AI reshaping compliance for Nigerian startups – Fintech expert, Opeyemi

A financial technology and risk management expert and former KPMG consultant, Kayode Opeyemi, in this interview with LAOLU AFOLABI, shares groundbreaking insights on how Nigerian startups are leveraging regulatory technology to navigate the increasing compliance demands of the Central Bank of Nigeria and the Nigerian Financial Intelligence Unit, and how artificial intelligence is revolutionising compliance and simplifying dual reporting requirements, among others.
With CBN and NFIU tightening oversight, how would you describe the compliance pressure facing Nigerian fintechs today?
Fintechs are facing increasing and intensifying compliance pressure, and rightly so. Over the last five to 10 years, fintech was the “new kid on the block,” operating in a somewhat loosely regulated space, focused on user acquisition, speed to market, and innovation, while stakeholders (including regulators) figured out the best approach to oversight, especially around consumer protection, anti-money laundering (AML), and terrorism financing. Their significance has grown and continues to grow at a rapid pace, as reflected in the increasing volume of transactions, the amount of customer data being managed, and the expanding opportunities for cross-border activities. This has led regulators, such as the CBN and NFIU, to demand similar rigour from fintechs as they do from deposit money banks. While this increases operational burdens and costs, it is also a sign of the sector’s maturity and growth, and we can expect this trend to continue. It is increasingly evident that for fintechs to survive and gain a competitive edge, they must proactively embrace compliance and anticipate emerging regulatory trends.
What common compliance mistakes do you see among fast-growing startups, especially in reporting and transaction monitoring?
One of the most common compliance mistakes made by fast-growing startups is scaling too quickly without putting adequate structures in place. This often results in underinvestment in foundational controls, largely because the complexity of compliance is often underestimated as the business scales. This concern became even more evident in 2024, when the CBN sanctioned several fintechs, including Moniepoint and Opay, for inadequate KYC procedures, which inhibit transaction monitoring and reporting.
A lot of startups treat compliance as a “checkbox” exercise and implement basic reporting infrastructure. Unfortunately, they could not be more wrong. Proactive compliance should be the minimum requirement because history has shown that just one regulatory infraction could stop a fintech from being a going concern. Common root causes include tone at the top, inadequate human resources, especially as they become overwhelmed by increased scale, undertrained staff, inconsistent transaction monitoring rules, inadequate escalation protocols, and poor data integration leading to delayed or incomplete filings. Fast growth without a proactive and scalable control environment is a recipe for disaster.
How are startups coping with overlapping rules from CBN, NFIU, and others? Are RegTech tools helping untangle this?
It is a mess, no doubt. From the prudential guidelines and licensing requirements of the CBN to the sector-specific rules from the SEC, and the AML directives from the NFIU, startups must deal with overlapping and sometimes conflicting regulations. But this is understandable, especially in sectors like financial services that have far-reaching impacts and involve multiple stakeholders. In risk management, the ultimate advice is that when you have overlapping compliance requirements, always comply with the most stringent one. That way, you are certain to comply with both regulations. The good news is that RegTech is helping tremendously. Development of tools that help to consolidate reporting, automate reconciliations, and map controls to regulatory frameworks is gaining traction and enabling more holistic oversight across entire transaction flows. However, it is important to note that these are not substitutes for strategic compliance leadership. Startups cannot and should not rely on automation blindly. There is still a critical need for professionals who can interpret overlaps, identify conflict, determine the best approach, and engage with regulators proactively.
Kudos to players in Nigeria’s fintech space. Although some innovations came in response to CBN sanctions, they reflect the sector’s potential and the power of compliance as a growth driver.
How would you describe the way Nigerian startups use AI to automate STRs in ways that meet NFIU expectations and reduce human error?
There are early but promising signs. AI models are being trained to monitor Key Risk Indicators (KRIs), identify red flags to improve oversight of suspicious transaction patterns, reduce false positives, and even pre-populate reports for compliance teams. This improves the speed, accuracy, and scalability of suspicious transaction reporting. However, it is important to remember that regulators expect explainability. In other words, it is not enough to automate controls; startups must be able to justify, for example, why a Suspicious Transaction Report (STR) was or was not filed for a given transaction. This means automation cannot be a “black box.” Transparency in the model’s decision-making and human validation remain critical.
Given our fragmented ID systems (BVN, NIN, etc.), how effective is AI-powered KYC in speeding up onboarding locally?
This remains a significant challenge. While AI is helping to manage this, fintechs still struggle with data access, consumer trust, and data security risks. That said, AI-powered KYC is effectively and efficiently speeding up KYC locally, and a good example is Smile ID. Now, it is possible to reconcile BVN and NIN in real time, and have your address and identification verified without having to physically visit an outlet. Automation also does a great job (better than humans) in reconciling multiple IDs, handling fuzzy matches, and spotting duplicates. However, as the popular saying goes, “garbage in, garbage out,” if the underlying database is inadequate, there is only so much automation can do. As such, investment is not only needed in fintech innovation, but also in improving the national ID infrastructure and continuously pushing for better system unification, like we have in some developed countries. Kudos to the government for progress so far, such as linking the NIN with passports and mobile numbers. These are good initiatives towards consolidating identity systems in Nigeria.
For startups reporting to both CBN and SEC, how is RegTech streamlining dual compliance without duplication or risk?
First, it is important to note that tools are enablers, not substitutes for governance. That means tools will only be effective when there are several other elements in place, such as data quality, internal alignment, and strategic governance and oversight.
That said, RegTech platforms offer what is known as modular reporting, which allows the same data set to generate tailored outputs for individual regulators. These help to harmonise data collection, centralise risk management, keep audit trails, and significantly reduce duplication and risks of delays or omission.
Why do many startups still view compliance as a cost, and what’s stopping wider adoption of RegTech solutions?
Compliance is a cost. But so are employees, managers, rent for office space, utilities, and every other expense incurred by a startup. Interestingly, there is also a cost for noncompliance.
The major challenge is that startups often prioritise growth metrics over governance, which leads to seeing compliance as an obstacle instead of a driver. This is a wrong mindset and a recipe for disaster. A useful analogy is that of car brakes. A lot of people believe that brakes are there to slow down the car. But if you were driving and found out your brakes were bad, you would look for the fastest opportunity to bring the car to a halt and get help. However, if you knew your brakes were good, you would be able to go as fast as you can within the allowable safety limits, trusting that your brakes would work when required. This is what compliance should mean to startups. Compliance allows you to achieve your strategic objectives while confident that you have controls in place to proactively identify concerns before they escalate.
Aside from the mindset illustrated above, wider adoption of RegTech solutions is limited by factors such as limited local vendor options, cost concerns, lack of awareness, difficulty in getting tailored solutions, and limited in-house expertise.
In your opinion, what are the risks of relying on foreign-hosted RegTech tools, especially under Nigeria’s data protection laws?
There is a real exposure, and this comes with significant risks that should be evaluated when considering the use of foreign-hosted RegTech tools. These include data sovereignty and control, like restrictions on cross-border transfer of data under the NDPR, as well as misalignment with local regulatory nuances. It also calls for enhanced due diligence. For example, startups must be able to identify where their data is hosted, local context impact, access and authorisation to the data, escalation procedures, availability of support, incident resolution, and other regulatory requirements like GDPR. It is also important to ensure that local compliance is not lost while exploring global capabilities.
Where do you think startups should draw the line between automation and human oversight, especially in sensitive compliance areas like PEP checks?
The line should be drawn at the point of decision-making. Automation should identify red flags that trigger actions, not make decisions. For high-risk categories like politically exposed persons (PEP) and high net worth individuals (HNIs), amongst others, automation can help review vast datasets and identify red flags, but the final judgement rests with trained compliance officers. For example, in deposit money banks where there is a requirement to flag and report transactions on accounts belonging to PEPs above a particular threshold, automation can help ensure no transaction is omitted. More importantly, it can identify instances where multiple transactions below the limit will surpass the threshold when consolidated and trigger an action from the compliance officer. In essence, automation enhances efficiency, but humans provide context, judgement, and accountability. Considering that AI cannot take responsibility for failures, it is important to have a human in the loop to ensure oversight and retain accountability.
Do you believe more startups are starting to see compliance as a competitive edge for fundraising or banking partnerships?
Absolutely, and this is a welcome shift that is also being seen globally. With the dire consequences that regulatory infractions can have on a company’s going concern, banking partners, investors, and other stakeholders are paying more attention to startups they invest in or do business with. Robust compliance is increasingly being viewed as a signal of long-term viability, resilience, and operational maturity. Startups with strong risk frameworks and a robust compliance environment can negotiate better terms, as risk management and compliance reduce the likelihood of risks crystallising, and this is starting to appear more on pitch decks and investor presentations. As such, more startups are starting to rightly see compliance as a value proposition, a major differentiator, and a key driver for growth.
Given our mobile-first, cash-heavy economy, what areas of RegTech are most ripe for local innovation?
Mobile KYC is gaining significant traction, and it is pleasing to see the progress made so far, despite the infrastructure and database bottlenecks in Nigeria. That said, the areas that are most exciting for local innovation at this time, especially with our cash-heavy economy experiencing growth in agency and mobile banking in a bid to enhance financial inclusion, are agency network monitoring, informal sector onboarding, and micro-transaction anti-money laundering (AML) services. This is particularly important because local innovators understand the uniqueness of the environment. They know how to validate identities and addresses where formal documentation is lean, and how to monitor cash-to-digital flows without inhibiting access. These solutions address key challenges in the Nigerian market and will go a long way in complementing other products and services in the market.
From your KPMG background, what structural gaps do you see in how Nigerian startups build compliance systems, and what should they change early on?
Too often, compliance is an afterthought for startups. From my experience at KPMG, I noticed that many startups tend to address compliance issues reactively rather than proactively. And that is the biggest structural gap. Compliance should be embedded from day one and proactively scaled to fit the startup’s expansion plans. To break it down even further, there is insufficient board-level oversight, a lack of documented policies, unclear roles and responsibilities, omission of compliance from product/service design, and inadequate engagement with regulators. Startups are encouraged to see investment in compliance as an early investment with long-term value and engage with regulators as strategic partners and not adversaries.