Compliance & Security

Built on regulatory foundation

Compliance is not a feature we added — it's the architectural foundation of TrustQI. Every component is designed to the standards set by CBN, NFIU, NDPC, and FATF.

CBN KYC Framework

Central Bank of Nigeria KYC Tiers

TrustQI fully implements the CBN's three-tier KYC framework with automated classification, enforcement, and audit trails.

KYC Tier 1 | Daily: ₦50,000 | Balance: ₦300,000
CBN Requirements
  • Valid phone number (linked to NIN for new accounts)
  • BVN (for microfinance banks)
  • Self-declaration of name and address
TrustQI Implementation

Phone + NIN/BVN validation via NIMC and NIBSS APIs. Auto-classified with no manual review.

KYC Tier 2 | Daily: ₦200,000 | Balance: ₦500,000
CBN Requirements
  • BVN verification
  • One valid government-issued photo ID (NIN slip, international passport, or driver's license)
TrustQI Implementation

Document OCR, biometric face match, and BVN cross-reference. 99.6% accuracy rate.

KYC Tier 3 | No daily limit (subject to monitoring)
CBN Requirements
  • Completed Tier 2
  • Proof of address (utility bill, bank statement)
  • Video KYC or in-person verification
TrustQI Implementation

Video KYC integration, address verification, full identity graph enrichment with Credit Registry data.

NDPA Compliance

Nigeria Data Protection Act 2023

TrustQI is designed to be fully compliant with the NDPA from day one — not retrofitted.

Nigeria-First Data Residency

All Nigerian customer PII is stored exclusively in Nigerian data centres (AWS af-south-1). No Nigerian customer data is processed or stored outside Nigeria.

Encryption at Rest

All databases and object storage are encrypted with AES-256. Encryption keys are managed via AWS KMS with automatic annual rotation.

Encryption in Transit

All API communications use TLS 1.3. Legacy TLS versions are rejected. Mutual TLS (mTLS) is available for enterprise and government integrations.

PII Tokenisation

All PII fields (name, DOB, BVN, NIN, etc.) are tokenised before storage. Raw PII values are only accessible on authorised request via the detokenisation API.

Data Subject Rights

TrustQI provides an API for data subjects to request access, correction, or erasure of their personal data in compliance with NDPA Sections 28-35. All requests are fulfilled within 30 days.

Breach Notification

In the event of a data breach, TrustQI notifies affected data controllers within 72 hours and assists with NDPC notification obligations per NDPA Section 40.

NFIU AML/CFT

NFIU & FATF Alignment

TrustQI's AML engine is built to the NFIU's AML/CFT compliance framework and aligned with FATF Recommendations 10, 20, and 23 on Customer Due Diligence, Transaction Monitoring, and Reporting.

  • Automated SAR filing within 24 hours of case disposition
  • CTR generation for transactions above NFIU thresholds
  • PEP screening against domestic and international lists
  • Sanctions screening (OFAC, UN, EU, CBN)
  • Enhanced Due Diligence workflows for high-risk customers
  • Ongoing transaction monitoring for all onboarded customers

Security Certifications

Security posture

SOC 2 Type II | In Progress

In progress — target certification Q3 2026. Controls aligned with AICPA Trust Services Criteria.

ISO 27001 | In Progress

Implementation underway — target certification Q4 2026.

Quarterly Pen Tests | Active

Third-party penetration testing by accredited security firms. No critical findings in last 2 assessments.

Bug Bounty | Active

Responsible disclosure program active. Rewards for critical and high severity findings.

Need compliance documentation?

We provide detailed compliance packages for enterprise clients including security questionnaires, DPA templates, and audit report summaries.
