You can educate banking customers all you want, but there are times when they will not be able to protect themselves.
Banks consider consumer education as one of the best ways to protect their customers against cybercrime, but when you are lying at the side of the road with injuries and no phone, it is not always that easy to do what the bank told you to.
While consumer education is important, is it not unfair to expect users to defend themselves when the defences in place do not empower them? It seems that the same warnings banks give to protect customers are often repurposed by fraudsters to gain consumers’ trust while impersonating the bank.
Prof. Michelle Kelly-Louw, head of the department of commercial law at the University of Cape Town, says that is true, but how do you then balance the rights and duties of the parties?
“The duty to educate consumers and improve financial literacy was placed on the Financial Sector Conduct Authority (FSCA) and the National Credit Regulator (NCR) respectively in terms of legislation.
“However, they cannot carry this burden on their own and financial institutions are under no specific legal obligation to do so, although indirectly they are expected to. In my view, financial institutions should also have a statutory duty to play a role. They hold consumers’ funds and therefore it is just natural that they too should have such a duty.
“If financial institutions do alert consumers or at least try to do so, what more can they reasonably or practically do? However, there is still the possible systemic risk banks may be exposed to given the large amounts these scams run into if they were to bear the brunt.”
Is it not time to shift the burden of paying for the losses back to the platform or system and not the customer? And what about using better technology and systems? Louw says when payment instruments, such as credit and debit cards, are used, the underlying transfer of funds typically occurs through an electronic funds transfer (EFT).
“In this way, the card serves as the instrument, while the EFT is the method making the payment, showing that cards and EFTs are closely linked in practice. There is also no specific legislation governing EFTs.
“Generally, a consumer cannot just merely ask the bank to reverse a wrong EFT payment made as the beneficiary must give permission for the reversal. However, the Supreme Court of Appeal did indicate in a case that if the transfer was due to fraud, permission may not be required. Usually, the fraudster is long gone, as is the money.”
She points out that banks already have the duty, in terms of various pieces of legislation such as the Protection of Personal Information Act and the Electronic Communications Act, to ensure that they keep consumers’ data safe and provide adequate technology.
However, while the Electronic Communications and Transactions Act, Electronic Communications Act and the Protection of Personal Information Act provide a broad and general framework for the facilitation and regulation of electronic communications and transactions, they do not deal specifically or comprehensively with EFTs and electronic banking services.
Louw says the Electronic Communications Act does not cover various issues related to the use of electronic products in a financial environment.
“One serious flaw, for example, is that the Act fails to address the circumstances where an electronic transaction can be reversed or truncated, or at whose initiative it can be done.
“This is the one area in the SA law of electronic payments which is currently clouded in uncertainty and lagging behind international developments. Another flaw is that the ECT Act does not provide guidance on which party’s consent is required to reverse an electronic transaction.”
Is it possible for banks to have the technology to flag transactions that are out of the ordinary and check with you first? Louw says AI can be, and already is being, used by banks to detect fraudulent transactions, similar to how they monitor for money laundering. While effective, this area lacks specific legislation, creating a regulatory gap that needs attention.
“Banks often call customers to verify suspicious activity, but many consumers ignore unknown numbers due to spam calls, despite protections under the Consumer Protection Act. As a result, important fraud alerts may be missed and legitimate transactions may be blocked if flagged as unusual. Clearer AI regulation, better consumer communication and improved awareness are essential going forward.”
Until now, banks have worked on the principle of who gave permission for the transaction to go through. But is the line between authorised and unauthorised transactions not getting a bit more blurred, making it necessary for banks to take more responsibility? Louw says it is perhaps time. “The banks use the PIN and OTPs to verify that it is their card holder/consumer/client transacting. Unless there is another way to verify the identity this will not change and the lines will stay blurred. The issue is that OTPs are intercepted so consumers do not get the OTPs or when they do get it they may be fake.”
Can SA banks not consider measures such as those other countries use to tackle cybercrime? Examples include Singapore’s Shared Responsibility Framework; the UK requiring payment service providers (PSPs) to make reimbursements to victims of authorised push payment fraud under a new regime applicable to payments; and the EU’s proposed third Payment Services Directive and proposed Payment Services Regulation, which expand the liabilities of PSPs to make reimbursements for fraud losses.
There are also the Australian Scams Prevention Framework Bill and the US “Protecting Consumers from Payment Scams Act”.
Louw says South Africa is lagging significantly behind several other jurisdictions in this area. “This is particularly notable given the continued influence of English law on South African banking and financial law.
“Many of these international frameworks provide substantial protection and compensation to consumers for losses incurred due to fraud, often through well-established mechanisms that shift or share liability in a more balanced manner.
“Introducing similar protections in South Africa would likely face resistance from the banking sector, particularly around the potential financial and operational implications. One of the key arguments raised will be the issue of systemic risk, particularly if banks are expected to absorb high-value losses across a large customer base.”
Who will fund these frameworks?
Louw says an equally important consideration is the funding of these frameworks. “Whether through a central compensation scheme, mandatory insurance, or enhanced card protection products, the ultimate cost is likely to be passed on to consumers, either through increased bank fees, product pricing, or other indirect mechanisms.
“However, this should not deter reform. A transparent and well-regulated system, where costs are shared fairly and fraud risks mitigated through collaborative efforts, can enhance public trust in the banking system and provide better outcomes for both banks and consumers.”
Banking consumers need broader systemic response to cybercrime
Therefore, she says, what we need is not only legislation, although that is essential, but also a broader systemic response that includes inclusive financial education, accessible dispute resolution mechanisms and industry-wide standards that place fair and proportionate obligations on both consumers and banks.
Ideally, she would like to see policymakers develop bespoke legislation covering all forms of electronic payments that would promote the safe use of financial technology and support financial inclusion across all sectors of society, as existing laws are outdated and insufficient.
Louw says new legislation should govern digital payment methods, including debit and credit card use, EFTs and unauthorised or incorrect transfers, while clearly allocating risk and responsibility. “It should be written in plain language, set out the general rules for the use of these instruments and define the duties of all parties involved.
“Such a framework would provide legal certainty, protect data privacy and enhance consumer protection. Importantly, banks should be regulated to ensure fair contract terms, preventing imbalances that disadvantage consumers. Any new law must be balanced, ensuring equal protection for both consumers and financial institutions.”
