What's the fuss about the Nigerian Cybersecurity Levy?

What’s the fuss about the Nigerian Cybersecurity Levy?

Recently, the populous nation in Africa was stirred up by an intended 0.5% levy to be imposed by the Nigerian government on every transaction on account of cybersecurity. That is currently on hold. 

But then, that stir can not go for nothing. Techpression is here with all the details, from what cybersecurity is to what it has to do with Nigeria.

Cybersecurity refers to the practice of protecting critical systems, networks, and data from digital attacks. As our reliance on technology grows, so do the threats posed by cybercriminals. It encompasses various measures to protect against unauthorised access, data breaches, and other malicious activities.

Read also: Master your money: Top-rated apps for financial success

There are various types of threats that cybersecurity prevents.

Malware: Malware is a broad term for malicious software, including viruses, worms, ransomware, and spyware. It can alter or delete files, extract sensitive data, or send malicious emails. Individuals may unwittingly deploy malware by clicking on bad links or downloading infected attachments.

Ransomware: Ransomware encrypts files, making them inaccessible. Attackers demand payment (usually in cryptocurrency) in exchange for a decryption key. However, payment doesn’t guarantee file recovery.

Social Engineering: In social engineering attacks, bad actors manipulate people’s trust to obtain sensitive information. They masquerade as known brands, coworkers, or friends to deceive individuals.

Phishing: Phishing uses emails, text messages, or voicemails that appear legitimate to trick people into revealing sensitive information or clicking on unfamiliar links. Spear phishing targets specific individuals.

Cybersecurity Levy in Nigeria

The Central Bank of Nigeria (CBN)  mandated a 0.5% cybersecurity levy on all electronic transactions. This levy aims to enhance cybersecurity measures and protect against digital attacks.  

Key points about the levy: The levy is applied to electronic transactions as mandated by the Cybercrime (Prohibition, Prevention, etc) (Amendment) Act 2024. Financial institutions deduct the levy from the originator of the electronic transaction and remit it to the National Cybersecurity Fund administered by the Office of the National Security Adviser. 

Deductions started within two weeks from the date of the circular (May 6, 2024), and financial institutions must remit collected levies monthly. Failure to remit the levy can result in penalties, including fines based on a percentage of the financial institution’s annual turnover.

Cybersecurity is crucial for protecting our digital world, and measures like the cybersecurity levy contribute to a safer online environment.

The Impact of Nigeria’s Cyber Security Levy on Businesses and Individuals

The cyber security levy introduced by the Nigerian government in May 2024 affects primarily businesses and organisations operating within Nigeria’s digital ecosystem. This includes tech companies, financial institutions, e-commerce platforms, and any entity involved in online transactions or data handling. Small businesses and startups may also feel the impact, depending on their digital operations. On the other hand, individuals not directly involved in such digital enterprises are generally not affected by this levy in terms of direct financial implications, but they may indirectly experience changes in online services or prices due to businesses adjusting to the new levy.

A circular was sent to commercial banks, mobile money operators, payment service providers, and others, indicating that the cybersecurity levy is being introduced following the enactment of the 2024 Cybercrime (Prohibition, Prevention, etc) Amendment Act. This legislation mandates a 0.5% deduction from the value of all electronic transactions to fund the National Cyber Security Fund, administered by the NSA office. While the levy applies to most electronic transactions at their point of origin, the Central Bank of Nigeria has outlined 16 exempted transactions in an appendix to the circular.

16 transaction types exempted from CBN’s cybersecurity levy:

  • Loan disbursements and repayments
  • Salary payments
  • Intra-account transfers within the same bank or between different banks for the same customer
  • Intra-bank transfers between customers of the same bank
  • Other Financial Institutions (OFIs) instructions to their correspondent
  • Banks Interbank placements
  • Banks’ transfers to CBN and vice-versa
  • Inter-branch transfers within a bank
  • Cheques clearing and settlements
  • Letters of Credits (LCs)
  • Banks’ recapitalization-related funding – only bulk funds movement from collection accounts
  • Savings and deposits, including transactions involving long-term investments such as Treasury Bills, Bonds, and Commercial Papers.
  • Government Social Welfare Programs transactions, e.g. Pension payments
  • Non-profit and charitable transactions, including donations to registered nonprofit organisations or charities.
  • Educational Institutions transactions, including tuition payments and other transactions involving schools, universities, or other educational institutions.
  • Transactions involving the bank’s internal accounts, such as suspense accounts, clearing accounts, profit and loss accounts, inter-branch accounts, reserve accounts, nostro and vostro accounts, and escrow accounts.

The controversy surrounding Nigeria’s Cybersecurity Levy

Civil society groups and experts have voiced their concerns about the introduction of the cybersecurity levy. These concerns have been amplified by the fact that the levy was introduced during a period of high inflation, a weakening naira, and rising living costs, further burdening already struggling citizens. 

Critics argue that the National Assembly lacked transparency. Many Nigerians were aware of the amendment when the CBN circular was issued. Many Nigerians have expressed concerns about the timing and impact of the levy, arguing that it adds to the already high cost of living and burdens businesses and vulnerable groups. Critics contend that the levy is unconstitutional, as it bypasses the provisions of Section 162 of the 1999 Constitution, which mandates that all federally collected revenue be paid into the Federation Account. 

Notable figures have taken action in response to the controversy. Olisa Agbakoba, a Senior Advocate of Nigeria (SAN), has announced his intention to challenge the law in court, while the Socio-Economic Rights and Accountability Project (SERAP) has already filed a suit seeking an interim injunction against the CBN. President Bola Tinubu has also intervened, directing the suspension of the levy’s implementation to alleviate the burden on citizens facing economic hardship. However, the National Assembly, which amended the Cybercrime Act in 2024, has faced criticism for its lack of transparency and public engagement.

Senator Shehu Buba, who sponsored the amendment bill, has defended the levy, stating that it targets financial institutions and telecommunication companies, not individual citizens. Economic experts have also argued that the levy will adversely affect financial inclusion and the cashless policy, making electronic transactions more expensive than cash transactions. They suggest that the government should revisit the amended Act and explore more innovative and effective funding models for cybersecurity measures, such as prioritising budgetary and donor funding or adopting a trust-based fund management model.

The cybersecurity levy has sparked a heated debate in Nigeria, with many questioning its constitutionality, timing, and impact on citizens and businesses. The government’s response, including the suspension of the levy’s implementation and the ongoing legal challenges, highlights the need for a more transparent and inclusive approach to policy-making in the country.

Why the Government wants a Cybersecurity Levy?

The Cybersecurity Levy was found to be a follow-up to two previous letters regarding compliance with Cybercrime (Prohibition, Prevention, Etc.). Act 2015, one dated June 25, 2018 (Ref: BPS/DIR/GEN/CIR/05/008) and the other dated October 5, 2018 (Ref: BSD/DIR/GEN/LAB/11/023). The levy was to be overseen by the Office of the National Security Adviser, as per the provisions of Section 44 (2)(a) of the Cybercrime (Prohibition, Prevention, etc) (amendment) Act 2024.

The CBN has recently been active in cleaning up the banking system following a lot of fraudulent transactions. It recently made a ruling that prevents fintechs from taking on new clients. Customers of fintech companies have been cautioned not to use their platforms for cryptocurrency transactions. The government is currently facing legal battles with Binance.

This seems to be in line with its intention to tackle fraud. It also came seven days after the federal government ordered deposit money banks to start deducting a 0.375% stamp duty charge from all bonds and loans backed by mortgages.

The establishment of a cybersecurity levy is crucial as it allows organisations to invest in strong security measures to counteract ever-changing threats by providing a specific source of funding for cybersecurity initiatives.

The levy itself is not a bad development as it could contribute to strengthening the capacity to identify and respond to threats, enable the use of cutting-edge security measures and perform security audits and tests on a regular basis. It would also be used to educate staff on best cybersecurity practices and back plans for responding to incidents and recovering from disasters.

However, it might not be the best decision given the economy situation of Nigeria which is filled with impoverished citizens.

Why President Tinubu suspended the levy temporarily

After widespread controversy and economic concerns, President Bola Tinubu banned the CBN’s 0.5% cybersecurity fee on electronic transactions. The Cybercrime (Prohibition, Prevention, etc.) Act of 2015 proposed a tax on electronic banking transactions to support national cybersecurity initiatives. Despite Nigerians’ economic difficulties, this levy’s timing and possible economic consequences drew widespread criticism from citizens and financial professionals.

The levy was seen as an extra cost that people already dealing with high inflation and other money problems would have to pay. It made Tinubu make the decision he made. As the President stressed, the levy’s goal of improving safety was good, but it needed to be done differently so it didn’t look like it didn’t care about the public’s situation.

Adding to the debate were problems with how the policy was being put into place and complaints about how quickly it was being implemented. Instead, Tinubu ordered a short-term stop to the levy and a full review of it to ensure that any future application would consider the present state of the economy and include consultations with all relevant parties.

Read also: Five ways to fund your startup in Africa

How CBN ensures safe and transparent management of the cybersecurity levy

The CBN has outlined several measures to ensure transparency and the security of funds collected through this levy:

Designated Account and Remittance Process: Financial institutions must remit the collected levies in bulk to the NCF account domiciled at the CBN by the fifth business day of each subsequent month. This centralised approach ensures that the funds are managed and utilised to bolster cybersecurity infrastructure and efforts against cybercrime.

Regulatory Compliance and Penalties: The CBN has mandated strict compliance from all financial institutions under its purview. Non-compliance, such as failure to remit the levy, is a significant offence. It attracts penalties that include a fine of at least 2% of the defaulting institution’s annual turnover. This regulation is in place to enforce compliance and ensure that funds are appropriately directed towards cybersecurity initiatives, underscoring the seriousness of the matter.

Transparency Measures: The CBN has directed that system reconfigurations should ensure complete and timely submission of remittance files to the Nigeria Interbank Settlement System (NIBSS). This requirement not only promotes transparency but also provides a clear and accurate tracking and reporting of the collected levies, giving financial institutions and the public a sense of reassurance about the process.

These measures collectively aim to secure the funds collected through the levy and ensure they are used effectively to enhance the cybersecurity landscape in Nigeria. The transparency of the process is upheld through stringent regulatory requirements and penalties for non-compliance, providing a level of assurance to the public about the security and appropriate use of their money after paying the levy.

 

Contributors: Hauwa Ali, Temitayo Olumofe, Esther Abayomi, Felicia Akindurodoye, Modupe Olalere, Olanrewaju Adeniyi