The Nigerian Cybercrime Act 2015 and its implications for financial institutions and service providers
July 2016 | EXPERT BRIEFING | RISK MANAGEMENT
Cyber crime can be defined as crime in which a computer is either the object of the offence or the tool used to commit it. Offenders may use computer technology to access personal or commercial information, or use the internet for exploitative or malicious purposes.
Nigeria has shown a growing awareness of the need to strengthen cyber security. It initiated the registration of GSM users in 2011 and in 2014 the Central Bank of Nigeria (CBN) launched a centralised biometric identification system for the banking industry, tagged Bank Verification Number (BVN).
The Cybercrimes Act 2015 is the first legislation in Nigeria that deals specifically with cyber security. Passed in May 2015, it gives effect to the 2011 ECOWAS Directive on fighting cyber crime and is broad in its scope.
The Act charges the offices of the National Security Advisor (NSA) and the Attorney-General of the Federation (AGF) with coordinating its enforcement and creates the multi-agency Cybercrime Advisory Council (the Council) and the National Cyber Security Fund (the Fund) to be overseen by the NSA.
This article contends that while the Act is a step in the right direction, it places onerous regulatory and financial burdens on the very institutions it intends to protect. Particularly affected are financial institutions and service providers.
The Act recognises the role of financial institutions as stakeholders in the cyber security framework, and the term ‘financial institution’ is defined in s.58 of the Act as including: “any individual, body, association or group of persons, whether corporate or unincorporated which carries on the business of investment and securities, a discount house, finance company and money brokerage..., insurance institutions, debt factorisation and conversion firms, dealer, clearing and settlement companies, legal practitioners, hotels, casinos, bureau de change, supermarkets and such other businesses as the Central Bank or appropriate regulatory authorities may, from time to time, designate”.
The principal responsibilities placed on financial institutions are contained in Part IV of the Act. Section 37(1) imposes a duty to verify the identity of customers carrying out electronic financial transactions, requiring customers to present documents bearing their names, addresses and other relevant information before ATM, credit or debit cards and other related electronic devices are issued. Failure to do so attracts a fine upon conviction.
Section 38 requires service providers to keep all traffic data and subscriber information for a period of at least two years. Further, service providers are required to turn over such information to law enforcement agencies on request, and failure to comply with either requirement attracts a fine of 7m naira.
Section 39 requires service providers, upon a court order, to assist competent authorities with the collection or recording of content and/or traffic data associated with specified communications. Under s.40 they are required to provide assistance to law enforcement agencies in identifying offenders, tracing proceeds of offences and the cancellation of services used to commit offences.
Section 21 creates a duty to report to the National Computer Emergency Response Team (CERT) any attacks, intrusions or other disruptions liable to hinder the functioning of another system or network. The section further empowers CERT to propose the isolation of affected systems and networks. Additionally, failure to report any such incident within seven days is an offence, rendering the offender liable to denial of internet services and a mandatory fine.
The National Cyber-Security Fund is created by s.44 of the Act. It is an account to be maintained with the Central Bank of Nigeria (CBN) and administered by the NSA. It is to be funded, inter alia, by a levy of 0.005 (0.5 percent) on all transactions by the businesses specified in the Second Schedule to the Act, which are: (i) GSM service providers and all telecommunication companies; (ii) internet service providers; (iii) banks and other financial institutions; (iv) insurance companies; and (v) the Nigerian Stock Exchange.
The burden of the Act
The definition of financial institutions provided is wide reaching, encompassing businesses like legal practitioners, hotels, casinos and supermarkets. Additionally, banks and other financial institutions may be treated as ‘service providers’ as defined in s.58. Through the provision of ATM, POS and other cashless services they provide the ability to communicate by means of computer systems, mobile networks or electronic communication devices (which per the Act include ATM, credit and debit cards). These wide definitions may, in practice, represent a barrier to entry for smaller enterprises in the affected markets.
The duties placed on financial institutions to verify their customers’ identities amount to a regulation of the financial sector that overlaps with the remit of other regulators, particularly the CBN. They are especially superfluous in light of the Bank Verification Number (BVN) policy, which specifically provides for the biometric identification of bank customers and makes it a prerequisite for operating a bank account in Nigeria.
The responsibility of service providers to track and retain data on users adds a regulatory load, particularly on the telecommunications sector, and overlaps with the regulatory competence of the Nigerian Communications Commission (NCC). The measure duplicates efforts such as the SIM registration initiative and may indeed be redundant, as the NCC is already empowered by s.64 of the Nigerian Communications Act, 2003 to gather the same information.
The duty imposed by s.21 is potentially arduous, requiring the reporting of all attacks or disruptions to CERT. Yet the Act itself provides no definition of these terms and makes no reference to the severity or success of the attack. A financial institution, in its ordinary business, may be subject to multiple attempted breaches or other disruptions. The requirement to report all such occurrences within seven days imposes a substantial duty on institutions, and a mandatory fine is imposed for failure to do so. Additionally, CERT may further disrupt an institution’s operations by denying it internet access under s.21(3).
Perhaps the most notable of the provisions is the imposition of a mandatory 0.5 percent contribution to the Fund on transactions carried out by certain service providers and financial institutions. This adds an extra cost to these businesses that will ultimately be passed on to consumers. The Fund is at the discretion of the NSA, and no indication of how it is to be applied is given in s.44 beyond the statement in s.44(5) that up to 40 percent of the Fund may be allocated to programmes countering violent extremism. Presumably, however, the Fund will be applied toward the functions of the Council outlined in s.43, which, as well as establishing an enabling environment and formulating general policy, include awarding research and graduate training grants in the cyber security field.
The definition section of the Act requires amendment so that it unambiguously matches the intentions of the legislators. Considerable attention must be given to the definitions of ‘financial institution’ and ‘service provider’, as well as to “attacks, intrusions and other disruptions” as used in s.21. This expression should be defined narrowly, with reference to the gravity of the threat, as giving it a wide meaning would encompass many incidents and create a reporting duty burdensome to both institutions and CERT. Such a definition is particularly needed given the mandatory fine for failing to report such incidents.
The First Schedule of the Act lists the members of the Council and includes representatives of ministries and parastatals, law enforcement agencies, military and intelligence organisations, as well as industry regulators. The Council must also include representatives from industry and stakeholder groups. The recently inaugurated 31-person Council, chaired by the NSA, must ensure efficient coordination between the different agencies to avoid duplication of effort and unnecessary red tape in the Act’s implementation. Regard must therefore be given to the existing policies of the CBN and the NCC and to the concerns voiced by stakeholders.
The NSA and the Council must ensure absolute transparency in the Fund’s application. Outside of clarifying the implied commitment to counter-extremism, a clear policy should be outlined for the investment in research and training.
Leaving aside the quantum of mandatory contributions, the Fund should be applied to the benefit of its contributors and stakeholders. It could be used to insure the transactions on which the deductions are made against cyber crime as well as raising awareness of cyber security, informing stakeholders and the general public of the Act and its implications.
The Cybercrimes (Prohibition, Prevention, Etc) Act, 2015 is landmark legislation, representing the country’s first foray into legislating on cyber security. However it must be seen as a first step, one that must be built on.
The Act in seeking to combat cyber crime creates several duties for financial institutions and service providers, the same entities most directly affected by cyber crime. Many of the duties created duplicate measures already imposed by industry specific regulators. The burden of these duties is compounded by the criminal liability imposed for failure to meet them.
The remedy to many of these problems lies in the Act’s implementation. The bodies charged with it – the NSA, the AGF and the Council – must make efforts to enforce the Act in a way that does not create unnecessary hindrance to business activities. To do this they must clearly define the terms used in the Act, work together to avoid duplicated effort, and apply the Fund transparently in ways that will help industry and stakeholders to bolster the Nigerian cyber security framework.
James Okoh is the deputy head of dispute resolution practice and Enyinnaya Danjuma Chukwueke is an associate at Fidelis Oditah & Co. Mr Okoh can be contacted on +234 (01) 271 0290 or by email: email@example.com. Mr Chukwueke can be contacted by email: firstname.lastname@example.org.
© Financier Worldwide
James Okoh and Enyinnaya Danjuma Chukwueke
Fidelis Oditah & Co.