Picture: 123RF/SCAN RAIL
Picture: 123RF/SCAN RAIL

Banks are known to offer secret settlements to some of their clients following online banking fraud. But this practice has caught the attention of the body regulating the market conduct of banks and will be subject to scrutiny in terms of a conduct standard for banks, which will come into operation on October 1.

The Financial Sector Conduct Authority (FSCA) has published for comment a draft conduct standard for the banks, aimed at ensuring that banks treat their customers fairly.

These standards are a response to a number of conduct weaknesses identified in reports by the Competition Commission and the World Bank Group.

One of the draft conduct standards obliges banks to regularly monitor their systems and processes to ensure customers are not exposed to risks.

Caroline da Silva, the head of regulatory strategy at the FSCA, told Money her office had had extensive engagements with banks to find out how they deal with cyber risks in digital banking, including how criminal attacks are evolving and how nimble the banks are in identifying, fixing and recovering from attacks.

In addition, Da Silva says her office has been asking banks to explain their philosophy on warning, educating and compensating you, their customer, in the event of an attack.

When it comes to settlements with customers after a cyber attack, Da Silva says the conduct standards oblige banks to treat you fairly and so the FSCA is asking the banks about their compensation practices.

“We are asking, ‘Why did this customer get compensated, and [why did] this customer get 50% and this customer get none? What is your practice when it comes to compensation’?”

The banks have had to answer tough questions, such as, How did you make this determination? What is your practice? How is this fair? What are your disclosures? What forensic analysis did you do to ensure that it wasn’t a breach of your systems?

“But more importantly, if you are aware that this kind of thing is happening, what are you doing to change your systems to defend and protect the customer?”

Patterns of complaints

Da Silva says the FSCA has asked for “certain reports”, particularly where there have been patterns of complaints about specific banks.

Almost a year ago Johannesburg attorney Mark Heyink, who specialises in information security law, made a submission to the FSCA detailing allegations of unfair treatment by Absa in its handling of about 30 cases of online banking fraud.

Heyink, acting pro bono for the Absa customers, claimed the bank had “improperly” held clients liable for losses resulting from online banking fraud and called on the regulator to investigate Absa and the Ombud for Banking Services.

Heyink said 15 of his Absa clients accepted settlement offers made by the bank — all of which were for 50% of the amount stolen — yet in five cases, clients were not provided with forensic reports establishing their negligence.

He said all those who accepted settlement offers did so under duress. The offers were made on a confidential, ex gratia, one-off basis. Once accepted, the bank considered the client to have accepted that he or she was at fault and the case was closed.

In terms of your relationship with your bank, if payments are made from your account without your authorisation, the bank is obliged to credit your account.

However, with internet banking, you are said to agree to take the risk that if your password or PIN was used to log on, you authorised the payment.

But in terms of the Consumer Protection Act, banks are obliged to draw your attention to this shift in risk in their agreements with you. The banks’ inconsistency — and in some cases failure to do so — is highlighted the World Bank Group’s Retail Banking Diagnostic report.

In his submission to the FSCA, Heyink said banks are responsible for providing a payment system that is secure and if they fail to do so, they are liable for any damages you suffer.

It has been well-known for many years that cellphone SIM swaps undermine one-time passwords, introduced by the banks as a security measure to protect high-risk transactions, such as the adding of a beneficiary.

Heyink contended that the banking ombud’s failure to consider the bank’s responsibility relating to these passwords is a failure to deal with a critical factor in internet banking fraud.