Central Bank Issues Guidance On The Collection And Remittance Of The National Cybersecurity Levy

KPMG Nigeria



The Central Bank of Nigeria (CBN) has issued an implementation guideline (hereafter referred to as "the Circular" or "the Guidance") to all commercial, merchant, non-interest and payment service banks, other financial institutions, mobile money operators and payment service providers on the collection and remittance of the national cybersecurity levy. This Guidance, pursuant to the provision of Section 44 (2) of the Cybercrime (Prohibition, Prevention, etc.) Act 2015 (the Act), is in line with recent developments and aims to bolster cybersecurity measures in Nigeria. The Act and the 2024 Cybercrimes Amendment Act mandate the imposition of a levy on electronic transactions, with the proceeds paid into the National Cybersecurity Fund (NCF) under the administration of the Office of the National Security Adviser (ONSA).

Key Provisions of the Circular

All Banks, other financial institutions and payment service providers are required to implement the key provisions of the Act as stated below:

  1. Levy Application: A Cybersecurity levy (levy) of 0.5% (0.005) of all electronic transactions' value is to be deducted and remitted to the NCF by the businesses specified in the Second Schedule of the Act. It should be noted that the levy is not limited to financial institutions but also payable by GSM service providers and all telecommunication companies, internet service providers, insurance companies and the Nigerian Stock Exchange. It is expected that the regulators of these other businesses may issue their implementation guidelines soon.

  2. Implementation Process: Financial institutions are required to deduct the levy at the point of electronic transfer origination and reflect it in the customer's account with the narration "Cybersecurity Levy".

  3. Remittance Procedure: Deductions will commence within two (2) weeks of this circular (The CBN issued the circular on 6th May, 2024), with monthly remittances to the NCF account domiciled at the CBN by the 5th business day of every subsequent month.

  4. System Reconfigurations: Institutions must reconfigure systems for timely submission of remittance files to the Nigeria Interbank Settlement System (NIBSS) Plc, within the following specified timelines:

    (a) Within four (4) weeks of this circular - Commercial, Merchant, Non-Interest and Payment Service Banks; and Mobile Money Operators.

    (b) Within eight (8) weeks of this circular - all Other Financial Institutions (Microfinance banks, Primary Mortgage banks, Development Finance Institutions).

  5. Exemptions: The Circular lists 16 specific transactions that are exempted from the levy. Some of these include loan disbursements and repayments, salary payments, intra-account transfers within the same bank or between different banks of the same customer, intra-bank transfers between customers of the same bank, cheque clearing and settlements, letters of credit and transactions relating to education.

  6. Penalties for Non-compliance: Non-compliance attracts a fine, on conviction, of not less than 2% of the defaulting business' annual turnover.


Undoubtedly, Nigeria faces a significant revenue challenge. This has, therefore, constrained, and continues to constrain, the country's capacity for achieving sustainable growth. Given this context, government may go to any length to mobilize the required revenue. However, research has shown that higher taxes do not lead to sustainable growth. In fact, no country can tax itself to prosperity! Perhaps, it is in recognition of this that the current administration and the Presidential Committee on Fiscal Reforms have often emphasized that the government will not introduce new taxes. Though the cybercrime levy is not new as it has been in existence since 2015, the question is why implement it now given the prevailing economic challenges? The timing of any reforms is essential to the success of such reforms. This underscores the current public resistance to the implementation of the levy. This is certainly not the right time to implement this levy. Hopefully, the National Insurance Commission (NAICOM) and the Nigerian Communications Commission (NCC) will consider this before introducing their own guidelines with respect to those businesses under their purview.

The key objective of the cybercrime levy is to ensure that there is dedicated and adequate funding available to address the growing threats of cyber-attacks. This explains why some countries have implemented various forms of cyber security levies to fund cyber security initiatives. However, consideration must be given to the country's prevailing economic conditions. The current economic climate does not justify its implementation now.

Various reports have indicated that Government will raise about N3 trillion annually from the levy. However, there has been no formal presentation to the public of the cost and benefit analysis. It is always critical that the enactment of any tax or levy be accompanied by the tax expenditure statement to provide information as to whether the benefits of such tax or levy outweigh its cost. It is not sufficient to provide only the revenue projection, which is not certain as no details have been provided with respect to this; albeit there have been reports on how the money would be spent.

Under the enabling Act, the Office of the National Security Adviser will be responsible for administering the fund. Though the Act provides that the fund shall be audited in accordance with guidelines issued by the Auditor General of the Federation, this does not provide enough comfort. There are many government agencies that have not been audited for years and nothing has happened! It is, therefore, critical that practical measures be put in place to ensure transparency and accountability.

One key question that the implementation of the levy has triggered is whether we are back to the era of cheque transactions since they do not qualify as electronic transfers under the enabling Act? Of course, the issue is not that cheque transactions do not pose cyber security risks but more about behaviour. Businesses may, therefore, resort to any measures to avoid the payment of the levy. This is why unintended consequences of any measure must be adequately evaluated before implementation. A related question is how the implementation of this levy will contribute to financial inclusion in the light of the financial burden that customers of financial institutions will experience.

Hopefully, government will reconsider delaying the implementation of the levy, which has been in the books since 2015! Government should focus on tax reforms that address revenue leakages and be financially prudent in the utilization of public funds. Combining revenue-raising initiatives with responsible spending practices is essential for fiscal sustainability. It is also important that government consider phasing in tax reforms on a gradual basis to minimize potential shocks to the economy.


The opinion expressed in this article is solely personal and does not represent the views of any organization or association to which the authors belong.
