Introduction
The Cybercrimes (Prohibition, Prevention, Etc) (Amendment) Act 2024 (the "Amendment Act") was signed into law by President Bola Tinubu on 28th February 2024. The Amendment Act amended some provisions of the Cybercrimes (Prohibition, Prevention, Etc) Act. No 17 2015 (the "Cybercrimes Act"). One of the amendments is in relation to the National Cybersecurity Fund and the cybersecurity levy.
The National Cybersecurity Fund
Section 44 (1) of the Cybercrimes Act establishes the National Cybersecurity Fund ("Fund") to be held by the Central Bank of Nigeria and provides that certain payments shall be credited to the Fund which shall be held by the Central Bank of Nigeria ("CBN"). According to section 44(2) of the Cybercrimes Act, the payments to be made to the Funds include a levy of 0.005 of all electronic transactions by the businesses specified in the second schedule to the Act. The affected businesses specified in the second schedule to the Act are (a) GSM service providers and all telecommunications companies; (b) internet service providers; (c) banks and other financial institutions; (d) insurance companies; and (e) the Nigerian Stock Exchange.
The Amendments to the Provisions Relating to the Fund
The Amendment Act amended section 44 (2) (a) to provide that the sums due to the Fund shall include "a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the businesses specified in the Second Schedule to this Act".
The Amendment Act made no changes to the businesses outlined in the Second Schedule of the Cybercrimes Act as set out above. Other key amendments made by the Amendment Act include imposing a penalty of 2% of the annual turnover on businesses that neglect to remit the levy to the Fund, and failure to pay the penalty may result in the closure or revocation of the business's operational licence. In addition, the Amendment Act has now empowered the Office of the National Security Adviser ("ONSA") to administer the Fund.
The Commencement of collecting the Levy
Prior to 2024, the Nigerian government did not give effect to the collection of the levy under the Cybercrimes Act. Following the enactment of the Amendment Act, on 6th May, 2024 the CBN released a circular titled "Cybercrimes (Prohibition, Prevention, Etc) (Amendment) Act 2024 – Implementation Guidance on the Collection and Remittance of the National Cybersecurity Levy" (the "CBN Circular") addressed to all the financial institutions regulated by it. The CBN Circular reiterates that the administration of the Fund will fall under the purview of the ONSA.
The CBN Circular outlined the procedure for the implementation and collection of the levy. This includes: (i) applying and collecting the levy at the point of electronic transfer and the amount collected and remitted to the Fund by the financial institution; (ii) reflecting the term "Cybersecurity Levy" in the narration in the customer's account; (iii) commencing the deductions of the levy within two weeks from the date of the CBN Circular; (iv) the levies collected in bulk shall be remitted to the Fund's account with the CBN on the fifth business day of every month; and (v) the completion of the system reconfiguration1 towards ensuring complete and timely submission of the remittance files.
Liability to the Levy
Any electronic payment transaction that does not fall within any of the exemptions set out below will be liable to the levy. The CBN Circular suggests that all the customers (corporates and individuals) of financial institutions are liable to pay the levy where their electronic transaction does not fall within any of the exemptions. The levy will be collected from the customer originating the transaction, and the financial institutions from which the electronic transaction is initiated have the obligation to collect the levy and remit it to the Fund.
Exemptions
The CBN Circular exempts certain transactions from the application of the levy. The excluded transactions include: (a) loan disbursements and repayments; (b) salary payments; (c) intra-account transfers within the same bank or between different banks for the same customer; (d) intra-bank transfers between customers of the same bank; (e) other financial institutions (OFls) instructions to their correspondent banks; (f) interbank placements; (g) banks' transfers to CBN and vice-versa; (h) inter-branch transfers within a bank; (i) cheques clearing and settlements; (j) letters of credits (LCs); (k) banks' recapitalisation related funding - only bulk funds movement from collection accounts; (l) savings and deposits including transactions involving long-term investments such as treasury bills, bonds, and commercial papers; (m) government social welfare programmes transactions such as pension payments; (n) non-profit and charitable transactions including donations to registered nonprofit organisations or charities; (o) educational institutions transactions, including tuition payments and other transaction involving schools, universities, or other educational institutions; and (p) transactions involving bank's internal accounts such as suspense accounts, clearing accounts, profit and loss accounts, inter-branch accounts, reserve accounts, nostro and vostro accounts, and escrow accounts.
Question on the Applicability of the Levy to All the Customers of Financial Institutions
As we have stated above, the implication of the CBN Circular is that the levy is payable by all customers (corporates and individuals) of financial institutions (irrespective of the amount involved in the electronic transaction), excluding the exempted transactions. The question is whether the levy is payable by all the customers of financial institutions or by only the businesses set out in the Second Schedule of the Cybercrimes Act. We say this because the amendment to section 44(2)(a) by the Amendment Act expressly imposes "a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule to this Act" (emphasis ours). This provision does not expressly impose the liability to pay the levy on all customers of financial institutions. The section states that the levy is on "all electronic transactions value by the businesses specified in the Second Schedule to this Act".
The above appears to suggest, in our view, that the levy is only applicable to the businesses specified in the Cybercrimes Act which are (a) GSM service providers and all telecommunication companies; (b) internet service providers; (c) banks and other financial institutions; (d) insurance companies; and (e) the Nigerian Stock Exchange. In our opinion, these specified businesses are the only institutions that should pay the levy on their electronic transactions. It is on this basis that the statute requires the affected businesses or organisations to remit the levy into the Fund and provides that contributions to the Fund is tax deductible. Other corporate and individual customers of financial institutions are not liable to pay the levy under the Cybercrimes Act and the Amendment Act.
We hold the view above because section 44(2)(a) of the Amendment Act is clear that the levy is on all electronic transactions value by the businesses specified in the Second Schedule to this Act. The implication of this is that all the electronic transactions by the specified businesses will attract the levy. Conversely, all electronic transactions that are conducted by other businesses not listed in the Second Schedule of the Cybercrimes Act and by individuals should not be subject to the levy. This approach, we believe, is the intendment of the National Assembly in the enactment of the Cybercrimes Act and the Amendment Act. If the lawmakers' intention was for the levy to apply to all electronic transactions carried out by any customer of financial institutions, they would have included that in the statutes and would have empowered the specified businesses to deduct the levies from eligible customers' account and remit to the Fund.
The above view is because taxing statutes must not be ambiguous and must clearly identify the person who is subject to a tax. If there is an ambiguity in the interpretation and application of a taxing statute, that ambiguity will be resolved in favour of the taxpayer.
This approach should be adopted in the interpretation and application of the Cybercrimes Act and the Amendment Act – that is, the imposition of the levy by the statutes should be interpreted to apply only to the businesses expressly stated in the Second Schedule.
Recommendation
Following the release of the CBN Circular, there has been controversy regarding the applicability of the levy, with certain arguments stating that the levy may apply to individuals. While we do not agree with this view as the law appears clear on the issue, we recommend that the CBN will need to issue a clarification circular to confirm the entities that the levy is applicable to as set out in the statutes and whether the application extends to parties other than the specified businesses in the Cybercrimes Act. If the CBN's view is that the levy applies to all customers of financial institutions, then the statute will need to be amended to specifically provide for that.
Footnote
1. The system reconfiguration must be completed by commercial banks, merchants, non interest banks, and payment service banks within four weeks from the date of the CBN Circular. All other financial institutions, including microfinance banks, primary mortgage banks, and development financial institutions, must complete the reconfiguration within eight weeks from the date of the CBN Circular.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.