On 23 May, the South African Reserve Bank released a draft directive regarding the issuance of Instant EFT payments. Get an overview of the directive and the steps Stitch is taking to ensure our products and merchants remain compliant.
On 23 May, the South African Reserve Bank (SARB), via its National Payment System Department (NPSD), released a draft directive regarding the issuance of Instant Electronic Funds Transfer Credit (Instant EFT) payments. The draft directive is open for comments from stakeholders and interested parties from now until 23 June 2023, after which the SARB will consider all points raised and issue the final and enforceable directive.
This directive marks a positive step toward regulation and security within South Africa’s financial landscape, as new payments innovations continue to take hold in the market in response to genuine consumer demand for faster, more secure ways to pay. As a payments service provider operating within South Africa’s NPS, Stitch will be working with the NPSD team over the next month to supply comments, register as needed and ensure we comply with the final directive.
No interruptions are expected for any of our clients, and, based on the final directive, Stitch will take all steps necessary to ensure our products and merchants remain compliant.
The directive was released in an effort to ensure the safety and security of South African payers and merchants that leverage Instant EFT payments, as well as to ensure that all payment providers that utilise electronic funds transfer credit do so within the bounds of the National Payment System.
The directive illustrates requirements for any businesses that issue electronic funds transfer credit payment instructions on behalf of payers, and recommended protocols and procedures that can ensure the safety of all parties involved.
An Instant EFT payment is an automated form of bank transfer designed to be embedded in online purchase flows. As opposed to a manual bank transfer, the payment is created automatically – there is no need for the user to manually type account numbers, bank information, references, etc. – thus reducing friction. The payment is then made using EFT (settles in 1-2 days) or RTC (settles within four hours) rails. At Stitch, our settlement times have always been made clear in our Terms of Service.
The merchant receiving an Instant EFT payment will get an instant notification when the payment is initiated from a user's account so they can allocate that payment to the requested account, product or service. This makes allocation of value much easier for merchants, who, in contrast, need to rely on slow and error-prone bank account statement reconciliation when using manual EFTs.
In the draft directive, the NPSD outlines potential risks associated with players that access banking portals via screen scraping. At Stitch, we’re acutely aware of security risks to all our clients and their customers, and address the concerns outlined in the following ways:
We hold TPPP licenses with major banks across South Africa, ensuring we continue to meet the highest regulatory standards and work closely with these institutions.
We take end user experience and safety very seriously at Stitch. We believe it’s imperative that end users leveraging digital payments solutions are fully aware that they are authorising a transaction to be initiated on their behalf, and have provided full consent.
In addition to fraud prevention measures, such as requiring MFA when a user authorises a transaction, we inform users about the steps they’re taking along the way.
We also have end user-facing information publicly available on our website to inform them about Stitch, illustrate how we manage data and security, and answer any specific questions they might have, including access to our support team.
When it comes to end user consent:
Stitch is a registered TPPP and SO, and we are listed with the Payment Association of South Africa as such. Concerned parties can reach out to PASA for an updated list of TPPP/SO license holders. We conduct regular penetration tests using external, CREST-certified vendors to ensure that our systems follow the strongest security practices available and that they’re protected against attackers. We are also now PCI DSS Level 1 certified.
Our compliance team - including our Lead Security Engineer and IT team, Regulatory and Compliance Lead, and Fraud and Risk Analysts - are well-versed in the fintech space in South Africa and actively maintain cybersecurity response plans and up-to-date measures.
If you have any further questions regarding the SARB directive, or the ways in which Stitch ensures the safety and security of our clients and their end users, please reach out to a member of the team.