Postbank, which is eager for a full banking licence, says it is fast tracking the overhaul of its IT infrastructure, in a bid to stem losses after criminals managed to bypass its antiquated systems, siphoning at least R100m since 2021.
“Postbank has experienced multiple fraudulent incidents on the SA Social Security Agency (Sassa) beneficiary grant system. The system has been flagged by the auditor-general as having control weaknesses,” Postbank acting CEO Lucas Ndala told MPs on Tuesday.
Earlier in November, officials from the auditor-general’s office told parliament that under the existing set-up, Postbank was very unlikely to be able to offer a “world-class” banking service due to its unsecure network, which is susceptible to cyberattack and fraud.
Postbank has been operating under technically insolvent state-owned company the SA Post Office (Sapo), and is heavily reliant on the company's poor systems which have been found to be outdated. This could preclude Postbank from accessing a full banking licence from the Reserve Bank.
The government, which is keen to establish a state bank, has been pushing for a full banking licence to be granted to Postbank to allow it to engage in a complete spread of banking activities, including credit facilities. It has been operating under limited conditions, such as accepting deposits and offering card-based transactional and savings accounts predominantly to the underbanked and unbanked segments of the population.
Ndala, who was part of a delegation briefing parliament’s portfolio committee on communications and digital technologies on concerns raised by the auditor-general, said Postbank had already started putting measures in place to secure its systems while it awaited its complete separation from Sapo. This includes reviewing and revoking access to the system; resetting passwords for “privilege accounts”; introduction of controlled access management for third party vendors; and the introduction of early fraud detection and warning tools.
Ndala said the Postbank is already in the process of introducing its own stand-alone IT system which will be separate from Sapo. He did not provide timelines, or the total cost of the new system citing security reasons.
“The Postbank is in the process of implementing the long overdue IT modernisation project to address shortcomings. We are moving away from the Post Office environment and creating our own stand-alone IT environment. It is also part of the Reserve Bank requirements,” he said.
This is also highlighted in the Postbank Limited Amendment Bill, which could see the ANC finally realise plans to set up a state-owned bank. The bill now before parliament seeks to separate Postbank from Sapo completely. Separation is necessary for Postbank to get a full banking licence from the Reserve Bank. This is because the Post Office is not in a sound enough financial position to meet requirements for registration as a bank-controlling company in terms of the Banks Act.
Highlighting some of the recent cybersecurity incidents, Ndala said some time in 2021, about 900 Sassa grant beneficiary accounts were inflated from the back-end database. The inflated funds were withdrawn through ATMs in the month of October, with losses amounting to R89m.
In August, the Postbank fraud team detected and reported some accounts had differences in the closing and opening balances, which flagged a fraudulent pattern. In one instance an account with a closing balance of R25.64 ended up have an opening balance of just over R600, without any transaction visible. Some other samples were reviewed and on those the balance had reduced overnight. No debit transactions were visible on the statement, which resulted in the fraud team reporting the matter. The total losses amounted to R5.8m. Another R10m was also recently lost to fraudulent activities.
Ndala said forensic investigations were continuing and the Hawks were part of the process to trace the money flows.
“Cyber risks are something that the whole [banking] industry and country has to deal with. So there is a need for quite a concerted effort for us to collaborate and also ensure that we mitigate future risk as we move towards a more digitised world.”
But DA MP Dianne Kohler Barnard was not impressed, saying the recent cyberattacks were “clearly an inside job, and yet no-one has been arrested”.
“You will need to overhaul the IT system, obviously. But despite numerous requests, no indication has been given what this IT overhaul will cost the taxpayer.”
phakathib@businesslive.co.za
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.