Rising to the Risk
Online shopping is on the increase in South Africa, with a recent Deloitte study noting that up to 70% of the country is making purchases in this way.
With this rise in online payments, the risk of exposing personal and confidential information, such as banking login details, to third parties has also risen sharply. It’s therefore no surprise that 86% of people are concerned about data privacy and security.
Worryingly, criminals can now steal personal data more easily when payments are made, through screen scraping, where sensitive customer banking information is taken during transactions.
This has even set off alarm bells at the Intergovernmental Fintech Working Group (IFWG) and the South African Reserve Bank (SARB). The IFWG has stressed the importance of taking greater action in the online payment space, citing that it is critical to balance consumer protection and innovation.
The risks can no longer be ignored, which is why open banking has emerged as a solution – one that must be considered by all financial institutions in the country.
The Source of the Scamming
In South Africa, consumers are heavily reliant on their mobile phones to shop online. However, in many cases consumers need their physical card on hand or have to switch between their banking app and the merchant’s site to enter their card details manually.
Additionally, some online stores don’t accept card payments due to the unaffordability of card commission fees and only allow Instant EFT payments, which force consumers to share sensitive bank account login details when paying online. Herein lies the risk.
This process exposes consumers to screen scraping, which can allow harvesting of personal data.
Additionally, some instant EFT providers share customer information, increasing the concerns expressed by industry bodies.
Screen scraping businesses have full access to your internet banking and can mine personal information, including banking statements, debit orders, and salary.
The usage terms and conditions of some well-known screen-scraping businesses even mention that the personal data they harvest can be shared or sold. Making matters worse is that this harvested data is stored in the cloud and most likely in other countries.
Sharing internet banking login information is the equivalent of walking into a store, then handing your card and PIN to a well-dressed stranger, allowing them to leave with it to withdraw cash on your behalf and return with the money, so you can pay the store – trusting that this is simply part of the payment process.
Compounding the concerns is social engineering, yet another risk factor consumers face, as they are manipulated and influenced by savvy hackers into handing over sensitive information by phone, email and social media, which is then used to gain illegal access.
A Solution Open to All
To help address the need for secure EFT payments, Capitec enlisted Pay@, a leading payments aggregator in South Africa, to ensure enhanced security and convenience would be at the core of the Capitec Pay offering.
This collaboration led to the launch of Capitec Pay. The solution makes full use of the alternative to screen scraping, Open Banking, which allows secure access for payment providers to request payment from a customer. In this scenario, there is no stranger able to take advantage of gaps or loopholes.
A proof of concept (POC) was launched in February 2022 after Pay@ processed the first successful Capitec Pay transaction in December 2021. The POC provided secure payments to over two million Capitec customers in South Africa during the last 12 months and offered a trusted alternative to sharing their card or banking login credentials with third parties.
Essentially, customers can make payments directly by simply opening their Capitec banking App and approving the payment.
The Application Programming Interface (API) implemented by Capitec enables third-party providers to securely initiate payment requests to Capitec clients, while allowing them to choose the account they want to pay from and authenticate the payment safely through the banking app.
The need to use screen scraping is alleviated.
The Results are Remarkable
Since the launch, there has been exponential growth in the number of transactions processed month-on-month via Capitec Pay.
The rapid adoption rate highlights that a need is being addressed. To achieve it, Pay@ played the role of the bridge to the consumer, reacting swiftly to feedback and implementing changes to fully test the capabilities of the Capitec Pay API.
This allowed Capitec to experiment in a safe and controlled manner. Pay@, already an enabler for billers and their customers for the payment of bills including satellite TV, municipal bills, telco accounts, insurance, or traffic fines, has used the Capitec collaboration to develop their technology even further.
According to Pay@’s Clinton Leask, “It’s essential that consumers not only feel protected from fraud, but actually are. Working closely with Capitec by securely testing efficiency and measuring success rates, we have taken a massive stride forward to securing the details and livelihoods of South Africans.
It is a level of care that we have also implemented with EFT payments that are shielded from data breaches.
We believe that collaborating with banks to better secure their customers is vitally important to the economy.” Additionally, Capitec has further enabled Pay@ to process payments directly in the Capitec App under the Pay Bills section.
Expanding the Concept is Vital
While reviewing screen scraping, regulators such as SARB have proposed policy changes in respect of open banking.
According to SARB’s November 2020 paper, “a new class of third-party providers, with access to customers’ financial information, should be introduced to improve offerings for customers, increase competition, and promote innovation. ‘Good’ permissible open-banking practices must be distinguished.”
The Financial Sector Conduct Authority (FSCA) expanded on this view in their 2020 survey to uncover sentiments and perspectives around financial data.
They concluded that before consumer financial data is shared, informed consent between the consumer, financial service provider and third-party provider needs to have been obtained. Consumers need to be fully aware of terms and conditions of what they are consenting to and how their data will be used to serve them.
Clearly, policymakers, development partners, governments, and financial institutions must work together to develop more inclusive financial services for all South Africans – with security right at the top of the list of priorities.
Currently, nearly one in four South Africans are unbanked, with cash seen by many as safer or even more affordable. To enhance accessibility and instil trust, more inclusive financial service technologies must be introduced. For the over 11 million people that already use Capitec’s digital channels, Capitec Pay, and the innovation that comes with it, translates into a banking experience that’s safer, more secure, and infinitely more accessible. Pay@, through Capitec Pay, is fully utilising open banking by harnessing the convenience of unique facial biometric scans and cardless online payments.
“Pay@ was progressive in their understanding of the payment industry and had the foresight to see how our product idea would solve a shared problem. They were willing to test the customer journey and their willingness to switch. This has proven to be a complete success. Our collaboration on Capitec Pay led to invaluable learnings, which helped to significantly improve the product and client experience to reduce drop-offs and abandonment rates, increase first-time conversions and very importantly, reduce the likelihood of fraud,” said Capitec’s Jerome Passmore.
The fact is, financial services are a significant enabler of social and economic development and therefore policymakers, development partners, governments and financial institutions alike need to work together to make strides in developing safe and secure products, especially at a time of economic instability.
It is critical to continue the evolution of fintech innovation, with regulators working hand in hand with financial institutions to decrease fraud, while finding new pathways to greater financial inclusion in the economy.
As banks continue to work with fintechs, the industry can focus on greater levels of transparency, informed consent and data security. Ultimately, with the industry rising to the risks, fintech innovation can safely unlock a new world of infinite possibilities.