Global Standards

Nigeria vs Europe: The Coming AML Reckoning for Cross-Border Institutions

As Nigerian and European AML expectations converge from very different starting points, cross-border institutions are caught between two supervisory cultures. The reckoning is in the gap between them.

By Cognitive Compliance 9 min read

Cross-border institutions operating between West Africa and Europe have, for years, managed two AML worlds as if they were separate problems. The European entity answers to the FCA, to ECB-supervised expectations, to a mature and exacting supervisory culture. The Nigerian entity answers to the CBN and the NFIU, within a framework that has historically been read — fairly or not — as less demanding in practice.

That separation is ending — faster than most cross-border groups have adjusted to. The two worlds are converging, and they are converging from opposite directions: Europe tightening its expectations of how institutions evidence control effectiveness, and Nigeria having materially strengthened its regime under sustained international pressure. The clearest signal of that came in October 2025, when the FATF removed Nigeria from its grey list, with the EU following by delisting Nigeria from its high-risk list at the start of 2026. The reckoning will land hardest on the institutions that sit across the gap and have been quietly running to the lower of the two standards — a gap that has just closed beneath them.

Two supervisory cultures, converging

European AML supervision has moved decisively from rules to effectiveness. It is no longer enough to have a policy; the institution must evidence that the control works — that monitoring detects, that screening catches, that risk-rating reflects reality. The FCA’s expectations around systems and controls, senior-management accountability and demonstrable control effectiveness set a high bar for proof, not just presence.

Nigeria’s trajectory is different but pointed in the same direction — and it has moved quickly. The legal foundation was rebuilt with the Money Laundering (Prevention and Prohibition) Act 2022, alongside the Terrorism (Prevention and Prohibition) Act 2022, and the CBN gave it operational teeth through the CBN (AML/CFT/CPF in Financial Institutions) Regulations 2022. Those reforms, and the enforcement posture behind them, are what carried Nigeria off the FATF grey list in October 2025 — two years and eight months after it was listed in February 2023 — and off the EU high-risk list in January 2026. A follow-up mutual evaluation is expected to keep the pressure on rather than release it.

The two systems are not becoming identical. But the distance between them is closing, and the direction of travel removes the arbitrage that cross-border institutions have implicitly relied on. Delisting is not a signal to relax; it is confirmation that the Nigerian standard has risen to meet the international one.

The arbitrage that is about to close

The uncomfortable truth is that some cross-border groups have run their African operations to a materially lighter AML standard than their European ones — not always by design, often by drift. Local CDD is thinner. Risk models are less rigorously maintained. Transaction monitoring is configured more loosely. The group rationalises this as proportionate to the local environment, and for a long time the supervisory consequences were modest enough that the rationalisation held.

Three forces are dismantling that position:

  • Group-level accountability. European parents are increasingly answerable for the financial crime risk in their entire group, not just their domestic entity. A weak African subsidiary is no longer a contained local issue; it is a group exposure that a European supervisor can and will probe.
  • Convergence of standards. As Nigerian expectations rise toward international norms, the gap that the lighter local standard exploited simply shrinks. What was tolerated becomes a finding.
  • Correspondent banking pressure. International correspondents, wary of their own exposure, demand demonstrable AML standards from the institutions they bank. A cross-border group that cannot evidence consistent control across its footprint risks the de-risking that has already cut correspondent relationships across the region.

Where the gap actually shows

For institutions caught across this convergence, the exposure concentrates in a few predictable places.

Inconsistent customer risk rating. The same customer type rated high-risk in the European entity and standard in the African one is a contradiction a supervisor will seize on. Convergence demands a coherent, group-wide risk methodology — the kind of work covered by risk-model recalibration — not two methodologies that happen to disagree.

Divergent transaction monitoring. Monitoring tuned to very different standards across entities produces a group that cannot describe its detection coverage coherently. As expectations converge, the looser configuration becomes the weak point that defines the group’s risk.

UBO and complex structures across jurisdictions. Cross-border ownership structures — trusts, holding vehicles, layered entities spanning both regions — are exactly where standard CDD breaks down, and exactly where a converging supervisory environment will look hardest. This is the territory of UBO and complex-ownership resolution.

MI that cannot speak across the group. When each entity reports differently, the group cannot give either supervisor a coherent account of its financial crime risk. Connected MI across the footprint is the connective tissue of a defensible cross-border position.

What an insider knows that a checklist does not

Navigating this convergence well requires more than mapping one rulebook against another. It requires understanding both supervisory cultures — how the FCA actually tests effectiveness, how the CBN and NFIU actually approach enforcement, where each places its emphasis, and how a credible institution is expected to behave in each environment.

That insider perspective matters because the gap is not only in the written standards; it is in expectation and practice. An institution can be technically compliant with both rulebooks and still fail, because it has not understood what each supervisor is really looking for. Bridging the two requires experience that spans both — the practitioner who has worked inside UK retail and private banking, Channel Islands wealth, and West African financial institutions, and who reads the CBN circular and the FCA expectation with the same fluency. That cross-jurisdictional grounding is core to CCL’s about and to its end-to-end financial crime transformation work.

Preparing for the reckoning

The institutions that will come through this convergence cleanly are not waiting for the gap to close on them. They are closing it themselves, on their own terms: harmonising risk methodology across the group, bringing the lighter-standard entity up rather than hoping the standard stays low, and building MI that can speak coherently to both supervisory worlds.

The reckoning is not a single event. It is the steady disappearance of the space between two standards that cross-border institutions have quietly lived in. The advantage goes to those who move before the space closes — who treat convergence as a transformation to lead rather than a finding to wait for.

Cognitive Compliance advises institutions operating across UK, Channel Islands and West African frameworks (FCA, GFSC, CBN). To assess your group’s cross-border AML coherence, book an advisory call.

AML West Africa CBN NFIU FATF Cross-Border FCA

Keep reading

Related insights

Regulatory Strategy 10 min read

Why KYC Is Broken in Most Banks (And Everyone Pretends Otherwise)

KYC failure is rarely a people problem. It is a design problem — flat effort, drifting standards, and MI that cannot answer the regulator's question. Here is what actually breaks, and how it gets fixed.

Read analysis
Delivery Model 9 min read

How a Boutique Scales: The Specialist-Led, Partner-Enabled Delivery Model

The objection to a boutique on a large programme is bench depth. The answer is the delivery model: specialists lead design, QA and governance; vetted partners and client teams execute volume under one standard.

Read analysis
AI Compliance Series 8 min read

Perpetual KYC Is Not an Automation Problem. It's an Architecture Problem.

Perpetual KYC is sold as an automation upgrade. Automate a broken review model and you get faster noise. The real work is architecture: triggers, data and escalation logic designed before any tool is bought.

Read analysis

Speak to the practice

Before it becomes a regulatory finding, make it a closed action.

A short, confidential advisory call to pressure-test where your KYC, AML, sanctions or risk-classification framework is exposed — and what a defensible fix looks like.

Book an Advisory Call View Case Portfolio