‘Twin Peaks’ financial regulators: Sheep in sheep’s clothing

I conducted a consumer test of the recently introduced much-vaunted “Twin Peaks” regulators and found them deficient. 

South Africa has implemented the "Twin Peaks" model of financial sector regulation. Two regulators, the Finance Sector Control Authority (FSCA) and Prudential Authority housed in the South African Reserve Bank (SARB), are the twin agencies – “peaks” – of the new model.

They were formed with the passing of the Financial Services Regulation Act that “gives the SARB an explicit mandate to maintain and enhance financial stability”. Both came into operation on 1 April 2018.

The FSCA replaces the Financial Services Board (FSB) and has control over financial service providers, insurance companies and banks, the last of which was excluded under the old FSB.  It’s responsible for “protecting the consumer and enforcing market conduct”: 

• ·         Protect financial customers by promoting their fair treatment by financial institutions.
• ·         Enhance and support the efficiency and integrity of financial markets.
• ·         Assist in maintaining financial integrity. 

The Prudential Authority’s mandate is to “to promote and enhance the safety and soundness of regulated financial institutions”: 

• ·         Promote the safety and soundness of financial institutions and market structures.
• ·         Protect financial customers against the risk of financial institutions failing to meet their obligations.
• ·         Assist in maintaining financial stability. 

According to its website, the PA is committed to the SARB’s values, policies and procedures and the “values of respect and trust, open communication, integrity, accountability and excellence”.

South Africa’s banking sector is highly regulated with high barriers to entry which is one of the reasons, if not the main one, the sector is so concentrated.  The concentration ratio is over 80%, which is oligarchy to near monopoly. In 2016 six banks – Standard Bank, Absa, First National Bank, Nedbank, Capitec and Investec – accounted for over 90% of all retail deposits. 

In 2016 the IMF’s David Lipton said South Africa’s banks are among the country’s private sector’s “privileged markets” – eerily reminiscent of the EFF’s “white monopoly capital” accusation although he never meant it that way – that “damage competitiveness by keeping business costs high”.  He pointed out “success” and “innovations” in other countries including Kenya that “resulted in “higher rates of financial inclusion” which is absent in this country.

While there is some competition in the sector particularly after the entrance of start-up Capitec, Munacinga Simatele found the larger – big four banks – have relatively high transactions fees which in 2015 was over R53 billion from R38 billion in 2010, a significant contributor to revenue. 

The Reserve Bank’s stringent regulations include capital adequacy ratios that must be maintained, prudential laws and other requirements of the Banks Act. 

However, government and SARB gave banks the power to self-regulate their market conduct and customer relations, extraordinary power – the keys to the financial kingdom, so to speak – other sectors don’t have particularly after the introduction of the Consumer Protection Act (CPA) that established clear rules of market conduct for various industries.  Indeed, the Financial Services Laws General Amendment Act 45 of 2013 exempts the banking industry from the operation of the CPA and the purview of the National Consumer Commission.  

Customers who experienced unfair or poor treatment could either try to resolve the problem on their own with their bank, and good luck with that, or refer it to the industry-funded, nominally “independent” Ombudsman for Banking Services, a unit of The Banking Association South Africa. 

The Banking Ombudsman is not a statutory regulator but a voluntary organisation, although there’s a proposal the twin peaks model will include an ombudsman. Until then, the introduction and scope of the FSCA and PA, the “new sheriffs in town”, which have explicit mandates of protecting financial customers, appear encouraging.  But are they all they make out to be?

Remember that historically the (post-1994) government has been reluctant to take issue with banks’ practices and prefer to leave them to their own devices.  (How with all its regulations the SARB never foresaw African Bank’s collapse is a mystery.)   

In 2008 the Competitions Commissions wound up its tepid investigation into excessive bank charges, among the highest in the world.  At the time newly appointed finance minister Pravin Gordhan (later in some circles considered “Sir” Pravin, South Africa’s “Horatius at the bridge”) backtracked from a similar undertaking after the banking association reportedly threatened to review their interests in the country.  He allowed them to continue “self-regulating” despite everyone knowing high charges and confusing fee structures were inhibiting customers and the economy including the poor who lacked banking services.

Soon after his intervention ostensibly on behalf of customers, charges and fees went up significantly. This matches banks’ fee revenue escalating 40% from 2010 to 2015.  Today there’s still dissatisfaction including among social grant beneficiaries having to pay R10 a transaction to get money from an ATM when it was originally understood it would be free or at minimal charge.  R10 buys a litre of milk, a loaf of supermarket bread or other basics, significant if you’re poor.

But already a harbinger is the twin peak sheriffs appear unwilling to take on the powerful banking empire leaving me wondering if their mandates are nothing more than the usual rhetoric.  One matter concerns Standard Bank charging its credit card customers for “value-added services”. (Disclosure: I’m a customer.) 

The National Credit Regulator (NCR) investigated Standard Bank because value-added services charges may not be permitted under the list of regulated charges under the credit agreement. Included among the compulsory services is basic travel insurance which previously was a free benefit I believe is still so with other credit card companies.  The compulsory fees – unlike similar services from other providers, there’s no opt-out – range from R10 to over R200 a month depending on the type of card.

This is called “bundling” under the Consumer Protection Act and is outlawed.  The CPA states customers are not obliged to buy bundled products because it infringes on the consumer’s right to choose a supplier, i.e., the constitution’s economic right.

Early May, only one month after the FSCA began operating, they declined to investigate Standard Bank for the case when customers do not want the services but are still forced to pay the fees.  They claimed it does not “fall within our jurisdiction. The best forum to deal with this matter is the Banking Ombudsman”.  (Later, the ombudsman made a legally defective finding for the bank that charging for value-added services was within their “commercial decision-making”.  I told a legal expert “hell would freeze over” before they made a finding that endangered the revenue of a member bank.)

It's strange the FSCA should take this position when their mandate is purportedly to “protect the consumer and enforce market conduct”; that Standard Bank already was under regulatory scrutiny for a different aspect of the same matter and that it’s flouting the CPA.  

They refused to say why it fell outside their jurisdiction, or what their purpose is if not to investigate banks’ problematic conduct.  However, last week the FSCA advertised on RSG radio station stating their mandate includes “control over financial service providers, insurance companies ... and banks" and "protecting customers".

Instead they outsource their legal duty of “protecting financial customers” and resolving financial institutions’ alleged unfair treatment to the banks’ representative body, continuing to allow the pre-twin peaks practice of self-regulation. Wasn’t twin peaks supposed to be the start of a new consumer-protection era?

I put these issues to a legal expert (he’s also a law lecturer and advocate and advisor to National Treasury) on financial regulation and the twin peaks model.  He was nonplussed as he understood the FSCA should have jurisdiction.  In the absence of them giving reasons, he suggested they only “protect consumers at scale”.  I didn’t agree because if we assume one million customers (I don’t know how many customers are affected) are being charged for value-added services they don’t want or need, potentially Standard Bank is earning R10 million a month for nothing.  Is that not “at scale”?  (The bank didn’t respond except that they’re not doing anything illegal.)

The second matter is during June and July fraudsters impersonated Standard Bank fraud department and UCounts Rewards to obtain customers’ card numbers. (Disclosure: I was defrauded which I’m trying to get refunded.) 

On July 18, after the fact, they sent customers this SMS:

“Fraudsters are impersonating UCount Rewards and the Fraud Department requesting one-time passwords (OTPs) to perform online transactions. Do not share your OTP, the number on the back of your card or the expiry date.”

There was a recorded message containing similar on their call centre line.  During August they sent an email headed “Protect yourself” warning of a “remote access control scam: be wary of fraudsters who send you emails or phone and claim to be from the bank and then ask you to update your personal account information or software on your computer”. 

It appears to be an organised, large-scale fraud attack – “scam” – on their customers.  It’s at the heart of the Prudential Authority’s mandate of “safety and soundness of regulated financial institutions” and “protect financial customers against the risk of financial institutions failing to meet their obligations”.

It was not widely reported – I found only one article by Businesstech – and haven’t seen any statements from either bank executives, FSCA or Reserve Bank saying they are concerned and investigating how fraudsters obtained customers’ personal and contact information. 

In at least in my case, Standard Bank has made customers entirely liable for being defrauded (I acknowledge customers must exercise care over their personal information but it can happen to the best of us including giving personal information to bank employees who refuse to adequately identify themselves) and for the bank’s tardy response to customers’ reports of fraud.  (In my case they didn’t respond within the stipulated 48 hours but only a week later during which time I believe, according to a SMS, the transaction had not been processed and it was still possible to cancel or reverse the transaction.)  

Although it’s an “an ongoing scam targeting its customers ... fraudsters did not gain access to customers’ sensitive data from the bank”, but if not from them, then who?  They say it’s ongoing, but for how long and why are customers only hearing about this iteration now?

Compare how British Airways managed the theft of 380 000 customers’ data.  “We have notified the police and relevant authorities", and BA CEO Alex Cruz apologised for the security breach and promised customers full compensation.  (Standard Bank didn’t respond to my emails if they reported the frauds – I assume many customers were affected – to the police and relevant authorities.)

The BA example illustrates the fundamentally different ways, and a fundamentally different governance and corporate ethics and culture, Britain and other developed countries from whom South Africa obtained its financial model and laws, among them the twin peaks regulatory model, approach what authorities here in all seriousness call “protecting financial customers”, “promoting the safety of institutions and market structures” and “enforcing market conduct”.

A link on the Businesstech article about the fraud leads to Standard Bank CEO scores a R48 million payday.  He and his fellow executives are not losing sleep or their bonuses over their customers, already hard pressed paying millions in value-added service fees, losing millions more to fraud that possibly – who knows – emanated from within the bank.

Remember the Prudential Authority’s values – in a classic lack of self-irony – of “respect, open communication, integrity, accountability and excellence” I mentioned at the beginning.  Neither they nor FSCA responded to emails I copied them about the fraud and how the fraudsters obtained confidential customer details, whether from the bank or elsewhere.  Instead, from them and the bank there’s a persistent and ominous silence.

The conclusion I've come to is like most of South Africa's statutory agencies, the FSCA and Prudential Authority are sheep in sheep's clothing.  I acknowledge it’s early days yet and they may improve, but the manner they perform now sets the tone for the future, and it’s not encouraging.  As I discovered with only one example, which I’m loath to generalise but in the absence of an explanation must gp with, banks are not answerable to anyone except themselves regarding their customers and market conduct.

Consumers and citizens must not be misled into believing the regulators' function is to protect them, but to maintain the status quo of and for the privileged markets – big businesses’ and banks’ interests.  We are in for more disappointment unless the National Treasury and South African Reserve Bank clarify and strengthen their intended purpose, operation and commitment to ethical market conduct.