A recent survey by Trust Online has found that the websites of South Africa’s largest banks are not fully compliant with new Internet and e-commerce legislation. Certain banks do not provide consumers with sufficient ways of determining whether or not the website is safe and secure, notwithstanding statements made by those banks regarding security on their websites.
Of all the banks surveyed, Standard Bank came up tops with a compliance rating of 84%. The other banks surveyed had the following compliance ratings:
First National Bank: 63%
Standard Bank: 89%
Trust Online, a company that certifies website compliance with new Internet legislation, said that the terms and conditions and website notices of all the major banks were tested according to the provisions of the Electronic Communications and Transactions (ECT) Act, the Promotion of Access to Information Act (PAIA) and international best practices for banking websites.
As part of the survey, the logon/login page of every bank's website was checked to determine whether:
1. communications of sensitive information such as account numbers, usernames and passwords with the bank were secure, and
2. the website has a valid digital certificate for authentication purposes.
For example, the security notice on the Absa Web page states the following: "Check to make sure that the URL begins with 'https' rather than 'http'. The initial connection to www.absadirect.co.za will redirect the connection to an available Internet banking server. The logon page will be displayed. This page contains three frames. The outer two frames are not secure as they contain marketing and general information. The login frame, where the account number and PIN are entered is secured using SSL (secure sockets layer) encryption technology."
Although the Absa logon page is secure, as confirmed by its certificate, the logon page is a nested page and consumers cannot visually confirm its security status: neither the stated https:// connection nor the little padlock at the bottom of the browser, which confirms that the consumer is visiting a site that encrypts communications between the consumer and the bank, is visible.
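The survey's two logon-page checks and the nested-frame problem described above can be expressed as a small audit script. The following is an added example, not code from Trust Online's survey; it works on a constructed HTML sample modelled on the three-frame layout the article describes (the host names and paths are invented placeholders, not any bank's real markup). It collects every frame and iframe source, resolves relative URLs against the page URL, and reports whether a consumer could visually verify the connection: the browser's padlock and https:// address reflect only the top-level document, so an https login frame nested inside an http page gives the user nothing to check.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, modelled on the three-frame logon page the article
# describes: two insecure outer frames plus an https login frame, all served
# from a top-level page that is itself plain http. Host names are placeholders.
SAMPLE_PAGE_URL = "http://www.example-bank.test/logon"
SAMPLE_PAGE_HTML = """
<html><frameset cols="20%,60%,20%">
  <frame name="left" src="http://www.example-bank.test/marketing/left.html">
  <frame name="login" src="https://secure.example-bank.test/logon/form.html">
  <frame name="right" src="/general/right.html">
</frameset></html>
"""

# A second constructed sample: the whole logon page, frames included, is https.
GOOD_PAGE_URL = "https://secure.example-bank.test/logon"
GOOD_PAGE_HTML = """
<html><body>
  <iframe src="/logon/form.html"></iframe>
</body></html>
"""


class FrameCollector(HTMLParser):
    """Collects the src attribute of every <frame> and <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def frame_sources(page_url, html):
    """Return the absolute URL of every frame/iframe embedded in the page."""
    parser = FrameCollector()
    parser.feed(html)
    return [urljoin(page_url, src) for src in parser.sources]


def assess_logon_page(page_url, html):
    """Classify a logon page the way a consumer's browser would present it.

    The padlock and the https:// prefix belong to the top-level document only,
    so a secure frame inside an insecure page cannot be verified visually.
    """
    top_level_https = urlsplit(page_url).scheme == "https"
    frames = frame_sources(page_url, html)
    secure_frames = [u for u in frames if urlsplit(u).scheme == "https"]
    insecure_frames = [u for u in frames if urlsplit(u).scheme != "https"]

    findings = []
    if not top_level_https:
        findings.append("top-level page is not https: no padlock and no https:// in the address bar")
    if secure_frames and not top_level_https:
        findings.append("login form is an https frame nested in an http page: consumer cannot visually confirm it")
    if insecure_frames:
        findings.append("page embeds %d insecure frame(s): mixed content" % len(insecure_frames))

    return {
        "top_level_https": top_level_https,
        "frames": frames,
        "secure_frames": secure_frames,
        "insecure_frames": insecure_frames,
        # Only a fully https page lets the consumer verify what they see.
        "user_can_verify": top_level_https and not insecure_frames,
        "findings": findings,
    }


if __name__ == "__main__":
    for url, html in ((SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML), (GOOD_PAGE_URL, GOOD_PAGE_HTML)):
        report = assess_logon_page(url, html)
        print(url, "-> user can verify:", report["user_can_verify"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the first sample the script reports that the consumer cannot verify the page, with three findings; against the second, fully https sample it reports no findings. The certificate check from the survey's second criterion is deliberately left to the TLS layer (a browser or a library that verifies the chain and hostname), since it cannot be judged from the page markup alone.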
The other banks surveyed, including online banks such as Icanonline and 20Twenty, have the necessary SSL and certificates on their logon pages. All the banks provide 128-bit encryption and use Verisign digital certificates. BOE does not have a Web-based online banking system accessible from its home page.
Security experts confirmed that browsers may create problems when consumers view digital certificates, as some of the websites have different and in some instances no certificates, depending on the time of access and the computer used - this does not apply to Standard Bank, where the SSL and certificate were consistently present.
"Websites that are not secure make it possible for account details, usernames and passwords to be stolen over the Internet. Consumers are at a great risk if a website does not live up to its stated security measures and policies. Also, the ECT Act read with the King II Report on Corporate Governance places the responsibility of ensuring security on the website owner," says Mijo Skoro, managing director of Trust Online. Ironically, all the banks surveyed disclaimed any liability for loss and damage in their terms and conditions.
None of the banks provide users with access to fast and cost-effective online dispute resolution as provided for in the online consumer protection principles of the Organisation for Economic Co-operation and Development (OECD). Some of the websites do, however, refer disputes to traditional offline arbitration forums. These include Nedbank and Standard Bank.
PAIA (Promotion of Access to Information Act) manuals
Only Absa and Standard Bank had the required section 51 PAIA manuals available from their websites' home pages. In terms of section 51 of the PAIA, every business must have a so-called PAIA manual available on its website to assist requests for information by the public. The deadline for compliance was 31 August 2002 but this has been extended to 28 February 2003.
Standard Bank and BOE regulate linking to and framing of their websites and are the only two banks that have disclaimers in respect of the content and service of third party websites available from the bank's website.
Only the Standard Bank and Absa websites have clear website usage policies that detail how the website content may be used. Interestingly, the banking websites surveyed did not opt into the voluntary privacy regime of the ECT Act.
"Banks open themselves up to a whole range of online liabilities if they do not deal with the correct issues in their online legal notices," says Reinhardt Buys, managing partner of Buys Inc. Attorneys, a Cape Town based law firm that specialises in Internet and e-commerce law.
A previous survey of B2C (business-to-consumer) e-commerce sites showed that less than 3% of South African websites comply with new Internet and e-commerce related legislation. "Many of the online risks and liabilities are not clearly defined in South African law, and the most prudent course of action for banks would be to detail this in their legal notices and remove any uncertainty," says Buys.
Only Standard Bank's legal notices expressly prevent third parties from searching the bank's website for information through the use of so-called spider technology.
Buys Inc. and Trust Online are also conducting an online survey to determine the attitudes of website owners towards the ECT Act and PAIA. Website owners are encouraged to participate in the survey available on the Internet at www.sasurvey.co.za
Mijo Skoro, managing director, Trust Online, t: 021 461 7353