Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

Corporate risk and compliance management are routine elements of corporate governance in Nigeria to which attention must be paid. However, they are not presently recognised as a distinct field of law in Nigeria. Prior to the 2007 banking crisis, significantly less attention was paid to corporate risk management than to compliance. An example of the emphasis placed on compliance is section 295 of the Companies and Allied Matters Act (CAMA) Cap C20, Laws of the Federation of Nigeria 2004, which is an amendment to the CAMA enacted in 1990. The 2004 amendment requires publicly traded companies to appoint a company secretary with specialised knowledge (eg, a legal practitioner, chartered accountant or chartered secretary). The company secretary is responsible for ensuring compliance with legislation and regulations. However, the 2007 crisis in the banking sector led to financial sector reforms, which put risk and compliance on the legislative front lines. An example of this was the enactment of the Investment and Securities Act 2007, which requires all organisations involved in the Nigerian capital market to appoint a compliance officer.

In most major corporate bodies in Nigeria, other than those involved in the capital market, corporate risk and compliance tend to be the responsibility of general counsel or the in-house legal department, and it would appear that only the largest corporate bodies have a dedicated compliance department. This is notwithstanding the provisions in the Investment and Securities Act that require registered organisations to appoint a compliance officer.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

As indicated above, corporate risk and compliance management is yet to be viewed as a distinct practice area in Nigeria. There are, however, a number of laws and regulations to which attention needs to be paid when considering these matters. The laws and regulations that address corporate risk and compliance, which tend to be in respect of specific commercial activities, include the following:

  • The Companies and Allied Matters Act 2004;
  • the Investment and Securities Act 2007;
  • the Anti-Money Laundering Act 2011;
  • the Banks and Other Financial Institutions Act 2004;
  • the Financial Reporting Council of Nigeria Act 2011;
  • the International Financial Reporting Standards;
  • the Central Bank of Nigeria (Establishment) Act 2007; and
  • the National Deposit Insurance Corporation Act 2006.

  • The Codes of Corporate Governance for Banks in Nigeria and Discount Houses, issued by the Central Bank of Nigeria (CBN);
  • the Guidelines for Risk Management Framework for Licensed Pension Operators, issued by the National Pension Commission;
  • the Code of Good Corporate Governance for the Insurance Industry in Nigeria, issued by the National Insurance Commission;
  • the Nigerian Stock Exchange Listing Requirements;
  • the Securities and Exchange Commission (SEC) Rules and Regulations;
  • the SEC Code of Corporate Governance;
  • the SEC Code of Conduct for Shareholders’ Associations;
  • the Nigerian Communications Commission Code of Corporate Governance for telecommunication companies; and
  • Credit Bureau Regulations issued by the CBN.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

The primary targets of rules related to risk and compliance management are banks and other financial institutions, companies listed on stock exchanges and other, non-listed, public companies.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

There are numerous regulatory and enforcement bodies with responsibilities for corporate compliance in Nigeria, with the principal ones including the following:

  • The CBN is vested with the overall control and administration of monetary and financial sector policies of the federal government. It is empowered to carry out routine examinations of banks and other financial institutions and to demand and receive information in respect of their operations. It also has extensive powers to sanction banks and other financial institutions.
  • The Corporate Affairs Commission (CAC) is responsible for the administration of the CAMA. Its functions include the regulation and supervision of the formation, incorporation, registration, management and winding-up of companies; the establishment and maintenance of a companies registry, with suitably and adequately equipped offices in all the states of the federation, to discharge its functions under the CAMA or any other law for which it is responsible; and arranging or conducting investigations into the affairs of companies where the interests of shareholders and the public so demand.
  • The functions of the Financial Reporting Council of Nigeria (FRCN), as stated in the Financial Reporting Council of Nigeria Act 2011, include the enforcement and approval of the ‘compliance with accounting, auditing, corporate governance and financial reporting standards in Nigeria’. In the performance of these functions, it has been given widely stated powers that have been the source of some controversy, such as, for example, the extent of its powers to regulate the manner in which audit firms present reports of private companies.
  • The National Deposit Insurance Corporation was established to insure all deposit liabilities of licensed banks and other deposit-taking institutions operating in Nigeria. It is mandatory for licensed financial institutions to insure their deposits with the Corporation.
  • The Department of Petroleum Resources is an agency of the Ministry of Petroleum, established to supervise and regulate the petroleum industry in Nigeria. It enforces safety and environmental regulations and ensures that those operations conform to national and international industry practices and standards. It processes all applications for petroleum sector-related licences so as to ensure compliance with laid-down guidelines before making recommendations to the Minister of Petroleum Resources.
  • The Economic and Financial Crimes Commission was established under the Economic and Financial Crimes Commission (Establishment) Act 2004. Under the Anti-Money Laundering Act, the commission receives suspicious transaction notifications from financial institutions.
  • The SEC was created under the Investment and Securities Act 2007. The Commission regulates and develops the Nigerian capital market. It also scrutinises the capital market with the mandate of ensuring orderly and equitable dealings in securities and protecting the market against insider trading abuses.

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

As indicated above, there are no specific laws and regulations that define ‘risk management’ or ‘compliance management’. The definitions relied on are based on a combination of corporate governance legislation and regulatory bodies’ codes and regulations.

Are risk and compliance management processes set out in laws and regulations?

They are set out, to a somewhat limited extent, in various regulations and laws as general provisions by which relevant organisations are bound.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

As discussed above, there is no uniform set of risk and compliance standards applicable to all Nigerian companies. By legislation passed in 2011, the National Assembly created the FRCN. The functions of the FRCN under the statute include:

  • developing and publishing accounting and financial reporting standards to be observed in the preparation of financial statements of public interest entities;
  • reviewing, promoting and enforcing compliance with the accounting and financial reporting standards adopted;
  • receiving notices of non-compliance with approved standards;
  • receiving copies of annual reports and financial statements of public interest entities from preparers;
  • advising the federal government on matters relating to accounting and financial reporting standards;
  • maintaining a register of professional accountants and other professionals engaged in the financial reporting process;
  • monitoring compliance with the reporting requirements specified in the adopted code of corporate governance;
  • promoting compliance with the adopted standards issued by the International Federation of Accountants and the International Accounting Standards Board;
  • monitoring and promoting education, research and training in the fields of accounting, auditing, financial reporting and corporate governance;
  • conducting practice reviews of registered professionals;
  • reviewing financial statements and reports of public interest entities;
  • enforcing compliance with the legislation and the rules of the FRCN on registered professionals and the affected public interest entities;
  • receiving, in advance of publication, copies of all qualified reports, together with detailed explanations for such qualifications, from auditors of the financial statements, along with the power to prevent publication of the financial statements until all accounting issues relating to the reports are resolved by the FRCN;
  • adopting and keeping up-to-date accounting and financial reporting standards, and ensuring consistency between standards issued and the International Financial Reporting Standards;
  • specifying, in the accounting and financial reporting standards, the minimum requirements for recognition, measurement, presentation and disclosure in annual financial statements, group annual financial statements, or other financial reports by all public interest entities, in the preparation of financial statements and reports; and
  • developing or adopting and keeping up-to-date auditing standards issued by relevant professional bodies and ensuring consistency between the standards issued and the auditing standards and pronouncements of the International Auditing and Assurance Standards Board.

The granting of such wide functions and powers on such a body, not unexpectedly, created tensions between the FRCN and auditors, the Institute of Chartered Accountants of Nigeria, the Association of National Accountants of Nigeria, public companies, large private companies, public interest entities (defined in the legislation as ‘governments, government organisations, quoted and unquoted companies and all other organisations that are required by law to file returns with regulatory authorities and this excludes private companies that routinely file returns only with the Corporate Affairs Commission and the Federal Inland Revenue Service’), and numerous other bodies.

In addition to these tensions, there was also widespread dissatisfaction with the provisions in the legislation that enabled the FRCN to impose levies on registered professionals (publicly quoted companies) based on market capitalisation, and on public interest entities based on turnover.

After skirmishes in 2014-2016 between the FRCN and auditors of banks, directors of banks that the FRCN purported to suspend or remove from office, and a former governor of the CBN, the executive secretary of the FRCN was dismissed in January 2017. A new executive secretary was appointed, along with a chairman. The three Corporate Governance Codes, for the private, public and not-for-profit sectors, issued in October 2016 were suspended. A committee was established in January 2018 to review the suspended codes and to develop and recommend the revised Code(s). The question of the lawful extent of the powers of the FRCN remains unaddressed.

In the interim, the various other regulatory bodies have retained a certain level of freedom to impose their own guidelines. These tend to be strongly influenced by international standards. Common to virtually all bodies is a requirement for a compliance officer to be appointed and for there to be a risk management committee.

The general nature of the main standards and guidelines regarding risk and compliance management processes can be seen from regulations issued by the CBN in respect of banks and other financial institutions, which is probably the most regulated sector in Nigeria. The CBN regularly issues regulations and guidelines that set standards that undertakings regulated by it must follow. These include updating qualification requirements of chief compliance officers and specifying standards required for risk management procedures.

The guidelines that come from the CBN are largely influenced by international agreements and independent advisory bodies such as the Financial Action Task Force. Currently, CBN guidelines require banks and other financial institutions to adhere to the following:

  • there must be a chief compliance officer (CCO). Initially, it was required that there be one for each branch, but this was relaxed to allow one to serve clusters of branches;
  • the CCO must report directly to the board and must have the status of at least a general manager;
  • the CCO must, in addition to meeting a minimum education requirement, have training in an international standard;
  • there must be a risk management committee;
  • with regard to the finance industry, there are different standards that banks may use in their risk management procedures; these are based on international standards and, with preapproval from the CBN, there is some flexibility in the standards that are acceptable;
  • there are different risk management standards prescribed by the CBN for different kinds of transactions and actions such as accepting new customers, providing credit services for individuals and providing credit services for companies;
  • additionally, the CBN issues extensive manuals detailing procedures required for compliance with legislation; and
  • every financial institution is required to have a comprehensive anti-money laundering/combating the financing of terrorism (AML/CFT) compliance programme to guide its compliance efforts and to ensure the diligent implementation of the CBN manual.

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Generally, there is a requirement for the appointment of a compliance officer who reports directly to the board. However, the specifics vary from industry to industry, as no uniform set of rules and regulations currently exists. Nevertheless, it would appear that the general requirements are that compliance officers have specialised knowledge, are independent from management and report directly to the board of directors.

What are the key risk and compliance management obligations of undertakings?

As addressed above, Nigeria does not have a single set of risk and compliance management obligations. Financial institutions are regulated by the CBN, which has issued numerous regulations. The only obligation that applies to all corporations, whether public, private, financial or non-financial, is the requirement to appoint a compliance or risk management committee or officer to oversee the compliance protocols of the organisation. Frequently, such officers are required to be part of senior management and to have direct reporting lines to the board of directors. Other obligations are sector-specific.

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

As mentioned above, obligations vary from industry to industry. As the banking industry is the most developed, this answer will focus on that sector. Obligations for the banking industry include:

  • AML/CFT compliance is ultimately the responsibility of the board/senior management;
  • an AML/CFT compliance manual must be formulated by the management and presented to the board for consideration and formal approval;
  • senior management approval is required before establishing business relationships with politically-exposed persons;
  • where a customer has been accepted or has an ongoing relationship with the financial institution, and the customer or beneficial owner is subsequently found to be, or becomes, a politically-exposed person, the financial institution is required to obtain senior management approval in order to continue the business relationship;
  • in relation to cross-border and correspondent banking and other similar relationships, in addition to performing the normal customer due diligence measures, financial institutions must obtain approval from senior management;
  • an employee training programme under the guidance of the compliance officer in collaboration with senior management is required;
  • the board and senior management may be investigated for their roles in contravention of the provisions of the AML/CFT manual produced by the CBN; and
  • on the second contravention of the CBN’s AML/CFT manual, responsible parties, including but not limited to members of the board and senior management, will be blacklisted from working in the financial services industry, and the penalties imposed on the officers shall be reflected in the institution’s financial statements and published in the newspapers.

Do undertakings face civil liability for risk and compliance management deficiencies?

In circumstances where there are deficiencies in risk and compliance management, and such deficiencies occasion loss or injury to third parties, undertakings responsible for causing such loss or injury will have civil liability to the affected third parties.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Failure to observe laws and regulations normally results in either administrative or penal consequences for deficient undertakings. The consequences depend upon the legislation and regulations involved. In some circumstances, the consequences are entirely administrative; in others, they are penal and require formal prosecution and conviction before they can be applied. Examples of administrative sanctions include the imposition of administrative fines where companies fail to file requisite returns with the CAC within stipulated time frames. The failure of financial institutions to maintain minimum capital ratios at all times carries administrative penalties including, but not limited to, the prohibition of the institution from advertising for, or accepting, new deposits, and the revocation of the institution’s operating licence. The SEC has the power to prohibit an organisation from trading in particular securities if it deems that action to be necessary for the protection of persons buying and selling those securities.

Do undertakings face criminal liability for risk and compliance management deficiencies?

Criminal liability is imposed by some statutory provisions for risk and compliance management deficiencies. Examples include the criminal sanctions under the Anti-Money Laundering Act for failing to provide information to risk and compliance regulators or other bodies identified in the legislation, or for providing inaccurate information. The Banks and Other Financial Institutions Act also provides criminal sanctions, including fines and terms of imprisonment, for management in certain cases.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Civil liability for governing bodies in breach of compliance management obligations exists in relation to certain specific statutory offences. For example, section 85 of the Investment and Securities Act 2007 allows all persons who suffer damages as a result of subscribing for shares or debentures in reliance on a prospectus that contains untrue or misleading information to seek damages from any director of the company at the time of the issue of the prospectus, or from any person who consented to be named and is named in the prospectus as a director. The Act also extends this liability to employees of the company who participated in or facilitated the production of the prospectus.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

In certain circumstances, members of governing bodies and senior management may be sanctioned for regulatory deficiencies of their organisations. An example of this is section 16(4) of the Anti-Money Laundering Act, which provides that if there is a serious oversight or flaw in a financial institution’s internal control procedures owing to the failure of the institution or of its compliance officer at management level, the disciplinary authority responsible for the financial institution or the person’s professional body may take disciplinary action against the financial institution and the responsible individuals. Administrative consequences range from dismissal to a complete ban from operating within that industry. Section 16(1)-(3) of the Anti-Money Laundering Act provides that a director or employee of a financial institution who destroys or removes a register or record required to be kept may be banned indefinitely, or for a period of five years, from practising the profession that provided the opportunity for the offence to be committed.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Individuals may face criminal liability for the breach of risk and compliance management obligations. Examples of such liability can be found in the CAMA, the Banks and Other Financial Institutions Act, the Food and Drugs Act, and several other statutes.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

At present, there are no provisions in any statutes or regulations that enable the existence of compliance regimes to exculpate undertakings or individuals.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures?

In October 2017, the SEC ordered the Nigerian Stock Exchange (NSE) to suspend trading of the stock of Oando plc. The suspension was the result of complaints from two shareholders, who held over 70 per cent of the company’s issued equity. It was alleged that the chairman of the company’s board had mismanaged the company, and the complaint sought his removal and the postponement of the company’s annual general meeting until after an examination of the company’s activities. The SEC investigated the activities of the company and concluded that the company was in breach of a number of risk and compliance regulations, including rules against related party transactions and insider trading. On 9 April 2018, there were reports in the media that the SEC had directed that the suspension be lifted. Trading resumed on 12 April, following a statement by the SEC that said ‘the SEC directed NSE to lift technical suspension and allow market determination of the share price’. A forensic audit is ongoing.

The FRCN imposed a fine of 1 billion naira (approximately US$5 million) on Stanbic IBTC, the Nigerian affiliate of the South African bank Standard Bank. In addition, the FRCN announced the suspension of several senior officials of the bank, including its chairman. These sanctions were imposed as a result of alleged misstatements in the bank’s 2015 financial report. The sanctions were eventually lifted, following a private agreement between the bank and the FRCN, under which the bank was able to publish its 2015 financial report at the end of 2016.

MTN, Nigeria’s largest mobile telephone operator, announced on 26 October 2015 that it had been fined 1.04 trillion naira (approximately US$5.2 billion) by the Nigerian Communications Commission (NCC) for failure to ensure that active SIM cards on its network were registered. Nigerian regulations require that every active SIM card on a Nigerian telephone network is registered to an individual, whose photograph and fingerprints are recorded against the SIM. MTN allegedly failed to disconnect unregistered SIMs, some of which the NCC claimed were being used by criminal groups such as the Boko Haram insurgents. Following negotiations, it was announced on 10 June 2016 that MTN was permitted to pay a reduced fine of 330 billion naira. In addition, MTN was required to make a public apology to the Nigerian government and the people of Nigeria. The NCC stated that it was necessary to impose a fine high enough to signal to MTN and other mobile telephone operators that it would not be ‘business as usual’ for the mobile service provider that was required to pay such a fine.

First Bank of Nigeria, United Bank for Africa and Skye Bank were fined 1.9 billion naira, 2.9 billion naira and 4 billion naira, respectively. The fines were announced via CBN circulars on 26 October 2015 for First Bank and United Bank for Africa, with the announcement of Skye Bank’s fine coming on 9 November 2015. These fines were for delays in transferring government funds to the Treasury Single Account with the Central Bank of Nigeria as required by regulations introduced in 2012 by the Goodluck Jonathan administration. These regulations had only been partially implemented prior to President Buhari taking office in May 2015 and one of the first administrative steps taken by the Buhari administration was the full implementation of the policy.

Guinness Nigeria, an affiliate of Diageo plc, was fined 1 billion naira by the National Agency for Food and Drug Administration and Control (NAFDAC) on 9 November 2015 ‘as administrative charges for various clandestine violations of NAFDAC rules, regulations and enactments over a long period of time’. Guinness was also accused by the agency of revalidating expired products without authorisation and supervision by NAFDAC, as well as failing to secure the gate of its warehouse, allowing raw materials used in the production of beer and non-alcoholic beverages by the firm to be permanently open to intrusion and exposure to the elements and rodents, which would ‘invariably affect the integrity of the raw materials’. Ultimately it was announced on 11 March 2016 that the issue had been settled out of court. As part of the resolution, NAFDAC would be present during the destruction of the expired raw materials in its rented warehouse and both parties agreed that this would be the procedure for the exercise in future. Guinness Nigeria also agreed to pay administrative and service charges to NAFDAC to cover the cost of the investigative inspection of raw materials carried out by the Agency, as well as for the supervision by NAFDAC of the destruction of the raw materials that would be carried out by Guinness Nigeria.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Some government agencies have risk and compliance obligations. An example of such can be found in the legislation relating to the Asset Management Corporation of Nigeria (AMCON), a government agency established in the wake of bank failures with the specific remit of removing non-performing loan assets from the balance sheets of banks in Nigeria. Under section 7 of AMCON’s establishment act (Asset Management Corporation of Nigeria Act 2011) the agency is required to keep books of all transactions in compliance with CBN rules. While the AMCON legislation makes no provisions for sanctions, the application of CBN rules would appear to subject AMCON to the same rules, obligations and sanctions that apply to financial institutions.

Part 15 of the Investment and Securities Act applies to government agencies seeking to raise finance on the capital market. Such bodies, when seeking to raise finance on the market, have the same disclosure obligations as other entities seeking the same and would appear to be subject to the same governance, and sanctions, regime.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

There do not appear to be any key compliance differences between public sector and private sector compliance management obligations.