CBN Circular BSD/DIR/PUB/LAB/019/002

Your June 10 roadmap. We write it. You submit it.

SJULTRA Sentinel · AML Compliance Advisory · 2026

Nigeria's purpose-built CBN AML compliance advisory partner. We help your institution move from manual controls to a structured automation roadmap — starting with a CBN-grade submission document in two weeks and an 18-month implementation plan.

12
CBN Baseline
Standards Covered
4 phases
Sprint to
CBN Submission
30%
Below NICE
Actimize Pricing
100%
Nigerian
Data Residency
WHO THIS IS FOR
Tier 2 Deposit Money Banks
Payment Service Providers
Mobile Money Operators
Digital Lenders & Fintechs
Wallet Operators

WHAT YOU RECEIVE
Gap Analysis — 12 CBN Standards
CBN Roadmap Document (June 10)
Target Architecture Diagram
Vendor Evaluation Matrix
18-Month Milestone Schedule
AI/ML Governance Framework
SJULTRA
SENTINEL
sentinel.sjultr.ng
SJULTRA Technology Solutions Limited
CAC Registered · Nigeria
March 2026
The CBN gave every bank in Nigeria
just 92 days to file a compliance roadmap.
CBN Circular issued: March 10, 2026  ·  Submission deadline: June 10, 2026  ·  Total window: 92 days
92
Total days given
by the CBN
Mar 10
Circular issued
2026
Jun 10
Roadmap due
2026
4 phases
SJULTRA Sprint
delivers your filing
Mar 10, 2026 — CBN circular issued ← 92 days total → Jun 10, 2026 — roadmap due
Months 1–2: gap analysis, vendor selection, internal approvals Weeks 9–12: SJULTRA Sprint → CBN submission Submission buffer
A compliance transformation that typically takes many months to execute must be fully planned in just 92 days.  ·  SJULTRA delivers your CBN submission document in 4 of those weeks, with an 18-month implementation roadmap aligned to your institution.
The Regulatory Reality

Nigeria's banks can no longer
monitor AML manually.

On March 10, 2026, the CBN issued a 27-page circular mandating every licensed financial institution deploy a fully automated AML/CFT system — covering 12 specific technical capabilities. This is not guidance. It carries personal liability for senior executives.

⚖️

The Legal Mandate

CBN Circular BSD/DIR/PUB/LAB/019/002 took effect on March 10, 2026. Every licensed DMB, PSP, MMO, and fintech must comply. Non-compliance results in administrative sanctions and financial penalties — affecting both the institution and accountable individuals including the CCO and MD personally.

Personal Liability
📅

Two Deadlines, One Urgency

DMBs have 18 months for full compliance (September 2027). PSPs, MMOs and fintechs have 24 months (March 2028). But every institution — regardless of type — must submit a formal implementation roadmap to the CBN Compliance Department by June 10, 2026.

86 Days Away
🇳🇬

The Proportionality Principle

The CBN explicitly applies a proportionality principle: institutions must calibrate solutions to their size, transaction volume, risk profile, and business model. SJULTRA's tiered consulting service is structured around this — your institution does not need an Oracle FCCM deployment to be compliant.

Calibrated Solutions
The 12 CBN Baseline Standards

Every standard. Covered.

The CBN circular mandates 12 distinct technical capability areas. SJULTRA's service is structured around all 12 CBN baseline standards: the Sprint covers roadmap and governance requirements now, while Sentinel platform capabilities are being developed for pilot testing in November 2026. Every Sprint deliverable maps directly to specific standards.

STANDARD 01
Customer Identification & Verification
BVN, NIN, and national identity database integration. Automated KYC/KYB. Sanctions match triggers automated onboarding closure.
Smile ID BVN/NIN API + Sentinel Screening Engine
STANDARD 02
Risk-Based Customer Profiling
Dynamic risk scoring on full customer profile — not just raw transaction data. Proportionality: calibrated to institution size.
Sentinel Unified Entity Profile (UEP)
STANDARD 03
Sanctions & PEP Screening
Real-time screening against 200+ global watchlists, PEP registers, internal watchlists, and adverse media. Auto-block on confirmed matches.
Sentinel Screening Engine — <300ms
STANDARD 04
Transaction Monitoring
Real-time detection across all channels: cards, e-channels, deposits, and lending. AI/ML encouraged but must be governed and explainable.
Kafka + CBN Rule Engine + ML Scorer
STANDARD 05
Case Management & Investigation
Enterprise case management with auto-generated alerts, assignment, tracking, and Maker-Checker workflow controls.
Sentinel Maker-Checker RBAC Dashboard
STANDARD 06
Regulatory Reporting
Automated STR/SAR generation in NFIU goAML XML 3.1 format. Timely reporting to CBN, NFIU, and other authorities.
One-click NFIU XML 3.1 Export
STANDARD 07
Audit & Governance
Tamper-proof audit trails. Role-based workflow controls. Secure authentication. Annual independent AI/ML model validation.
Cryptographic Hash-Chain Audit Log
STANDARD 08
System Integration & Scalability
Secure RESTful API integration with core banking and payment systems. Scalability for growing transaction volumes. Zero CBS changes required.
Kafka CDC — Finacle · T24 · Flexcube
STANDARD 09
Data Protection & NDPA
Full compliance with Nigeria Data Protection Act. Customer data must remain in Nigeria. Confidentiality and integrity of all data.
AWS af-south-1 — NDPA Compliant
STANDARD 10
Fraud Monitoring Integration
Automated fraud monitoring across all channels. CBN expects convergence of fraud and AML systems into a unified risk view.
Unified Fraud + AML Risk Score
STANDARD 11
Vendor Management Policy
Documented policies for third-party vendor procurement, implementation, support, incident management, and exit strategy.
Sprint Deliverable — Policy Documentation
STANDARD 12
AI/ML Governance
AI/ML models properly governed. Independent annual validation. Accuracy checks, fairness audits, bias testing, and human oversight.
SHAP XAI + Annual Validation Report
The Sprint Process

Bank information. Asset discovery. CBN-ready roadmap.

Every Sentinel Sprint follows a structured, four-phase process. Your institution provides the data. SJULTRA runs a comprehensive cyber asset discovery across your entire IT and compliance environment, generates a structured report, designs the CBN roadmap from that report, and delivers a polished first draft for your review — before any CBN deadline pressure sets in.

Phase
One
Information
Bank Provides Required Information
Step 1 · Structured Intake — Before Discovery Begins
The Sprint begins the moment your institution completes SJULTRA's structured information intake. This is not a workshop or a discovery call — it is a documented submission of the specific data SJULTRA needs to run an accurate cyber asset discovery and produce a credible CBN roadmap. Incomplete intake means a delayed Sprint. Complete intake means we start discovery within 24 hours of receipt.
Institutional Profile
Full legal name, CBN licence number and category, CCO and CTO contact details, compliance team structure, and any CBN correspondence received in the last 24 months relating to AML.
Transaction & Operational Data
Average monthly transaction volume (count and Naira value), active transaction channels, total customer and merchant accounts, cross-border corridors, and current STR filing method and frequency.
Technology Stack Details
Core Banking System name and version, cloud provider or hosting environment, current AML tooling (if any), API availability status, and any existing data classification or NDPA compliance documentation.
Governance Documents
Current AML/CFT policy (any version), existing risk appetite statement, board-level AML resolution (or confirmation one will be obtained), and official institution letterhead for the final submission document.
Why this comes first
  • The cyber asset discovery cannot be scoped accurately without knowing your CBS version, cloud provider, and IT environment
  • The roadmap document cannot be personalised without your institutional profile, transaction data, and governance documents
  • Providing complete information at this stage is the single greatest factor in Sprint speed — every missing document adds a day
✅ Phase 1 Gate
Intake Confirmation: SJULTRA confirms receipt of all required information and provides a written Sprint commencement notice with the expected discovery completion date. The Sprint clock starts here.
Phase
Two
Discovery
Full Cyber Asset Discovery & Structured Report
Step 2 · Total Discovery Across Your Entire IT and Compliance Environment
SJULTRA conducts a comprehensive discovery of your institution's entire cyber asset inventory — every IT system, every data flow, every compliance control, and every gap. This is not a desktop review. It is a structured, evidence-based mapping of your current state across all dimensions the CBN will assess. The output is a formal Discovery Report that becomes the single source of truth for the roadmap design in Phase 3.
IT Asset Inventory
Full mapping of your technology environment: Core Banking System, payment infrastructure, cloud or on-premise hosting, network architecture, API connections, third-party integrations, and data storage locations. Every system that touches customer or transaction data is catalogued.
AML Infrastructure Assessment
Current state of all AML and fraud monitoring capabilities — what exists, what is manual, what is automated, what is absent. Every tool, every process, and every workflow scored against the 12 CBN Baseline Standards: COMPLIANT / PARTIAL / GAP / NOT STARTED.
Data Flow Mapping
How customer and transaction data moves through your systems — from CBS ingestion to monitoring, case management, and regulatory reporting. Identifies the precise integration points where Sentinel connects and any data residency risks relative to NDPA requirements.
Compliance Control Review
Assessment of existing governance controls: Maker-Checker workflow, RBAC configuration, audit trail availability, staff training records, STR filing history, and existing vendor contracts. Maps directly to CBN Standards 5, 7, 10, 11, and 12.
📄 Phase 2 Deliverable
D1 — Cyber Asset Discovery Report: Comprehensive current-state inventory of your entire IT and compliance environment. 12-standard gap matrix with evidence-based findings, risk severity ratings, and the precise remediation priorities that will form the backbone of your CBN Roadmap. This report is your institution's most accurate AML compliance baseline — regardless of what happens next with the Sprint.
Phase
Three
Roadmap
CBN Roadmap Design
Step 3 · Discovery Report Drives Every Roadmap Decision
The Discovery Report from Phase 2 is the direct input to the roadmap. Nothing in the CBN submission is generic — every section is built from the specific findings of your institution's discovery. The architecture diagram uses your actual CBS version. The gap remediation plan addresses your actual gaps. The 18-month milestone schedule is calibrated to your actual compliance team size and budget. SJULTRA designs the full roadmap document internally before any draft reaches you.
Institution-Specific Architecture
Target architecture diagram drawn specifically for your CBS (Finacle, T24, or Flexcube), showing exactly how Sentinel integrates above your existing core infrastructure — Kafka CDC layer, Sentinel screening engine, AWS af-south-1 data residency, and the case management dashboard.
Gap-to-Milestone Mapping
Each gap identified in the Discovery Report is assigned to a specific phase in the 18-month implementation timeline, with resources, costs, and CBN deadline alignment. DMBs mapped to September 2027. PSPs and MMOs mapped to March 2028.
Vendor Evaluation Matrix
Five AML vendors evaluated against your specific profile: Sentinel, NICE Actimize, Oracle FCCM, SAS AML, and one alternative. Scored on CBN coverage, deployment time, Nigerian data residency, cost, and alignment with your CBS version.
10-Section Document Assembly
Full CBN Roadmap Document built from the discovery data: institution profile, executive commitment, gap analysis, target architecture, phased 18-month implementation plan, vendor policy, AI/ML governance framework, data sovereignty statement, compliance budget, and MD sign-off page.
📄 Phase 3 Internal Output
Complete internal draft of the CBN Roadmap Document and all supporting deliverables — reviewed and validated by your SJULTRA consultant before the first draft is sent to your institution. Nothing leaves SJULTRA until the consultant has confirmed accuracy against the Discovery Report.
Phase
Four
Delivery
First Draft Delivered for Bank Review
Step 4 · Client Review, Revisions & CBN Submission
SJULTRA delivers the complete first draft of the CBN Roadmap Document to your CCO and CTO. This is a fully formed, submission-quality document — not a skeleton for your team to complete. Your institution reviews, requests any revisions, and confirms accuracy of institution-specific data. SJULTRA incorporates feedback and prepares the final, MD-signed submission package.
First Draft Delivery
Complete 10-section CBN Roadmap Document delivered to your CCO — on your institution's letterhead, with the Discovery Report findings fully incorporated, all diagrams included, and the Executive Commitment Statement ready for MD signature.
Client Review Cycle
Your CCO and CTO review the draft and provide consolidated feedback. SJULTRA incorporates all revisions within 48 hours. The review cycle is designed to be a single pass — the Discovery Report foundation means there are no factual gaps requiring additional research.
MD Sign-Off
The finalised document is presented to your MD for the Executive Commitment Statement signature. SJULTRA prepares the MD briefing pack — a concise summary of the document's key commitments — so the MD can sign with full confidence and minimal time required.
CBN Submission Support
SJULTRA prepares the complete submission pack — covering letter, all attachments, and CBN Compliance Department addressing. We assist with the submission process or provide a complete submission-ready folder with step-by-step filing guidance for your CCO.
📄 Final Sprint Package — All Deliverables
D1 — Cyber Asset Discovery Report  ·  D2 — CBN Roadmap Document (final, MD-signed, submission-ready)  ·  D3 — Target Architecture Diagram (CBS-specific)  ·  D4 — Vendor Evaluation Matrix  ·  D5 — 18-Month Implementation Timeline  ·  D6 — Sentinel Early Access Briefing
What We Need From You

The discovery starts with
your information.

Before SJULTRA begins the cyber asset discovery, your institution submits the information below. This is the foundation of the entire Sprint — the quality of your discovery report and roadmap depends directly on the completeness of what you provide here. Most of this information is already in your CCO's or CTO's files. The table below shows every category organised by phase.

📋
Phase 1 — Institutional Data
Submitted to SJULTRA before the discovery begins
Full legal institution name, CBN licence number, and licence category
CCO, CTO, and MD full names, direct phone, and email
Total customer/merchant accounts (approximate)
Average monthly transaction volume — count and total Naira value
Active transaction channels: POS, mobile, web, USSD, NEFT, RTGS, cards, agent banking
Current AML monitoring method: manual, spreadsheet, legacy tool, or automated system
If automated — vendor name and version number
Core Banking System name and version
Finacle vX / T24 vX / Flexcube vX / Other
Compliance team size and structure
How many analysts? Is Maker-Checker workflow in place?
Any CBN AML-related correspondence received in last 24 months
Examination reports, queries, directives — not for disclosure, for gap calibration
Number of STRs/SARs filed in last 12 months and filing method
NFIU goAML portal registration status
Registered / Not registered / Registration in progress
💻
Week 2 — Technical Data
Needed before Architecture Session
CBS API availability confirmation
Is REST API or CDC access enabled on your Finacle/T24/Flexcube instance?
Current cloud or data centre hosting provider
AWS, Azure, GCP, local DC — specify region if cloud
High-level IT architecture diagram
Any version — even a whiteboard photo. Needed to design the Sentinel integration layer.
Transaction event data format
What fields are in a transaction record? JSON / XML / database schema extract.
Current BVN/NIN verification process
Manual lookup / NIBSS direct / third-party API (which?)
Any current sanctions or PEP screening tool
Vendor name, API or manual, how often are lists updated?
IT security framework: network segmentation, VPN, firewall policies
Summary level only — relevant to CBS API access design
Data classification policy (if any)
What data is classified as sensitive/restricted? Any existing NDPA DPIA?
For PSPs/Fintechs: payment engine or wallet backend technology
Can it emit JSON webhooks? What event types are available?
Any previous AML vendor evaluation documents or RFPs
📝
Week 3 — Governance Data
Needed before MD Briefing
MD/CEO full name, title, and wet signature (for Executive Commitment Statement)
Board resolution or confirmation of board-level AML compliance approval
Or: confirmation that board approval will be obtained before June 10 submission
Compliance budget range approved for the 18-month implementation
Even an estimate — needed for Section 9 (Budget) of the CBN submission
Compliance team organisational chart
Who are the Maker and Checker roles for the AML alert workflow?
Data Protection Officer: name and contact, or status of DPO appointment
Existing vendor management policy (any version)
CBN Standard 11 — if none exists, SJULTRA will create it as part of the Sprint
AML risk appetite statement (board or CCO level)
What transaction patterns or sectors does the institution treat as elevated risk?
Customer base segmentation
Retail / SME / corporate / HNI — approximate percentages. Needed for risk profiling section.
High-risk sector exposure
Does the institution serve real estate, petroleum, NGOs, cash-intensive businesses, PEP-connected clients?
Official institution letterhead template (Word/PDF)
The final CBN submission is produced on your letterhead, not SJULTRA's
Cross-border transaction corridors
Top 5 countries by outbound transaction volume — needed for FATF jurisdiction risk section
IMPORTANT — CONFIDENTIALITY

All information provided to SJULTRA is subject to a Non-Disclosure Agreement signed before the Sprint begins. No institutional data, transaction information, or gap assessment findings will be disclosed to any third party. SJULTRA holds Professional Indemnity Insurance covering all consulting engagements. A Data Processing Agreement (NDPA-compliant) is executed with every client before any data is shared.

Three Segments, One Standard

The same 12 standards.
Three different approaches.

The CBN's proportionality principle means institutions are not all measured by the same ruler. SJULTRA's Sprint is calibrated to each segment's specific risk profile, technical infrastructure, and internal capacity.

Segment A
Tier 2 Banks (DMBs)
18-month deadline · September 2027
"When the CBN examiner walks in, I need a complete, tamper-proof audit trail showing every suspicious transaction decision — who made it, why, and what happened next."
Standard Sprint: 2 weeks, full 10-section CBN document
CBS connector design: Finacle / T24 / Flexcube specific
Audit trail specification — cryptographic hash-chain
Maker-Checker RBAC workflow architecture
MD personal liability framing in the board deck
NFIU goAML submission path documented
Segment B
Payment Service Providers
24-month deadline · March 2028
"We process 10 million transactions a month. If the CBN runs a thematic review of PSPs and we can't demonstrate real-time mule-network detection, our licence is at risk."
Velocity risk assessment: mule detection, aggregation patterns
REST API integration plan — no CBS, webhook-based ingestion
Per-transaction cost analysis: ₦1.60 per transaction at scale
Sentinel merchant + counterparty screening demonstration
Proportionality justification for PSP transaction profile
Developer API documentation for CTO review
Segment C
Wallet Operators & Fintechs
24-month deadline · March 2028
"Our AML is still spreadsheets. If the CBN runs a thematic review of fintechs this year, we will fail immediately and our licence renewal — and investor due diligence — will be affected."
Lean 3-week sprint — faster to close, lighter on burden
Proportionality assessment: calibrate to actual risk profile
API sandbox access: Sentinel Screening Engine + identity verification from Day 1
NDPA data residency plan — AWS af-south-1 migration path
Investor/partner due diligence compliance narrative
Scaling clause: auto-upgrade path as transaction volume grows
Why SJULTRA Sentinel

The only Nigerian-built answer
to a Nigerian regulation.

Foreign AML vendors offer powerful platforms built for European and North American banks. They cannot offer Nigerian data residency by architecture, knowledge of the CBN examiner's process, or a team that picks up a Lagos phone number when your CCO needs support on June 9.

01

Built for CBN, Not Retrofitted

Sentinel was designed from the language of Circular BSD/DIR/PUB/LAB/019/002 — not adapted from a generic AML framework. Every feature, every rule, every reporting format maps to a specific CBN requirement.

NICE Actimize and Oracle FCCM take 12–24 months to deploy and are not calibrated to Nigerian CBN requirements. Sentinel is being developed to support all 12 standards, with pilot testing targeted for November 2026. The Sprint delivers the roadmap, architecture, and implementation plan needed for institutions to begin compliance execution immediately.
02

Nigerian Data Residency — By Architecture

SJULTRA deploys on AWS af-south-1 (Cape Town). All customer PII, transaction records, and case data are processed and stored within Nigeria. The Sentinel screening engine processes only the signals required for compliance checks — no customer names, BVNs, or account numbers leave Nigeria.

Foreign vendors store data in EU or US. NDPA compliance then requires complex contractual arrangements that may not fully satisfy the CBN. SJULTRA's compliance is architectural — not contractual.
03

Usage-Based Licensing — Pay for What You Use

Sentinel will operate on a usage-based licence model. Institutions are licensed for platform access and consume tokens as they screen customers, monitor transactions, and generate reports — so cost scales with actual activity, not a fixed monthly commitment regardless of usage.

Big 4 AML advisory (KPMG/PwC): ₦150M–₦300M for an equivalent engagement · SJULTRA Premium Sprint: ₦75,000,000
Flat-rate legacy vendors lock you into annual contracts. Sentinel's licence model aligns cost directly to your institution's compliance workload.
04

Enterprise-Grade Screening Intelligence

Sentinel's sanctions, PEP, and adverse media screening is powered by an enterprise-grade intelligence engine covering 200+ global watchlists, 1M+ monitored entities, and a response time under 300ms — the same calibre of infrastructure used by global Tier 1 banks and fintechs.

The intelligence layer is world-class. The delivery, data residency, and CBN calibration are Nigerian-first. That combination exists nowhere else in the market.
Platform Intelligence

Sentinel is built on
enterprise-grade infrastructure.

Smile ID
BVN · NIN · Liveness · Identity Verification
Nigeria's native identity verification API. BVN and NIN verification via direct NIBSS integration. Liveness checks and document verification for the Unified Entity Profile (CBN Standard 1).
Direct NIBSS integration
Nigerian-native — built for the market
CBN Standard 1 — full KYC/KYB coverage
Sub-1 second verification response
AWS Africa
Cloud · Data Residency · Security · Scalability
Amazon Web Services af-south-1 region (Cape Town). NDPA-compliant data residency. Auto-scaling EKS for high transaction volumes. AES-256 encryption at rest via KMS. VPC PrivateLink — no public internet egress for customer data.
NDPA-compliant data residency
AES-256 encryption — AWS KMS
99.99% SLA uptime
DR site: Lagos co-location (hot standby)
Pricing & Early Access

A consulting service first.
A platform licence second.

The Sprint is a standalone consulting engagement. You do not need to commit to any software to receive your CBN roadmap. The Early Access Agreement is optional — but those who sign receive 20% off the Sprint fee, applied immediately, and priority access to Sentinel's usage-based pilot licence when the platform launches in November 2026.

Sprint Pricing by Institution Tier

Starter Sprint
₦7,500,000 fixed fee  ·  ₦6,000,000 with EAA
Regional banks · Smaller PSPs · Early-stage fintechs
Standard Sprint
₦32,500,000 fixed fee  ·  ₦26,000,000 with EAA
National Tier 2 DMBs · Major PSPs · Scaled MMOs
Premium Sprint
₦75,000,000 fixed fee  ·  ₦60,000,000 with EAA
Complex institutions · Group banks · Stanbic IBTC / Fidelity-level · CBN fine anchor: ₦2B+ per major infraction
Sentinel Platform Licensing

Sentinel will operate on a usage-based licence model — institutions are licensed for access and consume tokens as they use the platform. Pricing is calibrated to transaction volume and screening activity, not a fixed monthly flat fee. Pilot pricing details will be confirmed to Early Access Agreement holders ahead of the November 2026 pilot launch.

Early Access Agreement
No payment.
No obligation.
Sign the Early Access Agreement today and receive 20% off your Sprint fee — applied immediately. The EAA is a Letter of Intent. No financial obligation arises until Sentinel’s pilot testing phase, currently targeted for November 2026.
1
Sign EAA (no payment) — 20% Sprint discount applied
2
Complete Sprint — CBN roadmap filed by June 10
3
Sentinel is currently in development and is targeted for pilot testing in November 2026 — Early Access Agreement holders receive priority pilot access with preferential usage-based licensing rates
4
Exit right at end of Pilot Month 1 if not satisfied — 30 days' notice
Schedule a 20-Minute Assessment →
No software purchase required · Confidential · NDA signed before Sprint begins
sentinel.sjultr.ng · [[email protected]]