Is it time to change who is liable for cybercrime on your bank account?

Posted on January 11, 2026

Should it always be the fault of the banking customer if their money is stolen from their bank accounts through cybercrime?

Banks started warning customers long before the start of the festive season that they must beware of cybercrime. Consumers took the advice to heart, but what do you do if you are kidnapped, your phone is taken and you are thrown out of a moving car, ending up under sedation in hospital?

This is what happened to a Johannesburg woman who could only report that her bank account was accessed by cybercriminals days after the incident. Her bank’s answer: it feels very sorry for everything she has been through, but it did not find in its investigation that the bank was at fault. She would therefore not be refunded.

She spent the happiest time of the year in a wheelchair with no money. But this is nothing new, as you hardly hear of consumers who are paid back after losing money in cybercrime.

SA not only country to hold banking customer liable

“Like in many other countries, the law in South Africa generally holds the consumer liable for any fraudulent transactions until the point where the bank is notified of the loss. Only after this notification does liability shift to the bank,” said Prof. Michelle Kelly-Louw, head of the department of commercial law at the University of Cape Town.

“Therefore, the consumer remains responsible for any losses that occur before reporting the loss of the card or credentials, unless the terms of the agreement provide otherwise and the consumer gave timely notice.

“This creates a significant practical challenge, particularly for vulnerable consumers, such as the elderly, low-income individuals, or those lacking digital and financial literacy. Contacting the bank to report a loss often involves long delays on call centres, during which time further fraudulent transactions can occur. Despite these inefficiencies, banks often still assign the loss to the consumer.”

She says while South Africa is still a cash-driven society, there has been an increase in the use of electronic payments, mainly by using payment cards. However, she points out that debit cards, South Africa’s second most commonly used payment method, are not governed by specific legislation regarding liability for fraud.

National Credit Act and credit cards

However, she says, credit cards are regulated under section 94 of the National Credit Act.

“This section outlines the consumer’s liability for unauthorised transactions after the loss or theft of a credit card or identification device and the credit provider’s duty to take reasonable steps to limit the consumer’s loss.”

Section 94 states that, for a credit facility accessed using a card, personal identification code or number, or similar identification device, the document that records the credit agreement must provide a contact telephone number where the consumer can report the loss or theft.

It goes on to provide that a credit provider must not impose a liability on a consumer for any use of a credit facility after reporting the loss or theft, unless the consumer’s signature appears on the voucher, sales slip, or similar record evidencing that particular use of the credit facility or the credit provider has sufficient other evidence to establish that the consumer authorised or was responsible for.

Shift in authentication methods makes it more difficult

However, today, Louw says, physical signatures are largely obsolete and cardholders now commonly authenticate transactions through PINs or one-time passwords (OTPs), especially for online purchases or higher-value transactions.

“This shift in authentication methods reflects a broader evolution in payment technology and fraud prevention. It is now extremely difficult, if not impractical, for banks to verify a consumer’s identity at each point of transaction through any means other than a PIN or OTP.”

Consumers therefore have an implied duty to safeguard their cards, PINs and personal information and to report the loss or compromise thereof promptly. However, Louw says a key issue arises when consumers fall victim to scams despite receiving prior warnings from their banks, but vulnerable groups, such as the elderly or consumers without reliable digital access, are often left behind.

Is it enough for banks to simply warn consumers about cybercrime?

For Louw this raises a pertinent question: Is it enough for banks to simply warn consumers? And does this meet a legal duty of care?

“Currently, there is no definitive case law in South Africa that establishes the precise legal obligations of banks in this evolving context. As scams become more sophisticated and target less digitally savvy populations, the question of the bank’s evolving role and responsibility remains open.

“Another common clause in cardholder agreements is that notification of the card’s loss, after the issuer already incurred liability to a merchant, does not absolve the cardholder of responsibility for the transaction. In other words, if the bank has already processed and paid the merchant before being notified of the loss, the cardholder may still be held liable.”

Reputation plays significant role in banks refunding

Louw says reputation also plays a significant role. “The reputational risk for banks of being seen as unsympathetic or unhelpful to fraud victims often leads to them compensating customers as a gesture of goodwill or due to long-standing customer loyalty.

“However, this is a discretionary practice, not a legal obligation. South African law does not currently require banks to refund losses unless bank employees were involved in the fraud or the bank itself was negligent.”

And proving bank employee complicity in scams is extremely difficult, Louw warns. In most cases, the loss occurs due to consumer negligence, such as sharing PINs or personal information, and, absent concrete evidence of wrongdoing by bank staff, the burden of loss remains on the consumer.

Apart from certain limited provisions in the National Credit Act, there is no specific legislation in South Africa that comprehensively governs liability for losses arising from fraud involving debit or credit card transactions.

Code of Banking Practice

There is “soft law” in the form of the 2012 Code of Banking Practice, to which all banks subscribe via the Banking Association of South Africa (BASA). While the code sets out various duties and responsibilities for banks and consumers, it remains non-binding because it is a voluntary code.

Louw says it is also important to note that the Code, as currently drafted, is tilted in favour of the banks, placing most of the risk and responsibility on consumers. “It lacks a fair and balanced approach and there is a clear need for greater equity between consumer rights and responsibilities and those of financial institutions.

Who should bear the risk of cybercrime?

“This raises a fundamental and unresolved question in financial consumer protection: Who should bear the risk of loss when a consumer is defrauded through the use of their credit or debit card – the bank or the customer?

“From a consumer perspective, a financial loss, even a relatively modest one, can have a devastating impact, particularly for vulnerable individuals. While it is true that losses often occur due to consumer negligence, scammers have become increasingly sophisticated. Even highly intelligent and financially literate individuals are frequently deceived through phishing attacks, social engineering and advanced impersonation scams.

“In these cases, placing the entire burden on consumers may be unjust and disproportionate, especially when banks could take more proactive steps to prevent or mitigate fraud.

“On the other hand, from a systemic perspective, imposing unlimited liability on banks for customer losses could pose serious financial and operational risks, particularly in high-value fraud cases.

“A single customer losing millions of rands and expecting full compensation could have significant repercussions for the bank. However, smaller losses, while meaningful to individual consumers, are often negligible in the broader context of a bank’s operations and could reasonably be absorbed as part of a bank’s risk management strategy or customer care commitments.”

Time to reassess current approach to losses through cybercrime?

Therefore, she says, it may be time to reassess the current approach to liability allocation, particularly in cases where:

  • the bank could have reasonably prevented the fraud with better security, AI or more effective warnings,
  • the consumer acted reasonably, yet was still defrauded due to the sophistication of the scam, or
  • the loss was partly attributable to both parties, warranting a shared liability model rather than an “all-or-nothing” approach.

Ultimately, Louw says, a more nuanced and balanced framework is needed, one that reflects the evolving nature of cyber fraud, better protects consumers and fairly distributes the risk between banks and customers. This may require reforming the Code of Banking Practice, introducing more robust legislation, or developing case law that sets clearer legal standards in this area.
