The Provisions Of Section 44(2)(A) Of The Cybercrimes Act 2015 (As Amended) Vis-À-Vis The CBN’s Directive To Banks And Other Financial Institutions: Did CBN Get It Right?

INTRODUCTION

Within the last 48 hours, the attention of Nigerians have been on the recent Circular by the Central Bank of Nigeria (CBN) to banks and other financial institution under its regulatory purview to, within the next 2 week of the Circular, commence deduction of 0.5% levy on all electronic transaction by them and remit same to the National Cybersecurity Fund to be administered by the Office of the National Security Adviser (ONSA).

The directive was predicated upon the provision of Section 44(2)(a) of the Cybercrimes (Prohibition, Prevention etc) Act 2015 (as amended) {Cybercrimes Act} and the recent directive by the ONSA for the full implementation of the provision of Section 44(2)(a) of the Cybercrimes Act. The said directive of the ONSA was conveyed in a statement signed by its Head, Strategic Communication, Zakari Mijinyawa.

This writeup would, therefore, take a cursory look at the said provision of section 44(2)(a) of the Cybercrimes Act with a view to determine whether the CBN was right to have issued the said circular to institutions under its regulatory purview and whether or not the directives contained in the Circular are the correct interpretation of the provision of the Cybercrimes Act.

PROVISION OF SECTION 44(2)(A) OF CYBERCRIMES ACT 2015 (AS AMENDED)

Section 44 of the Cybercrimes Act establishes the National Cyber Security Fund and directed some businesses to remit 0.5% of all electronic transactions by them into the Fund. The Provision of section 44(1) and (2) of the Cybercrimes Act is reproduced hereunder for emphasis:

1. 44. (1) There is established a Fund, which shall be known as the National Cyber security Fund (in this Act referred to as “The Fund”).

(2) There shall be paid and credited into the Fund established under subsection (1) of this section and domiciled in the Central Bank of Nigeria:

• • • a) A levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the businesses specified in the second schedule to this Act.

The Second Schedule to the Cybercrimes Act listed these businesses where it states:

Businesses which section 44 (2)(a) refers to are:

(a) GSM Service providers and all telecommunication companies;

(b) Internet Service Providers;

(c) Banks and other Financial Institutions;

(d) Insurance Companies;

(e) Nigerian Stock Exchange.

CBN DIRECTIVE ON THE LEVY

By virtue of the provision of section 29(1) of the Banks and Other Financial Institutions Act 2020 (BOFI Act) the CBN has exclusive regulatory and supervisory power over banks, other financial institutions and specialised banks.

 Furthermore, Section 30 of BOFI Act empowers the CBN Governor to issue regulations, guidelines and policies to banks, specialised banks and other financial institutions in Nigeria.

It is in the exercise of these statutory powers that the CBN issued the Circular under reference. For the purposes of emphasis, the content of the said Circular is reproduced hereunder:

The earlier Central Bank of Nigeria (CBN) circular and Letter to all Banks dated June 25, 2018 (Ref: BPS/DIR/GEN/CIR/05/008) and October 5, 2018 (Ref: BSD/DIR/GEN/LAB/11/023) respectively on compliance with the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015 refer. The recent public engagements by the Office of the National Security Adviser (ONSA) on the above subject, also refers.

Following the enactment of the Cybercrime (Prohibition, Prevention, etc) (amendment) Act 2024 and pursuant to the provision of Section 44 (2)(a) of the Act, “a levy of 0.5% (0.005) equivalent to a half percent of all electronic transactions value by the business specified in the Second Schedule of the Act“, is to be remitted to the National Cybersecurity Fund (NCF), which shall be administered by the Office of the National Security Adviser (ONSA).

Accordingly, all Banks, Other Financial Institutions and Payments Service Providers are hereby required to implement the above provision of the Act as follows:

1. 1. The levy shall be applied at the point of electronic transfer origination, then deducted and remitted by the financial institution.
   2. The deducted amount shall be reflected in the customer’s account with the narration: “Cybersecurity Levy”.
   3. Deductions shall commence within two (2) weeks from the date of this circular for all financial institutions and the monthly remittance of the levies collected in bulk to the NCF account domiciled at the CBN by the 5^th business day of every subsequent month.
   4. System reconfigurations towards ensuring complete and timely submission of remittance files to the Nigeria Interbank Settlement System (NIBSS) PIc shall be completed as follows:
   5. Within four (4) weeks of this circular – Commercial, Merchant, Non-Interest and Payment Service Banks; And Mobile Money Operators.
   6. Within eight (8) weeks of this circular – all Other Financial Institutions (Microfinance banks, Primary Mortgage banks, Development Finance Institutions).
   7. Exemptions – To avoid multiple application of the levy on the same transaction/transfer, Appendix 1 (attached) captures transactions currently deemed eligible and are exempted from the application of the levy
   8. Penalties for Non-compliance

Section 44 (8) of the Act prescribes that failure to remit the levy is an offence and is liable on conviction to a fine of not less than 2% of the annual turnover of the defaulting business, amongst others.

Finally, all institutions under the regulatory purview of the CBN are hereby directed to note and comply with the provisions of the Act and this circular.

Please be guided accordingly.

APPENDIX 1

IMPLEMENTATION OF THE CYBERCRIMES (PROHIBITION, PREVENTION, ETC) (AMENDMENT) ACT 2024

SCHEDULE OF EXEMPTIONS FROM CYBERSECURITY LEVY

1. Loan disbursements and repayments
2. Salary payments
3. Intra-account transfers within the same bank or between different banks for

the same customer

4. Intra-bank transfers between customers of the same bank
5. Other Financial Institutions (OFIs) instructions to their correspondent banks
6. Interbank placements
7. Banks’ transfers to CBN and vice-versa
8. Inter-branch transfers within a bank
9. Cheques clearing and settlements
10. Letters of Credits (LCs)
11. Banks’ recapitalization related funding only bulk funds movement from collection accounts

12 Savings and deposits including transactions involving long-term investments such as Treasury Bills, Bonds, and Commercial Papers.

13.Government Social Welfare Programs transactions e.g. Pension payments

14.Non-profit and charitable transactions including donations to registered non-profit organisations or charities.

15.Educational Institutions transactions, including tuition payments and other transaction involving schools, universities, or other educational institutions.

16.Transactions involving bank’s internal accounts such as suspense accounts, clearing accounts, profit and loss accounts, inter-branch accounts, reserve accounts.

OPINION

From the above provision of section 44(1) of the Cybercrimes Act is that:

1. the law establishes the National Cyber Security Fund.
2. a levy of 0.5% of all electronic transactions conducted by businesses mentioned in the second schedule to the Act.
3. banks and other financial institutions under the regulatory purview of CBN are listed as item (c) in the Second Schedule to the Act.

It is equally not in doubt that the CBN’s directive as contained in the said Circular is for banks and other financial institutions under its regulatory purview to deduct from customers’ account the said levy of 0.5% of all electronic transactions conducted by its customers and remit same to the designated account of the Fund domiciled with the CBN.

The question that may arise is whether the CBN was right to have directed the institutions under its regulatory purview to deduct the 0.5% levy from its customers account?

As stated early, it is clear from the above provision of section 44(2)(a) of the Cybercrime Act that the 0.5% levy is imposed on all “electronic transactions” value by the “businesses” specified in the second schedule to the Act and not the customers of those businesses.

It is an elementary principle of interpretation of statutes that where the words used are clear and unambiguous they shall be given their ordinary meaning. This is the recent decision of the Court of Appeal in the case of OLURIN & ORS v. SANGOLANA & ORS (2021) LPELR-56280(CA) @43 where the Court held that:

“The law is trite that where the words of a statute are plain, clear and unambiguous, the Court shall give it its ordinary meaning.”

Applying the literal rule of interpretation of statute in this regard, the correct interpretation of the law would be for the businesses listed in the second Schedule to the Act to be liable to the payment of the said levy from their own fund and not their customer.

If the draftsman or the legislators had intended that the levy shall be charged from the customers account, it would have used the phrase “electronic transfer of fund” instead of “electronic transactions”. This is because Section 58 of the Cybercrimes Act, i.e. the Interpretation Section, defines “Electronic transfer of fund” to means:

any transfer of funds which is initiated by a person by way of instruction, authorization or order to a bank to debit or credit an account maintained with that bank through electronic means and includes point of sales transfers, automated teller machine transactions, direct deposits or withdrawal of funds, transfer initiated by telephone, internet and card payment.

It is clear from the above definition of electronic transfer of fund that if the draftsmen had intended that the levy shall applies to “customers” of the businesses, the phrase “electronic transfer of fund”, (which definition is given by the Act and is sufficient to cover that) would have been the appropriate phrase to be used in that section of the Act and not “electronic transactions” as was used.

Furthermore, government imposes taxes and levies on its citizens for a reason. These reasons include as where a value has been added to a transaction or the citizen has gain any benefit from a transaction. In the instant case, no gain or value can be said to be added to an electronic transaction to warrant government imposing a levy on same. The mere fact that a citizen use an electronic medium to transfer fund, the reason for which the government would not know, cannot warrant imposition of a levy.

Similarly, the essence of the creation of the Nigerian Cyber Security Fund is to secure Nigeria’s Critical National Information Infrastructure (CNII). The major beneficiaries of the CNII are the businesses listed in the second schedule to the Act. It follows, therefore, that these businesses should contribute to secure CNII.

In view of the foregoing, it is my humble opinion that the CBN gave a wrong interpretation of the provision of the Cybercrimes Act by directing banks and other financial institutions under its regulatory purview to deduct the said levy from their customers’ accounts.