Understanding the Suspended Cybersecurity Levy in Nigeria.

    Aarndale Solicitors > Blog > Uncategorized > Understanding the Suspended Cybersecurity Levy in Nigeria.
May 31, 2024
Aarndale
Uncategorized
0

On the 6th of May, 2024, the Central Bank of Nigeria (CBN) issued a circular requiring banks and other financial institutions to levy a cybersecurity fee on all electronic transactions to enhance the country’s cybersecurity defenses.

The circular was a follow-up on an earlier letter dated June 25, 2018, and October 5, 2018 on compliance with the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 directed to all commercial, merchant, non-interest, and payment service banks.[1]

However, on the 14th of May, 2024, the Minister of Information and National Orientation, Mohammed Idris, announced the suspension of the proposed cybersecurity levy following widespread public outcry. He confirmed that the policy is currently on hold and is under review.

Key Highlights of the Suspended Cybersecurity Levy

  • Levy Implementation: Following the enactment of the Cybercrime (Prohibition, Prevention etc.) (Amendment) Act of 2015 and under the provision of section 44(2)(a) of the Act, businesses specified in the Second Schedule were mandated to remit a levy of 0.5 percent (0.005) – equivalent to half a percent of the value of all electronic transactions. However, the implementation of tis levy has been suspended.
  • Originator Responsibility: The originator of an electronic transaction is responsible for paying the levy. Financial institutions will deduct the amount from the originator and reflect it in the customer’s account with the label “Cybersecurity Levy”.
  • Remittance to National Cybersecurity Fund: Financial institutions are required to remit the collected levies to the National Cybersecurity Fund, administered by the Office of the National Security Adviser.
  • Timelines: Deductions were scheduled to commence within two weeks from the date of the circular (May 6th, 2024). Financial institutions were to remit the collected levies in bulk to the National Cybersecurity Fund account domiciled at the CBN by the fifth business day of the following month.[2] However, these timelines are now on hold due to suspension.
  • System Updates and Penalties: Financial institutions need to update their systems to handle levy deductions and remittances. Failure to comply may result in penalties, including fines of up to 2% of the institution’s annual turnover. With the suspension, these requirements are currently not in effect.

Sectors in Nigeria affected by the Cybersecurity Levy

Although the implementation of the cybersecurity levy has been suspended, it is important to note which sectors were initially targeted by the levy under Section 44(4) of the Cybersecurity (Prohibition, Prevention, etc.) (Amendment) Act of 2015. The affected companies and organizations included:

  • GSM service providers and all telecommunication companies
  • Internet service providers
  • Banks and other financial institutions
  • Insurance companies
  • The Nigerian Stock Exchange

These sectors were chosen for their significant role in electronic transactions and the critical need for enhanced cybersecurity measures within these industries.

Transaction types exempted from the Cybersecurity Levy

The cybersecurity levy had some exemptions. According to the regulator, the exemptions include[3]:

Loan disbursements and repayments, Salary payments, Intra-account transfers within the same bank or between different banks for the same customer, Intra-bank transfers between customers of the same bank, Other Financial Institutions (OFIs) instructions to their correspondent, Banks Interbank placements, Banks’ transfers to CBN and vice-versa, Inter-branch transfers within a bank, Cheques clearing and settlements, Letters of Credits (LCs), Banks’ recapitalization-related funding – only bulk funds movement from collection accounts, Savings and deposits including transactions involving long-term investments such as Treasury Bills, Bonds, and Commercial Papers, Government Social Welfare Programs transactions e.g. Pension payments, Non-profit and charitable transactions including donations to registered nonprofit organizations or charities., Educational Institutions transactions, including tuition payments and other transactions involving schools, universities, or other educational institutions, Transactions involving the bank’s internal accounts such as suspense accounts, clearing accounts, profit and loss accounts, inter-branch accounts, reserve accounts, nostro and vostro accounts, and escrow accounts.

Purpose of the Cybersecurity Levy

The primary purpose of the recently suspended Cybersecurity levy was to fund the National Cybersecurity Fund, administered by the Office of the National Security Adviser (ONSA). The fund aimed to support the nation’s cybersecurity initiatives and infrastructure, enhancing protection against cyber threats.[4]As Cyber threats increase, the necessity for strong defensive measures heightens. Revenue from this levy was intended to advance cybersecurity technologies, enhance training for cybersecurity professionals, and facilitate public awareness campaigns to educate both individuals and businesses about cyber risks. Although the levy’s implementation has been suspended, the need for robust cybersecurity measures remains critical.

Possible Adverse Effects of the Suspended Cybersecurity Levy

Although the implementation of the cybersecurity levy has been suspended, it’s important to consider the potential adverse effects had it been enacted:

  • Increased Cost for Businesses: The cybersecurity levy would have introduced additional financial burdens for businesses, particularly small and medium enterprises (SMEs) operating with tight profit margins. This increase in operational expenses could have led to higher prices for consumers, reduced investment in other critical areas, or, in severe cases, business closures.
  • Cost Transfer to Consumers: Businesses, especially those with slim profit margins, might have offset the added expenses from the cybersecurity levy by raising the prices of their goods and services. This increase could have elevated the cost of living, reduced disposable income, and subsequently decreased consumer spending, potentially harming the economy.
  • Decreased Competitiveness: For sectors engaged in international trade, the cybersecurity levy could have weakened competitive advantages. Businesses facing higher operational costs due to the levy might have struggled to match the price points of overseas competitors not subject to similar charges, leading to a loss of market share, reduced earnings, and potential deterrence of foreign investors.
  • Economic Imbalance: The cybersecurity levy could have caused economic imbalances, with certain industries bearing a heavier burden than others, resulting in an unequal competitive landscape. Additionally, if the levy was imposed per transaction, it could have disproportionately affected businesses with high transaction volumes but limited profit margins.
  • Regulatory and Administrative Burden: Implementing and administering a new levy would have required significant regulatory and administrative efforts, potentially leading to inefficiencies and increased bureaucracy. Businesses would have needed to allocate resources to comply with the new regulations, which could have otherwise been used more productively.
  • Potential for Misallocation of Funds: There was always a risk that the funds collected through the levy might not have been used efficiently or effectively. Mismanagement, lack of transparency, or inadequate allocation of funds could have undermined the intended benefits of improving cybersecurity infrastructure, leading to skepticism and resistance among those paying the levy.
  • Barrier to Digital Adoption: In sectors where digital adoption was already lagging, additional costs like a cybersecurity levy could have further hindered technological progress. Businesses might have been reluctant to invest in digital technologies if they perceived the levy as a financial barrier, thereby slowing down digital transformation initiatives.

What did the 0.5% (0.005) percentage rate mean?

Percentage Explanation

  • 0.5% translates to 0.005 in decimal form, meaning half of 1 percent.
  • This rate, if implemented, would have been deducted from the value of electronic transfers by the Central Bank of Nigeria (CBN).[5]

Calculation Method

To convert the percentage to a decimal for calculation purposes, you divide by 100:

0.5% ÷100=0.005

Levy Calculation Formulas

Formula One: Multiply the transfer amount by 0.5 and then divide by 100 to get the levy.

Formula Two: Multiply the transfer amount directly by 0.005 to determine the levy.

Example Calculation

For a transfer amount of N10,000:

Using Formula One:

10,000×0.5÷100=50

Using Formula Two:

10,000×0.005=50

Thus, N50 would have been charged as the cybersecurity levy on a N10,000 transaction, in addition to standard bank transaction fees and applicable VAT.[6]

Although the cybersecurity levy implementation has been suspended, understanding its calculation helps in comprehending the financial impact it could have had on electronic transactions.

Impact of the Cybersecurity Levy on Financial Institutions[7]:

  • Financial Burden: The requirement for financial institutions to collect and remit the cybersecurity levy would have introduced additional financial responsibilities. This could have increased operational costs, as these institutions would need to allocate resources towards compliance and management of the levy contributions.
  • Operational Adjustments: Implementing the levy would have required financial institutions to adjust their existing systems and processes. This would involve updating software, training staff on new compliance requirements, and ensuring accurate deductions and remittances. These changes would necessitate investments in both technology and human resources to ensure seamless integration.
  • Compliance Costs: Beyond operational costs, financial institutions would also face compliance costs. Ensuring full compliance with the regulations governing the levy to avoid penalties would require regular audits and system updates, which can be resource-intensive and costly.
  • Penalties for Non-compliance: The levy included strict penalties for financial institutions failing to comply with the collection and remittance processes. Penalties could have been as severe as fines amounting to 2% of the institution’s annual turnover, significantly impacting the financial health of the institution.
  • Customer Relations: The levy might have affected customer perceptions of their financial service providers. Additional charges could lead to dissatisfaction among clients, especially if the reasons behind the levy were not well communicated.
  • Enhanced Security Posture: On the positive side, the funds raised through this levy were intended to bolster the nation’s cybersecurity infrastructure. This would mean better protection for the institutions themselves as well as their customers, potentially reducing losses due to cybercrimes in the long term.

Implications of the Cybersecurity Levy on Businesses and Consumers[8]

The proposed cybersecurity levy would have had several implications for both businesses and consumers. For businesses, especially small and medium-sized enterprises, the levy could have resulted in additional financial strain due to increased costs related to compliance, record-keeping, and potential competitive disadvantages depending on its application across different regions or sectors. However, it might have also encouraged greater investment in cybersecurity measures.

For consumers, the levy could have translated into higher prices for goods and services, adding to household living expenses. On the positive side, if the levy funds were effectively used, consumers could have benefited from improved protection against cyber threats.

Both businesses and consumers may demand greater transparency and accountability from the government regarding the utilization of the funds that would have been collected through the cybersecurity levy, to ensure their effective use in enhancing cybersecurity measures.

Conclusion

The suspension of the cybersecurity levy allows stakeholders to reassess funding strategies for cybersecurity initiatives in Nigeria. It further highlights the need for a balanced approach that addresses cybersecurity threats without imposing undue financial burdens on consumers and businesses. Despite the suspension, the importance of strong cybersecurity measures remains. The CBN and other stakeholders must collaborate to develop effective strategies that enhance cybersecurity while considering the economic impact. Working together, they can ensure that cybersecurity initiatives are adequately funded and support both national security and economic stability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[1] Emma Ujah (7th May, 2024) “CBN orders ‘Cybersecurity Levy’ deductions on electronic transfers” VANGUARD https://www.vanguardngr.com/2024/05/cbn-orders-cybersecurity-levy-deductions-on-electronic-transfers/ Accessed 7/05/2024

[2] James Emejo & Nume Ekeghe (7th MaY, 2024) “CBN Mandates 0.5% Cybersecurity Levy on Electronic Transactions To Curb Cybercrime” ARISE NEWS https://www.arise.tv/cbn-mandates-0-5-cybersecurity-levy-on-electronic-transactions-to-curb-cybercrime Accessed 7/05/2024

[3] Samson Akintaro (7th March, 2024) “Here are 16 transaction types exempted from CBN’s cybersecurity levy” NAIRAMETRICS Here are 16 transaction types exempted from CBN’s cybersecurity levy – Nairametrics Accessed 7/05/2024

[4] Oladeinde Olawoyin (7th May, 2024) “CBN directs banks to charge 0.5% cybersecurity levy on transactions” PREMIUM TIMES https://www.premiumtimesng.com/business/business-news/691956-cbn-directs-banks-to-charge-0-5-cybersecurity-levy-on-transactions.html Accessed 7/05/2024

[5] Makua Ubanagu (7th May, 2024) “What CBN’s 0.5% (0.005) cybersecurity levy means” PUNCH https://punchng.com/explainer-what-cbns-0-5-0-005-cybersecurity-levy-means/ Accessed 9/05/2024

[6] Ibid.

[7] Ken Ibenne (7th May, 2024) “Nigeria’s 0.5% Cybersecurity Levy: A Financial Critique of CBN’s Initiative” Nigeria’s 0.5% Cybersecurity Levy: A Financial Critique of CBN’s Initiative – The News Chronicle (thenews-chronicle.com) Accessed 7/05/2024

[8] Ken Ibenne (7th May, 2024) “Nigeria’s 0.5% Cybersecurity Levy: A Financial Critique of CBN’s Initiative” Nigeria’s 0.5% Cybersecurity Levy: A Financial Critique of CBN’s Initiative – The News Chronicle (thenews-chronicle.com) Accessed 7/05/2024

© 2021 Aarndale Solicitors. All rights reserved. | Privacy Policy | Disclaimer