The South African Reserve Bank tightens “instant payment” framework in South Africa – screen scrapers beware!
Following the COVID-19 pandemic, more people than ever are ordering goods online because of the variety of goods and services available, the convenience, quick delivery times and usually competitive prices. However, the risks associated with issuing an electronic funds transfer credit payment instruction (“EFT Payment Instruction”) to make payment for such online goods and services have been mostly understated.
The emergence of financial technology (fintech) companies that use technology to provide innovative tools, products and services has offered the e‑commerce environment various tools to “optimise” e-commerce transactions, with screen scraping being one such tool. Screen scraping refers to the process where computer techniques are deployed to solicit a payer (being a consumer)[1] to divulge his/her online banking login credentials so that the “screen scraper” can use the payer’s online banking login credentials to issue an EFT Payment Instruction on behalf of the payer.[2] Unbeknownst to most payers at the time of the transaction, they are unwittingly authorising an independent third party to issue an EFT Payment Instruction on their behalf without having actually logged onto their online banking account (either via the website or mobile application versions). This transfer of personal information leaves the payer more susceptible to (i) cyberattacks, (ii) data breaches (including in relation to the payer’s personal information), (iii) fraud and (iv) financial losses.[3]
In response to the growing number of ‘authorised’ independent third party payments taking place via EFT Payment Instructions and the increasing risks to consumers, on 15 November 2024, the South African Reserve Bank (“SARB”), in accordance with section 12 of the National Payment System Act No. 78 of 1998 (“NPS Act”), published the “Directive in respect of issuing of electronic funds transfer credit payment instructions on behalf of the payer in the national payment system” (“Directive 2”). The purpose of Directive 2 is to impose more stringent requirements on independent third parties issuing EFT Payment Instructions on behalf of payers, using screen scraping or any other technology tools, in the national payment system.
Directive 2 prohibits any person (including a juristic person) from issuing an EFT Payment Instruction on behalf of a payer unless that person –
- is registered with the SARB, in such manner and form that the SARB prescribes in Directive 2, which, inter alia, involves –
  - supplying the SARB with the requisite supporting documents;
  - employing or appointing a qualified person(s) with relevant experience who will ensure compliance with the relevant legislation, rules, regulatory frameworks and agreements;
  - demonstrating the manner in which the informed consent of the payer will be obtained before issuing an EFT Payment Instruction on behalf of such payer; and
  - demonstrating to the SARB that it has the necessary processes and systems in place to secure the payer’s data and online banking credentials;[4]
- has obtained the informed consent of the payer before issuing any EFT Payment Instructions on behalf of the payer; or
- is exempted by the SARB from registering in accordance with Directive 2.[5]
In addition to the registration requirements, Directive 2 imposes ongoing obligations on persons issuing EFT Payment Instructions on behalf of payers. In this regard, such persons must, inter alia, –
- ensure that the marketing practices of its products and services to payers are not fraudulent or likely to create false and misleading statements;
- inform the payer if it has entered into any contract with a clearing system participant[6] to issue EFT Payment Instructions on behalf of the payer and publicly disclose the terms and conditions for using its services;
- obtain the informed consent of the payer, in the manner prescribed in Directive 2, before using his/her online banking credentials to access the transactional accounts of the payer to issue an EFT Payment Instruction on behalf of the payer;
- have sound and effective policies, systems and procedures in place to mitigate operational risks;
- comply with all requirements of the Protection of Personal Information Act No. 4 of 2013 to protect the personal information of the payers;
- have an insurance or guarantee mechanism against possible losses for payers and beneficiaries resulting from fraud or refunds; and
- submit monthly reports to the SARB by no later than the 15th day of each month.[7]
Paragraph 6 of Directive 2 authorises the SARB and its representatives to monitor compliance with these directives and any person that contravenes Directive 2 may be liable to pay a fine not exceeding R1,000,000 or sentenced to a term of imprisonment not exceeding five years, or both a fine and a term of imprisonment.[8]
Directive 2 comes into effect 90 days after the publication thereof, or on such later date as may be communicated by the SARB. All persons who issue EFT Payment Instructions on behalf of payers are therefore encouraged to initiate discussions with the SARB to align their current and/or future business practices with Directive 2.
[1] “Payer” is defined in paragraph 1.18 of Directive 2 as “a person that holds a payment account and allows a payment instruction to be issued from that payment account”
[2] Paragraph 1.23 of Directive 2
[3] Paragraph 2.5 of Directive 2
[4] Paragraphs 5.1.4 and 5.2.1 of Directive 2
[5] Paragraphs 5.1.1 and 5.1.2 of Directive 2
[6] “Clearing system participant” is defined in section 1 of the NPS Act as “a bank, a mutual bank, a co-operative bank, a branch of a foreign institution or designated clearing system participant that clears in the manner contemplated in section 4(2)(d)(i) [of the NPS Act]”
[7] Paragraph 5.3 of Directive 2
[8] Paragraph 7.3 of Directive 2, read with sections 12(8) and 14(a) of the NPS Act
