Sending money to others over EFT is a common action, but these transactions can take some time if you do not pay an additional fee for express payment.
To circumvent express fees and improve the transfer time of EFTs, many South Africans opt to use third-party instant EFT services.
Using third-party instant EFT platforms requires the user to supply the provider with their online banking details, including their username and password.
The instant EFT service then logs into the user’s online banking account and makes the transaction on their behalf, with the user receiving an OTP confirmation.
While this can result in faster EFTs, it also places the user at risk of having their online banking credentials compromised – and can be a violation of a bank’s terms and conditions.
MyBroadband asked major South African banks about their stance on instant EFT services and the possible security risks involved in using these platforms.
Absa told MyBroadband it does not approve third-party EFT services.
“Absa does not approve of third-party service providers who utilise screen scraping to facilitate these EFT payments,” the bank said.
“Only approved vendors will be allowed to enter the Absa domain to facilitate third-party EFT services via secure API.”
Absa added that customers who use these services would be liable in the event of their credentials being compromised, as they provided them to the third-party service.
“Absa’s terms and conditions stipulate that customers should never provide their security information to anyone,” Absa said.
“Should customers knowingly provide third-party vendors with their online banking logon details, the customer will be held liable in the event of cybercrime.”
Absa added that it is in the process of enabling more secure connection models via the utilisation of secure API’s for use by third-party payment service providers.
FNB EFT Product House CEO Ravi Shunmugam told MyBroadband they do not support third-party instant EFT providers.
“FNB does not support the practice of third-party services providers requesting customers to enter their banking login credentials into third-party websites or applications,” Shunmugam said.
“The bank is working with the payments industry bodies, PASA and SABRIC to highlight this practice and potential risks to customers at an industry level.”
“These services are not PCI DSS-certified and we are working with the industry to have similar standards established and enforced,” he added.
Shunmugam said that customers should not share their online banking credentials with any third parties.
“We would like to remind our customers not to enter their login credentials into any third-party website or application and to safeguard their login credentials at all times.”
Shunmugam said customers who have entered their login credentials in any website or application other than their bank’s platforms are advised to change their passwords.
Nedbank Emerging Payments head of business development Clinton Leask said that clients voluntarily disclosing their banking credentials to third-party EFT services were putting themselves at risk.
“We continually advise our clients to ensure the safekeeping and confidentiality of their banking information and not disclose such information to unknown or unauthorised third parties,” Leask told MyBroadband.
“In instances where clients voluntarily disclose their confidential information to a third-party they put themselves at risk by giving third parties the ability to access information about their accounts, banking history, and other confidential information,” he added.
“Consumers currently have the ability to effect instant payments, other than instant EFT, with real time credit payments, which is accessible via Internet banking and with card via 3DSecure.”
Standard Bank – No comment
MyBroadband contacted Standard Bank for comment, but the bank did not provide feedback.