The state of online banking at Africa's biggest banks

Many African countries are undergoing what is called “financial deepening” – a process of increasing the banked population, improving market infrastructure, widening funding access, and diversifying investment options. According to Bernhard Kotanko and Jason Ekberg of the Nikkei Asian Review, efficient and deep financial markets are a prerequisite for macroeconomic growth and prosperity. Moody’s also predicts that the fast growth of mobile banking across Africa, and the accompanying increase in access to financial services, will boost economic growth and create opportunities for banks to expand across the continent.

A large proportion of the African populace nevertheless remains unbanked. Penetration is as low as 36 percent in some of the larger economies, according to KPMG. Commercial bank branches and ATMs are expensive to establish and maintain, and thus not well suited to the large and widely dispersed populations in many African countries. To bridge this gap, banks have started to explore alternative operating models, one of which is mobile banking. The emergence of mobile technology and the rapid spread of affordable cellular communications throughout the continent have allowed for financial services to be provided to lower-income households that often reside in isolated rural locations.

Mobile banking or mobile payments functionality offers banks a great opportunity to expand their client base. The trouble is that the security of the current offering of online and mobile banking services in Africa leaves much to be desired. A quick investigation that I conducted, which entailed clicking through several African banks’ websites and login pages, was an eye-opener in this regard.

As protection for Internet banking, the majority of banks appear to rely on only the traditional username and PIN/password combination, with no second factor, much less something out of band. Another outdated feature that cropped up often was so-called challenge questions, where users answer a preselected question in order to prove their identity. This approach is too easily overcome through simple sleuthing on social media.

Virtual keyboards for completing sensitive fields also seem to be a popular safety precaution, because they are trusted to be immune to keylogging. However, this is not necessarily the case – some commercially available virtual keyboards have failed penetration testing.

One of the sampled banks describes its primary security measure as follows:

“The risks for using the service have been minimised in that funds can only be transferred to nominated accounts. Even if someone steals your mobile phone and somehow finds out your PIN, the worst thing that can happen is they can check your balance, transfer funds to your nominated accounts (spouse, child etc.), top up your phone and probably pay your bills. They can’t transfer funds to their own accounts if they have not been nominated. Please note that you can nominate an account for a one-time transfer and immediately request for a deletion.”

Aside from the fact that this strategy still leaves room for exploitation, it also exemplifies the pivotal problem of digital banking technology: greater convenience brings greater risk. If a bank cannot fully protect its users’ data and transactions, there is only so much it can reasonably allow those users to do. Additional security measures, on the other hand, increase friction, defeating the “on-the-go” appeal of new digital functionality.

It is clear to me that many of Africa’s banks must improve their approach to digital security, whether they currently only offer Internet banking or have already broadened their channel offerings to include mobile. They need a security solution that will grow with them as they embrace mobile technology, so that they are able to keep offering customers more, responsibly.

Several African banks have already equipped themselves for such a future by securing their online and mobile banking services with Entersekt’s Transakt and Interakt products. Equity Bank is currently implementing these products to enable out-of-band, multi-factor authentication of online banking, mobile banking, mobile money transfer, e-commerce, call center interactions, in-branch interactions, and more. Nedbank offers full-service banking via website or app, including adding beneficiaries, transfers anywhere (no need for nominated accounts), share trading, and insurance. In the same way, Investec’s online banking gives its users access to 24/7 transactional banking for multiple bank accounts from one place. Capitec Bank’s app allows users to make payments securely, track spending, change credit card limits, and even dispute or stop debit orders – a new safety measure.

That’s on-the-go banking that also wins the trust of digital users.