than 12% were recovered, according to National Bureau of Statistics data.

Millions of Nigerians lose their phones every year, not through carelessness but through theft. Under the new rule, a stolen phone means immediate lockout. You get a replacement device, download your banking app, and begin the verification process. You cannot move more than ₦20,000 for 24 hours, even if you need urgent access to your own money.

Phone repairs create another friction point. Send your device to a repair shop and you lose banking access entirely. The app is locked to hardware you no longer possess. USSD codes offer a workaround for basic transactions, but not everyone knows the codes or has reliable network access to execute them. Branch visits become necessary, defeating the purpose of digital banking.

Phone technicians at the Ikeja Computer Village

Shared devices, common among low-income Nigerians, become unusable. Families who share one phone to access multiple accounts must now choose.

Each person needs their own device, an expense many cannot afford. Economic pressures already force Nigerians to swap old phones for cheaper models or buy refurbished UK-used devices.

Tecno and Infinix dominate because they cost ₦80,000 to ₦370,000, within reach for budget-conscious buyers. Premium phones remain aspirational. The directive assumes device ownership is universal and stable. It is not.

The 24-hour transaction limit compounds these problems. Imagine a trader who loses their phone on a Friday. They order a replacement, receive it Saturday, and begin verification. They cannot access their full balance until Sunday. If suppliers demand payment or customers need refunds, the trader is stuck. The security measure becomes a business disruption.

CBN pairs device binding with another restriction. Starting May 1, 2026, Nigerians can change the phone number linked to their BVN only once in a lifetime. This rule intersects with device binding in problematic ways.

Lose your phone, change your number, and you burn your one allowed BVN phone number update. Future number changes become impossible. The twin restrictions create a rigid system with little room for the messy reality of life in Nigeria, where phones get stolen, numbers get swapped, and people move between networks for better rates.

Traditional banks already use device restrictions, but public documentation of their processes is sparse.

Zenith Bank’s app has been described as locked to devices, preventing unauthorised use. GTBank implements biometric face verification for large transactions. But neither bank publishes detailed guidance on what happens when customers need to change devices, how long verification takes, or what fallback options exist.

App Store reviews hint at friction. One user wrote that it is easier to pass a camel through a needle than log into their banking app. Another complained about login difficulties with poor network connections. Device-related authentication issues appear sporadically in reviews, but comprehensive data on user experience is absent.

The UK offers a contrasting approach. Under the Financial Conduct Authority’s Strong Customer Authentication rules, banks must verify two of three factors: something you know (password), something you have (device), or something you are (biometric).

The system emphasises layered security over device binding. Users can access accounts from multiple devices as long as they pass multi-factor authentication. Behavioural biometrics, which analyse typing patterns and interaction habits, count as valid authentication. The UK prioritises flexibility with security layers. Nigeria chooses restriction.

An enrollment center (IMG: Integrated Biometrics)

Why device binding implementation will test Nigerian fintechs

Fintech entities now face an implementation scramble.

They must build or buy device fingerprinting infrastructure, integrate with BVN and NIN databases for real-time validation, deploy liveliness detection technology to prevent spoofing, create automated migration protocols, and scale customer service teams to handle device change requests.

The timeline is tight. March 12 to July 1 gives them 109 days. Some platforms already have pieces of this infrastructure. Others are starting from scratch. RegTech vendors will see a surge in demand for device binding solutions, identity verification APIs, and fraud monitoring dashboards.

Customer service becomes a critical bottleneck. Expect a flood of device change requests on day one. Users who upgrade phones, replace stolen devices, or switch to cheaper models will all trigger re-authentication.

Each request requires manual or automated verification. If systems fail or networks lag, users get locked out. Fintech entities must prepare support teams, draft clear communication guides, and build redundancy into verification workflows. A smooth rollout depends on operational readiness as much as technical capability.

User education campaigns must begin now. Most Nigerians do not yet know that device binding is coming. They have not prepared for the ₦20,000 limit or the re-authentication process.

Fintech firms that communicate early and clearly will retain customers. Those that wait until June to announce the changes will face backlash. Social media will amplify complaints. Trust will erode. The transition period matters as much as the rule itself.

The directive signals CBN’s evolving stance on fintech. The regulator is tightening control, adding layers of compliance that increase friction for users but reduce fraud risk for the system. This follows other recent measures: mandatory automated AML systems, cash withdrawal penalties, and the slow rollout of open banking protocols.

Each rule aims to professionalise the sector, but cumulatively they add weight. Fintech entities that thrived on speed and convenience now navigate a more restrictive environment.

Financial inclusion takes a hit. CBN has championed digital banking as a path to bringing unbanked Nigerians into the formal economy. Device binding works against that goal. It assumes stable device ownership, reliable network access, and digital literacy. Many Nigerians lack all three.

Image Source: Andrew Esiebo/Rest of World.

Rural users with limited access to device repair or replacement will struggle. Elderly users unfamiliar with re-authentication processes will abandon apps. Low-income users who share phones will be excluded entirely. Security and inclusion often conflict. CBN has chosen security.

The July 1 test will reveal whether Nigerian fintech firms can execute under pressure. A smooth rollout means users barely notice the change. Verification happens quickly, transaction limits lift on schedule, and customer service handles edge cases efficiently. A failed rollout means widespread lockouts, angry users, viral complaints, and a trust crisis that sets fintech adoption back. The stakes are high. Fraud losses justify the rule. User experience will determine whether it works.

Nigeria is building a more secure financial system. The question is whether it remains accessible. Device binding stops fraudsters but also stops legitimate users caught in bad circumstances. The balance matters. Other markets found ways to secure accounts without rigid device restrictions. Nigeria has chosen a different path. By July 1, we will know if it works.

The post 1 phone, 1 bank app: Inside CBN’s device binding rule and what it means for Nigerian users first appeared on Technext.