Source: Getty
article

Dividend or Liability? Financial Inclusion, Digital Deprivation, and Cyber Risk Proliferation in South Africa

South Africa is a leading financial hub in Africa, with around $1 trillion in annual cross-border banking transactions. Yet this is being undermined by high levels of physical, political, and digital risk.

by Noëlle Van Der Waag-Cowling
Published on May 2, 2022

The Cybersecurity, Capacity Development, and Financial Inclusion project, or CyberFI, brings together a robust, transparent community of practitioners and researchers working on digital financial inclusion. This series focuses on understanding financial inclusion ecosystems on their own terms—what countries are doing, what is working, and what isn’t. Six country case studies help capture the diversity of financial markets on the African continent: South Africa, Nigeria, Cameroon, Uganda, Ghana, and Zimbabwe.

Introduction

South Africa, as a middle-income country and a member of the Group of Twenty (G20), occupies a unique position among African states. Its robust and well-developed financial and information technology sectors ensure that it serves as a leading financial hub in Africa, with around $1 trillion in annual cross-border banking transactions (excluding remittances).1 Regrettably, the fruits of this financial and digital sophistication are being undermined by high levels of physical, political, and digital risk. Critically, South Africa’s approach and commitment to cybersecurity trails several smaller and less-developed African states.

South Africa’s lack of a national cyber strategy has resulted directly in a disjointed and reactive national cyber posture and indirectly in a significant escalation in serious cyber threats over the past twenty-four months.2 The National Cybersecurity Policy Framework, published in 2013, acts as a substitute for a comprehensive strategy. It is outdated and insufficient for today’s evolving threat landscape.3 South Africa is one of the most digitally dependent states in Africa, yet cyber crime is degrading services, eroding lean profits for businesses, and impacting financially stressed consumers.

Digital financial services (DFS) and the wider financial technology (fintech) ecosystem grow rapidly in this context of insecurity.4 While fintech offers a broader range of tailored products and services to previously underbanked South African consumers, many of the service providers fall within a less-regulated space than those in the formal banking sector.5 They also lack the substantial digital security resources of the established corporate actors in the market.

Fintech’s potential vulnerability to cyber attacks is further complicated by risks on the client side. The growing customer base of previously financially excluded customers and microenterprise owners increases overall susceptibility to digital compromise. This is due to the impacts of digital deprivation on this consumer demographic resulting in lower levels of digital and technology resilience.6

This case study explores the implications of including new, often less-resourced customers in a digital financial ecosystem that is already ill-suited to provide security and resilience against various threats. It assesses the intersection of common weaknesses and misalignments in the digital financial ecosystem with the contextual realities of underbanked users. Combined, these factors propagate potential cyber risk. Better understanding these dynamics will be necessary to foster secure digital development in South Africa and other countries.

Digital Security and the Financial Context

The South African banking system is mature, digitally advanced, and internationally competitive.7 It is accompanied by a comprehensive legal and regulatory framework. The major banks manage cyber risk at the corporate level as well as the sectoral level through the collective South African Banking Risk Information Centre (SABRIC).8 To date, the banks’ dedication to cybersecurity has been laudable. Unfortunately, it has been somewhat offset by wider systemic entropy arising from inadequate national cybersecurity responses and constrained law enforcement capability.9

The international Financial Action Task Force’s 2021 report on South Africa spotlights substantial fiscal issues that affect both financial security and cybersecurity. One of the report’s dominant themes is that, outside of the large banks, there is a limited appreciation of the risk environment. Other issues include the lack of international cooperation in investigations, high levels of corruption, and a high national risk profile. The report identifies cyber crime as a major threat.10

In the age of digital banking, one critically significant factor is that the regulatory regime of the South African telecommunications sector is significantly weaker than that of the financial sector. As a result, there is a disjuncture in the required cooperative approaches to security between the two sectors.

These systemic issues are compounded by a compliance- or audit-based—as opposed to risk-based—approach to security matters in the wider national context, which has resulted in a period of accumulating cyber risk.11 The compliance-oriented culture of many South African organizations is largely driven by the government’s prescriptive management of the economy, which has resulted in a complex web of legislation, oversight agencies, and a considerable amount of red tape.12

This situation poses a particularly large challenge for small and medium-size enterprises (SMEs), which include most digital financial institutions (DFIs) and software design firms. Due to the negative effect this has had on business growth, both the International Monetary Fund and the World Bank have repeatedly called for structural reforms.13

For a substantial number of companies, the fear of penalties (including fines and the potential loss of trading licenses) motivates compliance with the wide-ranging regulations. The cost of regulatory compliance, however, runs up against high tax rates and expensive overheads. This has given rise to the perception that many businesses utilize a disproportionate amount of their constrained financial and human resources on compliance-related functions at the expense of other business needs, such as technology budgets and cybersecurity. The financial challenges related to conducting business have regrettably resulted in underresourced cybersecurity for SMEs.

Digital Financial Services in South Africa

South Africa’s advanced and well-distributed banking network means that approximately 80 percent of the population qualifies as banked.14 However, a more nuanced analysis reveals that around 45 percent of the population uses banking solely for low-end transactional purposes, such as sending small sums of cash or collecting social grants. This consumer grouping is usually referred to as underbanked rather than unbanked or financially excluded.15

In 2018, the South African Reserve Bank (SARB) released “SARB Vision 2025,” its framework and strategy for a national payment system. Importantly, the strategy set out the aim of expanding digital payment options to service all South Africans.16 This is an especially important DFS provision for the underbanked—unlike the rest of Africa, South Africa has not taken quickly to mobile money.

The SARB strategy also stressed the importance of improving the security of its national payment system through technological developments.17 As no entity in South Africa other than a registered bank may take deposits or issue electronic money, DFS providers are obliged to forge partnerships with banks to offer any form of financial transaction service. Banks and DFIs therefore form part of one broader financial service ecosystem.

The nascent uptake of financial services by the underbanked is being driven by a new generation of fintechs. There are approximately 200 fintech firms operating in South Africa, and the fledgling industry is rapidly expanding. The demand for DFS goes beyond payment solutions and extends to new forms of investment opportunities, thanks to lower costs, accessibility, innovative product offerings, and new models of investment. The massive interest in investment opportunities in particular—through local platforms such as LUNO, StokFella and EasyEquities—reveals South Africa’s appetite for real-time, lower-fee investments with a direct line of sight.

These products have enabled the fractional ownership of domestic and international instruments such as shares and cryptocurrencies. Fractional ownership removes the previous barriers to entry by enabling investors to begin investing with miniscule amounts of money. StokFella has reimagined the traditional savings clubs known as Stokvels,18 enabling them to build investment portfolios. EasyEquities has overturned traditional investment models—95 percent of EasyEquities customers are first-time investors. The average age of an EasyEquities user is just twenty-nine, compared to investors on the Johannesburg Securities Exchange who average fifty-five years of age. Both platforms have onboarded most of their customers within the past twenty-four months.19 The uptake of fintech offerings has been critical to creating an investment class in a country that traditionally has very low rates of individual savings and investments.

For fintechs, the dual challenges of survival and growth are central factors during the start-up phase. The dominance of the major banks means that scaling is significantly difficult.20 One way fintechs overcome these issues is by rapidly developing and launching products with a “limited number of design, development and testing sprints.”21 The so-called ‘minimum viable product’ required to test adoption and usability is key.22 Some believe that these accelerated development timelines could compromise the security aspects of product development, prioritizing first-to-market advantage and user experience over robust security by design.

Another dynamic that has potentially influenced security culture at fintechs is the sector’s outsized appetite for risk. As one former chief information technology officer at a fintech notes, “They chase aggressive growth and as a result take higher risks while operating in ecosystems with larger, more established players who are beholden to stringent regulatory and corporate governance requirements.”23 Investors in fintech companies and start-ups could play an important role by requiring security by design before funding new projects and products.

One positive security intervention via the SARB has been the introduction of a regulatory sandbox, where fintechs can test their new products for regulatory compliance.24 While this is a step in the right direction, such a sandbox will not help to assess possible software vulnerabilities. A sandbox geared toward testing vulnerabilities in beta versions is an important next step. Granted, this does not necessarily fall within the ambit of the SARB. Rather, it may require involvement from the financial and telecommunications sectors. The SARB has, however, extended its support for fintechs by establishing a fintech unit that includes the Global Fintech Hackcelerator, the blockchain-focused Project Khokha, and the Intergovernmental Fintech Working Group (IFWG).25

A potential risk going forward is the linking of new-generation DFS to e-wallets, which fall under a regulatory framework with less-rigorous requirements. Unlike a formal bank account, the regulatory framework for e-wallet accounts does not require account holder registration under the Financial Intelligence Center Act.26 E-wallets are instead linked directly to the account holder’s cell phone number. These accounts fall outside the national payments system and offer limited functionality as well as a maximum balance of ZAR 25,000 (about $1,650).27 Low-fee, mobile models appeal to the underbanked and there are many advantages to such products. But the incorporation of Unstructured Supplementary Service Data (USSD)–based services in these products as well as the cell phone–driven link create increased potential for consumer security risk.

The Telecommunications Sector

One factor that dominates the entire financial sector is that the overwhelming majority of South Africans now access financial services via mobile channels. Traditional internet penetration rates are low compared to other G20 countries, but mobile penetration is deep. For most financial service providers, new products now focus on mobile delivery. In the context of security, though, this introduces an important new player into the ecosystem: the mobile network operators (MNOs).

The South African telecommunications sector has been less effectively regulated than the country’s financial sector. There are several persistent issues and practices that affect customer security. The regulator for the sector—the Independent Communications Authority of South Africa (ICASA)28—has been widely criticized for failing to hold the mobile telecommunications industry to account.29 ICASA’s lack of effective governance in the sector has also resulted in a multiyear stalled spectrum allocation process, which has halted the 5G rollout and is hampering digital progress.30 South Africa’s parliament has also shouldered blame for failing to provide oversight and allowing ICASA’s regulatory deficiencies to continue.31

From a customer security perspective, key areas of concern caused by a lack of regulatory rigor and accountability include Wireless Application Service Providers (WASPs) and the ever-present SIM swap issue.32

WASPs—many of them offshore entities—offer subscription services and utilize the MNOs as digital tenants. WASPS do not appear to fall under ICASA’s area of responsibility—which in and of itself requires redress. Instead, they are, in their own words, self-regulating. Ongoing customer complaints about illegal subscriptions, airtime theft, the sharing of personal data, and other illegal activities by WASPs abound.33 In late 2020, South Africa’s two largest listed MNOs knowingly allowed private security companiesto access to their platforms via WASPs.34 This allowed certain companies to track and trace subscribers without their knowledge.35 In one particularly high-profile case, it resulted in the assassination of a police officer who was investigating organized crime.36 His assassins repeatedly pinged his cell phone via a WASP to locate him. This points to a mass failure of governance, ethics, know-your-customer protocol implementation, and subscriber protection.37 Both of the MNOs involved were able to escape censure by the Information Regulator because the Protection of Personal Information Act (POPIA) was still in its grace period.38 For its part, ICASA did not censure the MNOs or comment on the issue. WASPs appear to have engaged in other forms of illegal behavior as well, including widescale airtime theft and so-called clickjacking—charging users for subscriber services they never selected.39 For the poor, this compounds affordability challenges.

The SIM swap—when fraudsters register an existing phone number to a new SIM card so as to intercept communications—is another threat to people who use their mobile devices for transactions.40 Subscribers are sent an SMS warning that a SIM swap on their account has been requested and that they need to opt out within a set number of hours. But these messages are easily missed or overlooked. Even when a subscriber does alert their mobile operator, SIM swaps are difficult to stop without going to a provider outlet. This is especially difficult for poor people who usually live some distance from retail outlets and do not have transport. The banks are usually faster to react and assist by blocking the affected subscriber’s accounts. However, if the subscriber has already been compromised, they quickly find themselves stuck as both the bank and the MNO to cover the consumer’s losses.

It is incomprehensible that this long-standing issue has not already been addressed by subjecting SIM swaps to a double opt-in process, with one step requiring biometric authentication. South Africa’s Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) presents something of a stumbling block.41 All MNOs are required by RICA to adhere to an onerous paper-driven exercise before onboarding a new client and issuing a SIM card. This ensures compliance but not customer cybersecurity. A risk-based approach would be more adaptive to consumer security, but it competes with compliance requirements and their significant administrative burden on providers. Unlike MNOs in some African states, MNOs in South Africa have not introduced biometric technologies alongside the RICA process for SIM registration.42 The reasons for this are unclear—they could be related to constitutional concerns. Nonetheless, the industry and ISACA should provide an update.

Given the widespread mobile usage for DFS, the lack of accountability by MNOs and failure by regulators to sanction them is problematic.43 Martha van Niekerk and Nkgolodishe Phaladi make the point that the potential exposure to criminal activities deters customers from transacting online.44 Yet ICASA has been consistently silent on consumer security matters. The MNOs have leveraged the Information Regulator’s passive stance and, additionally, they have resisted working with an alternative body for consumer complaints—namely, the Consumer Goods and Services Ombudsman (CGSO). The CGSO reported that a staggering 24 percent of all consumer complaints in 2021 related to MNOs, but that “almost all providers have declined to sign up with the ombudsman, as they argue that they are already governed by regulator ICASA.”45

The lack of protection and regulation in this sector poses a security risk to all consumers. If the tepid telecommunications regulatory environment continues, the scale of this risk will only increase. MNOs have begun to compete with banks as the primary providers of DFS in South Africa.46 The MNOs who are approaching saturation with their subscriber bases have identified financial services as a major new revenue stream. They “have several advantages in potentially tapping into the opportunities available, including the ability to speedily deploy technologies and services at a much faster pace than traditional financial services institutions.”47 MNOs are also utilizing their larger customer bases by partnering with fintechs to offer a range of new products via so-called super apps (which combine services into one interface).48 Banks may have more regulatory support, but they are slower to innovate.49

The government-commissioned review of digital matters in the National Development Plan (NDP) recognizes these failures in the telecommunications sector. In the section titled “Digital Futures,” the report describes the situation:

Weak political appointments to key institutions, coupled with a lack of leadership, have consistently plagued the Department of Communication, Department of Telecommunications and Postal Services (DTPS), the Independent Communications Authority of South Africa (ICASA) and the Universal Service and Access Agency of South Africa (USAASA). USAASA which receives public funding together with significant levies via the MNOs has been criticised for misdirected projects and irregular expenditure. These factors all served to undermine the vision of the NDP for the sector as the cornerstone of an equitable and resilient digital economy.50

The openness and expert assessments in the review are refreshing and hold promise. The report proceeds to add a cautionary note regarding security: “To foster data justice, a framework should be instituted to prevent harm and mitigate the risks associated with the rapid expansion of digital services and large numbers of people coming online for the first time.”51 Overwhelmingly, this cohort of new online users overlaps with the underbanked.

One positive development is the formation of the Communication Risk Information Centre (COMRiC) by mobile operators in January 2022. Although details remain vague, it is apparent that COMRiC’s goal is to identify, mitigate, and prevent common risks in the industry. This includes critical infrastructure protection and cybersecurity.52 The successful rollout of COMRiC could redefine the mobile security landscape.

Digital Deprivation as a Driver of Cyber Insecurity

Understanding the context and online behavior of underbanked South African customers, together with how they access DFS, is a critical step toward analyzing the possible cybersecurity risks these consumers face. South Africa is one of the most unequal countries in the world, with a Gini coefficient—the statistical measure of income inequality—of 63 percent. It is often described as two distinct worlds in one country.53 High inequality yields some rather unique challenges for cybersecurity risks within the financial sector. Simply put, for the millions of South Africans who live in poverty, the phenomenon of so-called digital deprivation results in cyber risk proliferation.54 Marta Kuc-Czarnecka defines digital deprivation as:

A socio-economic phenomenon describing the gap in both the access and usage of information and communication technologies (ICTs) among individuals, households or geographic areas. This concept has evolved over recent years and is being currently considered in three categories: binary Internet access (first-order digital divide), digital skills (second-order digital divide), and as the outcomes of Internet use (third-order digital divide).55

Within the context of this security-focused discussion, digital deprivation in South Africa is characterized by the following:

Lower rates of digital literacy: Studies have underscored the importance of digital and technology literacy in terms of personal cyber risk mitigation. Marginalized populations are particularly targeted by cyber criminals. SABRIC’s findings underscore the perception that criminals prefer to exploit vulnerable users rather than attempt to bypass a bank’s robust security defenses.56 The low level of financial literacy in South Africa further compounds this problem.

Suboptimal hardware platforms: While feature phone usage is much lower than elsewhere in Africa, many users own older Apple or Android smartphones with legacy operating systems for which operating system and app security patches are no longer available. This is compounded by the possibility that DFS apps may also not run on these phones. In such cases, users will pivot to USSD services that offer insecure SMS protocol interfaces.

Data deprivation: South Africa has some of the highest data costs in Africa. For the country’s poor, who primarily use prepaid cell phone access, data costs even more. These users make up 85 percent of the data market.57 Referred to as the “poverty premium,”58 this way of purchasing data has two punitive outcomes: the premium cost of prepaid data and the higher expense of low-volume data bundles.59 The high cost of data and the security ramifications thereof cannot be overstated. The net effect of data unaffordability is that low-income users sacrifice cybersecurity hygiene when they prioritize data usage. This means that users frequently decline data-intensive software patch updates, use SMS to send sensitive information to others, and access public Wi-Fi when available to conduct sensitive financial transactions. Even though banks have zero-rated banking apps for data (in other words, carriers do not charge for associated data), users still consume data to make the initial connection.60

Reduced access to security software: Security software is, simply put, unaffordable to most South Africans. In general, many people from all income groups fail to install antivirus software on their personal devices, mainly due to a lack of security awareness. However, for poorer people, this is aggravated by the cost of security software. Generally, an antivirus suite from a reputable security vendor will cost anywhere between ZAR 800 (about $53) and ZAR 2,000 (about $132) annually. More than 30 percent of South Africa’s adult population survives on the country’s Basic Income Grant, which is only ZAR 350 (about $23) per month. Suffice to say, very few people would be willing to spend a significant proportion of their entire annual grant income on security software.

Reduced access to technical support: The challenge of accessing support is two-fold: both technical and human. Given the cost of new devices, low-income users often purchase secondhand phones. Technical problems most often occur on unsupported devices. From a human interface perspective, accessing customer service support at either a financial service provider or MNO involves navigating call centers and adequately identifying and explaining the problem.61 This is often difficult for users who may not be digitally or financially literate, particularly when doing so in their third or fourth language.

Digital deprivation in South Africa is compounded by certain governance and technology challenges that pose cyber risks for digital financial inclusion. The importance of creating a secure ecosystem that will allow the underbanked to fully embrace DFS is vital. Through these services, economically marginalized people can move from a transactional financial existence toward asset and investment growth.62 However, to benefit from DFS, they require the security to safeguard and grow what they start with. There are still too many obvious and persistent risks in the digital financial ecosystem that place all customers at risk. These include:

One-time-password SMS protocol for payment verification: The SMS protocol, which is over thirty years old, is inherently insecure.63 The use of one-time passwords via SMS is still widely prevalent in the South African market. Such messages are easily intercepted by criminals—this may, in fact, be a driver of SIM swaps. All DFS providers should aim to migrate to digital authentication with two-factor authentication, preferably through biometrics. Voice biometrics are widely used across Africa, due to both user ease and the low rollout cost for providers.64

USSD-based services for DFS products: Many new fintech products give the user a choice between USSD interfaces or more advanced mobile app interfaces.65 This is arguably to enhance uptake in a market where data deprivation is a persistent problem. USSD interfaces are, however, inherently insecure and place customers at far greater risk. The overarching problems remain South Africa’s sky-high data costs, delays in new spectrum allocation, and suboptimal cellular infrastructure in rural regions. These factors are stifling innovation, security, and access.

Third-party risks—the credit bureaus: The high incidence of massive data breaches involving credit bureaus over the past two years holds the spectre of introducing endemic security threats into the entire financial ecosystem. It appears as if these entities are being targeted for their weak information security practices and the high volumes of sensitive customer data they hold. The latest such incident, the TransUnion Hack,66 has resulted in 54 million detailed South African financial records being exposed to additional risk. The credit industry is another “self regulating67 entity but—given its breach record—the information security practices within this industry require the urgent attention of both financial actors and the relevant authorities.

The South African identification number. The official South African ID number is one of the most compromised government-based identifiers in the world.68 A series of massive breaches has released the bulk of all citizens’ unique numbers onto the dark web. ID numbers nevertheless are still the mandatory departure point for registering new clients and are demanded as the standard security check by call centers attending to customer queries.69 The ability to triangulate an ID number, cell phone number, and bank account number opens the door for cyber criminals. Somewhat inexplicably, it is still common practice for most financial actors to use ID numbers as the password to unlock allegedly encrypted account or portfolio information sent to customers via email. Given the compromised nature of the ID number and the prevalence of email interception in Africa, the implementation of digital identity technologies and biometrics should be an urgent priority.70 As a late adopter of such technologies, South Africa is well-placed to incorporate lessons learned, including constraints, from other markets.

Conclusion

As fintech growth surges in Africa, South Africa has emerged as a hub for start-up development.71 DFS provide substantial opportunities for the underbanked to access services, build credit profiles, fund assets, and invest. At the same time, though, new consumers are likely to encounter higher digital risk due to the consequences of digital deprivation and financial literacy challenges. South Africa’s already high rate of cyber crime rose sharply in 2020. Urgent measures are needed to reduce impacts on the individual as well as negative effects on the country’s economy.72

These realities must be factored into product design, access pathways, and after-sales support by DFS providers. Some of the key elements that contribute to security in this market are:

  • User behaviors and contexts should be factored into the design and security elements of the development cycle.
  • Service delivery interfaces and customer processes should be consistently aligned with user behaviors and contexts.
  • Enhanced alignment between the financial and communications sectors is required to close known and persistent risks in the system.
  • The use of digital identity solutions and biometrics across the industry will help thwart cyber criminals by eliminating easy targets.
  • Phasing out SMS-based financial services and one-time passwords will further help reduce the attack surface.
  • MNOs hold the key to moving customers away from cellular interfaces to digital platforms and enabling them to transact safely. MNOs should be strongly encouraged to lower data costs, restructure prepaid data premiums, and issue data rebates for mobile operating system and security software updates.

There are two significant systemic challenges at the national level that will prove less simple to address. The first is nurturing cybersecurity awareness and financial literacy rates within the population. This will require a horizontal approach across government, education, and corporate entities. The second is the issue of affordability. For low-income households, access to supported and secure mobile devices, data, and security software is hampered by South Africa’s increasing economic decline and rising unemployment. Potential solutions to these affordability constraints and their far-reaching impacts on security—as well as their economically damaging consequences—will require a partnered national approach.

Ultimately, the security challenges inherent in the proliferation of DFS in South Africa are perhaps less technical than they might appear. Rather, their genesis lies in the social and governance spheres. For DFS providers, digital security objectives must be conceived and implemented within the context of the people who will use their products. For the authorities and regulators, it is essential to address governance and regulatory issues to ensure that the vulnerable segment of the population who should be uplifted by digital financial inclusion is not further left behind by undue cyber risk.

About the Author

Noëlle Van der Waag-Cowling is the Cyber Programme Lead at the Security Institute for Governance and Leadership (SIGLA), Stellenbosch University. Her work cuts across both the public and private sectors and has a strong focus on governance, policy, and geostrategic issues in information security. She teaches cyber warfare and low intensity conflict in the Department of Strategic Studies and serves on the review board of the International Journal of Cyber Warfare and Terrorism.

Notes

1 “Anti-Money Laundering and Counter-Terrorist Financing Measures: South Africa Mutual Evaluation Report,” Financial Action Task Force and Eastern and Southern African Anti-Money Laundering Group, October 2021, p. 23, https://www.fatf-gafi.org/media/fatf/documents/reports/mer4/Mutual-Evaluation-Report-South-Africa.pdf.

2 “Internet Crime Report 2020,” Federal Bureau of Investigation Internet Crime Complaint Center, p. 17, https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf.

3 “National Cybersecurity Policy Framework,” South African Government, published December 4, 2015, https://www.gov.za/documents/national-cybersecurity-policy-framework-4-dec-2015-0000.

4 “African Cyber Threat Assessment Report,” Interpol, October 2021, p. 8.

5 Rob Bainbridge, “Reflections on FinTech Security Leadership,” Medium, October 6, 2020, https://robbainbridge.medium.com/reflections-on-fintech-security-leadership-279ce0256804.

6 Digital deprivation is a multifaceted challenge encompassing aspects such as data poverty, cybersecurity awareness, and outdated technology and software platforms.

7 “Fintech Scoping in South Africa,” Genesis Analytics, October 2019, p. 2.

8 “Home,” Sabric, accessed April 5, 2022, https://www.sabric.co.za/.

9 Martha Gertruida van Niekerk and Nkgolodishe Hermit Phaladi, “Digital Financial Services: Prospects and Challenges,” Potchefstroom Electronic Law Journal 24 (2021): 16, http://dx.doi.org/10.17159/1727-3781/2021/v24i0a10744.

10 “Anti-Money Laundering and Counter-Terrorist Financing Measures,” Financial Action Task Force and Eastern and Southern African Anti-Money Laundering Group, 23.

11 Quoting Dr. Brett van Niekerk, Durban University of Technology, 2021: “The FBI’s Internet Crime Complaint Centre (IC3, 2018; 2019; 2020; 2021) has South Africa ranked fairly consistently at about 11 to 13 in terms of the number of complaints received; however in 2020 this changed to 6th.”

12 Sarah Smit, “Business Reacts: Sona Commitments Will Not Move the Dial – Yet,” Mail & Guardian, February 11, 2022, https://mg.co.za/business/2022-02-11-business-reacts-sona-commitments-will-not-move-the-dial-yet/.

13 Gareth Stokes, “SA’s SMMEs Face a Slow Strangle as Red Tape Litters the Business Environment,” FA News, October 15, 2021, https://www.fanews.co.za/article/talked-about-features/25/straight-talk/1146/sa-s-smmes-face-a-slow-strangle-as-red-tape-litters-the-business-environment/33119.

14 Palesa Shipalana, “Digitising Financial Services: A Tool for Financial Inclusion in South Africa?,” South African Institute of International Affairs Occasional Paper no. 301, September 30, 2019, 15.

15 “Anti-Money Laundering and Counter-Terrorist Financing Measures,” Financial Action Task Force and Eastern and Southern African Anti-Money Laundering Group, 43.

16 “The National Payment System Framework and Strategy Vision 2025,” South African Reserve Bank, March 12, 2018, p. 3, https://www.resbank.co.za/en/home/publications/publication-detail-pages/media-releases/2018/8319.

17 “The National Payment System Framework and Strategy Vision 2025,” South African Reserve Bank, p. 7.

18 “A Stokvel is a type of credit union in which a group of people enter into an agreement to contribute a fixed amount of money to a common pool weekly, fortnightly or monthly. Universally, such a system is known as a rotating savings and credit association (ROSCA), which is a group of individuals who agree to meet for a defined period in order to save together.” “About Stokvels,” National Stokvel Association of South Africa, accessed April 20, 2021, https://nasasa.co.za/about-stokvels/.

19 Ryk van Niekerk, “EasyEquities has Disrupted the SA Investment Market since Inception,” MoneyWeb, February 20, 2022, https://www.moneyweb.co.za/moneyweb-podcasts/market-commentator-moneyweb-radio/easyequities-has-disrupted-the-sa-investment-market-since-inception/.

20 “Fintech Scoping in South Africa,” Genesis Analytics, p. 3.

21 Jorge Camarate and Chantal Maritz, “A Marketplace Without Boundaries 2.0: Digital Disruption in the South African Banking Sector,” PricewaterhouseCoopers, 2019, p. 6.

22 Ibid.

23 Bainbridge, “FinTech Security Leadership.”

24 “Fintech,” South African Reserve Bank, accessed April 26, 2022, https://www.resbank.co.za/en/home/quick-links/fintech.

25 Ibid.

26 “Financial Intelligence Centre Act 38 of 2001,” South African Government, accessed April 26, 2022, https://www.gov.za/documents/financial-intelligence-centre-act.

27 “Shoprite Quietly Launches Mobile Banking to 20 Million Customers,” Tech Central, November 17, 2021, https://techcentral.co.za/shoprite-quietly-launches-mobile-banking-to-20-million-customers/204869/.

28 “Home,” Independent Communications Authority of South Africa, accessed April 26, 2022, https://www.icasa.org.za/.

29 Ewan Sutherland, “Data Must Fall – The Politics of Mobile Telecommunications Tariffs in South Africa,” (paper, South African Association of Political Studies 15th Biennial Conference, Rhodes University, August 26–18, 2021), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2154165.

30 National Planning Commission and Research ICT Africa, “Digital Futures: South Africa’s Digital Readiness for the 4th Industrial Revolution,” August 2020, p. 33, https://researchictafrica.net/wp/wp-content/uploads/2021/01/021220_Digital-Futures_SAs-Digital-Readiness-for-4IR_01.pdf.

31 Sutherland, “Data Must Fall.”

32 “Why This Type of Fraud is Still so Common in South Africa After so Many Years,” Business Tech, November 21, 2021, https://businesstech.co.za/news/business-opinion/539972/why-this-type-of-fraud-is-still-so-common-in-south-africa-after-so-many-years/.

33 “Fraud and Airtime Theft on Vodacom’s Network,” Tech Report, August 3, 2020, https://www.techreport.co.za/fraud-and-airtime-theft-on-vodacoms-network.

34 Noëlle Van der Waag-Cowling, Brett Van Niekerk, and Trishana Ramluckan, “Submission to the Call for Inputs: Report on the Provision of Military and Security Cyber Products and Services by ‘Cyber Mercenaries’ and Its Human Rights Impact,” 2020, p. 12.

35 Jeff Wicks and Kyle Cowan, “Targeting AGU Team C,” News 24, https://specialprojects.news24.com/zane-kilian-charl-kinnear-cellphone-tracking/index.html.

36 Ibid.

37 “Vodacom and MTN Can Face Legal Action over Kinnear Murder,” My Broadband, October 22, 2020, https://mybroadband.co.za/news/cellular/372354-vodacom-and-mtn-can-face-legal-action-over-kinnear-murder.html.

38 Ibid.

39 “Cellular Looting in SA by ‘WASPS,’” African Wireless Communications, September 4, 2020, https://www.africanwirelesscomms.com/news-details?itemid=3359; Rudolph Muller, “Damning Evidence About Mass Airtime Theft From Vodacom Subscribers,” My Broadband, August 30, 2020, https://mybroadband.co.za/news/cellular/365418-damning-evidence-about-mass-airtime-theft-from-vodacom-subscribers.html.

40 A change of the subscriber identity module which is specific to a mobile phone number and account.

41 “Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002,” South African Government, accessed April 26, 2022, https://www.gov.za/documents/regulation-interception-communications-and-provision-communication-related-information--13.

42 Frank Hersey, “Digital ID in Africa This Week: Mammoth Biometric Registration Plan for Nigeria and Interpol in the Sahel,” Biometric Update, September 26, 2019, https://www.id-day.org/post/digital-id-in-africa-this-week-mammoth-biometric-registration-plans-for-nigeria-and-interpol-in-the.

43 Sutherland, “Data Must Fall.”

44 Van Niekerk and Phaladi, “Digital Financial Services,” p. 15.

45 “The Biggest Mobile Network Complaints in South Africa,” Business Tech, December 23, 2021, https://businesstech.co.za/news/telecommunications/533842/the-biggest-mobile-network-complaints-in-south-africa/.

46 Mudiwa Gavaza, “The Battle for Fintech Supremacy is On,” Business Day, January 16, 2022, https://www.businesslive.co.za/bd/companies/telecoms-and-technology/2022-01-16-the-battle-for-fintech-supremacy-is-on/.

47 Natasha Odendaal, “SA Telcos Moving Aggressively to Add Fintech Offerings to Mobile Money Base,” Engineering News, September 17, 2021, https://www.engineeringnews.co.za/article/sa-telcos-moving-aggressively-to-add-fintech-offerings-to-mobile-money-base-2021-09-17.

48 “Super-apps allow citizens to combine applications like pay, commerce, mobility and communication into one platform - instead of juggling multiple apps.” Conrad Onyango, “One App to Rule Them All: The Rise of African Super-Apps,” World Economic Forum, December 21, 2021, https://www.weforum.org/agenda/2021/12/africans-super-apps-make-life-easier/.

49 Gavaza, “The Battle for Fintech Supremacy.”

50 “Digital Futures,” National Planning Commission and Research ICT Africa, p. 33. The DTPS became the Department of Communications and Digital Technologies. See their website at https://nationalgovernment.co.za/units/view/428/department-of-communications-and-digital-technologies-dcdt.

51 Ibid.

52 Christopher Tredger, “No Question, SA Operators Will Work Together Says Newly Formed Anti-Crime Org COMRiC,” ITWeb Africa, January 25, 2022, https://itweb.africa/content/j5alrvQad9LvpYQk.

53 “The World Bank in South Africa,” World Bank, accessed April 26, 2022, https://www.worldbank.org/en/country/southafrica/overview#1.

54 Marta Kuc-Czarnecka, “COVID-19 and Digital Deprivation in Poland,” Oeconomia Copernicana, Institute of Economic Research 11, no. 3 (September 2020), 415–431.

55 Ibid.

56 “Digital Banking Crime Statistics,” Sabric, accessed April 26, 2022, https://www.sabric.co.za/media-and-news/press-releases/digital-banking-crime-statistics/.

57 Alison Gillwald, “Digital Equality: South Africa Still Has a Long Way to Go,” Tech Central, March 7, 2020, https://techcentral.co.za/digital-equality-south-africa-still-has-a-long-way-to-go/175421/.

58 Ibid.

59 Ibid.

60 Alex Comninos, David Johnson, and Alison Gillwald, “Has South Africa’s COVID Alert Contact Tracing App Been Zero-Rated?,” Research ICT Africa, September 25, 2020, https://researchictafrica.net/2020/09/25/has-south-africas-covid-alert-app-been-zero-rated/.

61 “Complaints Against SA Telecom Companies are Starting to Stack up,” Business Tech, October 26, 2018, https://businesstech.co.za/news/telecommunications/279405/complaints-against-sa-telecom-companies-are-starting-to-stack-up/.

62 “Draft Financial Inclusion Policy: Media Statement,” National Treasury of South Africa, October 28, 2019, http://www.treasury.gov.za/comm_media/press/2020/20201028%20Media%20Statement%20-%20Updated%20Financial%20Inclusion%20Policy.pdf.

63 Abraham Morake, Lucas T. Khoza, and Tebogo Bokaba, “Biometric Technology in Banking Institutions: The Customers’ Perspectives,” South African Journal of Information Management 23, no. 1 (Fall 2021), https://sajim.co.za/index.php/sajim/article/view/1407/2100.

64 “Biometrics in Digital Financial Services: An Overview,” FSD Africa, August 2017, p. 18.

65 “SA Retailer Quietly Launches Bank Account to 20M Customers,” MoneyWeb, November 17, 2021, https://www.moneyweb.co.za/news/companies-and-deals/sa-retailer-quietly-launches-bank-account-to-20m-customers/.

66 Ciaran Ryan, “Deadline Passes for R220m Extortion Demand in TransUnion Cyber Attack,” MoneyWeb, March 28, 2022, https://www.moneyweb.co.za/news/south-africa/deadline-passes-for-r220m-extortion-demand-in-transunion-cyber-attack/.

67 “Welcome to CBA,” Credit Bureau Association, accessed April 26, 2022, https://www.cba.co.za/#:~:text=All%20credit%20bureaus%20are%20regulated%20by%20the%20National,2005%20and%20the%20Regulations%20and%20amendments%20pertaining%20thereto.

68 “Timeline of Cyber Incidents Involving Financial Institutions,” Carnegie Endowment for International Peace, accessed April 27, 2022, https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline#click-hide.

69 Van Niekerk and Phaladi, “Digital Financial Services,” p. 19.

70 “African Cyberthreat Assessment Report,” Interpol.

71 Charu Sudan Kasturi, “Global Investment Money is Flooding in to Africa’s Fintechs,” Al Jazeera, November 19, 2021, https://www.aljazeera.com/economy/2021/11/19/global-investment-money-is-flooding-into-africas-fintechs.

72 “Internet Crime Report 2020,” Federal Bureau of Investigation Internet Crime Complaint Center, p. 17.

Carnegie does not take institutional positions on public policy issues; the views represented herein are those of the author(s) and do not necessarily reflect the views of Carnegie, its staff, or its trustees.