South African banks have supported a recent warning from the South African Reserve Bank (SARB), the Financial Sector Conduct Authority (FSCA), and the Payments Association of South Africa (PASA) regarding the risks of using instant electronic fund transfer (EFT) services.
Local regulators raised concerns over Instant EFT services because they work by having customers give a third-party provider their Internet banking username and password.
Using screen scraping, the Instant EFT provider makes the payment on your behalf and verifies that the payment has gone through.
Ozow argued that it has not had a single incident of fraud on its platform since its launch in 2014, whereas banks have reported large increases in card-related fraud.
MyBroadband asked South Africa’s major banks for their view on Instant EFT services.
Cowyk Fox, the managing executive for Everyday Banking at Absa Retail and Business Bank, said that Absa fully supports the industry’s caution against screen scraping as part of its commitment to combating fraud.
“It is important to differentiate between a blanket reference to Instant EFT payments, which also includes legitimate interbank Real-Time Clearing payments and screen scraping,” Fox said.
“The inherent risk lies in cases where EFT payments are processed by using a customer’s login details to access their online profile to then process an EFT payment, i.e. screen scraping.”
Fox stated that once you have disclosed your login details, you lose control over that data.
“Should it be compromised or abused, then armed with the customer’s login credentials, and with the account now ‘logged into’, fraudsters or unscrupulous third parties now have complete access to the account,” warned Fox.
Screen scraping is not illegal, nor do all third-party providers use screen scraping for fraudulent means.
However, Absa still cautions against sharing your confidential banking login credentials with third parties.
Fox said that sharing your “keys to the safe” in the form of your banking login credentials with a site other than your bank’s secure website undoubtedly exposes you to fraud risks.
“With the increased activity in electronic payments and online transactions, Absa is proactively exploring new technologies to better protect and meet the needs of all our consumers. It, however, remains imperative that customers avoid entering their details into screen scraping tools, particularly for third-party EFT payment processes, to protect their private data and account security.”
Ravi Shunmugam, the CEO of FNB’s EFT product house, also said that Instant EFT services that rely on screen scraping have inherent risks that service providers and consumers need to be aware of.
“No matter how reputable the retailer or platform may be, the simple fact is that when you share your bank login credentials details with a third party, even in a secure environment, you expose yourself to significant financial crime and privacy risks,” Shunmugam warned.
“EFT payments are final and irrevocable. When using secure payment instruments like card, consumers enjoy the benefit of additional security as well as purchase protection such as dispute rights.”
Nedbank also said that it discourages clients from disclosing information to unknown or unauthorised third parties.
“In instances where clients voluntarily disclose their confidential information to an unknown third party, they put themselves at risk by giving third parties the ability to access information about their accounts, banking history, and other confidential information,” a spokesperson for the bank said.
The bank said that its clients currently have the ability to make instant payments, other than instant EFT, with real-time credit payments that are accessible via Internet banking and card via 3DSecure.
“Nedbank is in support of developing solutions, such as the API Marketplace, to enable instant payments via open banking capabilities moving forward.”
Instant EFT promoting financial inclusion?
Another argument Ozow made was that its platform helps drive digital and financial inclusion by opening up online shopping to people who don’t have debit or credit cards.
MyBroadband asked banks under what circumstances a client would have access to online banking and EFTs, but not a debit card.
Absa’s Cowyk Fox said that they issue you with a debit card by default when you open an account. To use online banking, or to create an Internet banking profile, Absa clients must have a cheque or savings account.
FNB’s Ravi Shunmugam also said that all their transactional banking customers are issued with a debit card and/or credit card.
When has using Instant EFT resulted in fraud?
MyBroadband also asked the banks if they can provide examples of when a client has made use of Instant EFT payments and later had their online banking profiles compromised.
They could not provide concrete examples at the time of publication.
“The industry has seen a significant increase in fraud relating to online banking credentials being compromised as fraudsters evolve their techniques in response to the significant improvements made to combat transaction fraud, such as chip and PIN cards,” said Absa’s Cowyk Fox.
“It is always very risky sharing one’s online banking details with a third party. Ultimately, in sharing your login details you give away control over your account and expose yourself to unknown risk, including potential fraud should those details land up in the wrong hands.”
FNB’s Ravi said that they have also had instances where customers suffered fraud and privacy breaches due to compromised login credentials.
“The bank strongly encourages customers to protect their sensitive online banking credentials and never capture these on any third-party platform,” Shunmugam emphasised.
Shunmugam also stated that FNB offers several ways for clients to pay online including its Scan to Pay functionality in the FNB App and RMB Private Bank App.
“FNB or RMB Private Bank credit, debit, and Fusion cards are the ideal way to transact digitally without compromising your security,” said Shunmugam.
MyBroadband asked the South African Banking Risk Information Centre (SABRIC) for its views on Instant EFT, but the organisation said that the issue is beyond its mandate as no fraud has been committed.
“In addition, SABRIC has no statistics about fraud committed as a result of an instant EFT,” SABRIC stated.
SABRIC suggested that we ask PASA for further comment. PASA did not respond by the time of publication.