The South African Reserve Bank (SARB) has issued a warning to consumers to be aware of the risks associated with the use of instant electronic funds transfer (EFT) online payment services offered at e-commerce stores.
An instant EFT is a payment method offered by a third party, in partnership with e-commerce stores (stores which facilitate the purchase and sale of goods and/or services via the Internet), which automates the initiation of payments for consumers to e-commerce stores and also provides immediate confirmation of payment to the e-commerce store to enable them to dispatch the goods or services purchased.
Instant EFT payments use a method called ‘screen scraping’, which makes it possible for third parties to access bank account data and automate actions on behalf of a consumer using that consumer’s online banking access credentials.
The access to the consumer’s screen data is then used to facilitate payments.
In a statement on Thursday, the SARB, the Financial Sector Conduct Authority (FSCA) and the Payments Association of South Africa (PASA) said they do not support the use of screen scraping to effect payments, given that it exposes consumers to the risks, including data privacy, fraud risk and breach of contractual agreements.
The SARB, FSCA and the payments industry said the method of using screen scraping to effect payments puts consumers’ access credentials at risk of being compromised.
"Consumers have no control over how their credentials, and any other data or personal information, are accessed and used by the third party, like account numbers and account statements can be stored and utilised without the consumer’s knowledge or consent,"SARB said.
The SARB also warned that rogue entities might pose as third parties offering instant EFT services on fake ecommerce sites to capture consumers’ access credentials for their bank’s Internet banking websites.
"From there, such entities might impersonate the consumer and conduct any activity that the consumer would have access to on their online banking platform including, making real-time payments to themselves, applying for a personal loan, increasing transaction limits, and ultimately initiating payments to mule accounts.
"Rogue entities might also access relevant data and personal information such as account information and monthly statements from which fraudulent collections through debit orders might occur,” the Reserve Bank warned.
Breach of contractual agreements.
The SARB further warned that by providing their Internet banking login credentials to a third party, consumers that use instant EFT products might be in breach of their banks’ terms and conditions which regulate Internet banking.
As a result, it said, knowingly or unknowingly, consumers might be giving up their rights of recourse and any legal protection in the event of suffering fraud and/or subsequent loss.
"Risk of financial loss and the goods purchased being lost EFT payments are final and irrevocable in nature, and consumers are unable to lodge disputes to reverse a transaction in the event of the online store not honouring their agreement (e.g. not delivering the goods or delivering counterfeit goods).
"Consumers might also be held liable for the interest payable on such amounts when payment was made from their credit card account or overdraft facilities," SARB said.
As the global economy experiences an increase in the use of electronic payments and online shopping, and considering the growing role of financial technology (fintech) in payments, SARB noted that online crimes are increasing.
"It is becoming even more important for consumers to educate themselves on the risks and benefits of using online means to make payments or order goods and services. It is also becoming exceptionally difficult for regulators and the financial industry alike to keep up with such crimes before a loss is experienced by either party."
Tips for consumers.
- Consumers need to be extra vigilant. They need to do all their checks, including contacting their banks for advice, before proceeding with something marketed and disguised under the premise of convenience;
- Consumers should use industry-supported solutions, like paying with their cards (debit or credit cards);
- Consumers should not share their Internet banking logon credentials with any third party.