Authored By: Tsiane Lekekela
Eduvos
Abstract
The world is evolving through the advancements of technology and South Africa is forced to adapt, particularly in the case of the banking sector, where South African financial institutions are continuously navigating towards digital financial innovative concepts to implement within their operations. However, the issue lies in the lack of cyber risk assessment of the digital systems facilitating electronic funds transfers as well as the assessment of the unjust liability of South African financial institutions in terms of the bank-customer agreement. South African banking laws lacks comprehensive legislation for electronic funds transfers, enabling financial institutions to set their own terms of liability for losses incurred as a result.
Introduction
Internet banking in South Africa started in 1996, which captured customers with convenience. Although, in those times electronic funds transfers (EFTs) were slower and took days to reflect. The evolution of Electronic Funds Transfers in South Africa began in the mid-1990s due to the South African Reserve Bank’s initiative of implementing and leading reforms which began with the South African Multiple Option Settlement System (SAMOS) that was launched in 1998 for real-time gross settlement, which ultimately evolved into the foundation of the National Payment System (NPS) of South Africa with aims of moving away from cash risks. The SAMOS project established a new interbank-settlement system enabling for faster and real-time electronic payments for high value transactions.3 Due to the advancements of technology along the years and the need for efficiency, the National Payment System evolved and was managed by the South African Reserve Bank (SARB) and the Payments Association of South Africa (PASA), which is regulated by SARB and manages payment streams including EFTs.1 Many challenges were faced with regards to fragmentated regulations, which lead to integrated payment solutions such as real-time clearing (RTC) to improve customer experience. EFT developments grew rapidly. However, little to no legal developments in the regulation of EFTs were implemented with common law and contracts governing disputes most likely with reversal of payments of EFTs.2 This revealed how financial institutions such as banks could escape liability and all loss carried by the client as banks are the ones who set the terms of the bank-customer agreement. 2The other issue is the emergence of EFT crimes due to cybercrimes targeting online banking systems and the SARB warning clients of these EFT scams.2 The implementation of online banking bears so many risks for the client and there is a lack of accountability with banks. The main objective of this article is to highlight the impact of the lack of independent legislation for EFTs as well as to expose how certain clauses in contracts rid banks of liability for unauthorised EFTs to manage their risks.
Legal framework for EFTs
The primary sources of South African Banking Law are Roman law, Roman-Dutch law, Islamic law, Indigenous law, Legislation, Judicial precedents and Custom/Trade law. The legislature governing banking practices as well as being relevant to EFTs are the National Payment System Act 78 of 1998, The National Credit Act 34 of 2005, The Consumer Protection Act 64 of 2008, The Financial Advisory and Intermediary Services Act 37 of 2002, Prevention Of Organised Crime Act 121 of 1998, The Financial Intelligence Centre Act 38 of 2001 and The Code of Banking Practice. South African Banking Law regulates EFT transactions under the Electronic Communication and Transactions Act 25 of 2002. As stated in the act, its purpose is” to provide for the facilitation and regulation of electronic communications and transactions” 5 The ECTA provides for the legal recognition of “electronic transactions”, which includes EFTs.4 An EFT is considered valid if both sending and receiving banks are registered financial institutions. This is defined in the Banks Act 94 of 1990, the main regulatory legislation in South Africa’s banking sector. The purpose of the Banks Act 94 of 1990 is to protect the public against any losses occurred as a result of lack of solvency or the malpractices of banks, as well as to protect the public against unfair competition by institutions that offer the same services.5 Credit and Debit electronic transactions are protected under the National Credit Act 34 of 2005.7 The purpose of this act as stated is “to promote a fair and non-discriminatory marketplace for access to consumer credit and for that purpose to provide for the general regulation of consumer credit and improved standards of consumer information”. The National Payment System (NPS) is the set of instruments, procedures and rules that enable funds to be transferred from one institution to another.3 The National Payment System is governed by the South African Reserve Bank and the National Payment System Act 78 of 1998.
The purpose of the National Payment System Act as stated is “to provide for the management, administration, operation, regulation and supervision of payment clearing and settlements in South Africa”. The South African Reserve Bank is the central bank of South Africa. The South African Reserve Bank is governed by the South African Reserve Bank Act 90 of 1989.9 The mandate of the South African Reserve Bank is derived from the Constitution of South Africa 1996. The purpose of this act as stated is “to protect the currency of the Rand”. Mobile Banking and Internet banking services facilitate quick electronic transactions as opposed to the traditional banking avenues.7 In this case, the Financial Intelligence Centre Act 38 of 2001 is involved as it requires these platforms to maintain their standards of security as well as to ensure they are not facilitating the operation of money laundering and fraudulent transactions.7 The purpose of the Financial Intelligence Centre Act 38 of 2001 is “ to establish a Financial Intelligence Centre and a Money Laundering Advisory Council in order to combat money laundering activities”. The Consumer Protection Act 64 of 2008 aims “to promote a fair, accessible and sustainable marketplace for consumer products and services and for that purpose to establish national norms and standards relating to consumer protection”. The Financial Advisory and Intermediary Services Act 37 of 2002, aims “to regulate the rendering of certain financial advisory and intermediary services to clients; to repeal or amend certain laws; and to provide for matters incidental thereto”. The Prevention Of Organised Crime Act 121 of 1998 aims to combat organised crime, money laundering and criminal gang activities. The Code of Banking Practice is a voluntary code which all banks who are members of the Bank Association of South Africa (BASA) are subscribed to, which sets out the minimum standards of service and conduct that the client can expect from the bank.
Protection of the consumer in electronic funds transfers
The Consumer Protection Act 64 of 2008 applies to electronic transactions as it provides the customer of the bank with rights when partaking in these electronic transactions, such as the right to disclosure of information, the right to fair contractual terms and the right to a cooling-off period.8 The bank-customer agreement contains clauses where duties of the bank and the customer, which are set by the bank, are stipulated. However, in terms of liability it is set in a way that the bank is not liable for any losses occurred and all loss is barred with the customer. These clauses are also relevant to EFTs. However, considering the ruling of the Constitutional Court in the landmark case Barkhuizen v Napier where it stated that these clauses are indeed contestable and that the application of the pacta sunt servanda (agreement must be kept) is subject to constitutional control and that it is important to factor the bargaining position of contractual parties in terms of inequality in this regard. This is implemented through Section 48-52 of the Consumer Protection Act 64 of 2008, providing for customer’s right to fair, just and reasonable contractual terms and conditions that are to be available to the customer whenever the bank seeks to enforce unfair contractual clauses onto them.8
Legal effect of EFTs on duties of banks
Banking services are accessible all over the world due to the implementation of mobile banking services, internet banking services and telephone banking services.4 The contracts regulating or governing the relationship between parties to the bank-customer agreement in terms of these banking services are Standard-form contracts which is evident that the bank’s intention are to ensure that the customer carries the greatest extent of liability.4 Banks contract out of liability for any loss incurred due to the malfunction of the client’s devices, network or other defects.4 However, as seen in the ruling of Barkhuizen v Napier, these clauses in the contract are contestable through the application of Section 48-52 of the Consumer Protection Act 64 of 2008.18The originator’s bank is vicariously liable for the negligence of its employees or agents acting on its behalf. 4 In terms of a countermand of an electronic funds transfer (EFTs), the originator’s bank must adhere to the notice of countermand of a payment order, especially if the notice is clear, concise and acknowledged by the bank.4 In terms of the problematic issue of a recovery of erroneous payment and reversibility of payment of a payment instruction given by the originator to the originators bank; the originators banks is to adhere to that mandate regardless of the beneficiary’s fraud, misrepresentation or by mistake of the originator as it is immaterial to the originator’s bank according to the bank-customer agreement clauses particularly with EFTs.4 This is the case provided the originators bank acted in good faith. The recovery of funds will only be attainable by the originator seeking it from the beneficiary on legal grounds of unjustified enrichment.4
Bank’s liability for Unauthorised EFTs
In terms of the bank-customer agreement, the bank’s duties are to adhere to their mandate with reasonable care and skill and to act in good faith as per the common law of mandatum.4 They are also responsible for the implementation of a reliable security system for EFTs.4 It is also the duty of the customer to draft their payment orders meticulously to avoid fraud.4 Even though the method of EFTs differs from cheques, their legal constructions remain similar.4 As a result, the legal relationship between both the bank and the customer is ultimately determined by common law, contract law and the legislation mentioned above (legal framework of EFTs).4 The main challenge with EFTs is the significant security risk that lies with the customer. Since there is no specific legislation for EFTs, banks exploit this opportunity to set contractual terms and clauses that strategically leave them with no liability in terms of unauthorised EFTs.4 However, this is of course contestable if terms are contradictory to existing legislation. Additionally, banks are further protected by the Code of Banking Practice.
The lack of legislation governing EFTs leaves the bank-customer agreement as a standard for determining the responsibility for loss from unauthorised EFTs and the Code of Banking Practice supports the measures banks use against being held liable.4 They are however held liable in terms of transferring funds without customer consent. In the case of Diners Club SA (Pty) Ltd v Singh, the bank-customer agreement was examined for unauthorised credit card transactions and the verdict of the matter had favoured a clause in the bank-customer agreement set by the bank. However, it was identified that the Consumer Protection Act 64 of 2008 has a determining role in the verdict as well to safeguard the interest of the consumer essentially.19 When it comes to losses, the bank-customer agreement stipulates that if the customers loss is due to the card misplacements, theft and the bank not being informed, the customer bears the risk of any monetary loss, and it is not the bank’s liability.4 This is also the case if the customer negligently shares their PIN and does not inform the bank about unauthorised transactions.4 In the case of Absa Bank Ltd v Hanley, the court held the bank liable for its negligence for an unauthorised transfer. So, unless the customer does not inform the bank promptly, they will be held liable for negligence. Additionally, there is no legislation governing the revocation of EFTs so if the payment for an electronic funds transfer has been processed it is irrevocable. However, the bank may reverse a credit transfer if it was an error of if there was fraudulent activity.4 In the Take & Save Trading CC v The Standard Bank of SA Ltd case it was stated that once a credit transfer is executed it is irrevocable without the beneficiary’s consent. However, in the Nissan South Africa (Pty)Ltd v Marnitz NO case, the judgement differentiated between valid transfers and transfers where beneficiary was not entitled to the funds. It was stated that the transfer is reversible without the beneficiary’s consent. Depending on the bank-customer agreement, banks recover funds based on the principles of unjustified enrichment action or recover funds by the reversal of credit transfers.4
This is evident from the Absa Bank Ltd v Lombard Insurance Co Ltd case where the court used the application of the principles from a cheque context to an electronic transfer and discussed when and how a recovery would be valid. In terms of a countermand of payment, the bank cannot make a payment if the instruction was countermanded and this is problematic in terms of the instantaneous nature of EFTs. The Bank can only reverse a credit transfer with the consent of the beneficiary and without the consent of the beneficiary if the transfer was invalid due to fraudulent activity or authorisation.4 In the Nedbank v Pestana case the bank stated that it could not reverse credit transfer payments once completed, however in the case or fraud/theft it could do so. The way forward in terms of unauthorised EFTs and the liability of banks is for the South African Parliament, President and relevant government departments to enact an Electronic Funds Transfer Act governing electronic funds transfers independently and apportioning liability proportionately between parties to the bank-customer agreement.
Conclusion
Although South African banks have the responsibility to implement reliable systems for EFTs, based on the countless EFT scams and theft, including data breaches and customer data being compromised, it is evident that obligation has not been satisfied and needs to be addressed. Their unjust clauses need to be re-evaluated to account for the underlying negligence on their part for not having secure systems that put the customer at risk. It is ultimately their fault for EFT scams and unauthorised transactions due to their lack of adequate security systems, not the customer. The demand for tightened cyber security measures for online banking systems is evident and urgent. The demand for EFT regulations, particularly the enactment of legislature for EFTs is evident to address the unjust contractual clauses banks enforce against their customers. This will drive the sustainable advancement of banking practices, strengthening the transition towards a secure, efficient and cashless society in South Africa.
Reference(S):
Cases
Barkhuizen v Napier, (2007) 5 SA 323 (per Ngcobo, J., dissenting) (RSA).
Diners Club SA (Pty)Ltd v Singh, (2004), 3 SA 630 (per Levinsohn, J.) (RSA).
Absa Bank Ltd v Hanley, (2014), 1 SA 249 (per Malan, JA., concurring) (RSA). Take & Save Trading CC v The Standard Bank of SA Ltd, (2004), 4 SA 1 (per Harms, JA., concurring) (RSA). Nissan South Africa (Pty)Ltd v Marnitz NO, (2004) 1 SA 441 (per Streicher, JA., concurring) (RSA). Absa Bank Ltd v Lombard Insurance Co Ltd, (2012) 6 SA 569 (per Malan, JA., concurring) (RSA). Nedbank v Pestana, (2009) 2 SA 189 (per Streicher, JA., concurring) (RSA).
Legislation
Electronic Communications and Transactions Act, 2002, §2(1) (RSA). Banks Act, 1990, §1(a) (RSA). Constitution of South Africa, 1996 (RSA). National Credit Act, 2005, §3 (RSA).
National Payment System Act, 1998, §3-12 (RSA). South African Reserve Bank Act, 1989, §3(1) (RSA). Financial Intelligence Centre Act, 2001, §2 (RSA). Consumer Protection Act, 2008, §3 (RSA). Financial Advisory and Intermediary Services Act,2002 (RSA). Prevention of Organised Crime Act, 1998, §38 (RSA).
Books
Sharrock, R, The Law of Banking and Payments in South Africa, Chapter 1 2 6 8 (Juta, ed. 2016).
Circulars, Directions and Guidelines
South African Reserve Bank, Faster payment consultation paper, (Issued on June 12, 2020).
Government Gazette, National Payment System Act; Directive: issuing of electronic funds transfer credit payment instructions on behalf of the payer in the national payment system, (Issued on November 15, 2024).
Internet sources
Standard Bank, The Code of Banking Practice, Standardbank.co.ca, https://www.standardbank.co.za/southafrica/personal/about-us/regulatory/code-of-banking-practice.
South African Reserve Bank, Payments and Settlements, resbank.co.za, (2018), https://www.resbank.co.za/en/home/what-we-do/payments-and-settlements.
