INTRODUCTION
On May 6, 2024, the Central Bank of Nigeria ("CBN")
published a circular providing "Implementation Guidance on the
Collection and Remittance of theNational Cybersecurity Levy"
(the "CBN Circular") introduced by the Cybercrime
(Prohibition, Prevention, etc.) Act of 2015 and amended by the
Cybercrime (Prohibition, Prevention, etc.) Amendment Act 2024 (the
"Act"). The Circular has raised concerns about its
implications for businesses and individuals. There are also
concerns about whether the CBN has properly interpreted the
application of
the levy.
In this article, we have provided a general background on the regulation of Cybercrime in Nigeria and also set out our view on the implementation of the Cybercrime levy by the CBN.
A. What is the Applicable Law on Cybercrime in Nigeria?
In Nigeria, Cybercrime is primarily regulated by the Cybercrime (Prohibition, Prevention, etc.) Amendment Act 2024. The Act addresses various cyber-related offences and is aimed at instituting an effective regulatory framework that prohibits and prosecutes cybercrime in Nigeria. It prescribes different cybersecurity obligations for organizations including financial institutions in the country.
It also grants the President the right to designate certain major computer systems, programs, and networks as critical national information infrastructure and prescribe minimum standards, guidelines and rules in respect of such infrastructure.
B. What is Recognized as Cybercrime under the Act?
The Act provides a list of different activities that will be considered to be Cybercrime in Nigeria including:
(i) knowingly altering data with the intention that such data will be acted upon as if it were authentic;
(ii) misdirecting electronic mail with the intention to fraudulently obtain financial gains;
(iii) unlawfully destroying or aborting any electronic mail through which money or valuable information is being conveyed, etc. The Act also states the penalties for such activities.
C. Where did the Cybersecurity Levy Originate From?
The Cybersecurity Levy (the "Levy") was introduced by section 44(2)(a) of the Act and amended by the Cybersecurity Amendment Act. The Act (as amended) provides that a Levy of 0.5% or 0.005 is to be remitted by the following businesses (set out in the second schedule of the Act) to a National Security Fund domiciled with the CBN:
i. Banks and other Financial Institutions
ii. GSM Service providers and all telecommunication Companies
iii. Internet Service Providers
iv. Insurance Companies
v. Nigerian Stock Exchange.
D. What is the Cybersecurity Levy to be Used For and Who is
to
Administer the Fund?
What is clear from the Act is that the levy collected is to be administered by the Office of the National Security Adviser and included as part of the National Security Fund. The Act states that 40% of the Fund (which comprises of various levies collected by government) may be used for programs relating to countering violent extremism.
E. What is stated in the 2024 CBN Implementation Guidance on
the
Collection and Remittance of the National Cybersecurity
Levy?
Although the Cybersecurity Levy is a levy introduced by the Act, there had been no steps taken by regulators to implement it until the recent CBN Circular.
With the recently issued CBN Circular, CBN placed a
responsibility on Banks, Payment Service Providers, and other
Financial Institutions (the "Financial Institutions") to
commence the collection of the Cybersecurity Levy from
businesses and customers in the course of their transactions. The
Circular requires Financial Institutions to collect a Cybersecurity
levy of 0.5% on all electronic transactions at the point of the
electronic transfer origination and
remit the sums collected to the Fund. The deducted amount is to be
reflected as "Cybersecurity Levy" in the customer's
account.
F. When is the CBN Guidance to Take Effect?
According to the Circular, all deductions from electronic transactions is to commence 2 weeks from the date the circular was published. Commercial, Merchant, Non-Interest Banks, and Mobile Money Operator are to ensure they configure their systems within 4weeks to collect the levy in an automated manner whilst all other Financial Institutions have been given eight weeks to configure their systems to collect the levy in an automated manner.
G. What Transactions Are Exempted?
The Circular sets out 16 transactions excluded from the Cybersecurity levy including the following:
i. loan disbursement and repayment;
ii. salary payments;
iii. inter-branch transfers with one bank;
iv. letters of credits;
v. intra-bank transfers between customers of the same bank;
vi. bank transfers to CBN;
vii. educational institution transactions including tuition
payments and other
related transactions;
viii. non-profit organization transactions, etc.
H. Is There a Penalty for Failing to Deduct the Cybersecurity Levy?
The Guidance states that institutions that fail to deduct the Levy as prescribed will be fined at least 2% of the institution's annual turnover.
Conclusion
A review of Section 44 of the Act on its own, suggests that the intention of the draftsman when introducing the Cybersecurity Levy was for the levy to apply to businesses as stated in the Second Schedule listed above; and not to broaden its implementation to affect all individuals and businesses in the Country in the manner that the CBN Circular purports to achieve.
We note that the implementation of the Circular by the CBN is currently being challenged by the House of Representatives and the public. We expect that more clarity will be provided on the application of the Cybersecurity Levy once deliberations have been concluded.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.