AG raises doubts about security of Postbank
• Auditor-general’s office raises concerns by pointing to antiquated systems and poor internal controls
The office of the auditorgeneral (AG) has raised doubt about Postbank’s ability to offer a “world class” service, saying it has an unsecure network and is susceptible to cyber attacks and fraud. Postbank, which has been operating under the SA Post Office, is pushing for a full banking licence to allow it to engage in a full spread of banking activities, such as credit facilities. But officials of the AG’s office suggested on Tuesday that Postbank is not ready to become a fully fledged bank, citing its antiquated systems and poor internal controls.
The auditor-general’s office has raised doubt about Postbank’s ability to offer a “world class” service, saying it has an unsecure network and is susceptible to cyber attacks and fraud.
Postbank, which has been operating under technically insolvent state-owned company the SA Post Office [Sapo], is pushing for a full banking licence to allow it to engage in a full spread of banking activities, such as credit facilities. It has been operating in limited conditions, such as accepting deposits and offering card-based transactional and savings accounts predominantly to the underbanked and unbanked segments of the population.
But officials of the auditorgeneral’s office suggested on Tuesday that Postbank was not ready to become a fully fledged bank, citing its antiquated systems and poor internal controls partly responsible for its financial statements for the year to end-March 2022 being issued with a disclaimer, the worst possible audit outcome.
“We are concerned about the internal controls that the entity has as a bank,” Joyce Nkonyana, a senior manager at the auditorgeneral’s office, told members of parliament’s communications & digital technologies portfolio committee.
“A bank is supposed to be guarded and have world-class internal controls ... what we noted is that the entity has a lot of arrangements at an operational level to ensure that they close all the possible loopholes and safeguard the healthy financial position they find themselves in,” Nkonyana said. But she pointed out that there had not been much progress so far.
She was briefing MPs on Postbank’s financial statements, amid discussions on the Postbank Limited Amendment Bill, which could allow the ANC finally to realise plans to set up a state-owned bank. The bill now before parliament seeks to separate Postbank from Sapo completely. Separation is necessary for Postbank to get a full banking licence from the Reserve Bank. The Post Office is not in a sound enough financial position to meet requirements for registration as a bank-controlling company in terms of the Banks Act.
But, Nkonyana emphasised that the Reserve Bank had issued Postbank with a “variation order”, warning it of its weak internal controls and vulnerability to cyber attacks. This could jeopardise its chances of getting a full banking licence, which will affect its ability to grow revenue. Despite losing R90m to fraudulent activities, Postbank is in a relatively healthy financial state, recording a R324m surplus for the year. It also has a net current asset position of R3.3bn, indicating that it will not struggle to pay its debts when they become due.
But, the auditor-general’s office said Postbank’s overreliance on Sapo for critical information technology services could be its undoing.
“Sapo’s infrastructure is old, Sapo faces instability in key vacant positions and has weak internal controls, thereby spreading to Postbank as well,” said Nkonyana.
Flagging some of the incidents of concern, Nkonyana said the Postbank grant distribution contract with the SA Social Security Agency (Sassa) could potentially be interrupted if the Reserve Bank decides to revoke Postbank’s banking privileges due to the highlighted poor internal controls and security systems.
Its weak systems mean Sassa cards are routinely cloned to withdraw grants intended for legitimate beneficiaries. Creation of ghost or fraudulent users on the internal system is common in committing fraud.
This means hackers can easily gain access to the network and post credit transactions to increase balances available for withdrawal; lift blocks on cards or reset card PINs; and delete transactions. There is also a risk of collusion between service providers, grant beneficiaries, syndicates and employees at Sassa, the department of home affairs, Sapo and Postbank.
Postbank IT officials have been told to review various user accesses as well as implement the right general and application controls in various applications. Postbank is also designing its own network separate from Sapo.
Deputy communications & digital technologies minister Philly Mapulane said forensic auditors had been appointed to follow up on issues raised by the auditor-general’s office and ensure lost funds are recovered.
“But most importantly to deal with the ICT environment ... the process of ICT modernisation has been commenced with and management and the board is working on that,” he said. Mapulane said parliament must finalise the amendment bill so that Postbank can be granted a full banking licence.
DA MP Dianne Kohler Barnard said the situation at Postbank raises more questions than answers.
“When I read that there are staff members who add and subtract by hand, it’s catastrophic ... it’s a huge concern that a bank cannot track down deposits, and withdrawals. The outcomes from the auditorgeneral on every single matrix are absolutely catastrophic ... where will the customer confidence come from? You are relying on a bankrupt entity [Sapo] for ICT infrastructure.”