
UNDERSTANDING THE CYBERCRIMES (PROHIBITION, PREVENTION ETC) ACT 2015 (AS AMENDED): DEBUNKING THE OBLIGATION OF BANK CUSTOMERS TO PAY THE CYBERSECURITY LEVY

Introduction

The Cybercrimes (Prohibition, Prevention etc) Act 2015 (the “Principal Act”) was enacted to provide an effective and unified legal, regulatory and institutional framework for the protection of the Nigerian cyberspace. The Act was enacted to promote cybersecurity, as well as protect computer systems and networks, electronic communications, data and computer programs, intellectual property and privacy rights.

Following the inadvertent omissions made in the Principal Act and several strategic litigations on certain provisions of the Principal Act, the National Assembly deemed it fit to amend the Principal Act via the Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act, 2024 (the “Amendment”) on February 28, 2024. This article examines the revised provisions of the Principal Act and focuses on clarifying whether bank customers are obligated to pay the Cybersecurity Levy imposed under the Principal Act (as amended).

Significant Amendments in the Cybersecurity Act

The Amendment primarily reiterates the creation of the Cybersecurity Fund (the “Fund”) and the payment of a levy of 0.5% (0.005) of the value of all electronic transactions by specific businesses, including banks and other financial institutions, internet service providers, and insurance companies, among others.

The Amendment also extends criminal liability for conspiracy to perpetrate fraud using computer system(s) or network to employees of any public or private organisation. Previously, criminal liability only applied to employees of financial institutions. Additionally, the Act broadens the scope of payment technology means to include newer technology, rather than just Automated Teller Machines and Point of Sales terminals.

Another of the numerous innovations of the Act is the imposition of the duty on the Office of the National Security Adviser (“ONSA”) to establish both sectoral Computer Emergency Response Teams (“CERTs”) and sectoral Security Operation Centres (“SOCs”) to feed into the national CERT for optimal administration and security of the national cyberspace.

In a bid to better protect the national cyberspace, the Principal Act (as amended) imputes an obligation on public and private organisations to integrate and route their internet and data traffic to the sectoral SOCs. While a welcome development, this raises concerns about possible breaches of privacy and excessive censorship by the government through the intelligence agencies. It would be best for ONSA to outline what specific data points are to be included to ensure that constitutional freedoms are not contravened.

On a related note, pursuant to the Nigeria Data Protection Act 2023 (“NDPA”) and as may be prescribed by the regulatory authority for communication services in Nigeria (the National Communications Commission), the Amendment requires service providers to keep and protect specific traffic data and subscriber information for a period of 2 (two) years.

It is also laudable that the Principal Act is amended to mandate Financial Institutions to require National Identification Numbers (“NIN”) issued by the National Identity Management Commission in addition to other valid means of identification before issuing ATM cards, credit cards, debit cards and other related electronic devices.

CBN Circular: Implications

Sequel to the enactment of the Amendment and recent public engagements by ONSA on the implementation of the Cybersecurity Levy (the “Levy”) as imposed by Section 44(2) of the Principal Act, the Central Bank of Nigeria (“CBN”), in its capacity as the regulator[1] of Banks and other Financial Institutions, issued a circular dated May 6, 2024 directing the implementation of the collection and remittance of the Levy by Commercial, Merchant, Non-Interest and Payment Service Banks; other financial institutions; mobile money operators; and payment service providers. Thus, businesses subject to CBN regulations must ensure full compliance by deducting 0.5% from the originating customer’s account as directed.

This directive from the CBN appears to have generated some controversy as it seems to increase the tax burden placed on bank customers (businesses (including Medium and Small Enterprises and Startups) and individuals), particularly, with regard to the harsh economic climate and the ill timing of the operationalization of the Fund. Consequently, the President of the Federal Republic of Nigeria has intervened, directing the CBN to halt the enforcement of the contentious cybersecurity levy policy outlined in the Circular slated to begin on May 20, 2024. Instead, a comprehensive review of the policy has been ordered.[2]

[1] Banks and Other Financial Institutions Act 2020 (“BOFIA”)

[2] The Punch Newspaper, “Suspend implementation of cybersecurity levy, Tinubu orders CBN”, 12th May 2024, https://punchng.com/suspend-implementation-of-cybersecurity-levy-tinubu-orders-cbn/ accessed on 12th May 2024

 

TLC’s Opinion: No Obligation is Bestowed on Bank Customers to pay the Cybersecurity Levy

Contrary to popular misconception, the Principal Act (as amended) does not impose a cybersecurity levy on bank customers. Instead, the responsibility primarily rests with banks, financial institutions, and other designated entities outlined in the Second Schedule of the Principal Act (as amended). Section 44(2) of the Principal Act (as amended) provides: “(2) There shall be paid and credited into the Fund established under subsection (1) of this section and domiciled in the Central Bank of Nigeria (a) levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule to this Act”.

The essence of the provision above is twofold: (i) It clarifies that the businesses listed in the Second Schedule of the Principal Act are not only required to remit the Levy but also to directly pay it; and (ii) it specifies that the calculation of the Levy for these businesses is 0.5% (.005), which equates to half a percent of the total value of electronic transactions. It is crucial to note that the Principal Act (as amended) does not impose any obligation on bank customers to pay the Levy. If the legislative intent were for bank customers to bear this burden and for banks and other financial institutions to merely remit it, it would have been explicitly stated in the law. The Levy operates in the form of a tax, and tax laws are interpreted strictly by adhering to the ordinary meaning of the language used, without adding any interpretation beyond that.[1]

The obligation to pay the Levy cannot be extended to bank customers based solely on their utilisation of banking services. Instead, the Levy pertains to entities engaged in the provision of the services mentioned in the Second Schedule, as expressly stated in the Principal Act (as amended). The CBN directive does not align with the Principal Act (as amended), rendering it void.

[1] AG & CJ Anambra State v. Registered Trustees of the Cattle Dealers Association Lagos State & Ors (2016) LPELR-40474(CA) Pages 13-16 Paragraphs F-A

Conclusion

The Amendment represents a commendable effort by the National Assembly to enhance the protection of the Nigerian cyberspace by elucidating specific provisions in the Principal Act. However, it is imperative to exercise caution to prevent misinterpretation of the Principal Act (as amended), thereby averting any unintended repercussions.