In this article, Professor of Law, Gbenga Bamodu argues that the Central Bank of Nigeria, CBN, circular mandating payment for cybercrime charges, does not apply to individuals and is contrary to the provisions of the Cybercrims (Provision , Prevention, ETC.) Act, 2015
On May 6, 2024, the Central Bank of Nigeria, CBN, issued a circular (PSM/DIR/PUB/LAB/017/004) addressed to ‘all commercial, merchant, non-interest and payment service banks; other financial institutions, mobile money operators and payment service providers.’ The circular self-describes as an ‘implementation guidance on the collection and remittance of the National Cybersecurity Levy’.
As a matter of background information, the Cybercrime (Prohibition, Prevention, Etc.) Act 2015 had by its section 44(1) established a Fund to be known as the National Cyber Security Fund. Section 44(2)(a), which has now been amended as to be explained shortly, indicates that the Fund is to be domiciled at the CBN and had provided that there shall be paid and credited into the Fund a ‘levy of 0.005 of all electronic transactions by the businesses specified in the second Schedule’ to the Act. Further provisions in section 44(2)(b)-(e) list other sources of monies and accruals to the Fund while section 44(3) exempts monies accruing to the Fund from income tax, and also makes contributions into it tax deductible.
The second Schedule to the Act provides that businesses which section 44(2)(a) refers to are:
a. GSM Service providers and all telecommunications companies;
b. Internet Service Providers;
c. Banks and other Financial Institutions;
d. Insurance Companies;
e. Nigerian Stock Exchange.
Section 44(2)(a) has now been amended by section 11(a) of the Cybercrime (Prohibition, Prevention, Etc.) (Amendment) Act 2024 to clarify the amount of levy to be collected and remitted as ‘a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule’ to the Act. Rather curiously, the amended version uses the word ‘business’ as opposed to the almost certainly more accurate and intended ‘businesses’ in the original provision. In any event, the new section 44(2)(a) at least seemingly now clarifies prior apparent ambiguity in relation to the amount of the levy.
Other provisions in section 44 of the Act indicate, if not indeed make evident, that the intention under the section is that the levy is due from and payable by the businesses specified in the second Schedule to the Act. For example, section 44(4) provides that the levy ‘shall be remitted directly by the affected businesses or organizations into the Fund domiciled in the Central Bank within a period of 30 days’. The new section 44(8), introduced by the 2024 amendment legislation, now provides that a business specified in the second Schedule to the Act which fails to remit the levy commits an offence and is liable to a fine, and that failure to comply shall lead to closure or withdrawal of the business operational licence.
Controversy: Are Nigerians Generally and Non-Specified Businesses Obliged to Pay the Cybersecurity Levy?
Following the publication of the CBN’s circular of 6th May 2024, reactions in both traditional news media and on social media evinced some concern, if not indeed dismay, based on the supposition that the circular directs the institutions to which it is addressed to make deductions for the levy from bank accounts of members of the public involved in electronic payment transactions. To take just one example for the sake of brevity, the Socio-Economic Rights and Accountability Project (SERAP) is widely reported to have given the Federal Government a 48-hour ultimatum to reverse the levy imposed ‘on Nigerians’. The organisation is quoted to have said: “The Tinubu administration must immediately withdraw the grossly unlawful CBN directive to implement section 44 of the Cybercrime Act 2024, which imposes a 0.5% ‘cybersecurity levy’ on Nigerians]
While ordinarily, the Act itself seems clear that the levy is directed at the businesses specified in the Act, which may in fact pass on the costs to their clients and customers, the CBN’s circular does seem to contain some ambiguity and is perhaps in a sense capable of being interpreted in a manner that suggests that deductions may be made from accounts of members of the public. Quite significant, and a possible root of the potential ambiguity, is that the guidance given by the CBN in the circular on the implementation of the levy provided for in section 44 of the Act is susceptible to interpretation which makes it contradictory to the provisions of section 44.
The CBN circular states, inter alia, that:
1. The levy shall be applied at the point of electronic transfer origination, then deducted and remitted by the financial institution.
2. The deducted amount shall be reflected in the customer’s account with the narration: “Cybersecurity Levy”.
3. Deductions shall commence within two (2) weeks from the date of [the] circular … and the monthly remittance of the levies collected in bulk to the [Fund] … by the 5th business day of every subsequent month.
This implementation guidance or procedure suggested in the CBN’s circular is apparently at variance with the provisions of section 44 of the Act which impose the obligation to remit the levy on the businesses specified in the second Schedule to the Act. Section 44 does not seem, either, to make provisions for the collection of the levy by or through any other institutions; penalties are even outlined to be imposed on a business specified in the second Schedule of the Act which fails to make due remittance.
That the implementation guidance states that the levy shall be applied at the point of electronic transfer, then deducted and remitted by the financial institution and reflected in ‘the customer’s account’ raises curious eyebrows and questions of interpretation. In the first place, who and who fall within the category of ‘customer’ in whose account deductions are to be reflected with the narration ‘Cybersecurity Levy’?
Further, although section 44 of the Act provides that the levy shall be on transactions by the businesses specified in the second Schedule to the Act, the transactions must surely of necessity be with another person or entity and may indeed be with another person or entity not falling within the businesses specified. Thus, the danger is that, for example, a transaction between a private individual and a business specified in the second Schedule to the Act will attract imposition of the levy. If that is the case, then there is at least the risk that the CBN’s implementation guidance may be read to mean that the private individual is to be debited with the amount of the levy to be remitted and that individual becomes the ‘customer’ in whose account the levy is reflected as ‘Cybersecurity Levy’! The result is that the provision of section 44 of the Act that the levy is to be imposed on transactions by the businesses specified essentially becomes that the levy is to be imposed on transactions with or through or involving the businesses specified.
Imperative for Clarification by the CBN
Considering that the provisions of the Cybercrime (Prohibition, Prevention, Etc.) Act 2015 (as amended) appear to be sufficiently clear that the intention under section 44 of the Act is that the levy is due from and payable by the businesses specified in the second Schedule to the Act, it is imperative and of utmost urgency that the CBN provides clarification about its implementation guidance and, specifically, whether deductions can be made from the accounts of individuals and entities not falling within the businesses specified in the second Schedule to the Act but who are involved in transactions with such businesses.
Finally, there is another dimension in which the standpoint of or clarification by the CBN is desirable.
There is an extant argument that the Federal Government is not entitled to withhold from the Federation Account funds that it collects, including levies collected from companies. The argument is predicated on the further consideration that it was decided in relation to the Police Trust Fund in an unreported first instance case, Rivers State v Attorney General of the Federation & ors FHC/ABJ/CS/511/2020, that all revenues collected by the Federation of Nigeria, except for some personal income taxes, are required to be paid into the Federation Account for distribution between federal, state and local governments. It is also desirable to have the perspective of the CBN on this line of argument in order at least to demonstrate and reassure the public that the actions of the Federal Government and the CBN are in conformity with extant laws, whether statutory or case law.