On May 6, 2024, the Central Bank of Nigeria published a circular providing “Implementation Guidance on the Collection and Remittance of the National Cybersecurity Levy” introduced by the Cybercrime (Prohibition, Prevention, etc.) Act of 2015 and amended by the Cybercrime (Prohibition, Prevention, etc.) Amendment Act 2024. The Circular has raised concerns about its implications for businesses and individuals. There are also concerns about whether the CBN has properly interpreted the application of the levy.
In Nigeria, Cybercrime is primarily regulated by the Cybercrime (Prohibition, Prevention, etc.) Amendment Act 2024. The Act addresses various cyber-related offences and is aimed at instituting an effective regulatory framework that prohibits and prosecutes cybercrime in Nigeria. It prescribes different cybersecurity obligations for organizations including financial institutions in the country.
It also grants the President the right to designate certain major computer systems, programs, and networks as critical national information infrastructure and prescribe minimum standards, guidelines and rules in respect of such infrastructure.
The Act provides a list of different activities that will be considered to be Cybercrime in Nigeria including:
(i) knowingly altering data with the intention that such data will be acted upon as if it were authentic;
(ii) misdirecting electronic mail with the intention to fraudulently obtain financial gains;
(iii) unlawfully destroying or aborting any electronic mail through which money or valuable information is being conveyed, etc. The Act also states the penalties for such activities.
The Cybersecurity Levy (the “Levy”) was introduced by section 44(2)(a) of the Act and amended by the Cybersecurity Amendment Act. The Act (as amended) provides that a Levy of 0.5% or 0.005 is to be remitted by the following businesses (set out in the second schedule of the Act) to a National Security Fund domiciled with the CBN:
i. Banks and other Financial Institutions
ii. GSM Service providers and all telecommunication Companies
iii. Internet Service Providers
iv. Insurance Companies
v. Nigerian Stock Exchange.
What is clear from the Act is that the levy collected is to be administered by the Office of the National Security Adviser and included as part of the National Security Fund. The Act states that 40% of the Fund (which comprises of various levies collected by government) may be used for programs relating to countering violent extremism.
Although the Cybersecurity Levy is a levy introduced by the Act, there had been no steps taken by regulators to implement it until the recent CBN Circular.
With the recently issued CBN Circular, CBN placed a responsibility on Banks, Payment Service Providers, and other Financial Institutions (the “Financial Institutions”) to commence the collection of the Cybersecurity Levy from businesses and customers in the course of their transactions. The Circular requires Financial Institutions to collect a Cybersecurity levy of 0.5% on all electronic transactions at the point of the electronic transfer origination and remit the sums collected to the Fund. The deducted amount is to be reflected as “Cybersecurity Levy” in the customer’s account.
According to the Circular, all deductions from electronic transactions is to commence 2 weeks from the date the circular was published. Commercial, Merchant, Non-Interest Banks, and Mobile Money Operator are to ensure they configure their systems within 4weeks to collect the levy in an automated manner whilst all other Financial Institutions have been given eight weeks to configure their systems to collect the levy in an automated manner.
The Circular sets out 16 transactions excluded from the Cybersecurity levy including the following:
i. loan disbursement and repayment;
ii. salary payments;
iii. inter-branch transfers with one bank;
iv. letters of credits;
v. intra-bank transfers between customers of the same bank;
vi. bank transfers to CBN;
vii. educational institution transactions including tuition payments and other
related transactions;
viii. non-profit organization transactions, etc.
The Guidance states that institutions that fail to deduct the Levy as prescribed will be fined at least 2% of the institution’s annual turnover.
A review of Section 44 of the Act on its own, suggests that the intention of the draftsman when introducing the Cybersecurity Levy was for the levy to apply to businesses as stated in the Second Schedule listed above; and not to broaden its implementation to affect all individuals and businesses in the Country in the manner that the CBN Circular purports to achieve.
We note that the implementation of the Circular by the CBN is currently being challenged by the House of Representatives and the public. We expect that more clarity will be provided on the application of the Cybersecurity Levy once deliberations have been concluded.
--
Read the original publication at Pavestones