Sim Swapping, Mobile Phone Fraud and RICA 70 of 2002


Citation: Charnelle van der Bijl, 'SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of 2002' (2009) 21 South African Mercantile Law Journal 159-173.

ALWD 7th ed.


Charnelle van der Bijl, SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of
2002, 21 S. Afr. Mercantile L.J. 159 (2009).

APA 7th ed.


van der Bijl, C. (2009). SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of
2002. South African Mercantile Law Journal, 21(2), 159-173.

Chicago 17th ed.


Charnelle van der Bijl, "SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of
2002," South African Mercantile Law Journal 21, no. 2 (2009): 159-173

McGill Guide 9th ed.


Charnelle van der Bijl, "SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of
2002" (2009) 21:2 S Afr Mercantile LJ 159.

AGLC 4th ed.


Charnelle van der Bijl, 'SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of
2002' (2009) 21 South African Mercantile Law Journal 159.

MLA 8th ed.


van der Bijl, Charnelle. "SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70
of 2002." South African Mercantile Law Journal, vol. 21, no. 2, 2009, p. 159-173.
HeinOnline.

OSCOLA 4th ed.


Charnelle van der Bijl, 'SIM-Card Swapping, Mobile Phone Banking Fraud and RICA 70 of
2002' (2009) 21 S Afr Mercantile LJ 159

-- Your use of this HeinOnline PDF indicates your acceptance of HeinOnline's Terms and
Conditions of the license agreement available at
https://heinonline.org/HOL/License
-- The search text of this PDF is generated from uncorrected OCR text.
-- To obtain permission to use this article beyond the scope of your license, please use:
Copyright Information
SIM-Card Swapping, Mobile Phone Banking
Fraud and RICA 70 of 2002
CHARNELLE VAN DER BIJL*
University of South Africa

1 Introduction
SIM ('Subscriber Identity Module')-card swapping and mobile phone banking fraud are forms of fraud encountered in the use of mobile banking services.[1] Mobile banking is a form of wireless electronic banking that does not require a client to bank within traditional banking premises. Electronic banking is a generic term that denotes banking services provided through different access devices.[2] Electronic banking incorporates the use of ATMs, telephone or mobile phone transactions and the Internet.[3] Wireless banking in the form of mobile phone banking may be seen as the next step after Internet banking on a fixed telephone line, and it allows a client to access his accounts via a cellular phone after the mobile banking menu is downloaded onto the SIM-card.[4] Mobile phone banking entails that an application will be loaded onto the SIM-card so that the client can access certain banking services.[5] The Wireless Internet Gateway (WIG) is mostly used in mobile phone banking because it is a menu-driven SIM-card application that 'opens up a channel to the wireless Internet browser on the SIM-card', whereas Wireless Application Protocol (WAP) allows for browsing of the web by allowing a mobile phone to 'retrieve information from the Internet via a server installed on the mobile phone network'.[6] In other words, WIG is mobile banking by means of secure SMS where a banking menu is downloaded onto the SIM-card and encrypted; and WAP is mobile banking where a mobile phone is used to gain access to a bank account via the Internet.[7] The client will normally need to gain access to the access channel through the mobile cellular electronic communications service provider. A bank therefore requires the co-operation of a mobile cellular electronic communications service provider for the delivery of the mobile banking service.[8] The client has to remember his account number and PIN in order to utilise the service.[9] Mobile phone banking enables a client to access his account balances and statements as well as payment histories. SMS notification is used to inform registered users of impending transactions waiting for user authorisation.[10]

* BLC LLB LLD (UP). Associate Professor, Department of Criminal and Procedural Law, College of Law, University of South Africa.
1 See s 1 of the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002. Fraud is the unlawful and intentional making of a misrepresentation that causes actual or potential prejudice to another (CR Snyman Criminal Law 5 ed (2008) at 531; Jonathan Burchell Principles of Criminal Law 3 ed (2005, revised 2008) at 833).
2 Mark Howard & Roger Masefield (eds) Butterworths Banking Law Guide (2006) at 566.
3 The terms 'mobile phone' and 'cellular phone' will be used interchangeably.
4 See Clarissa Muir ABSA's Implementation of Mobile Banking as a Value-Added Mobile Business Offering (unpublished LLM dissertation, University of Johannesburg (2008)) at 144 and 199, available at http://ujdigispace.uj.ac.za:8080/dspace/handle/10210/622. Internet banking refers to the provision of banking services by means of the Internet. It is a remote delivery channel, utilising a fixed line or wireless technology as in the case of cellular phones, for banking or financial services that enables the bank's customers to open and access accounts, to transfer funds between accounts, to access general information on banking services and products, to apply for loans and credit for business or consumer purposes, and to do online brokerage and securities trading as well as facilitating electronic bill presentment and payment. Mobile phone banking is easier and more accessible than Internet banking on a PC, for instance, because most banking customers usually have a cellular phone. See AB Munir Internet Banking: Law and Practice (2004) at 1-2; Howard & Masefield op cit note 2 at 567; Denise Mhlanga 'Forget the Internet; Cellphone Banking Is the Way to Go' Moneyweb's Personal Finance July 2008 at 12-3.
5 'Banking on your SIM Card' Fin24.com Aug 10 2005, available at http://www.fin24.com (visited on 1 October 2008). See Muir op cit note 4 at 137-9 for a detailed explanation of how these systems work. WIG (Wireless Internet Gateway) opens up a channel to the Internet on the SIM-card and enables the use of an application language (WML) that implements SIM Application Toolkit based services. WIG also brings WAP to terminals via SMS. The 'Internet' means the interconnected system of networks that connects computers around the world using the TCP/IP and includes future versions thereof. WAP is a security enabler that provides connectivity between a WAP-based handheld device and a web server. 'WAP' is defined in s 1 of the Electronic Communications and Transactions Act 25 of 2002 ('the ECT Act') as meaning 'Wireless Application Protocol, an open international standard

© 2009. All rights reserved. Cite as: (2009) 21 SA Merc LJ 159-173.
This article investigates mobile phone banking fraud and SIM-card fraud that are encountered in the use of mobile banking services. The legal relationships that exist between a client, a banking institution and a mobile cellular electronic communications service provider will be examined in order to establish who should bear the risk of the monetary loss where SIM-card fraud and mobile banking fraud occur. Regulatory measures that may be applicable to banks and mobile cellular electronic communications service providers in the case of SIM-card swapping and mobile banking fraud will also be examined, and possible solutions to the problem suggested.

2 SIM-Card Swapping
'Swapping' occurs where the fraudster gains access to sensitive information that is sent either via SMS ('Short Messaging Service') to a cellular phone, or to a banking client's e-mail address. The fraudster then poses as the client and has a new card illegally assigned to the same cellular phone number as the original SIM-card, via a SIM-card 'swap'.[11] The one SIM-card is therefore 'swapped' for another SIM-card, and the cell phone service provider will then transfer the SIM-card identity of that particular client to that of the fraudster.[12] The previous SIM-card is then cancelled. Consequently, the legitimate owner of the original SIM-card no longer receives any notification SMSs and is therefore oblivious to the fraud being perpetrated against him. As the fraudster is allocated the cellular phone number and the replacement card, the SMS authorisation facility provided by banks to their clients is intercepted, allowing the fraudster to receive security messages, SMS authorisation reference numbers and the one-time password.[13] The fraudster can then transfer money, create beneficiaries and make payments at will.

SIM-card fraud is also made possible by way of phishing e-mails. Phishing entails that unsolicited e-mails, purportedly from the bank, are sent to clients requesting them to update and verify details such as their PIN ('Personal Identification Number'), password, cellular phone number and address.[14] The client will then be requested to click on a link and update his personal details. Once the link is clicked on, the client is diverted to a fraudulent website. The fraudsters then gain access to the client's personal details and cellular phone number when the client responds to such phishing e-mails.

Banks will usually not try to obtain personal information via computer e-mails, and they usually post warning messages and newsletters to this effect on their websites in order to curb fraud.[15] The unauthorised use of the original mobile phone number as a result of SIM-card swapping could therefore stem from a combination of phishing and a lack of proper identity verification by the mobile cellular electronic communications service provider when an account is opened, or when a SIM-card is swapped at such provider. The next portion of my article explores the relationship between the bank, the mobile cellular electronic communications service provider and their client in order to establish who should bear the loss in cases of mobile banking and SIM-card fraud.

5 (continued) developed by the Wireless Application Protocol Forum Limited, a company incorporated in terms of the laws of the United Kingdom, for applications that use wireless communication and includes Internet access from a mobile phone'.
6 See Muir op cit note 4 at 137, 139, 213.
7 'ABSA Cell Phone Banking', available at http://www.absa.co.za (visited on 3 February 2009). My present article will refer to mobile phone banking, which should be read as including both forms of wireless electronic banking conducted by way of a mobile phone.
8 See Muir op cit note 4 at 211. See cl 4.1 of ABSA's terms and conditions.
9 See also Muir op cit note 4 at 198.
10 Mhlanga op cit note 4 at 12-3.
11 See, eg, 'Security Alert', available at http://www.nedbank.co.za/terms; 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za; 'Protect Yourself From Fraud', available at http://standardbank.co.za/Fraudprevention; 'Frequently Asked Questions - Cell Phone Banking', available at http://www.fnb.co.za; Hilda Fourie 'SIM Card Scamsters Net Thousands', available at http://www.fin24.com (all visited on 1 September 2008).
12 SIM-card swapping must be distinguished from SIM-card cloning, which consists of the original SIM-card being duplicated with another SIM-card so that calls or other services will be charged to that account.
13 A number of banks are alerting clients to this form of fraud in security alert bulletins, notices and newsletters. See, eg, 'Security Alert', available at http://www.nedbank.co.za/terms; 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za; 'Protect Yourself from Fraud', available at http://standardbank.co.za/Fraudprevention; 'Frequently Asked Questions - Cell Phone Banking', available at http://www.fnb.co.za (all visited on 1 September 2008).
14 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za; 'Protect Yourself from Fraud', available at http://standardbank.co.za/Fraudprevention (visited on 1 September 2008); Mark T Gillett, Obrea O Poindexter & M Sean Ruff 'Developments in Cyberbanking' (2004-2005) 60 Business Lawyer 757 at 770-3; Lauren L Sullins '"Phishing" for a Solution: Domestic and International Approaches to Decreasing Online Identity Theft' (2006) 20 Emory International LR 397 at 400 ff.
15 See, eg, 'Security Alert', available at http://www.nedbank.co.za/terms; 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za; 'Protect Yourself from Fraud', available at http://standardbank.co.za/Fraudprevention; 'Frequently Asked Questions - Cell Phone Banking', available at http://www.fnb.co.za (all visited on 1 September 2008).
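The interception described in this section is what a bank's fraud controls have to reckon with: once the operator has re-issued the SIM, every SMS the bank sends to the registered number (notifications, authorisation reference numbers, the one-time password) reaches the fraudster, so an SMS OTP is no proof that the account holder is on the other end. The following Python script is an added illustration and not part of the article or of any bank's or operator's system. It assumes a hypothetical feed of SIM-swap notifications from the operator (the co-operation between bank and provider that section 1 mentions) and a hypothetical log of OTP-authorised banking actions, and shows the kind of correlation a bank can run: an action authorised by SMS OTP on a number whose SIM was re-issued within an assumed 48-hour window is held for confirmation over a channel the swapped SIM cannot intercept, with the money-moving actions the article names (creating beneficiaries, payments) treated as the highest risk. The record layouts, the window and the sample data are all constructed for the example.

```python
"""Correlate operator SIM-swap notifications with SMS-OTP-authorised banking
events.  Added example: the record layouts, the 48-hour window and the sample
data are assumptions made for this illustration, not any real interface."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: an SMS OTP sent to a number whose SIM was re-issued within
# this window is not trusted on its own.
SWAP_WINDOW = timedelta(hours=48)
# The actions the article says a fraudster performs once OTPs are intercepted.
HIGH_RISK_ACTIONS = {"create_beneficiary", "payment"}


@dataclass(frozen=True)
class SimSwap:
    """One SIM re-issue notified by the operator for a cellular number (MSISDN)."""
    msisdn: str
    at: datetime


@dataclass(frozen=True)
class OtpEvent:
    """A mobile-banking action that was authorised with an SMS one-time password."""
    account: str
    msisdn: str
    action: str
    amount: float
    at: datetime


def recent_swap(swaps, msisdn, at):
    """Most recent swap of `msisdn` inside the SWAP_WINDOW ending at `at`, else None."""
    inside = [s for s in swaps
              if s.msisdn == msisdn and timedelta(0) <= at - s.at <= SWAP_WINDOW]
    return max(inside, key=lambda s: s.at) if inside else None


def assess(event, swaps):
    """Decide how to treat one OTP-authorised event.

    'allow'  - no recent swap on the number; the OTP is as good as it ever was.
    'review' - recent swap but a low-risk action (e.g. balance enquiry): log and alert.
    'hold'   - recent swap plus a money-moving action: do not execute on the SMS
               OTP alone; confirm through a channel the swapped SIM cannot
               intercept (a call-back to a pre-registered alternative contact,
               or an in-branch check).
    """
    if recent_swap(swaps, event.msisdn, event.at) is None:
        return "allow"
    return "hold" if event.action in HIGH_RISK_ACTIONS else "review"


def triage(events, swaps):
    """Return [(account, action, decision)] for a batch of events."""
    return [(e.account, e.action, assess(e, swaps)) for e in events]


# Constructed sample data (not real numbers or accounts).
T0 = datetime(2008, 9, 1, 10, 0)
SAMPLE_SWAPS = [SimSwap("+27820000001", T0)]
SAMPLE_EVENTS = [
    OtpEvent("ACC-1", "+27820000001", "balance_enquiry", 0.0, T0 + timedelta(minutes=30)),
    OtpEvent("ACC-1", "+27820000001", "create_beneficiary", 0.0, T0 + timedelta(hours=1)),
    OtpEvent("ACC-1", "+27820000001", "payment", 15000.0, T0 + timedelta(hours=2)),
    OtpEvent("ACC-2", "+27820000002", "payment", 500.0, T0 + timedelta(hours=2)),
    OtpEvent("ACC-1", "+27820000001", "payment", 200.0, T0 + timedelta(days=3)),
]

if __name__ == "__main__":
    for account, action, decision in triage(SAMPLE_EVENTS, SAMPLE_SWAPS):
        print(f"{account:6} {action:18} -> {decision}")
```

Run as a script it prints one decision per sample event. The design point is that the decision is driven by the operator's swap timestamp rather than by anything the phone presents, because after a swap the phone number, the OTP and the notification channel are all in the fraudster's hands; the swap feed is therefore the one signal that can distinguish the client from the person holding the replacement card.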

3 The Legal Relationship between the Parties


The legal relationship between the parties to banking is regulated by the contract itself, the general principles of contract law, the Code of Banking Practice, the Financial Intelligence Centre Act 38 of 2001 ('FICA'), the Electronic Communications and Transactions Act 25 of 2002 ('the ECT Act'), and the Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 ('RICA') (as amended by the Regulation of Interception of Communications and Provision of Communication-Related Information Amendment Act 48 of 2008).

3.1 The Terms and Conditions of the Mobile Phone Banking Contract
The relationship between the bank and its customer is usually contractual and is classified as a contract of mandate whereby the bank renders services to the customer upon the latter's instructions.[16] The parties usually have contractual freedom, and the exact terms and conditions of the contract between the bank and its customer are mostly contained in standard contracts.[17] A bank is under an obligation, however, to act in accordance with its mandate with reasonable care, and a failure to do so may result in liability. If payment is made to the wrong person, the mandate has not been complied with, because payment does not accord with the client's instructions. The Internet is one way of transmitting the client's mandate in digital form, and the basic contractual obligations on banker and client will remain the same in an Internet or mobile phone banking transaction.[18]

The customer must also exercise reasonable care so as not to facilitate fraud and must report any unauthorised transactions.[19] But what happens where the fraud is not due to the client's fault and the bank pays out on the mandate of the fraudster, not the client? In a prior article dealing with cloned cheque fraud it was submitted that in the case of a cloned cheque where there is no fault on the part of the drawer, the drawee bank would not be entitled to debit the customer's account with the amount on the forged cheque unless the alteration was apparent, in which case it was argued that the collecting bank could also possibly incur delictual liability where it failed to notice such alteration or if there was negligence in the collection of the cheque.[20] Such payment would not accord with the client's instructions or mandate, and the risk of the loss would lie with the bank for not complying with its mandate in terms of the banker-customer relationship.[21]

In a further article dealing with cloned credit card fraud it was submitted that a different set of principles will apply to credit cards because the Bills of Exchange Act 34 of 1964 does not apply to credit cards and credit cards are not negotiable instruments.[22] As regards cloned credit cards it was suggested that payment made on a cloned credit card is not made with the authorisation of the cardholder (the consumer) and is not conducted on behalf of or at the direction of the consumer, and so it does not accord with the terms and conditions of use and the instructions of the client.[23] Consequently, if payment is made on a separate substitute credit card that purports to be the original card, the issuer should bear the risk because the mandate has not been complied with.[24]

16 JC Stassen 'Die Regsaard van die Verhouding tussen Bank en Kliënt' (1980) 2 Modern Business Law 77 at 79; Standard Bank of SA Ltd v Oneanate Investments (Pty) Ltd 1995 (4) SA 510 (C) at 530; FR Malan & JT Pretorius Malan on Bills of Exchange, Cheques and Promissory Notes in South African Law (2009) in pars 208-9.
17 Ross Cranston Principles of Banking Law (2002) at 144.
18 Howard & Masefield op cit note 2 at 572.
19 Ibid.
20 JT Pretorius & Charnelle van der Bijl 'A New Mode of Forgery: The Rise of Cloned and Washed Cheques' (2006) 18 SA Merc LJ 196 at 200, 202. The cloning of a cheque entails that a cheque is intercepted and the original cheque is used to manufacture a duplicate fraudulent cheque.
Can a bank be held liable where it pays on an unauthorised transaction in the case of SIM-card or cellular phone fraud because payment is neither in accordance with the terms and conditions of use nor on the instructions of the client? The bank is required to make payments on behalf of the correct person, ie, the banking client in the case of the contractual relationships pertaining to the terms and conditions of the mobile phone banking contract. The orders of the client would be carried out as a consequence of the use of the PIN and mobile phone number. Where a new SIM-card is obtained, payment is still possible with the use of the same cellular phone number. What is clear is that the terms and conditions of use are not complied with because payment does not accord with the client's instructions. Usually the approaches that may be adopted by banks in relation to liability due to fraud in Internet banking are regulated by contract and could include:[25]
• the use of terms closely related to those based on card transactions;[26]
• the exercise of a choice by the bank to bear the entire liability unless it can be proved that the customer acted fraudulently;
• the exclusion of all liability by the bank until the bank is notified.
The contractual terms and conditions regarding the allocation of risk may also be influenced by statutes such as FICA, the ECT Act, and RICA.

One would need to examine the role of the SIM-card itself to try to find clarity on who should bear the loss in the case of SIM-card fraud. A SIM-card is defined by RICA as the:
'Subscriber Identity Module which is an independent, electronically activated device designed for use in conjunction with a cellular phone to enable the user of the cellular phone to transmit and receive indirect communications by providing access to telecommunication systems and enabling such telecommunication systems to identify the particular Subscriber Identity Module and its installed information.'[27]
The new SIM-card that enables the cellular phone number to be used in the fraudulent transactions is not the client's but one purporting to be the client's. However, the SIM-card is not issued by the bank. The fraud could take place as a result of a combination of the client's reacting to the phishing e-mail and the mobile cellular electronic communications service provider's providing the SIM-card without proper verification, which thus allows the SIM-card swap to take place.

21 See Tai Hing Cotton Mill Ltd v Liu Chong Hing Bank Ltd & Others [1986] AC 80 at 106B-D. See further Pretorius & Van der Bijl op cit note 20 at 201-2; Malan & Pretorius op cit note 16 at 356.
22 Charnelle van der Bijl 'The Cloning of Credit Cards: The Dolly of the Electronic Era' (2007) 18 Stellenbosch LR 331 at 341.
23 Ibid. See the National Credit Act 34 of 2005. A consumer includes the party to whom credit is granted under a credit facility (s 1).
24 Van der Bijl op cit note 22 at 342. See further Steve Cornelius 'The Legal Nature of Payment by Credit Card' (2003) 15 SA Merc LJ 153 at 168.
25 Munir op cit note 4 at 229.
26 With regard to the unauthorised use of an original credit card and alleged unfair contractual terms, the cases of Diners Club SA (Pty) Ltd v Singh & Another 2004 (3) SA 630 (D) and Sasfin (Pty) Ltd v Beukes 1989 (1) SA 1 (A) would normally apply. See my discussion in Van der Bijl op cit note 22 at 338 ff.
The Financial Intelligence Centre Act provides that an accountable institution, such as a bank, may not establish a business relationship or conclude a single transaction without establishing the identity of the client.[28] Banks therefore have a duty to keep records of accounts and personal particulars of clients. Should an unauthorised banking transaction occur as a result of SIM-card fraud, the fraudster's account should be traceable and the identity of the fraudster established. Should the identity not be established, where, eg, false details were provided, it could be asked whether the risk lies with the bank in such circumstances because it has not complied with FICA. In this regard it could be argued that FICA is clear: its s 21 states that the accountable institution must not only establish the identity of the client, but also verify such details.[29]

The Financial Intelligence Centre Act is aimed at preventing unlawful activities that would include fraud, because the definition of unlawful activity in FICA is read together with, and defined in, the Prevention of Organised Crime Act 121 of 1998 as follows:[30]
'"unlawful activity" means conduct which constitutes a crime or which contravenes any law whether such conduct occurred before or after the commencement of this Act and whether such conduct occurred in the Republic or elsewhere.'

The Electronic Communications and Transactions Act also provides strict guidelines relating to the electronic collecting of personal information. It states that the data controller must have the express written permission of a data subject for the collection of such information, no information may be electronically requested unless it is necessary for a lawful purpose (which specific purpose must be disclosed), and the information may not be disclosed to a third party unless required by law.[31] Furthermore, s 25 attributes messages to the originator if sent by the originator personally, or by a person authorised to act on behalf of the originator or where an information system is programmed to operate automatically on behalf of the originator. Obviously, where phishing takes place, such an e-mail message cannot be attributed to the bank in terms of this section.

27 Section 1.
28 Section 21.
29 Failure to identify persons is made an offence in terms of s 46 of FICA. The penalty is imprisonment not exceeding 15 years or a fine not exceeding R10 000 000 in terms of s 68.
30 Section 1 of the definitions.
31 Section 51.
As the institution liable for payment, a bank will usually be responsible for the authentication of its customers.[32] SMS notification is used to inform registered users of impending transactions waiting for user authorisation.[33] SMSs are also often used in mobile banking as an authentication tool, especially in the case of a PIN or MOPIN ('Personal Identification Number'), which is the client's five-digit authorisation code, selected during the service registration process.[34] One of the main security features for mobile banking is based on the PIN or MOPIN, as well as the fact that only the number registered for the use of mobile phone banking will allow access to the mobile banking service.[35]

The risk for the security of such PIN or MOPIN number will usually lie with the client in accordance with the terms and conditions of the mobile phone banking contract, unless the client can prove that such access was granted because of the negligence of the bank.[36]

The bank has a duty to ensure that its client's information is secure in transactions conducted by mobile banking. At the other end of the scale, the client has a duty to protect his personal information, PIN, password and bank details; should not disclose such details to unauthorised persons; must take reasonable precautions to prevent unauthorised access; and, if it is suspected that such confidential information is compromised, the bank should be informed and the password or PIN changed.[37] Some terms and conditions may further provide that if an unauthorised person uses the PIN and password, that person will be regarded as the client's agent unless the client can prove that such person obtained the password or PIN because of the bank's negligence or internal fraud.[38] Other terms may provide that liability for loss or damage is at the client's own risk and that the secrecy of the PIN lies with the main user.[39]

The Code of Banking Practice also contains provisions regarding the risk allocation pertaining to unauthorised transactions. Under the Code, the client should be reimbursed if the client informs the bank that the PIN or password is compromised and unauthorised transactions take place thereafter.[40] Before the client informs the bank, the risk of unauthorised loss will usually lie with the client.

32 Muir op cit note 4 at 217.
33 Mhlanga op cit note 4 at 12-3.
34 See s A definitions in 'FNB Specific Terms and Conditions for Cell Phone Banking', available at https://www.fnb.co.za (visited on 1 September 2008).
35 See, eg, question 9, which relates to the security of cell phone banking, on 'Frequently Asked Questions - Cell Phone Banking', available at https://www.fnb.co.za (visited on 1 September 2008).
36 See s D cll 1.1 - 1.8 of the 'FNB Specific Terms and Conditions for Cell Phone Banking', also available on https://www.fnb.co.za; cll 8, 22 and 25 of the Standard Bank 'Electronic Banking Agreement', available under self-service agreements on https://www1.encrypt.standardbank.co.za/ADWeb/customer/terms; see also cll 3-4, 7-8 on Nedbank's 'Electronic Banking Services General Terms and Conditions', available at http://www.nedbank.co.za/terms/nedbank_terms2.htm (all visited on 1 September 2008). The phone banking contract might therefore provide that if an unauthorised person obtains the PIN or password, the client will be liable unless the client can prove that such access was granted because of the bank's negligence. See, eg, cl 7 of ABSA's terms and conditions in 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za.
37 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za. See cll 6.1 - 6.2 of the ABSA 'Terms and Conditions Applicable to Electronic Channel Banking Individual Application', available at http://www.absa.co.za (both visited on 1 September 2008).
Ironically, the situation may worsen through the remedies employed (aegrescit medendo), since the same security measures designed to curb fraud in fact enable cellular phone SIM-card swapping to take place! Mobile phone banking contracts may provide clauses to address the question of PIN security and allocation of risk to the effect that:[41]
• a bank will not act unless the client's identity has been established in terms of the PIN;
• the client must take reasonable care to protect the password and PIN numbers; or
• should anyone obtain the MOPIN and cell phone handset with the registered cell phone number, it will be assumed that such person is the client whose transactions are deemed authorised, and the client will be liable for any transactions processed until the service is blocked or suspended.

What has problematic implications for a client is the insertion of a clause to the effect that only transactions requested from the registered cellular phone number will be deemed legitimate and acted upon.[42] This means that the same cellular phone number is used, but not the original SIM-card. When SIM-cards are swapped, the client will also not receive SMSs after the original SIM-card has been deactivated and so the client will inevitably bear the risk of unauthorised use in such cases. A further clause that may place the liability upon the client is a clause that the client will be liable for any unauthorised transaction unless it is due to the bank's negligence or fraud, and that the bank will be indemnified against any loss arising from the use of the cell phone banking service.[43]

38 See cl 7 of the 'ABSA Terms and Conditions Applicable to Electronic Channel Banking Individual Application', available at http://www.absa.co.za (visited on 1 September 2008).
39 See cll 7, 8.4 and 9 of the 'ABSA Terms and Conditions Applicable to Electronic Channel Banking Individual Application', available at http://www.absa.co.za (visited on 1 September 2008).
40 Clause 5.9.
41 See, eg, cll 1.6 and 1.7 of the 'FNB Specific Terms and Conditions for Cell Phone Banking', also available at https://www.fnb.co.za; cl 6 of the 'ABSA Terms and Conditions', available at http://www.absa.co.za; cll 8, 11 and 25 of the Standard Bank 'Electronic Banking Agreement', available under self-service agreements on https://www1.encrypt.standardbank.co.za/ADWeb/customer/terms; see also cll 3, 4, 7-8 on Nedbank's 'Electronic Banking Services General Terms and Conditions', available at http://www.nedbank.co.za/terms/nedbank_terms2.htm (visited on 1 September 2008).
42 See s D cl 1.1 of the FNB 'Specific Terms and Conditions for Cell Phone Banking', also available on https://www.fnb.co.za (visited on 1 September 2008).

3.2 Combating Fraud and the Allocation of Risk Relating to Banks
SIM-card swapping is obviously a crime in the form of fraud and theft."4 It
is fraud because there is the unlawful and intentional misrepresentation that
the SIM-card belongs to the fraudster and there is actual prejudice in the form
of monetary loss for the victim of the mobile phone SIM-card swap. 45 It is
also an act of theft because there is the removal of property with the intention
of unlawfully and intentionally appropriating such property.46 The property
that is stolen or the subject of fraud is electronic money.
What is electronic money? Electronic money is normally viewed as a
substitute for physical cash. 47 Electronic money is defined in art 1 of the
48
European Parliament and Council Directive as follows:
'electronic money shall mean monetary value as represented by a claim on the issuer which is:
(i) stored on an electronic device; (ii) issued on receipt of funds of an amount not less in value
than the monetary value issued; (iii) accepted as means of payment by undertakings other than
the issuer.'
Electronic money is considered to be monetary value and is not considered
legal tender. 49 It does not constitute legal tender because it is not a form of
exchange that is authorised or adopted by government as would be the case,
eg, with coins or bank notes. 50
Effros identifies three basic stages of electronic money:51 its creation;52 its transfer; and its discharge and settlement. The problem of SIM-card fraud will usually present itself in the transfer stage. Who should bear the risk during this stage in the case of an unauthorised transaction concerning electronic money? As Schulze states:53
'The issuers of payment cards and e-money (in South Africa, limited to banks) unilaterally determine the rules and procedures in terms of which cards and e-money are to be used including who bears the risk in the case of loss arising from the use of such products. Suffice it to say that the card or purse holder bears the largest part of the risk of loss resulting from the use of the card or electronic purse.'
It has been suggested that the risk of stolen electronic money should be treated in the same manner as that of stolen credit cards, whereby the liability of the user is limited once the issuer is notified of the loss.54 As far as loss related to counterfeit electronic money is concerned, it has been suggested that the loss should fall on the issuer, who is responsible for the design and underlying security of the system.55 One would perhaps also have to consider whether the issuer could disable the electronic money and, if not, then the risk should be placed on the user.56

43 See s F cll 1.1.1 and 1.3 of the 'FNB Specific Terms and Conditions for Cell Phone Banking', also available on https://www.fnb.co.za (visited on 1 September 2008).
44 The fraudster will obviously be criminally liable for fraud and theft but can also be held liable, in terms of the ECT Act, for additional offences (see ss 86-8). Section 86(1) provides that a person who intentionally accesses or intercepts any data without authority or permission to do so is guilty of an offence, and 'access' is defined in s 85 as including the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.
45 For the definition of fraud, see footnote 1 supra.
46 Snyman op cit note 1 at 484 and also 503 ff. Although theft is a continuing crime, and the bank indirectly takes possession of the 'money' when the 'money' is deposited into the fraudster's account, the bank will not be guilty of theft because there is no intention unlawfully to appropriate the money (at 509).
47 Munir op cit note 4 at 76.
48 Directive 2000/46/EC (OJ L 275 of 27 October 2000).
49 Norbert Horn (ed) Legal Issues in Electronic Banking (2002) at 191-2, 201, 205-7. One view is that electronic money is digital cash, and another that it is a sight deposit (at 193) or even similar to a traveller's cheque (at 194). See also Munir op cit note 4 at 76-80. As regards the discharge of the debt, the position will depend on whether the payment is considered analogous to cash; then the discharge will occur when the electronic money is transferred. If it is regarded as a traveller's cheque that contains stored obligations, then acceptance by a merchant's terminal will constitute a final discharge.
50 See Munir op cit note 4 at 82. The position is unsettled, and it is envisaged that much of the legal relationship between the parties will be regulated by contract (see Horn op cit note 49 at 203). See also Malan & Pretorius op cit note 16 in par 40.
51 Horn op cit note 49 at 203.
52 Ibid. The issuer will usually regulate the terms and conditions relating to the creation of electronic money in a contract. Such terms and conditions will usually also contain a clause relating to the user's liability for unauthorised transfers.
(2009) 21 SA Merc LJ

3.3 Combating Fraud and the Allocation of Risk Relating to Mobile Phone Providers
A bank must carry out the customer's mandate with reasonable care and skill, a duty that extends to intermediaries.57 The question is whether a mobile cellular electronic communications service provider qualifies as an intermediary. The Electronic Communications and Transactions Act defines an 'intermediary' as a person who, on behalf of another person, whether as agent or not, sends, receives or stores a particular data message or provides other services with respect to that data message. In the case of SIM-card swapping it is the mobile cellular electronic communications service provider, and not the bank, that issues the SIM-card. If the failure lies outside the bank's control but within the control of the service provider, as is the case with a swapped SIM-card, one would be hard pressed to hold the bank solely liable. It would appear that some of the risk should be allocated to the mobile cellular electronic communications service provider, which must also exercise reasonable care and skill in issuing SIM-cards.
The Regulation of Interception of Communications and Provision of Communication-Related Information Act was enacted, among other things, to address the theft of mobile phones and mobile phone-related fraud.58 This Act is an important and welcome regulatory measure aimed at curbing fraud, and it will in all likelihood go a long way towards reducing the risk of SIM-card swapping and cellular phone fraud. As far as the provisions relating to SIM-cards are concerned, ss 40(1)(a), 40(2) and 40(3) provide that before a SIM-card is activated, the mobile cellular electronic communications service provider must record and store the Mobile Subscriber Integrated Service Digital Network Number (MSISDN, the subscriber's mobile telephone number) and also record, store, verify and keep proper records of the customer's personal details. Where the person is a South African citizen or is lawfully and permanently residing in South Africa, this information must include the full names and surname, identification number and at least one address of the person who requests that the SIM-card be activated on the electronic communication system of the mobile cellular electronic communications service provider. In the case of non-South African citizens such information must also include the country in which the passport was issued. In the case of juristic persons the full names, surname, identity number and an address of the authorised representative of the juristic person, and the registration number of the juristic person, must be verified and recorded. Failure to comply is an offence, and on conviction a fine not exceeding R100 000 per day on which such failure to comply continues may be imposed on the mobile cellular electronic communications service provider.59 If an employee or agent of the electronic communications service provider knows or suspects that a furnished identity document is false, the matter must be reported to the police within 24 hours.60 Failure to do so is an offence, and a fine or imprisonment not exceeding 12 months may be imposed.
A customer who sells or provides another person with an activated SIM-card without providing the electronic communications service provider with particulars regarding such person may also be guilty of an offence and be sentenced to a fine or imprisonment not exceeding 12 months.61 Juristic persons who furnish activated SIM-cards to employees, and persons who rent activated SIM-cards to other persons, must record and verify such persons' details. A failure to do so is an offence, and the penalty could be a fine not exceeding R2 000 000 or imprisonment not exceeding 10 years.62 Section 41 provides that if a mobile phone or SIM-card is lost, stolen or destroyed, this fact must be reported to a police station within a reasonable time of a person's becoming aware of such loss, theft or destruction.

53 WG Schulze 'Smart Cards and E-money: New Developments Bring New Problems' (2004) 16 SA Merc LJ 703 at 715.
54 Horn op cit note 49 at 204.
55 Ibid.
56 Ibid.
57 Howard & Masefield op cit note 2 at 572.
The disclosure of information obtained by a person in the exercise of his duties is also regulated in terms of s 42 of RICA. Such information may not be disclosed unless it is to a person who requires it for the performance of his duties in terms of that Act or who of necessity supplies it in the performance of such functions, or it is information required by law or for the institution of criminal proceedings.63 Furthermore, if any person is found in possession of a mobile phone or SIM-card where there is a reasonable suspicion that it is stolen, or is unable to give a satisfactory account of such possession, then that person is guilty of an offence and liable to a fine or imprisonment of not more than two years.64 It is also an offence for a person to acquire or receive into his possession a stolen SIM-card or mobile phone without having reasonable cause to believe that such property is that of the person from whom it has been acquired.65 A further offence is committed where a SIM-card or mobile phone is modified, tampered with, altered, reconfigured or interfered with, or where a person reverse engineers, decompiles, interferes with or disassembles the software installed on a cell phone or SIM-card. A fine not exceeding R2 000 000 or imprisonment not exceeding 10 years may be imposed.66 Section 54(2)(a) also makes it a punishable offence, carrying the same punishment as the former, if any person 'intentionally and unlawfully, in any manner modifies, tampers with or interferes with, any interception or monitoring equipment, device or apparatus installed or utilised in terms of the Act'. The failure to report loss, theft or destruction of a mobile phone or SIM-card is made punishable in s 55. Finally, s 49(1) provides that '[a]ny person who intentionally intercepts or attempts to intercept, or authorises or procures any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission, is guilty of an offence'.67
It is therefore evident that the mobile cellular electronic communications service provider can be held liable for certain offences, especially those created by s 40, where, for instance, a replacement SIM-card is swapped or activated without proper verification of the identity of the person requesting it. On the other hand, the customer as well as the fraudster may also be held liable for certain offences created in terms of RICA.

58 This Act has been amended by the Regulation of Interception of Communications and Provision of Communication-Related Information Amendment Act 48 of 2008. See also Jean van Rensburg 'Cell Phones: Use Them, but Don't Lose or Abuse Them' (2003) 11 Juta's Business Law 148.
59 Section 51(3A). The electronic communications service provider also has to ensure that the particulars furnished by customers are secure, because a failure to do so could also incur this same penalty (s 40(4)(a)).
60 Sections 40(8) and 51(3C).
61 Sections 40(5) and 51(3B).
62 Sections 62C and 51(3D).
Other ways in which SIM-card and cellular phone fraud may still occur are where a system malfunction occurs, where employees or agents of the mobile cellular electronic communications service provider perform unauthorised swaps themselves, where customers' details or statements are forged or not properly verified, and where hackers gain access to the personal particulars of mobile banking customers.

63 Section 42(1)(a)-(d).
64 Section 52 read with s 51(1)(b)(ii).
65 Section 53(1) read with s 51(1)(b)(ii).
66 Section 54(1)(a) and (b) read with s 51(1)(b)(i).
67 The penalty in such a case is a fine not exceeding R2 000 000 or imprisonment for a period not exceeding 10 years (s 51(1)(b)(i)). See also ss 2-9, which also regulate the interception of communications.

4 Conclusion
There are inherent risks in the use of banking services. Self-regulation and a number of regulatory measures are aimed at curbing mobile banking and SIM-card fraud. In allocating liability for the loss caused by unauthorised mobile banking transactions and SIM-card fraud, such loss could possibly be apportioned between the parties.68 In the case of ATMs the bank will usually manage the system, but in Internet banking (as would be the case with mobile phone banking) the customer and the bank are both subscribers of a telecommunications or mobile cellular electronic communications service provider.69 As Munir states:70
'Like the customer, the bank is simply a user of the telecommunications service and the technical aspects of the system may be beyond the bank's control .... Fairness requires the apportionment of liabilities among all parties involved ... depending on the relative degree of fault.'
Munir's suggested approach could perhaps be used to allocate the risk of loss between the various parties. In resolving which of the parties should bear the risk of unauthorised transactions, such determination could depend on whether the unauthorised transaction occurred within or outside a specific party's control, the degree of fault displayed by the parties, or whether an offence has been committed in terms of legislation by a specific party or not. Statutory intervention is possibly the best solution to regulate this position, by providing for the apportionment or distribution of liability in such cases to the extent that the acts or omissions of the various parties have contributed to such loss.71
In Pakistan a regulatory framework provides a guideline that deals with privacy protection, network security and complaint redressal.72 In regulating instances of SIM-card fraud, one could also possibly have regard to the Financial Services Authority (FSA) approach to consumer protection followed in the United Kingdom, which concentrates on the different degrees of risk attached to different transactions, the expertise that some customers may have, and the requirement for consumers to take responsibility for their decisions.73

68 See discussion by Munir op cit note 4 at 232-5 (UK), 252-5 (Australia), 295-6 (Malaysia).
69 Idem at 233.
70 Ibid. See also Gita Radhakrishna 'Liability Issues in Internet Banking in Malaysia' (2009) 7 Communications of the IBIMA at 2, available at http://www.ibima.org (visited on 3 August 2009).
71 Munir op cit note 4 at 233. The same or similar principles of apportionment used in the law of delict could be used for guidance. See my discussion in Van der Bijl op cit note 22 at 342-4 in this regard. It could conceivably be argued that the risk of fraud is reasonably foreseeable when mobile banking services are used and that reasonable steps need to be taken to prevent such loss. A standard of reasonableness should be expected from a client, mobile cellular electronic communications service provider or bank. See further Kruger v Coetzee 1966 (2) SA 428 (A) at 430E-F; Mkhatswa v Minister of Defence 2000 (1) SA 1104 (SCA) at 1111-4; Mukheiber v Raath & Another 1999 (3) SA 1065 (SCA); Sea Harvest Corporation (Pty) Ltd & Another v Duncan Dock Cold Storage (Pty) Ltd & Another 2000 (1) SA 827 (SCA); J Neethling, JM Potgieter & PJ Visser Law of Delict 5 ed (2006) at 126-33; Michelle Kelly 'The Apportionment of Damages between a Negligent Collecting Bank and a Thief of Cheques: Does the Apportionment of Damages Act Apply?' (2001) 13 SA Merc LJ 509 at 510.
72 See Banking Policy & Regulations Department, State Bank of Pakistan 'Draft: Policy Paper on Regulatory Framework for Mobile Banking in Pakistan' at 6, available at http://www.sbp.org.pk/Bprd/2007/PolicyPaper_RfMobile anking07-Jun-07 (visited on 28 January 2009). This draft policy is useful because it examines regulatory issues pertaining to mobile banking related to consumer protection, suggested models of banking, the effect of m-banking on the stability of banking and payment systems, e-money regulations and the legal definition of deposit.
If a client responds to an unauthorised e-mail in the form of phishing, it could perhaps be established whether the client took reasonable steps to protect the password or PIN. Reasonable steps can perhaps be established by examining whether the security measures or steps suggested by the banks have been followed, eg,
* whether the PIN is not a number that is easy to guess;
* whether the website has been verified by typing in the website address rather than merely opening links from e-mails;
* whether the site security certificate is checked when verifying details on the Internet;
* whether the browser facility has not been used to store the password; and
* where the client's cellular phone loses its signal (a warning sign that the SIM-card may have been swapped), whether the client followed up with the bank and whether the Internet banking services were suspended to help prevent fraud.74
In Australia, the Electronic Funds Transfer (EFT) Code of Conduct of 2002 regulates fund transfers. In cases of losses due to unauthorised transactions in Internet banking, it takes into account that an 'unauthorised transaction leaves a loss to be distributed between two relatively innocent parties - the account institution and the user'.75 Clause 5.2 of the Code provides that an account holder will not be liable for losses caused by the negligent or fraudulent conduct of the employees or agents of the account institution; by faulty, forged or cancelled access methods; by transactions that occur before the user has received the code, if the code is needed to use the access method; or where the same transaction is incorrectly debited twice.76
In the event of a dispute relating to the receipt of a device or code, it may be presumed that the user did not receive it unless the bank can prove otherwise. Such a provision could similarly apply in the case of SIM-card and mobile phone banking fraud.77 Some security measures suggested by Munir include:78
* the use of a single-use PIN code for each banking transaction, in line with the use of Digitag products;
* double-key secure authentication, where the user must authenticate on two systems; and
* the use of a Public Key Infrastructure for smart phones, consisting of two keys (a public and a private key) that are used to authenticate the user and encrypt the data.
A single-use code only counters SIM-card swapping if it is generated by, or delivered to, something other than the mobile number the fraudster now controls, such as a separate token; a one-time code sent by SMS to the swapped number reaches the fraudster. To limit the risk further, unique information relating to the handset could be used as an authentication mechanism, or voice biometrics (instead of a PIN or password) might well provide a potential solution for the secure authentication of banking and payment transactions.79

73 Howard & Masefield op cit note 2 at 594.
74 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za. See also 'Protect Yourself from Fraud' http://standardbank.co.za/ (Fraud prevention) (visited on 9 October 2008).
75 Munir op cit note 4 at 252-3.
76 Idem at 253 for a discussion of cl 5.3 (where an account holder will not be liable for losses after the institution has been notified of a breach of a code) and cll 5.5-5.6 (where such account holder will be liable for losses).
77 Munir op cit note 4 at 253.
78 Munir op cit note 4 at 149.
79 ATMIA (ATM Industry Association) 'Best Practices for Device Banking Security: International Minimum Security Guidelines for Device Banking Applications' at 22, 24 and 33, available at http://www.atmia.com (visited on 3 October 2008).
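The single-use per-transaction code and the two-factor measures listed above can be made concrete with a small worked example. The following is an added illustration, not code from the article, from Munir, or from any Digitag or bank product: it assumes a customer token holding a secret that is provisioned at enrolment and never stored on the SIM-card, a per-token counter, and a hypothetical bank-side verifier; the account and beneficiary identifiers, the token secret and the amounts are constructed. The code is computed over the counter, the beneficiary and the amount, so a code obtained by someone who controls the victim's mobile number (as after a SIM-card swap) can neither be replayed nor redirected to another account.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


def transaction_code(token_secret: bytes, counter: int, beneficiary: str,
                     amount_cents: int, digits: int = 6) -> str:
    """Derive a single-use code for one specific transaction.

    The secret lives only in the customer's token, never on the SIM-card, so
    whoever now controls the customer's mobile number cannot compute it. The
    counter makes each code usable once; the beneficiary and amount bind the
    code to one transfer, so a code meant for transfer A cannot approve B.
    """
    message = b"|".join([
        str(counter).encode("ascii"),
        beneficiary.encode("utf-8"),
        str(amount_cents).encode("ascii"),
    ])
    digest = hmac.new(token_secret, message, hashlib.sha256).digest()
    # Dynamic truncation in the style of RFC 4226 (HOTP): pick 4 bytes at an
    # offset taken from the last nibble, clear the top bit, reduce to `digits`.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


@dataclass
class TokenRecord:
    secret: bytes
    next_counter: int = 0   # lowest counter the bank will still accept
    look_ahead: int = 5     # tolerate a few codes generated but never submitted


class BankVerifier:
    """Hypothetical bank-side check of a transaction code (illustrative only)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def enrol(self, account: str, token_secret: bytes) -> None:
        self._tokens[account] = TokenRecord(secret=token_secret)

    def authorise(self, account: str, beneficiary: str, amount_cents: int,
                  code: str) -> bool:
        rec = self._tokens.get(account)
        if rec is None:
            return False
        for c in range(rec.next_counter, rec.next_counter + rec.look_ahead):
            expected = transaction_code(rec.secret, c, beneficiary, amount_cents)
            if hmac.compare_digest(expected, code):
                # Consume this counter and any skipped below it: the same code
                # (or an older unused one) can never authorise a second transfer.
                rec.next_counter = c + 1
                return True
        return False


def demo() -> Dict[str, bool]:
    """Legitimate use, a replay, a redirected transfer, look-ahead and a stale code."""
    # Constructed values: a fixed token secret and made-up account identifiers.
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f000112233445566778899aabbccddeeff")
    bank = BankVerifier()
    bank.enrol("ACC-0001", secret)
    results: Dict[str, bool] = {}

    # 1. The customer's token produces a code for R1 500,00 to a known beneficiary.
    code = transaction_code(secret, 0, "PAYEE-LANDLORD", 150_000)
    results["first_use"] = bank.authorise("ACC-0001", "PAYEE-LANDLORD", 150_000, code)
    # 2. The same code submitted again is refused: its counter is consumed.
    results["replay"] = bank.authorise("ACC-0001", "PAYEE-LANDLORD", 150_000, code)
    # 3. A fraudster who learns the customer's next code (for instance by
    #    social-engineering it after a SIM-card swap) aims it at another account.
    code2 = transaction_code(secret, 1, "PAYEE-LANDLORD", 20_000)
    results["redirected"] = bank.authorise("ACC-0001", "ATTACKER-ACC", 20_000, code2)
    # 4. The genuine transfer the code was issued for still goes through.
    results["legit_after_attack"] = bank.authorise("ACC-0001", "PAYEE-LANDLORD", 20_000, code2)
    # 5. The customer abandons counter 2 and submits counter 3; the abandoned
    #    counter-2 code is then dead as well.
    abandoned = transaction_code(secret, 2, "PAYEE-GYM", 50_000)
    used = transaction_code(secret, 3, "PAYEE-GYM", 50_000)
    results["look_ahead"] = bank.authorise("ACC-0001", "PAYEE-GYM", 50_000, used)
    results["stale"] = bank.authorise("ACC-0001", "PAYEE-GYM", 50_000, abandoned)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:>18}: {'accepted' if ok else 'refused'}")
```

The design choice worth noting is that the bank derives the expected code from the transaction it is asked to execute, not from a code it sent out: the customer's token and the bank share a secret, and nothing secret ever crosses the mobile network. A code copied from the customer is useless for any transfer other than the one the customer meant to make.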
