2026 Regulatory Guide: CBN, BoG & Prudential Authority
Regulators across West Africa and South Africa are not waiting anymore. In 2025 and 2026, the CBN, the Bank of Ghana, and the South African Prudential Authority have all issued directives that move risk management from best practice to binding obligation. Here is what each one is asking for — in plain language.
Nigeria — CBN
Two requirements stand out heading into 2026.
First, recapitalisation. The CBN's March 2024 circular set a compliance deadline of March 31, 2026 for banks to meet new minimum capital thresholds. For risk managers, this is not just a finance exercise — it requires recalibrating your entire risk appetite and capital adequacy framework to reflect the new capital structure.
Second, operational risk controls with real teeth. The CBN directed banks in January 2026 to reduce fraud response times to under 30 minutes. Alongside this, a 2025 AML exposure draft mandated real-time monitoring for high-risk transactions. The message is clear: documented policies are not enough — your controls need to be measurable and demonstrable.
Ghana — BoG
The BoG has had an unusually active 12 months. Three directives deserve immediate attention.
The Risk Management Directive requires every regulated institution to maintain a framework appropriate to its size and complexity — board-approved and actively maintained, not filed away.
The Liquidity Risk Management Directive 2026 requires board-level review of liquidity risk strategy at least annually, alongside new Basel-aligned monitoring tools.
And the Climate-Related Financial Risk Directive, effective January 2026 for banks, makes climate risk a formal part of the risk management framework — not a sustainability footnote.
South Africa — Prudential Authority
The PA's priorities for 2025–2026 are focused and specific.
Third-party risk management was named the PA's primary supervisory focus for 2025. Banks that rely on external service providers — which is essentially all of them — should expect detailed scrutiny of their vendor risk assessments, concentration risk analysis, and operational resilience plans.
On capital, the SARB's Basel III post-crisis reforms draft directive updates the standardised approach for credit risk, the operational risk framework, and the leverage ratio. If your BA returns still reflect transitional standards, now is the time to close that gap.
Finally, the PA's updated climate disclosure guidance (G3/2025) is currently voluntary — but the PA has been explicit that mandatory requirements are coming. Early movers will have a significant advantage.
The One Thing All Three Share
Board-level governance. Every directive across all three regulators points to the same expectation: your board must be actively involved in risk oversight, with documented evidence. Not annual reports that land in an inbox — real, minuted engagement with risk appetite, framework approvals, and material risk decisions.
If your risk framework is not yet structured to support that, ISO 31000 and COSO ERM are the two frameworks most directly aligned with what these regulators are looking for. Pirani's free Risk Framework Selector can help you figure out where to start.
Want to go deeper? Join the next session of the Pirani Risk Management School. Or let's talk about how Pirani supports regulatory alignment in practice.
FAQ
- What is the CBN requiring from banks in 2026?
  The Central Bank of Nigeria is requiring banks to meet new minimum capital thresholds by March 31, 2026, reduce fraud response times to under 30 minutes, and implement real-time AML monitoring for high-risk transactions. Risk frameworks must be operational and demonstrable — not just documented.
- What does the Bank of Ghana's Risk Management Directive require?
  The BoG's Risk Management Directive requires all regulated financial institutions to maintain a board-approved risk management framework appropriate to their size and complexity, with active systems for identifying, measuring, controlling, and reporting material risks.
- Is climate risk management mandatory for banks in Ghana?
  Yes. The Bank of Ghana's Climate-Related Financial Risk Directive became effective in January 2026 for banks, making climate risk a formal component of the institution's risk management framework. For specialised deposit-taking institutions and non-bank financial institutions, the effective date is January 2027.
- What is the South African Prudential Authority focusing on in 2025–2026?
  The PA's primary supervisory focus for 2025 is third-party risk management — covering concentration risk, cybersecurity, and operational resilience. Alongside this, the PA is implementing Basel III post-crisis reforms and moving toward mandatory climate risk disclosure.
- What risk framework should a West African bank use to meet CBN and BoG requirements?
  Most institutions will benefit from combining ISO 31000 as the operational risk management framework with Basel III capital standards where applicable. For institutions with more mature governance structures, COSO ERM adds the strategic layer that connects risk to board-level decision-making. Pirani's free Risk Framework Selector helps you identify the right combination for your context.
- What do CBN, BoG, and the Prudential Authority have in common?
  All three regulators are converging on the same expectation: board-level risk governance that is active, documented, and proportionate to the institution's complexity. Risk frameworks that sit on paper but do not drive real decisions are increasingly a supervisory red flag across all three markets.