Business Report

Calls grow for banks to reimburse cyber-fraud victims, but experts warn against blanket payouts

Tracy-Lynn Ruiters|Published
South Africans demand bank reimbursements for cyber-fraud losses

South Africans demand bank reimbursements for cyber-fraud losses

Image: File

A petition calling on Finance Minister Enoch Godongwana to introduce a mandatory reimbursement policy for victims of bank fraud has gained traction as concerns mount over the devastating financial impact of cyber-fraud on ordinary South Africans.

The petition calls for banks to be obliged to reimburse victims who lose money through fraudulent and unauthorised transactions.

It comes against the backdrop of cases such as that of 38-year-old Abigail Jooste, who was sentenced in the Plettenberg Bay Regional Court to an effective 10 years’ direct imprisonment after defrauding an elderly couple of more than R94 000 after manipulating the elderly couple into trusting her with confidential banking information. 

The case has again raised questions about how vulnerable consumers, particularly the elderly, are targeted through banking scams and how difficult it can be to recover stolen money once fraud has taken place.

Consumer lawyer Trudie Broekmann said South African consumers did not have adequate protection when money was stolen through cyber-fraud or unauthorised transactions on their bank accounts.

She said, in practice, consumers had little recourse because banks typically responded by saying customers were negligent and therefore refused to reimburse them, or only paid a nominal amount.

To date Broekmann said 16 clients approached their firm and the losses range from R16 000 to over R1million, mostly between R400 000 and R600 000 per person.

Broekmann said banks should be required to prove that a consumer was grossly negligent before holding them liable for losses.

“A bank should be required to prove that the consumer was grossly negligent after conducting an in-depth investigation,” Broekmann said.

She said gross negligence was not the same as a consumer disclosing access codes, adding that there were cases where customers were “primed” by their banks to give out sensitive information.

Broekmann explained that bank fraud departments often asked customers extensive security questions, and if customers did not provide the requested information, their accounts could be frozen. She said this could create confusion when fraudsters posed as bank officials and asked for similar information.

According to Broekmann, banks currently conduct internal investigations and, in most cases, absolve themselves of liability before passing the loss on to the consumer.

She said the current Code of Banking Practice was not strong enough to protect consumers because, while it addressed customer negligence, it did not contain sufficient provisions holding banks accountable for cyber-fraud losses.

Broekmann said South Africa needed a clear mandatory reimbursement policy that placed the burden on banks, especially because banks were the institutions with the expertise, systems, resources and technical knowledge to investigate and prevent fraud.

“The mandatory reimbursement policy would correct the imbalance and ensure accountability rests with the banks, who are best equipped to investigate and prevent cyber-fraud,” she said.

She said such a policy would encourage banks to upgrade their security and increase their vigilance at a time when cybercrime had become one of the fastest-growing crimes in the country.

At the heart of the petition is a proposed reimbursement model similar to those used in other jurisdictions, where banks may be held responsible for reimbursing victims of certain scams unless the customer was grossly negligent.

Priya Rajah, from the National Financial Ombud of South Africa, said disputes involving cyber-fraud and unauthorised banking transactions were assessed on the specific facts of each case.

Rajah said the relationship between a bank and its customer was based mainly on contract, with both parties carrying rights and responsibilities. Consumers were usually held liable where they had compromised confidential banking information and this led to the loss.

She said the NFO considered the conduct of both the bank and the customer, including whether the bank acted reasonably and in line with its contractual, regulatory and industry obligations.

Rajah said reimbursement may be appropriate where a bank failed to act with reasonable care or where its systems, processes or fraud-prevention measures were deficient.

However, she warned that a blanket reimbursement policy could have unintended consequences, including reducing the incentive for customers to remain vigilant. She said it could also lead to more claims, including cases where customers may have contributed to the loss.

Rajah said banks may be required to reimburse customers where they failed to follow proper security procedures or where there were weaknesses in their systems.

She said factors such as whether PINs, passwords, OTPs or authentication approvals were shared, whether warnings were ignored, and whether the fraud was reported promptly were also considered.

Once fraud was reported, Rajah said banks had to mitigate the customer’s loss by tracing the movement of funds, identifying recipient accounts and trying to recover any remaining money through interbank processes.

She said POPIA limited what banks could disclose directly to victims, but banks could share information with law enforcement, regulators and other financial institutions where permitted by law.

Mike Bolhuis, an expert in serious crimes including cybercrime, said banks and other financial institutions were constantly warning customers to be careful with their personal information and PIN numbers.

He said digital banking fraud and cyber-fraud were at an all-time high in South Africa, with criminals using bogus calls, fake bank officials and other methods to trick customers into accessing accounts or approving transactions.

Bolhuis said customers carried a heavy burden in preventing cyber-fraud, but added that many scams could not “occur and flourish” without some form of insider assistance.

He said it was an excellent idea to petition banks and expect them to do more, but cautioned that a mandatory reimbursement policy could create practical risks with criminals using such a system to their advantage.

A second crime expert, who has dealt with banking fraud matters, said consumers were often placed in a difficult position when banks asked them to click “I acknowledge” during online banking processes.

He said the button was often presented as a safety warning or confirmation step, but ultimately protected banks when fraud complaints were later lodged.

“That button protects the banks,” he said.

According to the expert, once a customer clicks “I acknowledge”, banks can argue that the customer accepted the warning, authorised the step, or took responsibility for what followed.

He said this often made it harder for ordinary consumers, especially elderly victims, to dispute fraudulent transactions.

The petition argues that victims are often expected to investigate fraud themselves, despite banks having access to critical information, including recipient account details, transaction dates and times, and in some cases where stolen funds were withdrawn.

Broekmann said protecting personal information was important, but should not shield fraudsters or prevent victims from recovering stolen funds.

National Treasury said it was aware of the increase in digital banking and cyber-fraud and the impact on affected consumers. "Trust in the financial system depends not only on access to financial services, but also on the extent to which consumers are appropriately protected when risks materialise. These matters are complex and multi-faceted, with implications for fraud prevention and detection, institutional responsibilities, complaints handling processes, information-sharing practices, and consumer protection frameworks."

National Treasury noted international developments, including the United Kingdom’s approach to reimbursement for Authorised Push Payment fraud. "While such frameworks provide useful reference points, any potential policy response in South Africa would need to be carefully assessed within the domestic legal and regulatory context. This includes consideration of the national payment system, consumer protection frameworks, data protection requirements (including POPIA), and financial integrity obligations."

National Treasury said consumer protection in the financial sector was supported through a combination of regulatory oversight, conduct standards, dispute resolution mechanisms, and prudential safeguards. And, given the evolving nature of digital fraud risks, it is important that the regulatory framework remains responsive and fit for purpose. "The issues raised cut across the mandates of several authorities, including National Treasury, the South African Reserve Bank, the Financial Sector Conduct Authority, the Financial Intelligence Centre, and the banking industry. "The issues raised warrant careful and coordinated consideration, including the potential need for policy, regulatory or operational enhancements over time." 

[email protected]

Weekend Argus