Nigeria’s Central Bank has introduced regulations effective May 1, 2026 that restrict Bank Verification Number holders to a single lifetime phone number change, permanently tying financial identity to mobile numbers in an ecosystem where telecom operators recycle inactive SIMs after just 360 days. The policy creates a structural conflict between banking security and telecommunications economics that could lock millions of Nigerians out of their bank accounts through no fault of their own.
The One-Time Change Rule and Its Implications
Under the revised BVN framework announced in March 2026, customers can update the phone number linked to their BVN exactly once for life. After that single change, the number becomes permanently locked to their banking identity. The Central Bank positions this as a fraud prevention measure targeting SIM-swap attacks, where criminals hijack phone numbers to gain access to bank accounts through one-time passwords and transaction alerts.
The restriction takes effect alongside other security measures including a 24-hour fraud watchlist for suspicious transactions, age limits restricting BVN enrollment to individuals 18 and above, and database access controls limiting BVN data to licensed financial institutions. As of March 2026, Nigeria’s BVN system covers 68.59 million users, making it the foundational identity layer for the country’s financial services sector.
Phone numbers linked to BVNs serve critical functions in Nigeria’s digital banking infrastructure. They authenticate users through OTPs, deliver transaction alerts, enable account recovery, and verify identity during sensitive operations. The Central Bank’s decision to make these numbers effectively permanent recognizes their importance—but ignores the reality of how Nigerian telecoms actually work.
The SIM Recycling Problem Nobody Addressed
Nigerian telecom operators recycle phone numbers after 360 days of inactivity under regulations from the Nigerian Communications Commission. The NCC’s Quality-of-Service Business Rules 2024 mandate that prepaid lines without revenue-generating events for six months must be deactivated. After an additional three months of dormancy, the number enters the recycling pool and gets reassigned to a new subscriber.
This creates scenarios the CBN’s policy fails to account for. A Nigerian travels abroad for work, maintains their SIM but doesn’t make calls or send SMS (WhatsApp calls over WiFi don’t count as activity). After six months, the line gets suspended. At nine months, it’s recycled. The original owner returns to Nigeria to discover their phone number—and with it, their permanent BVN link—now belongs to someone else.
Gbenga Adebayo, Chairman of the Association of Licensed Telecom Operators of Nigeria, explained the economics driving recycling. Telecoms pay numbering plan fees to the NCC for every allocated number. Maintaining inactive numbers means paying taxes on non-revenue-generating assets. Subscribers don’t own their phone numbers; operators do. Once a SIM goes dormant, the operator has both regulatory permission and financial incentive to recycle it.
The Nigerian Communications Commission attempted to address recycling risks with the Telecoms Identity Risk Management System portal, announced in February 2026. The TIRMS platform was designed to track recycled numbers and share data with operators to prevent fraud when numbers change hands. According to regulatory guidelines reviewed by TechCabal, the portal would go live after a 21-day consultation period ending in March 2026. However, the system addresses inter-operator coordination, not the fundamental conflict between CBN’s lifetime phone number lock and NCC’s recycling timeline.
Real-World Consequences Already Playing Out
The social media complaints cited in the National Orientation Agency’s announcement illustrate problems that will intensify under the new rules. A student who wrote JAMB had to message the new user of their recycled phone number to retrieve exam scores. The number was recycled, reassigned, and the original owner lost access to results tied to their identity. Under the May 1 rules, if that phone number was their BVN-linked number and they’d already used their one allowed change, they would face permanent complications accessing banking services.
Security researcher Shuaib Agaka documented a case where someone lost their phone and SIM card, only to discover months later they couldn’t access WhatsApp, Facebook, or email accounts because the recycled number allowed a new user to reset passwords through SMS verification. The person was locked out of their entire digital life. If that number was BVN-linked and the one-time change already exhausted, the banking implications would be catastrophic.
The NCC permits recycling after 360 days. The CBN allows one phone number change for life. These policies operate in direct contradiction. A Nigerian who travels, studies abroad, works internationally, or simply maintains a SIM without making calls could lose their permanent financial identity key through administrative recycling—with no second chance to update it.
What the CBN Should Have Done First
The National Orientation Agency’s social media engagement surfaced the correct diagnosis. Before locking phone numbers to BVNs forever, regulators needed to fix the telecommunications infrastructure that makes phone numbers unstable identifiers in the first place. Specifically:
Extended dormancy periods before recycling. The suggestion for 10 years of inactivity before disconnection, plus another 5 years before reassignment, reflects an understanding that phones tied to financial identity require different treatment than phones used purely for calls. South Korea maintains a 90-day grace period after deactivation before recycling. Singapore requires 180 days. Nigeria’s 360-day window sounds longer but includes the suspension period; actual protection is closer to 9 months before permanent loss.
Mandatory notification before recycling BVN-linked numbers. Telecoms currently have no obligation to inform previous owners when recycling occurs. The CBN could have mandated that any number linked to a BVN must trigger alerts to the registered email address and alternate contact before recycling. If the Central Bank has real-time BVN-to-phone linkage data, it should share that with the NCC to flag high-risk numbers.
Alternative authentication beyond phone numbers. South Africa’s banking sector uses biometric authentication, device fingerprinting, and app-based verification that doesn’t depend solely on SMS. Estonia’s digital identity system relies on cryptographic certificates, not phone numbers. Nigeria’s over-reliance on mobile numbers for financial authentication creates single points of failure that the one-time-change rule exacerbates rather than solves.
Account recovery pathways that don’t require the original number. The CBN’s policy assumes users will always maintain control of their BVN-linked phone number. Reality proves otherwise. Banks need documented procedures for verified account recovery when numbers are legitimately lost to recycling, theft, or damage—procedures that don’t consume the user’s one allowed change.
The Broader Policy Coordination Failure
This situation exemplifies regulatory fragmentation in Nigeria’s digital economy. The Central Bank of Nigeria sets banking identity rules. The Nigerian Communications Commission governs telecommunications. The Nigeria Data Protection Commission oversees data privacy. The National Identity Management Commission manages the National Identification Number system. Each operates independently, creating policies that work within their silos but clash when citizens interact across sectors.
The CBN’s one-time phone change rule makes sense in isolation as a fraud control measure. The NCC’s SIM recycling policy makes economic sense for telecom operators managing finite number resources. But together, they create a trap: your financial identity is permanently tied to an asset you don’t own, managed by an industry with regulatory permission to reassign it after less than a year of inactivity.
Nigeria’s data protection framework requires controllers to implement appropriate security measures for personal data. Phone numbers linked to BVNs are sensitive personal data under the Nigeria Data Protection Act 2023. The combined effect of CBN and NCC policies arguably fails the “appropriate security” test by creating conditions where users can lose control of this data through regulatory recycling rather than personal negligence.
The pattern extends beyond BVN. Nigeria’s recent mandate for crypto exchanges to report user IDs for tax compliance and the draft national AI regulation framework both rely on phone-based identity verification. Each new policy assumes phone numbers are stable, permanent identifiers. The telecoms sector treats them as recyclable inventory.
Who Bears the Risk
The Central Bank’s warnings about phishing campaigns targeting Nigerians acknowledge that fraud is a real problem requiring intervention. Social engineering schemes accounted for 62,901 fraud cases in 2023 according to Nigeria Inter-Bank Settlement System data, with SIM-related compromises playing a significant role. The one-time phone change rule addresses this.
But the policy shifts all adjustment costs to users while leaving structural problems untouched. Nigerians must now treat their phone numbers as permanent financial assets, maintaining them indefinitely to preserve banking access. They must ensure continuous revenue-generating activity every six months to prevent suspension. They must anticipate international travel, extended hospitalization, or any circumstance that could interrupt phone usage for 360 days.
Failure to maintain the number doesn’t just mean losing a contact method. It means potentially losing access to your life savings with no second chance to update your banking identity. The banks face no obligation to provide alternative authentication. The telecoms face no obligation to preserve numbers linked to financial services. The regulatory burden falls entirely on individual citizens to navigate incompatible policies.
What Happens Next
The May 1, 2026 deadline is imminent. Nigerians currently using borrowed SIMs, international numbers, or numbers they can’t reliably maintain should act before the one-time change becomes their only option. Those who’ve already used their single allowed change have no further recourse if their number gets recycled.
The National Orientation Agency’s social media post acknowledges awareness of the SIM recycling problem. Public comments demand telecom reform before banking restrictions. The question is whether regulators will coordinate policy changes or proceed with incompatible rules that create systemic risk for millions of bank customers.
A functional solution requires the Central Bank, Nigerian Communications Commission, and National Identity Management Commission to align policies around phone number stability. That means either extending dormancy periods for financially-linked numbers, creating exemptions from recycling for BVN-linked SIMs, or developing phone-independent authentication that doesn’t trap users in recycling conflicts.
Until then, Nigeria has implemented a banking security measure that assumes telecommunications infrastructure it doesn’t have, creating a permanent identity lock on a recyclable asset. The policy may reduce SIM-swap fraud. It will certainly create new categories of citizens locked out of banking services through regulatory design rather than criminal action.
Follow us on Bluesky, LinkedIn, X, and Telegram to Get Instant Updates
