Picture: ISTOCK
Picture: ISTOCK

Absa is tight-lipped about its meeting this week with the banking regulator about how the bank handles cyber risks.

Caroline da Silva, head of regulatory strategy at the Financial Sector Conduct Authority (FSCA), told Money that the regulator's meeting with Absa was the first of a series it will have with all banks. This comes after a "market conduct risk" across the sector was flagged in a retail banking diagnostic, as well as reports from customers, including one from Johannesburg attorney Mark Heyink.

In June last year, Heyink made submissions to the FSCA detailing Absa clients' allegations of unfair treatment by the bank in dealing with online banking frauds.

Though the meeting with Absa was general, Da Silva said the issues in Heyink's submission were discussed, including the predominance of Absa clients in cases of online fraud dealt with by the attorney.

64%

The percentage by which online banking crime surged between 2017 and August 2018

In his report to the FSCA, Heyink, acting for 29 Absa customers referred to him by a digital forensic expert and a computer scientist, claimed that the bank had "improperly" held clients liable for losses resulting from online banking fraud and called on the regulator to investigate Absa and the ombud for banking services.

But Da Silva told Money this week that the FSCA is in an "interim position", without legislation in place yet to regulate the conduct of banks - the Conduct of Financial Institutions Bill was published in December for comment. "We don't want to wait for that to take action on their conduct, so we've drafted a set of conduct standards which will be published for comment before the end of March and will hopefully be in force before the middle of the year."

On the question of the conduct of the banking ombudsman, Da Silva said the Twin Peaks regulatory model envisages a stronger ombud system, with a chief ombud to look at the independence, governance and decisions made by both statutory and voluntary/industry ombuds.

In October last year, the South African Banking Risk Information Centre released statistics on digital banking crime for the first time, showing that the number of incidents of online fraud had increased by 64% between 2017 and August 2018.

The conduct Heyink reported to the FSCA relates to Absa holding clients responsible for losses when the bank had allegedly:

• No evidence of negligence on the part of its clients;

• Applied incorrect interpretation of the law relating to the client's assumption of risk;

• Failed to comply with applicable consumer protection legislation; and

• Failed in its duty of care to its customers.

Heyink and the digital experts quoted in the submission also question whether the security measures taken by Absa were appropriate.

Absa, which would not be drawn on the meeting with the FSCA, also declined to respond to these specific allegations.

Ulrich Janse van Rensburg, head of fraud strategy at retail and business banking at Absa, said internet fraud is of "huge concern" to Absa. "It has an adverse impact on the much-needed relationship of trust between Absa and its customers. For this reason, it is entirely in our interest to ensure not only that world-class security measures are in place, but that when fraud is committed, those responsible are apprehended and made to account. And expeditiously so.

"That's why Absa takes every possible precaution to safeguard our customers' money and co-operates closely with the SAPS and industry fraud-prevention bodies such as Sabric [South African Banking Risk Information Centre].

"However, we are unfortunately constrained in instances where the customer would have caused vulnerability by divulging their confidential banking details to third parties, very often without intending to do so. Regrettably, this weakness impacts the entire industry, not only Absa.

"Although Absa is ordinarily not liable for the frauds perpetrated on its customers by third parties in the strict legal sense, it recognises that these crimes have a significant personal impact on the victim and for this reason will come to their financial assistance," Van Rensburg said.

Almost half of Heyink's 29 clients accepted settlement offers from Absa covering 50% of their losses. The settlement offers, which were valid for seven days only, were confidential, ex gratia and in full and final settlement of claims against the bank.

In his submission to the FSCA, Heyink said that in consultation with clients who accepted such settlements, in every instance the client said they had accepted the settlement under duress. One client said: "We felt we had a gun to our head."

Clients who did not accept settlements said they also felt Absa was trying to force them to accept the offer.

Absa said that it does not put pressure on clients and a week is reasonable time for a client to decide whether to accept a settlement. But Heyink said that the circumstances under which the offers were made by Absa placed clients in an unfair bargaining position.