Nigeria’s cybersecurity levy: to be or not to be?

On Monday, the Central Bank of Nigeria made a post on X (formerly Twitter) announcing a new cybersecurity levy of 0.5% of all electronic transfers, to be effected two weeks after the stipulated date on the circular, May 6.

It’s safe to say that Nigerians did not take the news too well, and that’s just putting it mildly.

The levy is in accordance with Section 44 of the Cybersecurity Act of 2024. It states that the charges are to be “remitted to the National Cybersecurity Fund (NCF), which is to be administered to the Office of the National Security Agency (NSA).” The Act was made in order to provide support for strengthening measures to combat cyber fraud and terrorism.

Do Nigerians need this cybersecurity levy?

The answer is yes, especially when you take a look at Nigeria’s track record regarding cyber fraud and attacks.

A 2023 global study released by Amsterdam-based cybersecurity agency Surfshark ranked Nigeria as the 32nd most breached country in the first quarter. In December 2023, the National Information Technology Development Agency (NITDA) revealed that Nigeria loses $2.4 billion annually to cybercrime. During the 2023 presidential elections alone, Nigeria recorded about 13 million cyber-attacks during the presidential and National Assembly elections period and 3.8 million cyberattacks during the governmental elections.

We may not even need to look too far into the past. Just three days ago, popular actress Shan George appealed for help in an Instagram video after a certain “Cecilia Chiagoziem Okoro” cleared N3.6 million from her Zenith Bank account to an unknown OPay account.

The incident serves as a further indication of the alarming rate of data breaches and cyber fraud that exists in the nation. Ben Allen, the CEO of US-based cyber risk advisory firm Allen Forensics, confirms the need for speedy action from the government.

“With the levy, we are better positioned to develop resilient cyber defenses that keep pace with global standards, thereby enhancing our reputation as a secure place for digital innovation and investment.”

Would the levy affect all electronic transfers?

The circular lists 16 exemptions, including transfers made between two customers of the same bank as well as transfers to two accounts owned by the same holder in different banks. Some other exemptions are:

• Loan disbursements and repayments
• Salary payments
• Other Financial Institutions instructions to their correspondent banks
• Interbank placements
• Banks’ transfers to CBN and vice-versa
• Inter-branch transfers within a bank
• Cheque clearing and settlements
• Letters of Credits
• Banks’ recapitalisation-related funding: only bulk funds movement from collection accounts
• Savings and deposits, including transactions involving long-term investments such as Treasury Bills, Bonds, and Commercial Papers
• Government social welfare programme transactions, e.g., pension payments
• Non-profit and charitable transactions, including donations to registered non-profit organisations or charities
• Educational institutions’ transactions, including tuition payments and other transactions involving schools, universities, or other educational institutions
• Transactions involving banks’ internal accounts, such as suspense accounts, clearing accounts, profit and loss accounts, inter-branch accounts, reserve accounts, nostro and vostro accounts, and escrow accounts.

So, why the outrage?

A two-word answer to this is pent-up frustrations.

The cybersecurity levy is the latest in a long line of charges imposed on bank customers. There is the stamp duty, the Nigerian Inter-Settlement System (NIBSS) charge, and the Value-Added Tax (VAT). And let’s not get started on SMS and maintenance fees charged by these financial institutions.

While speaking to some ladies, they expressed their lack of trust in financial institutions to use the money for its intended purpose, as it might only be used as “a means of extortion.”

“I would rather tuck away my savings at home than deposit them in a bank account. It is not my meager savings that I would use to fund Tinubu’s lifestyle.” — Teniola, social media manager.

A digital marketer, Obianuju, also added that the levy might also be a means to restore illegal funds used for rigging during the 2023 elections.

“Plus, we are yet to see proper accounting or an audit of previous taxes. Why then add another tax?”

What do the experts think of this?

While acknowledging the benefits of a cybersecurity levy, there are mixed feelings amongst finance analysts on the impact of this levy on bank account owners and the economy.

For instance, the Head of Financial Institutions Ratings at Agusto & Co, Ayokunle Olubunmi, expressed concern that this could bring about an increase in the cost of living for Nigerians, as the cost of transactions with point-of-sale (POS) operators and organisations would now be added to the customer’s cost.

“A 0.5% charge could seem like a small amount now, but what happens when you are transferring millions of naira at a time? That would be a lot of money,” he explained. He suggested that the government modify this charge with a cap to match different transfer ranges in order to mitigate the impending cost of transactions on bank users.

In addition, there is a growing need for government clarification on why citizens need to bear the costs and not the government.

According to the CEO of Afrinvest, Abiodun Keripe, “cybersecurity is meant to be allocated in the national budget. There needs to be an overall discussion on the costs the government should bear and the costs the citizens should bear as well,” he implied.

Common global practices for funding national cybersecurity efforts

Nigeria is only one of many countries trying to bolster their cybersecurity defenses. According to Allen, he mentioned that cybersecurity has become a pressing need for many countries across the globe, but the implementation of the financial mechanisms varies by country.

For instance:

In the U.S.

Cybersecurity is heavily funded through various federal budget allocations.

Agencies like the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, receive significant funding to enhance the nation’s cybersecurity across various sectors. CISA also works closely with state and local governments, and the private sector to fortify the country against cyber threats.

In addition, the U.S. government supports cybersecurity through grants and programs that directly assist states and critical industries in enhancing their cyber defenses.

In South Korea

Funding is made available via a combination of government budgeting and private-sector investment. Its government also includes tax breaks for companies that invest in security systems to encourage investment in the cybersecurity industry by the private sector.

European Union

The European Union allocates substantial funds for cybersecurity under programs like the Digital Europe Programme, which helps to enhance security across member states.

The cybersecurity levy: to be or not to be?

In the last three days, prominent Nigerian public figures and human rights organisations have expressed their displeasure with the levy.

The Socio-Economic Rights and Accountability Project (SERAP) has given President Bola Tinubu 48 hours to direct the CBN to withdraw the cybersecurity levy on Nigerians immediately. They have found that the levy violates the provisions of the amended Nigerian Constitution of 1999 and international human rights obligations.