NEWS & ANALYSIS

Postbank security breach highlights SASSA’s failures

Bank will reportedly have to replace close to 12m bank cards

17 June 2020 

South Africa’s social grant payment system has been the subject of various scandals for almost a decade. Until recently most of the controversy over grant payments focused on the role of Net1/CPS, contracted to the South African Social Security Agency (SASSA) and accused of exploiting grant beneficiaries for financial gain. Now it is the turn of the Postbank – the banking branch of the South African Post Office (SAPO) – to demand our attention.

According to a recent article, the Postbank will have to replace close to 12 million bank cards after a security breach exposed the personal details of up to ten million social grant beneficiaries, as well as other account holders. According to a number of internal Postbank reports, bank employees stole the bank’s encrypted master key, which was reportedly printed in plain, unencrypted digital language, during the move of the Postbank’s data centre in July 2018. The master key allows anyone who has it to access the bank’s systems, read and edit account balances, and change information on any of the Postbank’s 12 million cards.

Replacing these cards will reportedly cost up to R1 billion and will involve a major card-swapping exercise, similar to the SASSA’s migration from its previous payment provider (CPS) to SAPO and Postbank in 2018.

The security breach has reportedly led to 25,000 fraudulent transactions between March 2018 and December 2019, in which a whopping R56 million was stolen from SASSA cardholders.

This highlights SASSA’s inability to administer South Africa’s social grant payment system and to ensure proper oversight of its payment contractor. One of the main reasons SAPO was appointed as the country’s new social grant paymaster in the first place was to safeguard beneficiaries’ grant money from the unauthorised deductions which had dramatically increased under SASSA’s previous contractor Cash Paymaster Services (CPS) and its parent company Net1, and reportedly caused a total monetary loss of R800 million to grant beneficiaries.

Surely, a country that was ranked among the world’s top 20 financial hubs with a well-established and regulated banking system should be able to run a safe and reliable grant payment system. So why were SAPO and the Postbank put in charge in the first place? And what does the Postbank security breach tell us about the overall state of the grant payment system and the performance of SASSA?

Let’s start with a closer look at the relationship between SAPO and the social grant programme.

As a state-owned enterprise, SAPO provides various telecommunication services outlined in the Postal Act 44 of 1958 and the Postal Services Act 124 of 1998. It also offers courier and freight services, financial services, electronic bill payment, and a variety of government services such as Extended Public Works Programme payments and motor vehicle licence renewals. SAPO operates over 1,500 branches across the country and offers bank accounts and limited financial services through the Postbank.

By the time they were appointed as South Africa’s national grant paymaster in 2018, SAPO and the Postbank had been eyeing the payment contract for over a decade. SAPO assisted with grant payments in various provinces throughout the 1990s, and reports of the Department of Social Development wanting to put SAPO in charge of grant payments “as a matter of policy” date back to 2002. But before the establishment of SASSA in 2004, South Africa’s grant payment system remained fragmented, with various payment providers operating in different provinces and under different contracts.

Tasked with centralising and streamlining the payment process, SASSA issued its first Request for Proposals for a nationwide grant payment system in February 2007. Nine bids were received, but no contract was awarded and the process was cancelled due to a lack of clarity on certain requirements. Rather than issuing a new tender, SASSA reportedly entered into a direct agreement with SAPO on 1 July 2009 without following proper procurement processes. However, the agreement was nullified after CPS took the matter to court, despite the fact that SAPO had already enrolled 460,377 new beneficiaries and opened Postbank accounts for some of them.

For the next few years, SAPO and the Postbank continued to play a minor role in South Africa’s grant payment system, delivering grants to about 5% of all beneficiaries. The award of the nationwide grant payment contract to CPS in January 2012 terminated their involvement in the grant payment system – at least for the time being.

Shortly after the contract was awarded to CPS, Black Sash discovered the existence and rapid increase of irregular, unauthorised and undocumented third-party debit deductions from grant beneficiaries’ bank accounts. Many of these deductions were linked to other subsidiaries of CPS’s parent company Net1, which were accused of having used CPS’s control over the beneficiary database to aggressively market financial services to grant beneficiaries. It has been estimated that approximately 2.3 million out of the ten million grant accounts held by Grindrod Bank (CPS’s banking partner) were affected by the deductions – in other words almost one quarter of all grant recipients.

The deduction scandal caused a massive public outcry over Net1’s business practices and growing opposition to its role as the country’s grant paymaster. Moreover, the Constitutional Court declared the award of the contract to CPS invalid in November 2013 and ordered SASSA to re-run the tender process. Initially, SASSA declared that it would take over grant payments itself and that an in-house payment solution would be developed. However, with only a few weeks left until the expiry date of the CPS contract on 31 March 2017, SASSA had to ‘acknowledge we have failed’ and that an external provider would still be required.

Enter SAPO.

Despite resistance from SASSA – and particularly Department of Social Development Minister Bathabile Dlamini – and months of back-and-forth negotiations, SAPO was appointed to run the grant payment system in November 2017.

Initially, however, this appointment was only for one of the four key services SASSA was looking to provide: the provision of an integrated payment system which could also handle beneficiaries’ biometric data. Banking services, the production of payment cards, and cash payouts at pay points were not part of the deal. SAPO was not impressed and informed SASSA in a letter that it would only avail its services if it was appointed for all four services. Dlamini was quick to declare that the deal with SAPO was now off in its entirety, causing the Treasury and Parliament’s Standing Committee on Public Accounts to intervene on SAPO’s behalf.

The result was the announcement of a so-called ‘hybrid model’ for grant payments which would include SASSA, SAPO, the Department of Home Affairs and the State Security Agency. This new model would give beneficiaries ‘maximum choice, access and convenience’ by enabling payments through bank accounts at commercial banks, large retail shops, and a ‘second tier’ of merchants such as village banks, general dealers, small retail outlets, and spaza shops. The ‘hybrid model’ would be phased in over the next five years, with SAPO taking over electronic payments from 1 April 2018.

This, however, still did not solve the problem of how to deliver cash payments to the 2.5 million beneficiaries who collected their grants from pay points. Failing to find a suitable provider for these payments – or to deliver them themselves – SAPO and SASSA announced in February 2018 that they would require the services of CPS after the contract expiry date on 31 March. The Constitutional Court agreed to allow CPS to operate for an additional six months to give SASSA time to find a solution for the cash payment issue.

SASSA’s solution was to ask SAPO in June 2018 to extend its original agreement with the agency and take over cash payments in addition to its other functions. SASSA – reportedly in consultation with SAPO – also decided to reduce the number of beneficiaries paid in cash as far as possible, hoping to scrap cash pay-outs altogether. Until then, SAPO would procure mobile cash dispensing machines to serve beneficiaries in rural areas or contract the South African National Defence Force (SANDF) “to go and pay grants in those areas that are still not fully covered by the various payment channels infrastructure.” Fortunately, SASSA never had to enlist the SANDF to deliver cash to rural villages and the contract with CPS was indeed terminated at the end of September.

Concerns over choice of Post Office

SASSA’s costly experiment with a private high-tech service provider had thus come to an end, following several years of court battles (some of which were only resolved in early 2020), media outcries and political infighting. And SAPO had finally achieved its goal of becoming South Africa’s social grant paymaster.

But there were concerns – including from the Panel of Experts tasked with overseeing the transition – about SAPO’s ability to run a payment system of this magnitude. These concerns included SAPO’s poor track record in delivering mail (its most basic function), its financial difficulties, its limited infrastructure in rural areas, and the fact that the Postbank did not have a full banking licence at the time.

Unsurprisingly, the transition from CPS to SAPO and the Postbank in 2018 was far from smooth, starting with the mammoth task of replacing over ten million payment cards issued by CPS with new cards issued by SAPO. This exercise – which took more than half a year and considerable efforts by both SASSA and SAPO – may have to be repeated in response to the Postbank’s security breach. The question of who will pay for this is another matter.

In addition, ‘technical glitches’ left beneficiaries stranded without their money on several occasions, there was confusion over the new payment arrangements and dates, post offices repeatedly ran out of cash, and an increase in armed robberies at post offices was reported.

Moreover, the cost of the new payment system (including the cost of upgrading the Post Office’s infrastructure) soon threatened to escalate. Initial cost estimates in December 2017 of R2.2 billion in the first year did not take into account the cost of delivering cash payments in rural areas, which was later added to the list of services SAPO was expected to provide. In August 2018, the payment transition was estimated to cost R3.2 billion in the first year and it was unclear how annual costs would develop in the remainder of the 5-year contract.

In its tenth and final report on the payment transition on 15 October 2018, the Panel of Experts concluded that it was “highly unlikely” that the decision to use the Post Office would “result in the best use of taxpayers’ money”. The panel said the selection of the Post Office was “flawed” as there had been no competition from other bidders, and SASSA had failed to consider alternative payment technologies and providers, such as the commercial banks or mobile money providers.

Now once again SASSA has failed to exercise adequate oversight over its payment provider. Once again, grant beneficiaries are affected by unexplained deductions from their accounts and will have to go through the hassle of having their payment cards replaced, without knowing when the next security breach will happen. This time neither SASSA nor the government can hide behind a “greedy” financial corporation. Instead, they must add yet another state-owned entity to the growing list of state-owned entities in trouble and try to clean up the mess.

But is the Postbank – which repeatedly assured that it was providing a public service with no ulterior profit motive – really that different from its predecessor CPS? A closer look at its business model suggests that the two entities may have more in common than one might think.

SAPO’s CEO at the time of the payment transition, a former investment banker, was hired to turn the ailing Post Office around and to transform the Postbank, among other things, into ‘a bank which can lend money’. In order to do so, it was not only vital to obtain a full banking licence (which the Postbank has still not been able to achieve) but to grow (or at least maintain) its customer base. So a five-year government contract to pay grants to millions of beneficiaries certainly came in handy. SAPO further expressed its commitment to offering credit and life insurance to its clients – including grant beneficiaries – earlier this year, calling it “a critical element of Postbank’s mandate and strategy”. Sounds familiar? Indeed.

SAPO’s predecessor CPS and its parent company Net1 pursued a similar strategy, telling their investors during the run-up to the 2012 tender that they were planning to use the social grant payment infrastructure “to provide users, at a low incremental cost to us, with a wide array of financial products and services for which we can charge fees”. Once it had been awarded the contract, Net1 proceeded to implement its business model in a rather aggressive fashion and was widely criticized for exploiting poor people and taking unfair advantage of its role as national grant paymaster.

The question of whether social grants should be used as collateral for loans, or whether the company in charge of grant payments should be allowed to sell financial services to beneficiaries is highly controversial and morally charged. But while the pursuit of profits and shareholder value is – unfortunately – in the very nature of most private companies, this is supposedly not the case for state-owned companies, particularly when it comes to the provision of an essential service to poor people. And was the whole point of awarding the grant payment contract to SAPO not to avoid a repetition of the “Net1 scenario”?

Once again, SASSA has put the incomes and personal information of millions of the country’s poorest and most vulnerable citizens at risk. The agency’s repeated failure to engage with the commercial banks – who certainly have more sophisticated security systems in place than the Postbank – as contenders for the grant payment contract, or to consider alternative payment options such as mobile money, has cost grant beneficiaries and taxpayers dearly. Appointing SAPO as “a matter of policy” and in the belief that a state-owned entity would be better suited for the task has not brought about the positive change beneficiaries were promised. However, rather than blaming the Postbank for not being up to a task it was never ready for, we should see the latest grant payment scandal as an urgent call for SASSA to finally get its own house in order.

Lena Gronbach is a PhD student at the University of Cape Town, working on social grant payment systems, payment digitisation and financial inclusion in sub-Saharan Africa.

Groundup