The Central Bank of Nigeria (CBN) has mandated all financial institutions in the country to commence deductions for a cybersecurity levy on electronic transactions, effective May 20, 2024, following a directive issued six years after its initial issuance.

The levy, to be remitted to the National Security Fund administered by the Office of the National Security Adviser (ONSA), will be deducted from all electronic transactions conducted through various financial channels, including commercial banks, merchant banks, non-interest banks, payment system banks, mobile money operators, and payment service providers.

Non-compliance with the directive and failure to remit the levy within the stipulated timeframe will attract a penalty of two percent of the institution's annual turnover.

Originally introduced in 2018 with a levy rate of 0.5 percent on electronic transactions, the implementation was delayed. However, a recent circular jointly signed by the CBN's director of payments systems management and director of financial policy and regulation now mandates the deduction and remittance of the levy.

As per the circular, the levy, equivalent to 0.5 percent of all electronic transaction values, will be applied at the point of transaction origination and reflected in customers' accounts with the narration "Cybersecurity Levy." Deductions are to commence within two weeks from the circular's date, with monthly remittances to the NCF account domiciled at the CBN by the fifth business day of each subsequent month.

Financial institutions are required to complete system reconfigurations to ensure timely submission of remittance files to the Nigeria Interbank Settlement System (NIBSS) Plc within four weeks for commercial, merchant, non-interest, and payment service banks, as well as mobile money operators. Other financial institutions have eight weeks to complete the reconfigurations.

Certain transactions are exempted from the levy to prevent double application. Failure to remit the levy is considered an offence under Section 44 (8) of the Cybercrime (Prohibition, Prevention, etc) (amendment) Act 2024 and is subject to penalties, including fines of not less than two percent of the defaulting business's annual turnover.