What is the SARB NPSD directive re: Instant EFT payments in South Africa?
On 23 May, the South African Reserve Bank released a draft directive regarding the issuance of Instant EFT payments. Get an overview of the directive and the steps Stitch is taking to ensure our products and merchants remain compliant.
On 23 May, the South African Reserve Bank (SARB), via its National Payment System Department (NPSD), released a draft directive regarding the issuance of Instant Electronic Funds Transfer Credit (Instant EFT) payments. The draft directive is open for comments from stakeholders and interested parties from now until 23 June 2023, after which the SARB will consider all points raised and issue the final, enforceable directive.
This directive marks a positive step toward regulation and security within South Africa’s financial landscape, as new payments innovations continue to take hold in the market in response to genuine consumer demand for faster, more secure ways to pay. As a payments service provider operating within South Africa’s NPS, Stitch will be working with the NPSD team over the next month to supply comments, register as needed and ensure we comply with the final directive.
There are no interruptions expected to any of our clients and based on the final directive, Stitch will take all steps necessary to ensure our products and merchants remain compliant.
An overview of the SARB NPSD directive regarding Instant EFT payments
The directive was released in an effort to ensure the safety and security of South African payers and merchants that leverage Instant EFT payments, as well as to ensure that all payment providers that utilise electronic funds transfer credit do so within the bounds of the National Payment System.
The directive illustrates requirements for any businesses that issue electronic funds transfer credit payment instructions on behalf of payers, and recommended protocols and procedures that can ensure the safety of all parties involved.
What is an Instant EFT (Instant Funds Transfer Credit)?
An Instant EFT payment is an automated form of bank transfer designed to be embedded in online purchase flows. As opposed to a manual bank transfer, the payment is created automatically – there is no need for the user to manually type account numbers, bank information, references, etc. – thus reducing friction. The payment is then made using EFT (settles in 1-2 days) or RTC (settles within four hours) rails. At Stitch, our settlement times have always been made clear in our Terms of Service.
The merchant receiving an Instant EFT payment gets an instant notification when the payment is initiated from a user's account, so they can allocate that payment to the requested account, product or service. This makes allocating value much easier for merchants, who otherwise have to rely on slow and error-prone bank statement reconciliation when using manual EFTs.
In the draft directive, the NPSD outlines potential risks associated with players that access banking portals via screen scraping. At Stitch, we’re acutely aware of security risks to all our clients and their customers, and address the concerns outlined in the following ways:
- Lack of informed consent: All end users logging into their accounts via Stitch SafeLink give express permission to access their account and initiate a transaction, and must confirm with MFA
- Misleading conception that the payment is instant: We have always made settlement times clear through our Terms of Service and have managed the settlement process for our merchants
- Conducting sort-at-source: This is not something Stitch conducts. We work with Clearing System Participants, and therefore do not bypass the clearing system
- Lack of data privacy and exposure to fraud: Each bank login through Stitch is assigned a unique encryption key, which is stored inside a Microsoft Azure Key Vault, using OpenIDConnect 4.0. These keys never leave the vault, and no users, clients nor anyone at Stitch has direct access to them. We also never share user data with any third parties, and individual account details cannot be viewed. See how we manage data for more detail.
- Risk of financial loss or non-delivery of the goods/services purchased: This is true of all online transactions and remains the responsibility of the business to ensure delivery. We perform significant KYB on all clients that have access to Stitch services, to ensure they are legitimate, reliable and trustworthy
We hold TPPP licenses with major banks across South Africa, ensuring we continue to meet the highest regulatory standards and work closely with these institutions.
End user security, education and consent
We take end user experience and safety very seriously at Stitch. We believe it’s imperative that end users leveraging digital payments solutions are fully aware that they are authorising a transaction to be initiated on their behalf, and have provided full consent.
In addition to fraud prevention measures, such as requiring MFA when a user authorises a transaction, we inform users about the steps they’re taking along the way.
We also have end user-facing information publicly available on our website to inform them about Stitch, illustrate how we manage data and security and answer any specific questions they might have - including access to our support team.
When it comes to end user consent:
- We always obtain informed payer consent prior to using a payer’s online banking credentials to issue an instant EFT
- Our directives to the end user are simple and clear, and indicate they are sharing their credentials with a third party. Terms + conditions are readily accessible before a user continues through the process
- We will never modify, or in any way alter, the initial payment request sent by an end user without their explicit consent
Operations, security + compliance
Stitch is a registered TPPP and SO, and we are listed with the Payments Association of South Africa (PASA) as such. Concerned parties can reach out to PASA for an updated list of TPPP/SO licence holders. We conduct regular penetration tests using external, CREST-certified vendors to ensure that our systems follow the strongest security practices available and that they're protected against attackers. We are also now PCI DSS Level 1 certified.
Our compliance team - including our Lead Security Engineer and IT team, Regulatory and Compliance Lead, and Fraud and Risk Analysts - is well-versed in the South African fintech space and actively maintains cybersecurity response plans and up-to-date measures.
If you have any further questions regarding the SARB directive, or the ways in which Stitch ensures the safety and security of our clients and their end users, please reach out to a member of the team.