Business Maverick

#CR17 leaks: How FNB helped us by not helping us

By Tim Cohen 26 August 2019
President Cyril Ramaphosa. (Image sources: Adobestock / EPA-EFE / Yeshiel Panchia)

The rumpus over the #CR17leaks is fascinating for all kinds of reasons. But occasionally a lone voice pops up above the political maelstrom with a different question: what is the response and responsibility of banks to this apparent grotesque invasion of privacy? If the president’s bank accounts are not secure, whose are?

Among all the political arguments and furious debate about the #CR17leaks, a pertinent question pops up: what is the role of the banks in this process?

I asked the question, and the response was desperately unrevealing. So unrevealing, it was revealing. It’s odd, but that’s how it works.

First, some background. Public Protector Busisiwe Mkhwebane requested information from three banks earlier in 2019 in response to a complaint brought by DA leader Mmusi Maimane in 2018 concerning a R500,000 donation from Bosasa’s Gavin Watson to President Cyril Ramaphosa’s party presidency campaign. The EFF subsequently supported the application in January 2019.

The issue was whether Ramaphosa misled Parliament about the donation. There was a bit of a mix-up here because Ramaphosa responded to a parliamentary question thinking, he says, this was not a campaign donation, but a business transaction between Bosasa’s successor company, African Global Operations, and his son Andile’s advisory business. Later, Ramaphosa discovered there had in fact been a R500,000 donation to his campaign by Watson, and he voluntarily issued a press release saying so, adding that the money was in a trust account awaiting the return.

Mkhwebane nevertheless found in July 2019 that Ramaphosa had misled Parliament. The finding is now under review.

The incident might have been a blip in South Africa’s political storm, were it not for the fact that some of the financial statements the public protector requested have ended up on public media. The issue escalated after it became clear who was on the president’s payroll or donation list, and, sensationally, these names include EFF members, some former DA members, and a bunch of other questionables.

The numbers involved are huge. The main leaked account is an FNB account for a company called Linkd Environmental Services, and the period covers 14 months from December 2016 to January 2018. Just over R360-million entered the account – and just as quickly left it. It seems this was the pay-out account of CR17, or at least one of them.

The payments increase gradually through the year, and then explode from June to November 2017, just before the ANC’s elective conference at Nasrec. Watson’s donation does not appear directly in this account, but there are plenty of transfers of R500,000 or thereabouts through the year.

All kinds of legitimate political questions and debates flow from these revelations, and the publication of the statements is a boon for disclosure generally – but an embarrassment for the security of the banking system. What is their responsibility?

In relation to the leaked account, I asked FNB:

  1. Did FNB provide the account details to the public protector?
  2. If so, in terms of what legislation was this done? What period was requested and delivered? Did it concern all the president’s accounts or just a specified account? Was the president informed that his accounts would be handed over to the public protector prior to handing over the accounts?
  3. If not, I presume the account was hacked. If so, how did the hacking take place? Was the hacking performed by an FNB staff member or from outside the bank? Has anyone been confronted/suspended/investigated or fired as a result?
  4. Has the president complained to the bank about the release of the accounts? If so, what has been FNB’s response? Have the accounts in question been closed? Has the president closed his FNB accounts?
  5. The statements released in the public domain, or portions of them, appear to be not drawn as an ordinary customer’s would, but appear to have been drawn from a database. That suggests the details are the work of a bank insider. What does the account format tell us about how they were published?
  6. Why has FNB taken no legal action to secure the contents of the accounts after they were published?
  7. Have you found any inaccuracies in the public record which do not conform with the actual contents of the accounts? It strikes me, it’s quite easy to adapt the account details with Photoshop, for example, to conform to some ideological purpose. Have you checked whether the accounts, as presented to the public, have been changed in any way?

This was the response:

FNB Response

Due to client confidentiality, FNB cannot comment on the bank accounts of individual customers.


The response came from an anonymous account and was unsigned.

I tried again and sent this email:

Forgive me, but that response is ridiculous in the circumstances. We are not dealing with a situation in which a journalist is asking for the bank to reveal the contents of a client’s accounts, in which case I would understand your response. We are dealing with a situation in which the contents of clients’ accounts have already been made public. I think all clients of the bank would legitimately like to know what steps the bank takes if their account information is distributed willy-nilly on social media. The conclusion I draw from your response is that the bank does nothing. Is that correct?

Questions 1, 2, 4 and 6 have nothing to do with the contents of accounts but instead have to do with the actions of the bank in relation to the publication of contents of one of your client’s accounts.

Could you at least please answer these questions individually and specifically?

In addition, could you tell me, is the duty of a bank to keep its client’s information confidential in terms of legislation and if so, what legislation? Or is it a duty the bank imposes on itself?

This was the response:

The Bank has no further comment on the matter.


Nothing intrigues a journalist more than an attempted shut-out. I investigated further and made some discoveries.

First, FNB and two other banks did send the information in respect of this investigation to the public protector. They did so in terms of section 6, and section 7(4) of the Public Protector Act.

The Office of the Public Protector is one of six organisations that does not require a court order before banks will hand over your personal banking transactions, the others being SA’s intelligence services.

The banks furnish this information in terms of a “discovery request” sent either by the public protector herself or via the Financial Intelligence Centre (FIC). In this case, they were first made to the banks directly, but then went via the FIC, because it seems the public protector messed up the request. This tallies with Mkhwebane’s claim that she obtained the contents of the accounts legally.

All the requests were very specific about which accounts were involved over which periods, suggesting the public protector knew beforehand in detail about where the money came from and where it went.

How did the financial statements go from being privately transferred to the public protector to finding their way into the public domain? This is obviously a closely guarded secret, but we can make some educated guesses.

The accounts in the public domain are in what might be described as a client-report format. In other words, they are in monthly blocks: they have neat little summaries of the total deposited and spent in that particular month.

Information provided by the FIC is normally provided in what might be described as a data-dump format, in other words in a continuous flow from the start to the end date.

The implication is that the data in the public domain is not the information that was provided to Makwebane. But this is not the end of the story. Mkhwebane mentions an unnamed “whistle-blower” in the report and talks about certain emails.

It’s possible that the bank account itself was hacked; the monthly statements do come in a single document of 117 pages. But it’s more likely that what was hacked was not the bank account itself, but one of the president’s emails. What has been published, therefore, is simply a collected version of monthly bank statements. That would lift the responsibility for the leak, to a certain extent, off the banks and on to the president himself or his aides.

But it’s not quite that simple. As mentioned, Mkhwebane does say she was relying on some emails and a whistle-blower. The question is whether those emails, which may have included the monthly statements, were legally obtained. The question for the banks is whether an unencrypted bank statement, sent to an email address, sufficiently secures their client’s privacy. This embarrassing incident appears to suggest it does not.

What it also shows, for better or for worse, is how little data protection South Africans have over the contents of their bank accounts. If – and I’m speculating here – the public protector’s office was to become a tool of, say, the EFF or a faction of the ANC, the public’s privacy protection is extremely low because there appears to be no arbitration process between the banks and the public protector or the intelligence services.

There is one other important issue: what Mkhwebane didn’t ask for. She never asked for the contents of the president’s main bank accounts. Was that an oversight? Or something else? BM



SAA’s new wings undermined by pending questions about its funding model

By Ray Mahlaka

WD-40 is not patented as that would force the makers to reveal its formula.