Finance Minister Enoch Godongwana. Consumers are increasingly falling victim to cybercrime through banks, leaving them vulnerable and without recourse. This open letter urges the Minister of Finance to implement accountability measures for financial institutions to protect consumers.
Image: Armand Hough/Independent Newspapers
Consumers are increasingly falling victim to cybercrime through banks, leaving them vulnerable and without recourse.
This open letter by Trudie Broekmann Attorneys urges the Minister of Finance to implement accountability measures for financial institutions to protect consumers.
We are a law firm specialising in Consumer Law. We assist ordinary consumers to enforce their legal rights and as a result we have a keen interest in the legislation as well as systems of redress available to consumers.
We have recently been inundated with consumers complaining that they have fallen victim to cybercrime perpetrated through the very institutions entrusted with safeguarding their money, the banks.
Every day, ordinary South Africans are faced with the devastating reality that their hard-earned money may be stolen through fraudulent and unauthorised transactions, with little to no prospect of recovering the stolen funds, because banks frequently point the finger back at the affected consumers.
We find that South African consumers are provided with little to no meaningful explanation by the banks as to how their systems were infiltrated by unauthorised third parties and we are left to wonder whether the perpetrators may be bank staff, or assisted by staff working at the bank. Instead, affected consumers are often met with allegations that they have somehow acted negligently and compromised their login credentials.
The code of banking practice provides that should customers act fraudulently, negligently or without reasonable care then they will be liable for the loss they have incurred.
South Africa is experiencing an alarming rise in cyberfraud, with millions of rands disappearing from consumers’ bank accounts, whilst banks routinely escape liability and seek to pass the blame onto the very consumers they are meant to protect, all the while protecting the individuals and syndicates who have managed to bypass the banks’ systems and commit what has become South Africa’s fastest growing crime.
When incidents of cyberfraud take place, the affected consumers are left to investigate the fraud themselves in an attempt to recover the stolen funds. However, when those same consumers approach the banks for assistance, the banks, despite having access to critical information, including the identities and account details of the recipients of the stolen funds, the time at which the transactions took place and the date, time and place at which the stolen funds were withdrawn, are quick to cite the Protection of Personal Information Act, 4 of 2013 (“POPIA”) as a basis to refuse disclosure of such information. Consequently, consumers are left entirely vulnerable and without adequate mechanisms through which to obtain the necessary information required to trace and recover their stolen funds.
In summary, consumers who are hit by cyberfraud are novices to the experience, while our SA banks are experts at dealing with cyberfraud. Nevertheless, the novice is expected to avoid the fraud and if they fall victim, put up all of the proof of fraud despite not having access to the necessary information or technical expertise on banking security. This is completely back to front.
In contrast, other jurisdictions have implemented progressive policies aimed at restoring trust between consumers and banks. These policies serve to incentivise the banks to strengthen and continuously improve their fraud detection and prevention systems.
By way of example, in the United Kingdom, the Payment Systems Regulator has introduced the Authorised Push Payment (APP) scam mandatory reimbursement policy, which can be perused at: https://www.psr.org.uk/media/rhelv4op/ps25-5-app-scams-reimbursement-consolidated-policy-statement-may-2025.pdf
In terms of this policy, where fraudulent transactions take place, both the bank that effected the fraudulent transaction and the bank that received the stolen funds are held jointly liable to reimburse the victim for the losses suffered, except in cases where the victim was grossly negligent.
This system of shared liability raises the stakes for banks and encourages them to enhance their fraud detection and risk compliance systems.
The reimbursement policy further makes it mandatory for banks to collaborate and implement systems to identity and prevent fraud, build and increase consumer awareness and enhance ecosystem resilience.
In practical terms, this means that where a consumer’s bank account is fraudulently accessed and funds are fraudulently transferred, both the sending and receiving banks bear the responsibility of investigating and determining how the affected consumer’s account was accessed, when and under what circumstances the receiving bank account was opened and whether such account was opened for purposes of effecting the fraudulent transactions.
In order to enforce the policy and ensure accountability, the Payment Systems Regulator publishes a report on reimbursement to victims of banking fraud across the United Kingdom’s largest 14 banking groups, including data reflecting how much money is transferred from victims’ accounts by each payment firm as well as how much money is received into fraudsters’ accounts by each bank as a result of APP scams.
This approach takes the burden from the vulnerable consumer and instead places responsibility in the hands of the banks, which are experts in the payment industry and have the necessary resources and systems to prevent these fraudulent transactions from taking place.
Given the vulnerable position of the ordinary South African consumer, a mandatory reimbursement policy similar to that adopted in the United Kingdom seems imperative. It could be introduced through the collective efforts of key role players in the payment system, including the Finance Ministry, Payment Association of South Africa, the Banking Association of South Africa, the South African Reserve Bank, the Financial Sector Regulator and the Financial Intelligence Centre. Surely we have no other option, since South Africa is currently the most targeted country in the continent for cybercrime and digital banking fraud. In 2024 alone, there was an 86% increase in banking fraud.
Banks which have the necessary expertise and technologies to combat fraud and cybercrime, are not held accountable nearly enough for the constant security breaches which leave consumers’ hard-earned money exposed to fraudsters and often have a devastating and long lasting impact on the victims’ financial security and ability to provide for themselves and their dependents.
We invite the addressees of this letter to each respond to us with their proposed next steps in order to introduce such a policy in South Africa, along with proposed timelines.
Trudie Broekmann is a commercial attorney with over twenty years’ experience. She established her firm, Trudie Broekmann Attorneys, during January 2013, specialising in commercial, corporate and consumer law.
Trudie is a commercial attorney with over twenty years’ experience. She established her firm, Trudie Broekmann Attorneys, during January 2013, specialising in commercial, corporate and consumer law.
Image: Supplied.
PERSONAL FINANCE