Weekend Argus (Saturday Edition)
HOW POPI WILL CHANGE BANKS’ APPROACH
The breaches at First National Bank (FNB) show the bank isn’t using a robust system, Peter Hill, an expert in IT governance, says. “Banks overseas don’t send their customers SMSes. And they take full responsibility when a customer is the victim of banking fraud.”
Online banking fraud involving phishing and SIM swops points to a failure on the part of banks and cellular service providers to protect your information, he says. “In one of the cases I read about, involving FNB and MTN, there were about 20 breaches of the Protection of Personal Information (Popi) Act.”
When Popi becomes fully effective (following the appointment of an Information Regulator and a one-year grace period for compliance), around the middle of next year, he says banks will be compelled to report to every affected person when there has been a security breach. They will also have to provide those affected with a description of the possible consequences of the breach, the measures they have taken or will take to address the compromise, and the measures those affected can take to mitigate any adverse effects of the compromise.
The only reason a bank can have for not releasing the information immediately is that it will impede a criminal investigation by the police or a similar body.
Hill says that if you ask any of the affected customers who they spoke to or reported the incident to, they will either all have different answers or will tell you how they were sent from pillar to post.
“That’s because no person at the bank is personally accountable; there is no information officer in the organisation. When Popi is fully enforceable, there has to be.
“Popi sets a standard that is good practice, and if a company can’t meet good practice, it shouldn’t be in business,” he says.