
A review of the CBN circular on cybersecurity levy: A business intelligence perspective

In a circular issued on May 6, 2024, by the Central Bank of Nigeria, all banks, payment service providers, mobile money operators, and other financial institutions are mandated to implement a cybersecurity levy of 0.5 percent (half a percent) of the value of all electronic transactions. Failure to implement this would lead to a conviction fine of not less than 2 percent of the annual turnover of all defaulting businesses.

This circular has generated a significant outcry from not just the banks, payment service providers, mobile money operators, and the House of Representatives but also Nigerians in the diaspora. A major flaw with the issue of this circular is its inability to take into consideration a data-driven approach while focusing on the possible impact of stakeholder engagement and its levels. The CBN should now have an idea of the height of customer dissatisfaction based on the outcry generated.

This policy seems like an overstretch to the capabilities of the Nigerian economy and more of a money-generating scheme without due consideration to the existing financial capacity and capabilities of these financial institutions as well as their customers and the current economic instability in the country. This is alarming, especially coming from the country’s apex financial institution, which is supposed to provide a stable framework for the country’s economic development while regulating and supervising the entire banking system in Nigeria.

Pros of the cybersecurity levy:

Truthfully, this policy would be beneficial if the funds were rightly allocated and used to implement top cybersecurity initiatives compared to other working cybersecurity initiatives adopted in different countries but curated to fit Nigerian cyberspace. This could lead to a significant reduction in cyberattacks and possible financial losses.

In addition to the above, as a valuable tool for proactive defence, the transaction data collected for the levy can be anonymized and used for cybersecurity threat modelling and identifying vulnerabilities in the financial system. Trends could be discovered based on data analytics of transaction volumes and patterns that financial institutions can leverage to improve their risk management strategies and new product development or process optimisation.

However, this would only be a benefit if transparency and accountability for these cybersecurity funds are available and the cycle doesn’t repeat itself in the same way as other money-making and revenue-generating policies implemented by the government.

Cons of the cybersecurity levy:

This policy is expected to lead to significant operational and transactional costs. Operational costs are on the part of the banks and financial operators, and transaction costs are on the part of all customers and possibly Nigerians in the diaspora who send money back home electronically.

The system reconfiguration requirement would lead to possible and unplanned system analysis costs, and there doesn’t seem to be sufficient time to weigh the effects this change would have on the existing systems in use by these financial institutions. This is particularly important as it could be a functional requirement that could change the overall scope of the company’s existing financial and technological system solutions.

To offset these increased operational costs, these financial institutions may have no option but to spread them under the guise of customer transaction charges, thus possibly increasing cost prices.

Data security is also a concern, as the collection and storage of transactions for levy deduction purposes based on the mandatory system reconfigurations, as clearly stated in the circular, could lead to data security issues. The circular mentions that the levy should be applied at the point of electronic transfer origination and clearly stated in the customer’s account, which gives sufficient rise to data security and privacy concerns.

Recommendations:

- The CBN should explore alternative funding mechanisms for cybersecurity initiatives that could, in turn, lessen the burden on financial institutions and Nigerians abroad. These alternative funding mechanisms should be sustainable funding models and should go beyond the levy.

- It is also recommended that financial institutions, fintech companies, and mobile money operators, with the inclusion of cybersecurity experts, collaborate with the end goal of developing innovative and creative solutions that could help boost government revenue generation and provide these recommendations to the Apex Bank while overall helping to create a robust cybersecurity ecosystem.

- Furthermore, the Apex Bank should implement strict accountability and transparency measures that could serve as a buffer for public outcry and ensure there is clear communication of the purpose of this levy, how the funds would be used and disbursed, and its expected benefits to the Nigerian financial ecosystem. Depending on the appropriate medium, this could be done through another circular or a public notice.

- Based on the drawbacks and negative response to this circular, the CBN could consider scrapping the two-week implementation plan for deductions and the four weeks of system reconfigurations for commercial, merchant, non-interest, and payment service banks and other mobile money operations, as well as the eight weeks for all other financial institutions (microfinance banks, primary mortgage banks, and development finance institutions), while adopting a phased implementation procedure. This would minimise, to a substantial extent, disruption to already existing business practices and allow for possible adjustments, as most companies would have to conduct a detailed impact assessment as well as an enterprise readiness assessment to gauge their readiness for this change and the resources in place to meet up with it. From a business analysis perspective, regulatory requirements lead to requirement prioritisation.

- Finally, for the Apex Bank, there would be a need for established metrics or key performance indicators to measure the levy’s effectiveness in achieving possible cybersecurity goals. Internally, for the companies affected, based on their remittances, there should also be internal reporting mechanisms to ensure compliance with this requirement.

In conclusion, this policy might have been the right step in strengthening the country’s present and non-existent cybersecurity posture. Still, the country’s Apex Bank needs to objectively conduct an impact assessment and seek ways to minimise this levy’s negative impact on customers and financial institutions.

About the Author:

Esther Oluwabusayo Folorunso, MBA, CBAP, is an experienced and certified business analyst currently working in the Higher Education Industry in the United States. She serves on the Board of the IIBA Tampa Bay Florida Chapter.