National Payment System Act, 1998 (Act No. 78 of 1998)

Notices

Directive in respect of issuing of Electronic Funds Transfer Credit Payment instructions on behalf of the payer in the National Payment System

5. Directive


5.1 Registration requirements

 

5.1.1 No person may issue electronic funds transfer credit payment instructions on behalf of a payer in the NPS unless that person:
a. is registered with the SARB in the manner and form prescribed by the SARB; and
b. has obtained informed consent of the payer prior to issuing such a payment instruction or initiating such a payment; or
c. has been exempted from registration by the SARB.

 

5.1.2 A juristic person must apply for registration with the SARB to issue payment instructions or initiate payment on behalf of a payer.

 

5.1.3 The application to register with the SARB must be addressed to the Head of the National Payment System Department at [email protected].

 

5.1.4 The application for registration must be accompanied by the following information and supporting documents:
a. proof of business registration and/or founding documents of a juristic or legal person, issued by the applicable competent South African authorities;
b. proof of physical address of the place of business in South Africa;
c. disclosure of ownership, including the names and certified copies of the identity documents of the shareholders, trustees and ultimate beneficial owners;
d. organisational structure;
e. the types and sources of funding, including the capital contribution for the establishment and operation of the business. In the case of a loan, the funding details of the name of the lender and their domicile must also be provided;
f. a reasonably measurable forecast budget calculation for the next three financial years which demonstrates that the applicant is able to employ appropriate systems, resources and procedures to operate in a sound manner; and
g. a description of the applicant’s governance arrangements and internal control mechanisms relating to, inter alia, IT systems, data security, administrative, risk management and accounting procedures, which demonstrates that these governance arrangements, control mechanisms and procedures are appropriate, sound and adequate.

 

5.2 Conditions for registration

 

5.2.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. employ or appoint a qualified person(s) with relevant experience responsible to ensure compliance with the relevant legislation, rules, regulatory frameworks and agreements;
b. employ or appoint a qualified person(s) with relevant experience responsible for risk management, including but not limited to fraud risk, operational risk and IT risk, and compliance function;
c. be satisfied that the key person(s) is honest and has integrity;
d. furnish the SARB with the curriculum vitae and copies of supporting documents, including but not limited to the identity document, proof of physical address and certificates of qualifications of a key person(s) upon their appointment;
e. demonstrate to the SARB, subject to the approval of the SARB, the manner in which informed consent will be requested from payers;
f. where it is not acting as a beneficiary, have clear and transparent policies and procedures approved by its governing body for on-boarding beneficiaries;
g. have terms and conditions approved by its governing body for the use of its service by payers and beneficiaries. The terms and conditions must be lawful, objective, non-discriminatory and proportionate;
h. ensure that contractual agreements with beneficiaries and the terms and conditions for payers clearly state that a party responsible for a fraudulent or unauthorised or incorrectly issued electronic funds transfer credit payment instruction must bear the risk;
i. demonstrate to the SARB that it has the necessary processes and systems in place to secure the payer’s data and online banking credentials to mitigate risks of fraud and cyber attacks;
j. not enter into contractual arrangements with beneficiaries that conduct illegal business; and
k. where it is not acting as a beneficiary, perform due diligence on beneficiaries prior to entering into contractual arrangements and on an ongoing basis;
l. due diligence must include at least the following:
i. verification of the true identity of the beneficiary;
ii. establishment of whether the beneficiary’s business is legal and/or registered with the relevant authorities;
iii. understanding the business activity of a beneficiary;
iv. regular monitoring of a beneficiary’s transactions for any irregularities; and
v. keeping information obtained for the purpose of establishing and verifying the identities of beneficiaries in line with section 5.3.7.1.

 

5.2.2 The SARB reserves the right to decline an application for registration if the requirements in this directive are not met. Where an application is declined, the SARB shall disclose reasons for declining the application to the applicant.

 

5.3 Ongoing obligations

 

5.3.1 Marketing
5.3.1.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. apply responsible marketing practices on its product or service to payers in a manner that is not fraudulent or likely to create a misleading or false statement; and
b. refrain from using any clearing system participant’s branding on its front-end interface or when marketing its services unless it is authorised in writing by the said clearing system participant.

 

5.3.2 Consumer awareness
5.3.2.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. where it has contracted with a clearing system participant to issue electronic funds transfer credit payment instruction on behalf of the payer, inform its payers and beneficiaries explicitly and clearly of such a contract;
b. publicly disclose, in simple language, terms and conditions for using its product or service, procedures for handling payer complaints, privacy policy and other terms and conditions; and
c. refrain from misleading payers that transactions are compliant with standards that are not applicable to electronic funds transfer credit payments.

 

5.3.3 Informed consumer consent
5.3.3.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must obtain and receive informed consent prior to using the payer’s online banking credentials to access the transactional accounts of the payer to issue an electronic funds transfer credit payment instruction on behalf of the payer.
5.3.3.2 The request for informed consent by the person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. be simple and clear to the payer;
b. state that the payer’s login credentials will be processed and safeguarded in accordance with applicable information and data privacy legislation;
c. state that electronic funds transfer credit payments are final and irrevocable and that the payer cannot reverse a transaction;
d. state that by entering their login credentials, the payer is sharing the credentials with that person and is not logging on to their online banking website or application;
e. state how the payer’s credentials will be safeguarded and protected while in transit and when issuing an electronic funds transfer credit payment instruction; and
f. state that the payer is authorising that person to use their online banking credentials to issue the electronic funds transfer credit payment instruction on their behalf and that such details shall be used only for that purpose.
5.3.3.3 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must request and receive the payer’s informed consent to share their login credentials for each electronic funds transfer credit payment instruction, including scheduled payment transactions.

 

5.3.4 Operational risk
5.3.4.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. have sound and effective policies, systems and procedures to mitigate operational risks, including the risks it directly bears from or poses to beneficiaries, its customers, clearing system participants facilitating or enabling electronic funds transfers and/or any other relevant entities;
b. have mechanisms to promptly respond to, resolve and remedy any data breaches, transmission errors, unauthorised access and fraud;
c. have a comprehensive cyber-incident management plan approved by the IT function and its governance structures;
d. the cyber-incident management plan must include promptly informing payers when their online banking credentials have been compromised; and
e. carry out regular and comprehensive security risk assessments of its critical staff, IT systems and business process environment to identify, assess and mitigate inherent risk exposures.

 

5.3.5 Payer data protection
5.3.5.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. comply with all requirements, where applicable, as provided for in the personal data and information protection laws, including but not limited to the POPI Act;
b. issue an electronic funds transfer credit payment instruction on behalf of the payer after the payer has provided informed consent and not modify any information on the payment instruction unless the payer has provided informed consent;
c. encrypt the payer’s online banking credentials at the time when the payer enters the credentials on its front-end interface platform;
d. use the recognised and most robust industry encryption standards to secure the payer’s credentials in transit;
e. use and regularly update anti-virus software to protect its system from malware and data security breaches;
f. not store payers’ online banking credentials and other sensitive payer payment data within its database or systems;
g. only use the online banking credentials for issuing an electronic funds transfer credit payment instruction on behalf of the payer and safely destroy the payer’s online banking credentials immediately after executing a payment; and
h. have adequate information and data security infrastructure and systems to prevent, detect and resolve any possible unauthorised access to the online banking of the payer and/or data breach.

 

5.3.6 Dispute resolution mechanism
5.3.6.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. have a fair and formal dispute resolution mechanism that provides beneficiaries, clearing system participants and payers with practical means to lodge and resolve disputes relating to the issuing of electronic funds transfer credit payment instructions on behalf of the payer, including but not limited to instances of fraud, failure by beneficiaries to honour purchase orders, unpaid orders or failed payments after the beneficiary has already delivered the goods/services and possible data breaches;
b. ensure that its dispute resolution mechanism, including the complaints handling facility, is clearly and easily accessible to payers and beneficiaries through all applicable communication channels such as a phoneline, email, mobile devices and a website;
c. ensure that the dispute resolution mechanism does not contravene the settlement provisions as stipulated in section 5 of the NPS Act; and
d. appoint an officer(s) responsible for the regulatory and payer complaints handling functions who shall promptly respond to all complaints raised and resolve the matter within a reasonable timeline.

 

5.3.7 Traceability, audit and record keeping
5.3.7.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. have systems that ensure that each transaction is traceable, from authorisation using the payer’s online banking credentials until the beneficiary is notified of the payment;
b. have a robust internal and external audit function that will undertake an assessment of the effectiveness of that person’s risk-management and control processes;
c. be able to demonstrate, when requested by the SARB, that it applies robust data security standards, including its data encryption;
d. keep the information obtained during its on-boarding process pertaining to a beneficiary or prospective beneficiary throughout its business relationship and for at least five years from the date on which the business relationship is terminated;
e. keep a record of every transaction, including the payer’s informed consent, whether the transaction is a once-off transaction or repeated transaction for at least five years from the date on which that transaction is concluded. A transaction record must at a minimum include the amount involved, the date on which the transaction was concluded, the parties to the transaction and the nature of the transaction; and
f. report suspicious and unusual transactions to the Financial Intelligence Centre as per section 29 of the FIC Act.

 

5.3.8 Liability risk management
5.3.8.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. have an insurance or guarantee mechanism against possible losses for payers and beneficiaries resulting from fraud and refunds;
b. not mislead payers or beneficiaries in believing that the issued electronic funds transfer credit payment instruction will be credited instantly to the beneficiary’s account unless the real-time payment option is used to process the payment directly into the beneficiary’s transactional account or a transaction is an intrabank transaction processed directly into the beneficiary’s transactional account;
c. have an effective mechanism to detect and identify incidents of fraudulent or unauthorised or incorrectly issued electronic funds transfer credit payment instructions and conduct reviews of audit trails to identify the source of the incident to determine the party liable for losses;
d. prove that, where a payer denies having authorised a payment instruction, the informed consent or authorisation was obtained from the payer, with the accurate payment amount and accurate beneficiary name and transactional account number and that the payment was not affected by technical deficiencies within its systems; and
e. pay a refund where it bears the liability or responsibility for fraudulent, unauthorised or incorrectly facilitated transactions to the payer within a reasonable time through the original method of payment, unless specifically agreed by the payer to have the credit processed through an alternate mode.

 

5.3.9 Attestation of compliance
5.3.9.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must have an audit function or appoint a qualified internal auditor to attest to the declaration of compliance with this directive in the manner and form prescribed by the SARB.
5.3.9.2 The attestation of compliance referred to in paragraph 5.3.9.1 must be submitted to the SARB by 31 March and 30 September each year using the following email address: [email protected].

 

5.3.10 Reporting requirements
5.3.10.1 A person issuing electronic funds transfer credit payment instructions on behalf of the payer must:
a. submit to the SARB its monthly data on volumes and values of transactions processed on or before the 15th of every month, using the email address in paragraph 5.3.9.2; and
b. report data security incidents (data breach, cyber attack, fraud and other related types of incidents) to the SARB immediately after being made aware of such incident and provide an analysis of the root cause and preventive measures undertaken to prevent recurrence, using the email address in paragraph 5.3.9.2.
5.3.10.2 The information provided in terms of paragraph 5.3.10.1 will be processed in accordance with section 33 of the SARB Act and section 10 of the NPS Act.