The South African Reserve Bank (SARB) and the Financial Sector Conduct Authority (FSCA), in consultation with the Payments Association of South Africa (PASA), has issued a warning to consumers to be aware of the risks associated with the use of instant electronic funds transfer (EFT) online payment services offered at e-commerce stores
An instant EFT is a payment method offered by a third party which automates the initiation of payments for consumers to e-commerce stores and also provides immediate confirmation of payment to the e-commerce store to enable them to dispatch the goods or services purchased.
Instant EFT payments use a method called ‘screen scraping’, which makes it possible for third parties to access bank account data and automate actions on behalf of a consumer using that consumer’s online banking access credentials.
Access to the consumer’s screen data is then used to facilitate payments.
The SARB, the FSCA and the payments industry said that they do not support the use of screen scraping to effect payments, given that it exposes consumers to the following risks.
The method of using screen scraping to effect payments puts consumers’ access credentials at risk of being compromised.
Consumers have no control over how their credentials, and any other data or personal information, are accessed and used by the third-party.
Account numbers and account statements can be stored and utilised without the consumer’s knowledge or consent.
Rogue entities might pose as third parties offering instant EFT services on fake ecommerce sites to capture consumers’ access credentials for their bank’s Internet banking websites.
From there, such entities might impersonate the consumer and conduct any activity that the consumer would have access to on their online banking platform
This includes making real-time payments to themselves, applying for a personal loan, increasing transaction limits, and ultimately initiating payments to mule accounts.
Rogue entities might also access relevant data and personal information such as account information and monthly statements from which fraudulent collections through debit orders might occur.
Breach of contractual agreements
By providing their Internet banking login credentials to a third party, consumers that use instant EFT products might be in breach of their banks’ terms and conditions which regulate Internet banking.
As a result, knowingly or unknowingly, consumers might be giving up their rights of recourse and any legal protection in the event of suffering fraud and/or subsequent loss.
Risk of financial loss and the goods purchased being lost EFT payments are final and irrevocable in nature, and consumers are unable to lodge disputes to reverse a transaction in the event of the online store not honouring their agreement – such as not delivering the goods or delivering counterfeit goods.
Consumers might also be held liable for the interest payable on such amounts when payment was made from their credit card account or overdraft facilities.