On May 6, 2024, the Central Bank of Nigeria issued a circular directing all banks, financial institutions, and payment service providers to remit 0.5% (0.005) of all electronic transactions to the National Cybersecurity Fund (NCF). In this article, we will explore the scope of the guidelines and recent developments since the issuance of the directive.
KEY PROVISIONS OF THE CIRCULAR AS PUBLISHED
Before diving into the main provisions of this circular, it’s important to note that the CBN guideline aims to enforce compliance with the Cybercrimes (Prohibition, Prevention) Act of 2015, which has been amended to the Cybercrimes Prohibition, Prevention (Amendment) Act of 2024. In addition to banks and other financial institutions, the 0.5% levy remittance to the National CyberSecurity Fund (NCF) as stipulated by Section 44 of the Cybercrimes (Prohibition and Prevention) Act 2015 applies to other commercial institutions such as:
(a) GSM service providers and all telecommunication companies;
(b) Internet service providers;
(c) Insurance companies;
(d) Nigerian Stock Exchange.
All of these entities are required to remit the same levy to the NCF as outlined in the Second Schedule of the Act.
Some important points to note in this circular are as follows:
1. Deduction of the levy during transactions
According to the guidelines, financial institutions are required to remit deductions to the National Cybersecurity Fund when a customer initiates an electronic transfer transaction.
2. Cyber security levy must be reflected in the customer’s account
According to the CBN guidelines, the deduction of the levy must be reflected in the customer’s account with the narration “Cybersecurity Levy”.
3. Commencement of deductions
Banks and financial institutions are expected to commence deductions within 2 weeks from the date of the CBN circular and bulk remittances of the levy to the NCSF account is to be processed by the 5th business day of every subsequent month.
4. Duration for system reconfiguration by financial institutions to enforce compliance
a. Commercial, merchant, non-interest, payment service banks, and mobile money operators are required to respond within 4 weeks from the date of the circular.
b. Other financial institutions such as Microfinance Banks, Primary Mortgage Banks, and Development Finance Institutions are required to respond within 8 weeks from the date of the circular.
5. Exemptions from application of the levy
In other to avoid cases of multiple levy deductions over the same transactions, the following transactions are exempted:
Loan disbursement and repayment, salary payment, intra-account transfer within the same bank or between different banks for the same customer, intra-bank transfer between customers of the same bank, other financial institutions instructions to their correspondence banks, Inter-bank placement, bank transfer to CBN and vice- versa, Inter-branch transfer within a bank, Cheques clearing and settlement, letters of credits, banks’ recapitalization related funding-only bulk fund movement from collection accounts, Saving and deposit including transactions involving long-term investment such as treasury bills, bonds and commercial papers, Government social welfare transactions such as pension payments, Non-profit and charitable transactions including donations to register non-profitable organisation or charities, Educational institutions transactions, including tuition payments and other transactions involving schools, universities or other educational institutions, Transactions involving bank’s internal account such as suspense account, clearing account, profit and loss account, inter-branch account, reserve account, nostro and Vostro account, and escrow account.
6. Penalty for non-compliance
Section 44(8) of the Cybercrime Prohibition and Prevention Act stipulates that failure to remit the levy will result in a fine of not less than 2% of the annual turnover of the defaulting business (refer to Section 11 of the Cybercrimes Prohibition, Prevention, etc. Amendment Act 2024). Furthermore, non-compliance may lead to business closure or revocation of the business operational license.
CONCLUSION
The recent implementation of the cybersecurity levy by financial institutions has been met with negative reactions from individuals and organizations. Many believe that while the policy may have legal standing, its timing is inappropriate given the current harsh economic realities in the country, especially considering the existing deductions made by financial institutions on customer transactions, such as electronic money transfer levy, ATM maintenance, Value Added Tax, etc.
In response to this, the Socio-Economic Rights and Accountability Project (SERAP) and other concerned members of the public have taken action against the Central Bank of Nigeria (CBN) regarding the policy. Additionally, the House of Representatives has called for a halt in the implementation of the levy to address ambiguous aspects of the circular.
There are also concerns about the ambiguity of the Cybercrimes Prohibition and Prevention Act, particularly regarding who the levy is to be deducted from – the transactions of customers of these institutions listed in the Second schedule of the Act or the institutions themselves.
The decision on whether the CBN will address the concerns raised over the implementation of this levy is at its discretion, as it is an independent body. However, we hope for a positive outcome from the ongoing deliberations on this policy as we await the result.
For legal inquiries, please contact us via the WhatsApp icon on this page or HERE, and we’ll attend to you.
Leave a Reply