The New Cybersecurity Levy: Potential Impact on Startups in Nigeria
Introduction
The cybersecurity levy introduced under the Cybercrimes (Prohibition, Prevention etc.) Act 2015 was included in a circular from the central bank dated May 6th. Ths has led to a lot of questions from the general public and businesses alike. In this post, our team at BlackCrest has provided a short explanation of the Cybersecurity levy, the affected businesses and exempted transactions.
The Levy Overview
The Central Bank of Nigeria (CBN) has ordered the implementation of a
0.5% cybersecurity levy on electronic transactions to combat rising cybercrime threats.
Purpose of the Levy
The funds from the levy are intended to support the National Cybersecurity Fund
(NCF) to improve cybersecurity and protect financial institutions and customers from cyber
threats.
Who are the affected?
According to the Cybercrimes (Prohibition, Prevention ETC) Act 2015, the businesses impacted are GSM service providers and all telecommunication companies, Internet Service providers, Insurance companies, Banks and other financial institutions. This means that Fintech Startups that conduct electronic transactions, such as payments and transfers will incur a 0.5% deduction from each eligible transaction.
Exempted Transactions
Certain transactions are exempt from the levy, including:
– Loan disbursements and repayments
– Salary payments
– Intra-account transfers within the same bank or between different banks for the same
customer
– Intra-bank transfers between customers of the same bank and Other Financial Institutions
(OFIs) instructions to their correspondent banks
– Interbank placements
– Banks’ transfers to and from CBN
– Inter-branch transfers within a bank
– Cheque clearings and settlements
– Letters of Credit (LCs)
– Bank recapitalization-related funding
– Bulk funds movement from collection accounts
– Savings and deposits, including transactions involving long-term investments such as
treasury bills, bonds, and commercial papers
– Government social welfare program transactions such as pension payments
– Non-profit and charitable transactions including donations to registered non-profit
organizations or charities
– Educational institution transactions such as tuition payments and other transactions
involving schools, universities, or other educational institutions
– Transactions involving the bank’s internal accounts, such as suspense accounts, clearing
accounts, profit and loss accounts, inter-branch accounts, reserve accounts, nostro and vostro
accounts, and escrow accounts.
Implementation Timeline
Deductions begin within two weeks of the circular’s issuance on May 6, 2024. All
financial institutions must comply and begin deducting the levy.
Administration
The deducted funds are remitted to the National Cybersecurity Fund (NCF),
which is administered by the Office of the National Security Adviser (ONSA).
Remittance
The funds must be remitted to the NCF account, which is domiciled at the CBN,
by the 5th business day of every subsequent month.
Compliance and Penalty
Startups must ensure compliance with the levy requirements, as
failure to remit the levy constitutes an offence. Penalties for non-compliance include a fine of not
less than 2% of the annual turnover of the defaulting business, among other possible penalties.
Financial Planning
Startups should account for the levy in their financial planning and
budget accordingly.
Transparency
Financial institutions must include a narration of the Cybersecurity Levy in
transaction deductions for clarity.
NB: For personalized guidance and support, BlackCrest LP can provide legal advice to startups
on navigating the cybersecurity levy, compliance requirements, and the financial impact on your
business.
We are rooting for you.
Keep building,
The BlackCrest Team.