With the advancement of various technologies and the use of information and communications technology (ICT) for daily activities and economic interactions, cybercrimes have significantly intensified, coupled with the diverse tactics of cybercriminals and hackers to gain unauthorised access to protected data, particularly in the corporate sector. This surge has necessitated an urgent need for comprehensive, effective, and practical laws and policies to combat cyber threats and criminal activities.
Recently, the National Assembly of the Federal Republic of Nigeria amended the Cybercrimes (Prohibition, Prevention, etc.) Act 2015 (the "Principal Act"),1 a legislation that regulates cybersecurity and makes provisions for the prosecution of cybercrimes in Nigeria. The legislature enacted the Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024, (the "Amendment Act")2 which was assented to by President Bola Ahmed Tinubu on Thursday, February 28, 2024. The Amendment Act rectified some salient provisions that were erroneously stipulated,3 inserted some keywords for the proper interpretation of some sections,4 substituted and introduced new sections,5 and enacted extensive provisions for effective implementation. The Amendment Act is a significant progressive step for cybersecurity in the country as it strives to equip law enforcement agencies with the necessary resources needed to effectively combat contemporary cyber threats in the country.
In a bid to implement the amended provisions of section 44 of the Act, the Central Bank of Nigeria (CBN) on the 6th of May 2024 passed a circular to all commercial merchants on the implementation guidance for the collection and remittance of the National Cybersecurity Levy. (the "circular")6 However, the circular sparked widespread criticisms from Nigerians and various stakeholders. Stakeholders pointed up that introduction of the levy and the deduction of the proposed charges from electronic transactions was il-timed, and would negatively impact on consumers under the current economic climate, thereby calling for the withdrawal of the circular.
This article reviews the provision of section 44 of the Act, the constitutionality of that section of the Act vis-a-vis section 14(2) of the 1999 Constitution, the CBN circular and likely consequences of its implementation.
The Stipulations contained in Section 44 of the Act.
Amongst the sections that were amended by the Cybercrimes (Prohibition, Prevention, etc., Amendment Act) 2024, section 44 of the Principal Act is a key provision that was modified with the insertion of additional subsections.
The Amendment Act modified section 44 of the Principal Act as follows:
- in subsection (1) by substituting for paragraph (a) a new paragraph "(a)"
"(a) a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule to the Act;"7
It is essential to note that this provision on the levy is not new but formed part of the initial section 44 of the Principal Act. The original section provided as follows:
"a levy of 0.005 of all electronic transactions by the businesses specified in the second schedule to the Act."8
The levy was introduced by the Principal Act as a revenue-generating instrument amid other types of revenues9 for the establishment of the National Cybersecurity Fund. The Fund was created to aid the Office of the National Security Adviser and the Council of Cybercrime Advisory10 in implementing their functions and combating cybercrimes in the country.11
The amended section introduced the percentage equivalent (0.5%) of the levy for proper interpretation of the decimal value (i.e., 0.005) provided in the Principal Act. The amended section aims to ensure accurate calculation of the levy during the implementation of the section. The amended section maintained the initial value of the levy stated in the Principal Act and merely stipulated the accurate percentage equivalent of the levy.
Additionally, the Amendment Act substituted the initial subsection (6) of the Principal Act with new subsections (6) – (8).
(6) The office of the National Security Adviser shall administer, keep proper records of the accounts and shall ensure compliance monitoring mechanism.
(7) The account of the Fund shall be audited in accordance with guidelines provided by the Auditor General for the Federation.
(8) A business specified in the Second Schedule to this Act that fails to remit the levy under Section 44(2)(a) of the Act commits an offence and is liable on conviction to a fine of not less than 2% of the annual turnover of the defaulting business and failure to comply shall lead to closure or withdrawal of the business operational licence.
Subsection (8) of the Amendment Act is a new provision that seeks to enforce non-compliance with section 44(2)(a) of the Act by affected businesses. The section provides that non-compliance will result in conviction with a fine not less than 2% of the annual turnover of the defaulting business and failure to comply with the fine shall warrant the closure or withdrawal of the business's operational licence.
The regularity of the cybersecurity levy vis-à-vis section 14(2) of the Constitution.
As a sovereign state, the security and welfare of Nigerian citizens is the primary purpose of the federal government as entrenched in section 14(2)(b) of the 1999 Constitution.12 The federal government is vested with the responsibility to ensure the citizens' welfare and security within its territorial jurisdiction and this includes cybersecurity in the digital space especially with the inflow of technological development that poses high risks of security challenges.
Over the years, Nigeria has experienced a significant increase in cyber threats and crimes. Cases of hacking financial information, emails, websites, and infringing on privacy rights of persons and institutions necessitated the federal government's attempt to regulate the usage of the internet and advanced technologies in the digital space.13 The Cybersecurity Act was enacted to ensure the adequate protection of vital national information infrastructure, to promote cybersecurity, protect computer systems, networks, electronic communications, data, and computer programs, intellectual property, and privacy rights in Nigeria.14
The introduction of the cybersecurity levy as a revenue-generating instrument by the Act was intended to ensure effective implementation of the provisions of the Act and internationally agreed-upon cybersecurity protocols binding on Nigeria.15 However, the introduction of the levy imposes a financial burden on the citizens considering the current high inflation in Nigeria's economy and persistent economic hardship. The addition of the cybersecurity levy to the list of various taxes and levies obtained by financial institutions on behalf of the federal government increases the cost of electronic transaction usage at banks that could disrupt the financial intermediation role of banks.16 The levy appears to have a major negative impact on the welfare of the people which is inconsistent with the provisions of section 14(2)(b) of the Constitution.
Also, the enforcement of the non-remittance of the levy on businesses imposed by section 44(8) of the Amendment Act appears to be contrary to the provisions of section 14(2)(b) of the Nigerian Constitution.17 In a call for a review and subsequent amendment of the section, The Socio-Economic Rights and Accountability Project (SERAP) reported that the provision is "clearly inconsistent and incompatible with the public trust and the overall objectives of the Constitution. A false oath lacks truth and justice. The oath statements require the oath takers to commit to uphold and defend the Constitution."18
Generally, section 14(2)(b) of the Constitution is categorized under the Fundamental Objectives and Directive Principles of State Policy set out in Chapter II of the and is non-justiciable in court.19 However, pursuant to the Supreme Court judgment in the case of AG. Ondo State v. AG. Federation,20 the court held that "items 60(a) under the Exclusive Legislative list21 gives the power to the National Assembly to legislate for the establishment and regulation of authorities for the Federation or any part thereof to promote and enforce the observance of the Fundamental Objectives and Principles contained in the Constitution." This means that the National Assembly can enact specific legislation that gives legal backing to any of the fundamental objectives and directive principles and such legislation shall be justiciable. It has been established that the Cybersecurity Act was enacted by the National Assembly to regulate the security of Nigerians and to provide a regulatory framework for the observance of section 14(2)(b) of the Constitution. The enforcement of the proposed cybersecurity levy can be challenged by individuals in the courts as it falls short of full observance of the government's primary purpose stipulated in the Constitution. The case of Olafisoye v. Federal Republic of Nigeria22 lends judicial backing to the justiciability of chapter II of the Constitution.
In an attempt to guarantee the security of the people as its primary purpose, the federal government must ensure that laws, policies, protocols, and their implementations are not detrimental to the welfare of the people. The provisions relating to "security and welfare" in section 14(2)(b) are in tandem and must be implemented pari passu and not against each other. The government must uphold and defend the Constitution by ensuring that laws, policies, protocols, and implementation processes are consistent and compatible with the public trust and overall objectives of the Constitution.23
Implementation of the provisions of section 44 of the Act.
In furtherance of the policy objectives of the federal government enunciated above, the cybersecurity levy was introduced as a revenue-generating instrument for the National Cyber Security Fund to curtail the increase in cybercrimes and to enhance cybersecurity infrastructure in Nigeria. The Officer of the National Security Advisor (NSA) is charged with the responsibilities of combating cybercrimes, regulating cybersecurity protocols, and implementing laws and sanctions to aid the cybersecurity challenges in the country. The creation of the National Cyber Security Fund and the remittance of the cybersecurity levy are essential for the effective functionality of the NSA.
Following the enactment of the Amendment Act, the Central Bank of Nigeria (CBN) disseminated a circular termed "Re: Cybercrimes (Prohibition, Prevention, Etc) (Amendment) Act – Implementation Guidance on the Collection and Remittance of the National Cybersecurity Levy", directing all financial institutions to remit the cybersecurity levy as provided in section 44(2)(a) of the Act by deducting a levy of 0.5% at the point of electronic transfer originated from customer's account. The circular indicated that customers' accounts domiciled in commercial, merchant, non-interest, and payment service banks; Other Financial Institutions (OFIs), mobile money operators, and payment service providers are expected to be affected by the deduction of the 0.5% levy.
The circular mandates financial institutions to commence the deduction of the levy within two (2 weeks) from the date of the circular (May 6th, 2024) and remit the levies collected in bulk to the National Cyber Security Fund account domiciled at the CBN monthly by the 5th business day of every subsequent month.
Financial institutions have deadlines to update their systems to handle levy deductions and remittances. Failure to remit the levy can result in penalties, including a fine of up to 2% of a financial institution's annual turnover.
The impact of the implementation of the Cybersecurity Levy
The circular passed by CBN elicited diverse reactions from individuals and stakeholders in the country. Arguably, the deduction of 0.5% levy from electronic transactions from customers' bank accounts would negatively affect the cost of business activities and the development of digital transactions in Nigeria. Considering the present economic realities and hardship ongoing in Nigeria, the implementation of the cybersecurity levy detailed in the circular imposes a financial burden on Nigerians under the threat of sanctions for non-compliance.
The cybersecurity levy in addition to various levies and taxes in place, could strain the aggregate demand and limit the country's economic development. The Gross Domestic Product (GDP) could decline during the policy implementation period, particularly in the face of increased product prices and stagnant income and wages. Additional levies and tax increments could spark up the prices of goods and services and further elevate inflationary pressure on businesses.24 The introduction of the new levy might worsen the social restiveness among the people as compliance with the policy could exert a negative impact on individuals whose incomes are already affected by the current economic hardship.
Financial institutions are required to reconfigure their operational systems and strategies to accommodate and account for the new levy for compliance. This would result in additional costs of compliance and business owners who depend heavily on digital transactions may experience an increase in operational costs due to the adjustments in pricing and cost transfers. Imposing additional charges on individuals might reduce customers' activities in financial institutions and the utilization of formal banking services and digital transactions will drastically diminish especially among low-income earners and small businesses. This hinders the government's efforts to promote a cashless economy.
The operating costs of businesses and citizens' welfare have constantly been perturbed by the impacts of the recent fuel subsidy removal, removal of electricity subsidies, and exchange rate reform. Hence, the introduction of the cybersecurity levy could worsen the welfare of citizens and organizations and limit the purchasing power of Nigerians.25
Conclusion
The Amendment Act signifies the federal government's imperative step of enhancing cybersecurity infrastructure, preventing, and protecting against cyber threats, and fostering a safe digital landscape in Nigeria. However, the implementation of a 0.5% cybersecurity levy on electronic transactions could spawn extreme strain on the welfare of the citizens as it coincides with the economic crisis in the country. In ensuring the successful implementation of the Act and safeguarding Nigeria's digital landscape, the federal government should provide alternative solutions in funding the National Cyber Security Fund and eliminate the financial burden imposed on citizens as the security and welfare of the people is the primary purpose of the government. It is understandable that government requires funding to deliver on its mandate, but rather than increase the yolk of Nigerians, government can better manage and channel available resources from taxes, dues, levies, and revenues from other sources, while avoiding wasteful spending to eke out the funds required to implement its policies.
Notably, the House of Representatives directed the Central Bank of Nigeria to withdraw the circular directing financial institutions to commence implementation of the 0.5% cybersecurity levy, as such circular was likely to be misunderstood by Nigerians.26 The House of Representatives pointed out that the circular was not framed in accordance with the legal provisions of the Cybercrimes Prohibition Act, as amended.
Consequently, it has been reported that the Federal government has suspended the policy on cybersecurity levy and the cybersecurity levy has been put on hold and is currently under review by relevant stakeholders.27
Footnotes
1. Act No.17, 2015. Available at: https://www.nfiu.gov.ng/images/Downloads/downloads/cybercrime.pdf accessed on 9th May 2024.
2. Amendment Act No. 17, 2015. Available at:
https://placng.org/i/wp-content/uploads/2024/05/Cybercrimes-Prohibition-Prevention-etc-Amendment-Act-2024.pdf accessed on 9th May 2024.
3. Section 17 of the Principal Act.
4. Section 21, 22, 30, 37, of the Principal Act.
5. Section 24, 27, 38, 41, 44 of the Principal Act.
6. See, CBN, "Cybercrimes (Prohibition, Prevention, Etc.) (Amendment) Act 2024 - Implementation on the Collection and Remittance of the National Cybersecurity Levy" available at https://www.cbn.gov.ng/Out/2024/CCD/CIRCULAR%20REF%20PSMDIRPUBLAB017004%2006052024.pdf accessed 9th May 2024.
7. Section 11 of the Amendment Act.
8. Section 44 (2)(a) of the Principal Act.
9. Section 44 (2) (b-e) of the Principal Act.
10. Section 42 of the Principal Act.
11. Section 43 of the Principal Act.
12. The section provides that, 'the security and welfare of the people shall be the primary purpose of government".
13. Onadeko O. And Afolayan A., "A Critical Appraisal of the Cybercrimes Act, 2015 in Nigeria", a paper presented at the 29th International Conference of the International Society for the Reform of Criminal Law (ISRCL) held at Halifax, Nova Scotia, Canada July 24 – 28, 2016. Available at https://www.isrcl.com/wp-content/uploads/2021/05/Onadeko-Afolaya-A-critical-appraisal-of-the-cybercrimes-act-in-Nigeria.pdf accessed on 10th May 2024.
14. See, 1 of the Principal Act.
15 See, Punch Newspaper, "Cybersecurity levy: Intent, timing right, but strategic communication lacking – Ex-lawmaker" available at https://punchng.com/cybersecurity-levy-intent-timing-right-but-strategic-communication-lacking-ex-lawmaker/?utm_source=auto-read-also&utm_medium=web#google_vignette accessed on 13th May 2024.
16. See, Nigerian Economic Summit Group (NESG), "NESG Position on the Central Bank of Nigeria's Cybersecurity Levy" available at https://www.nesgroup.org/blog/NESG-Position-on-the-Central-Bank-of-Nigeria%E2%80%99s-Cybersecurity-Levy accessed on 13th May 2024.
17. 1999 (as amended).
18. See, Channels TV, "SERAP Gives Tinubu 48 Hours To Withdraw CBN Directive On Cybersecurity Levy" available at https://www.channelstv.com/2024/05/07/serap-gives-tinubu-48-hours-to-withdraw-cbn-directive-on-cybersecurity-levy/ accessed on 13th May 2024.
19. Section 6(6)(c) of the 1999 Constitution as amended.
20. (2002) 9 NWLR (Pt.772) at 222.
21. See, Part 1 of the second schedule to the Constitution as amended.
22. (2004) 4 NWLR, Part 864, p 580.
23. Ibid.
24. Ibid, 16.
25. See, Nigerian Economic Summit Group (NESG), "NESG Position on the Central Bank of Nigeria's Cybersecurity Levy" available at https://www.nesgroup.org/blog/NESG-Position-on-the-Central-Bank-of-Nigeria%E2%80%99s-Cybersecurity-Levy accessed on 13th May 2024.
26. See, Peoples Gazette, "Reps direct CBN to halt cybersecurity levy implementation, say it's for companies not individuals" available at https://gazettengr.com/reps-direct-cbn-to-halt-cybersecurity-levy-implementation-says-its-for-companies-not-individuals/ accessed 9th May 2024.
27. See, Channels TV, "FG suspends cybersecurity levy" available at: https://www.channelstv.com/2024/05/14/just-in-fg-suspends-cybersecurity-levy/ accessed 16th May 2024.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.