Skip to content
South Africa: New requirement for issuers of electronic funds transfer credit payment instructions on behalf of payers in the national payment system to register with the South African Reserve Bank

6 December 2024

– 3 Minute Read

South Africa: New requirement for issuers of electronic funds transfer credit payment instructions on behalf of payers in the national payment system to register with the South African Reserve Bank

6 December 2024
- 3 Minute Read

Overview

  • The South African Reserve Bank has published a directive concerning the issuing of electronic funds transfer (EFT) credit payment instructions on behalf of payers in the national payment system.
  • The Directive applies to EFT credit payment instruction issuers, for example, a payment service provider that processes EFT payment transactions.
  • The Directive technically applies to any system operators authorised by the Payment Association of South Africa that process EFT payment transactions.
  • These issuers are required to be registered with the SARB in the manner and form prescribed by the SARB and to obtain the informed consent of the payer prior to issuing such a payment instruction or initiating such a payment.

On 15 November 2024, the South African Reserve Bank (SARB) published Directive No. 2 of 2024 in accordance with section 12(8) of the National Payment System Act, 1998 (NPSA) concerning the issuing of electronic funds transfer (EFT) credit payment instructions on behalf of payers in the national payment system (NPS)(Directive).

The purpose of the Directive is to impose requirements on persons issuing EFT credit payment instructions on behalf of payers using screen scraping or any other tool in the NPS (EFT Credit Payment Instruction Issuer), to mitigate the risks that have a negative impact on the integrity, efficiency, security and confidence in the NPS.

Screen scraping in payments means the use of computer techniques to solicit the payer’s online banking login credentials to access the clearing system participant’s online banking website to issue an EFT credit payment instruction on behalf of the payer.

The risks associated with screen scraping which the Directive intends to mitigate are: (i) the payers’ lack of informed consent and understanding of the implications of sharing their credentials online; (ii)  the misleading perception that the payment is instant; (iii) conducting sort-at-source which results in the bypassing of the clearing system; (iv) the lack of data privacy; (v) the exposure to fraud; and (vi) the risk of financial loss or non-delivery of the goods/ services purchased.

The Directive applies to EFT Credit Payment Instruction Issuers, for example, a payment service provider that processes EFT payment transactions. The Directive technically applies to any system operator authorised by the Payment Association of South Africa that processes EFT payment transactions.

These issuers are required to be registered with the SARB in the manner and form prescribed by the SARB and to obtain the informed consent of the payer prior to issuing such a payment instruction or initiating such a payment.

The Directive sets out the conditions for registration, which include, among others, that the EFT Credit Payment Instruction Issuer must employ or appoint a qualified person(s) with relevant experience responsible for ensuring compliance with the relevant legislation, rules, regulatory frameworks, and agreements; be satisfied that the key person(s) is honest and has integrity; demonstrate to the SARB, subject to the approval of the SARB, the manner in which informed consent will be requested from payers; and demonstrate to the SARB that it has the necessary processes and systems in place to secure a payer’s data and online banking credentials to mitigate risks of fraud and cyberattacks.

The Directive also sets out the ongoing obligations for EFT Credit Payment Instruction Issuers including requirements that relate to marketing practices obtaining informed consumer consent; operational risk; payer data protection; dispute resolution; traceability, audit and recordkeeping; liability risk management; and reporting.

The Directive is effective 90 days after the date of its publication. Accordingly, all existing EFT Credit Payment Instruction Issuers must register with the SARB and comply with the Directive within 90 days from 15 November 2024.

The Directive is available here.