Banks must up their game, or cough up

Published Nov 29, 2014

When a bank coughs up to cover a customer who has been the victim of fraud, it means one thing: the bank is acknowledging that it was breached because of weaknesses in its systems. “That’s why they pay,” said a well-placed source who asked not to be named.

They pay with the proviso that they are not accepting liability – but more about that later.

This week, it was announced that the banking industry suffered gross losses of R454 million this year owing to credit card fraud, which shot up by 23 percent in a year.

“The biggest contributor to the increase has been false application fraud [identity theft], which saw a very significant increase from R6.2 million in 2013 to R78.3 million in 2014,” Kalyani Pillay, the chief executive of the South African Banking Risk Information Centre (Sabric), said in a media release.

“Sabric has found that criminals misuse the online application channels provided by banks by using false details to open multiple credit card accounts. Consequently, they obtain legitimate cards and PINs,” according to the release.

In an interview with Personal Finance this week, Pillay said the perpetrators had stolen the identities of customers and provided the required documentation, which the banks had “verified” – and that there had been compliance with the Know-Your-Customer provisions in the Financial Intelligence Centre Act (better known as Fica).

How then did the fraud occur?

Pillay told me that, during a television interview on Wednesday morning, she was asked if the banks are being reckless. “I had to put it in context,” she said. “If banks had to physically verify their customers, you would have to wait months for an investigator to check [the information provided].”

Why would the banks make available to the public an online credit application system that is inherently risky? To make it easy for you, the legitimate customer, to access credit. The banks also want to take the pain out of banking, and to keep you out of their branches.

So what if card fraud is on the increase? If the banks are taking the knock, why should you care? Because someone, eventually, has got to cover the cost of these losses, and the banks are not known for their benevolence – or fairness, for that matter.

Clive Pillay, the Ombudsman for Banking Services, is collating statistics that he will present to the Financial Services Board early next year. The report will analyse cases finalised by his office to determine where banks have made gratuitous payments to customers (meaning payments without accepting liability), and where payments have been made with an acceptance of liability. The ombudsman says that it is relatively rare for a bank to admit liability.

This is unfair, and will not fly when the Treating Customers Fairly initiative, which will underpin the new regulatory regime, is in force (apparently by the end of next year).

“It means that one can never isolate the problem – whether it is bank-specific or systemic – or remedy it,” Pillay says.

According to the Sabric release, there has also been an increase in lost or stolen card fraud (a 521-percent increase), card-not-present fraud (21 percent) and debit card fraud (five percent). Percentage increases can make a problem look worse than it is when coming off a low base.

The debit card losses relate mostly to counterfeit card fraud, according to the release. For a fraudster to create a counterfeit card, he first has to skim your card.

Card skimming involves the illegal copying of encoded information from the magnetic strip of a legitimate card by means of a card reader. Fraudsters use a handheld skimming device at the point of sale or fit a device into an ATM card reader. Devices inserted into ATM card readers are not visible, at least to users with an untrained eye.

Sabric’s Pillay admits that there’s not a lot we can do to protect ourselves from this type of fraud or from false application fraud. The banks will introduce measures to make it harder for criminals to get credit in your name, she says.

But Peter Hill, an expert in IT governance and privacy, says Sabric’s statistics show that fraudsters have easy access to our personal information. “Poor control over personal information by financial institutions and cell phone companies makes the loss of personal details inevitable,” Hill says.

The president signed the Protection of Personal Information (Popi) Act more than a year ago, but it has yet to be fully enacted. Consequently, consumers continue to be exposed to high levels of risk in their daily transactions, as many enterprises don’t have adequate procedures in place to securely process the personal information that they so often collect, Hill says.

The sections of the Act that are effective empower the Minister of Justice and Constitutional Development to issue regulations and establish the Information Regulator, the first two basic steps towards implementing Popi, Hill says.

“Popi will require banks to implement generally acceptable standards of information security and to be transparent about this. Every fraud will be reportable to the Information Regulator and those affected. Right now we don’t know whether banks are meeting acceptable standards for information security. We don’t know exactly how prevalent the security weaknesses are. We know from the Paygate incident that the banks were not compliant with PCI-DSS (a security standard for the payment card industry), even though they force this standard on all retailers and don’t tell everyone who is affected about breaches when they occur.”

Until Popi is fully enacted and giving you the protection you need, there is something that you can do. If you regularly check your credit report, you will be able to pick up whether credit has been acquired in your name. Credit bureaus give you one free report a year.

There are four major consumer bureaus: Compuscan, Experian, TransUnion and XDS. By exercising your right to a free report a year from each of the bureaus, you are able to check your report once a quarter, at no cost.

WHAT IS PERSONAL INFORMATION?

Your identity document (ID), passport, driver’s licence, salary advice, bank account statements, municipal bills and store account statements are all personal and should be kept under lock and key, the South African Banking Risk Information Centre advises. You should also avoid: carrying personal information in your wallet or purse; disclosing personal information, such as passwords and PINs, via fax or email; and the use of obvious passwords, such as birth dates and first names. Furthermore, when destroying personal information, shred or burn it rather than tearing it up and throwing it in the bin or sending it for recycling.

If your ID or driver’s licence is lost or stolen, report it to the police immediately and alert the South African Fraud Prevention Service (SAFPS) on 0860 101 248 or at www.safps.org.za. The SAFPS will put your details on a database used by banks and retailers to try to prevent fraudsters from acquiring credit in your name.
