PII & Compliance

Nigerian fintech operates under specific regulatory requirements from the CBN (Central Bank of Nigeria) and NDPR (Nigeria Data Protection Regulation). This page draws a clear line between what PayKore handles on your behalf and what remains your responsibility as the partner building on top of PayKore.


What PayKore handles

  • Encryption at rest for all BVN and NIN values submitted for KYC verification, using AES-256-GCM.
  • Secure transmission of identity data to verification providers (Mono, Smile Identity) over encrypted channels.
  • Compliance with CBN KYC guidelines for the verification process itself — the mechanics of checking a BVN or NIN against the relevant authoritative source.
  • PCI-DSS-aligned handling of payment data. PayKore does not store card numbers — all wallet-based transactions move through bank account rails (NUBAN) rather than card networks, which removes an entire category of PCI scope from your integration.
  • Audit logs for all transactions, retained for compliance and dispute-resolution purposes.

What you are responsible for

  • Collecting and storing your users' consent for data processing. PayKore processes the data you send it, but obtaining a lawful basis for collecting that data from your user in the first place is your obligation.
  • Maintaining your own data privacy policy, covering what data your application collects and how it's used — independent of PayKore's own policy, which covers only PayKore's processing.
  • Complying with NDPR for any PII you collect and store on your own systems (names, emails, phone numbers, addresses — anything beyond what you pass through to PayKore for verification).
  • Ensuring your application never logs BVN or NIN values. This is straightforward to comply with structurally: PayKore never returns the raw BVN/NIN value back to you after initial submission (see KYC Verification), so as long as you don't separately store the value your user typed into your own form before sending it, there's nothing to accidentally log.

Warning

If your application's frontend or backend logs full request bodies for debugging (a common default in many logging setups), make sure your KYC submission endpoint is excluded or has its sensitive fields redacted. A logging pipeline that captures POST /v1/kyc/bvn request bodies verbatim is logging your user's BVN, regardless of what PayKore does on its end.
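
One way to implement the redaction described in this warning, as an added example that is not PayKore's code: a Python `logging` filter that masks identity values before any handler writes them. The JSON field names `bvn` and `nin` and the sample body are assumptions; substitute your own payload schema.

```python
import json
import logging
import re

# Assumption: the identity value travels in JSON fields named "bvn" / "nin".
SENSITIVE_KEYS = {"bvn", "nin"}
# BVN and NIN are 11-digit numbers. This fallback also masks other 11-digit
# runs (e.g. local phone numbers), which is the safe direction for logs.
ELEVEN_DIGITS = re.compile(r"(?<!\d)\d{11}(?!\d)")
REDACTED = "[REDACTED]"


def mask_keys(value):
    """Recursively replace values stored under sensitive keys."""
    if isinstance(value, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else mask_keys(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask_keys(v) for v in value]
    return value


def redact_body(raw: str) -> str:
    """Mask by field name when the text is JSON, then by pattern in any case."""
    try:
        parsed = json.loads(raw)
        if isinstance(parsed, (dict, list)):
            raw = json.dumps(mask_keys(parsed))
    except (ValueError, RecursionError):
        pass  # not JSON: only the pattern pass applies
    return ELEVEN_DIGITS.sub(REDACTED, raw)


class KycRedactionFilter(logging.Filter):
    """Scrub a record before handlers format it."""
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, tuple):
            record.args = tuple(redact_body(a) if isinstance(a, str) else a
                                for a in record.args)
        message = record.getMessage()
        record.msg, record.args = ELEVEN_DIGITS.sub(REDACTED, message), ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    logging.getLogger().handlers[0].addFilter(KycRedactionFilter())
    # Constructed sample body; the BVN is a made-up value.
    logging.info("POST /v1/kyc/bvn body=%s", '{"bvn": "00000000000"}')
```

Attach the filter to handlers rather than to a single logger: a logger-level filter is not applied to records that propagate up from child loggers, while a handler-level filter sees every record that handler writes.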


CBN wallet tiers

The CBN mandates tiered transaction limits based on the level of identity verification completed. You are responsible for enforcing these limits in your own application logic — PayKore does not automatically block a transaction for exceeding a tier limit. You query the user's KYC status and apply the relevant cap yourself before initiating a transaction.

| Tier | Verification required | Single transaction limit | Monthly cumulative limit |
|---|---|---|---|
| Tier 1 | None | ₦50,000 | ₦300,000 |
| Tier 2 | BVN | ₦200,000 | ₦500,000 |
| Tier 3 | BVN + address verification | No limit | No limit |

Note

PayKore's KYC Verification guide covers BVN submission, which is what's needed to move a user from Tier 1 to Tier 2. Address verification for Tier 3 is not yet supported via the API — contact your account manager if a Tier 3 use case is part of your launch plan.


Data retention

PayKore retains transaction records and KYC verification status indefinitely, as required by CBN regulations governing financial record-keeping. This is not configurable — it's a regulatory floor, not a PayKore policy choice.

For sandbox/test data specifically, you can request deletion at any time by contacting support, since sandbox data carries none of the same regulatory retention requirements as live financial activity.


NDPR compliance note

Under NDPR, you are the data controller for the personal data you collect from your own users — meaning you decide why and how that data is processed, even when PayKore (acting as a data processor for the specific data you send it) handles parts of that processing on your behalf.

As a data controller, you need your own privacy policy covering what you collect, how it's used, and how users can exercise their rights under NDPR (access, correction, deletion requests, etc.). PayKore's own privacy policy covers PayKore's processing role, but does not substitute for your obligations as the controller of your own user base.

Tip

This page is general orientation, not legal advice. NDPR compliance specifics depend on your exact data flows and business model. Consult a Nigerian data privacy lawyer to confirm your specific obligations before launch, particularly if you're collecting any personal data beyond what you pass to PayKore.

