Major ‘instant EFT’ changes for South Africa
The South African Reserve Bank (SARB) has issued a new directive restricting all electronic funds transfer (EFT) credit payment instructions in South Africa, in a bid to protect the National Payment System (NPS) and consumers from fraudulent activity.
In terms of the directive, no person may issue an EFT credit payment instruction on behalf of a payer in the NPS unless that person is registered with the SARB and has obtained informed consent of the payer prior to issuing the instruction.
The reason for the directive is to counter and clamp down on increased usage of screen scraping in South Africa.
Screen scraping is a process used by many payment fintech companies to issue EFT credit payment instructions on behalf of users. A key facet of the process is logging into your online banking through a third party, which is widely discouraged.
Often marketed as ‘Instant EFT’, the process itself can be used legitimately, but can be open to exploitation and is not supported in South Africa.
Despite this, the SARB has noted increased usage of the process by fintechs across various platforms.
A practical example of screen scraping would be:
- A shopper makes a purchase at an online store
- When selecting payment options, they choose ‘Instant EFT’
- The shopper is then redirected to a page where they choose their bank
- They are directed to enter their banking login details
- The shopper then chooses the account to pay from, and then moves on to payment confirmation
- The transaction is completed, and the order is processed
All of this happens on the platform the shopper is using.
In 2020, the SARB, the Payment Association of South Africa (PASA) and the Financial Sector Conduct Authority (FSCA) issued a joint statement warning consumers about the risks associated with instant online EFT payments, particularly in relation to screen-scraping.
They explicitly stated that they do no support this process.
In its latest directive, the SARB outlined a host of issues with it.
“Screen scraping is largely conducted without the informed consent of the payer, the understanding of the implications of sharing the credentials as well as using the branding of clearing system participants without approval,” it said.
“This practice exposes the NPS, including the participants and payers to risks.”
These include:
- Payers are not aware that they are giving their login details to a third party and having them perform transactions on their behalf.
- Payers are not aware of the implications and negative impact of doing so.
- Payers are misled into thinking the process is an ‘instant’ transaction when it is not.
- Payers are not aware of their private data being exposed and exploited.
- Payers are being exposed to potential fraud by rogue entities.
- Payers face financial losses or non-delivery of goods and services, and the EFT credit payments are final and irrevocable.
- Payers may face issues lodging disputes to reverse transactions with their banks.
The SARB has now moved a step further, targeting EFT credit payment instructions as a whole.
Under the directive:
- No person may issue electronic funds transfer credit payment instructions on behalf of a payer in the NPS unless they are registered with the Reserve Bank and have obtained informed consent from the payer.
- Registration involves a whole administrative process, with certain conditions needing to be met—including employing a qualified person or persons to oversee compliance with legislation, rules and regulations.
- Anyone issuing EFT credit payment instructions need to rein in their marketing, and cannot create any fraudulent, misleading or false impressions with consumers.
- They will also have to clearly indicate that they are contracted with a clearing system participant, publicly disclose terms and conditions in clear language, have procedures for handling complaints, and a privacy policy. They must also have a dispute resolution process and traceability, audit and record keeping processes.
- They must obtain informed consent, by making payers fully aware that they are issuing EFT instruction on behalf of the payer using their online banking credentials. Notably, it must be clearly communicated that by entering their login credentials, the payer is sharing the credentials with that person and is not logging on to their online banking website or application.
The new directive comes into effect 90 days from publications (around March 2025) and any contravention will be considered an offence in terms of the National Payment Systems Act.
The SARB said that failure to comply will result in the termination of anyone registered, and they will be required to cease issuing EFT instructions on behalf of any payers immediately.
The central bank said that any issuer who is not certain whether the directive applies to them should contact the SARB to clarify the matter ([email protected]).
The full directive can be read below: