The Postbank has been given a series of deadlines, starting in mid-January, to get its house in order, including properly securing the cards it issues and setting up for disaster recovery.
Should it fail to get everything on the list done by December 2022, the Reserve Bank says, the Postbank risks “revocation” of its status as a designated clearing system participant in the National Payment System.
In 2020 the Postbank declared itself ready as South Africa’s “future state bank”, citing its participation in the National Payment System as a key advantage when it comes to establishing such a bank.
The Postbank started handling payments of social grants for the South African Social Security Agency (Sassa) in 2018. Nearly a year later, “serious irregularities” were found on the Sassa-branded cards the bank had issued. It was given until April 2021 to sort things out – but failed to do so.
The Sunday Times later reported that the master encryption key for the cards had been printed and stolen at the Postbank’s Pretoria data center, compromising the integrity of all 12 million issued cards, and any future cards issued using the same system.
On Friday, the Reserve Bank gazetted a “variation notice” under its authority as the regulator for the National Payment System, laying out exactly what is now required of the Postbank if it is to keep its clearing system participant status.
For starters, the Reserve Bank wants to see an implementation plan from the Postbank within a month, and it wants that plan signed by the chairperson of its board as well as its executive management. It then wants a monthly report (in the first week of each month) and a monthly meeting (in the second week of each month) to discuss that report.
The underlying problems those reports and meetings are supposed to address include security and continuity. Postbank must implement the card standards used by the likes of Visa and Mastercard, properly secure its encryption keys, and reissue all its Sassa-branded cards using new, secured keys.
It must also set up the kind of disaster recovery and business continuity infrastructure required of all payment system players – and “employ a sufficient number of payment experts, including independent experts”, in its payments business.
In the meanwhile, it is not allowed to sign up new clients or offer new products to existing clients, in any line of business that touches on its status as a designated clearing system participant, without sign-off from the Reserve Bank and its payments-system