Regulatory Compliance Explained: What Businesses Must Know

Regulatory compliance is not a one-time activity or a box to be checked during an annual review. It is an ongoing organizational discipline that requires systematic management, dedicated resources, and board-level accountability. This page covers the fundamentals of building and maintaining an effective compliance management system (CMS) in the Nigerian regulatory environment.

"Compliance is not a department. It is a culture — and like all cultures, it is set at the top and lived at every level."

Regulatory compliance encompasses all the policies, procedures, and controls that an organization maintains to ensure it operates within applicable laws, regulations, industry standards, and internal policies. In Nigeria's increasingly active regulatory environment — with the CBN, EFCC, ICPC, NDPC, SEC, NAICOM, and FIRS all actively enforcing their respective mandates — compliance failure is a business risk, not merely a legal formality.

The Nigerian Regulatory Landscape

Regulator                                   | Primary Jurisdiction                 | Key Requirements
------------------------------------------- | ------------------------------------ | ---------------------------------------------------------
Central Bank of Nigeria (CBN)               | Banks and financial institutions     | AML/CFT, KYC, capital adequacy, consumer protection
Securities and Exchange Commission (SEC)    | Capital market operators             | Disclosure, registration, market conduct
NAICOM                                      | Insurance companies                  | Solvency, product standards, claims handling
FIRS                                        | All taxable entities                 | CIT, VAT, PAYE, transfer pricing
NDPC                                        | Data controllers and processors      | NDPA 2023 — data protection, breach notification
EFCC / ICPC                                 | All organizations                    | Financial crimes, corruption, asset recovery
CAC                                         | All registered companies             | CAMA 2020 — annual returns, beneficial ownership

Building a Compliance Management System (CMS)

A Compliance Management System provides the organizational structure, processes, and tools to systematically identify, assess, and manage compliance obligations. The current international standard for CMS design is ISO 37301, which replaced the earlier ISO 19600 guidance standard in 2021; unlike ISO 19600, ISO 37301 sets out auditable requirements against which an organization can be certified.

  • Leadership and commitment: Board and senior management must visibly own compliance — not delegate it entirely to the compliance function
  • Compliance obligations register: A comprehensive, living document of all applicable laws, regulations, standards, and contractual commitments — updated as the regulatory environment changes
  • Risk-based compliance planning: Resources allocated based on the potential impact and likelihood of compliance failure, not on regulatory category alone
  • Compliance controls: Specific policies, procedures, and operational controls designed to ensure each compliance obligation is met
  • Training and awareness: All staff understand their specific compliance obligations and the consequences of failure
  • Monitoring and review: Ongoing assessment of whether compliance controls are working and whether the regulatory landscape has changed
  • Reporting and escalation: Compliance failures, near-misses, and regulatory communications reported promptly to appropriate organizational levels

The Role of the Compliance Officer

The Compliance Officer (or Chief Compliance Officer in larger organizations) is responsible for designing, implementing, and monitoring the CMS. Critically, the CCO must have:

  • Direct access to the board and audit committee — not just management
  • Authority to halt non-compliant activities — not just report them
  • Adequate resources — staff, budget, and technology — to fulfil the function's mandate
  • Independence from revenue-generating functions to avoid conflict of interest

Compliance Programme Effectiveness — Key Metrics

  • Number of regulatory breaches in the period vs. prior period
  • Percentage of staff who have completed mandatory compliance training
  • Number of regulatory enquiries or examinations initiated
  • Time from identification to resolution of compliance issues
  • Percentage of compliance action items closed within agreed timelines

Key Takeaway

Regulatory compliance in Nigeria's active enforcement environment is not optional — it is a survival requirement. Organizations that build genuine compliance management systems, allocate adequate resources, and hold management accountable for compliance outcomes protect themselves from regulatory action, reputational damage, and the operational disruption that follows a significant compliance failure.