Illustrative image: Bank cards. (Photo: Freepik) | Microchip. (Image: Freepik) | Magnifying glass. (Image: Freepik) | Torn paper. (Image: Freepik) | (By Daniella Lee Ming Yesca) Part 4 of a four-part Daily Maverick series. Read part 1, part 2 and part 3
Midway through the research for this series, an email arrived containing an arresting sentence.
“As far as we know, we are the only bank in the world that can claim zero card fraud and zero phishing,” it said.
The claim came from Lezanne Human, one of the founders of Bank Zero: a South African mutual bank launched in 2021 with a technology architecture built from scratch rather than inherited from decades of legacy systems. Daily Maverick has not been able to independently verify the claim, although it’s been widely reported on.
Bank Zero’s fraud record rests on design decisions that Human describes with the enthusiasm of someone who has thought about little else for years.
Bank Zero’s bank cards can be entirely disabled for use at ATMs. A card patent distinguishes between transactions processed via chip, magnetic stripe or online channel – meaning that the most common form of card cloning, which copies chip data and replays it on a magnetic stripe, is blocked regardless of whether the fraudster has the correct PIN for the card.
A personalised subscriptions list blocks any transaction for a merchant that doesn’t use 3D-Secure authentication on first attempt, adding it to a customer-controlled approval queue rather than simply letting it through.
And on phishing, the bank starts from a deliberately pragmatic assumption.
“We assume you will accidentally divulge your login details at some point, and designed for that,” Human said.
Any unrecognised device attempting to access an account immediately triggers a biometric re-pairing. No one, Human says, can access a Bank Zero profile without the account holder’s live face.
The staffing model matters as much as the technical one. Bank Zero’s support agents cannot conduct transactions or make changes on a customer’s behalf: they cannot load a beneficiary, alter contact details or initiate a transfer, even if working in groups to do so.
“No person has to date been dismissed for having committed fraud against any customers, or for divulging internal information which can be used by external parties to commit customer fraud,” Human told Daily Maverick.
“And the reason for that is because we have straight-through automated processing of all transactions.”
There is, however, a significant catch. Bank Zero’s fraud-free record has been achieved in conditions that no large South African bank actually faces.
Since launching four years ago, Bank Zero had accumulated only around 40,000 funded accounts and R400-million in deposits by 2025. These are figures that a Financial Mail analysis described as respectable for a start-up but “tiny” in relative terms, when compared with digital peers GoTyme Bank’s 12 million customers and Discovery Bank’s 1.2 million – though the latter two banks launched around two years earlier.
Bank Zero’s customer base is also a baked-in advantage from a fraud prevention perspective. These are people already comfortable with digital-only banking, with no branches, no call centres and no physical fallback. Their tech-savviness probably renders them less vulnerable to types of fraud such as phishing from the get-go.
Yet despite these caveats, what the Bank Zero example does demonstrate is that some of the system design decisions that allow fraud to occur are choices, not inevitabilities – and that some of those choices could arguably be made differently without rebuilding everything from scratch.
Discovery Bank makes a similar structural claim about employee access: its staff cannot process transactions or alter account details on a customer’s behalf, and it told Daily Maverick there have been no instances of staff dismissals for client-related fraud.
Discovery’s payment authorisations are blocked during active phone calls: a direct counter to the vishing attacks that the South African Banking Risk Information Centre (Sabric) identified as one of the dominant fraud vectors of 2024. Discovery also has a patented “panic code” which allows customers under duress by criminals – for instance, being made to access their banking app at gunpoint – to enter a secret code rather than their normal password, which alerts the bank.
Both institutions demonstrate what is possible – even if neither operates at the scale of the legacy banks, where that demonstration becomes truly challenging.
“Newer banks have an advantage,” confirms North West University Business School’s forensic expert Albert van Zyl.
He gives another example: information-sharing.
“In the legacy banks, they’re dealing with old systems; the fraud division may sit in a different building and not have access to all the information.”
/file/attachments/orphans/lowcaseB_930447.jpg)
By design: How SA banking puts fraud risk on the customer
One of the characteristics of the South African banking system touched on throughout this series has been the extent to which it ends up making bank fraud the problem of the customer rather than the bank.
Forensic investigator Craig Pedersen has a number of suggestions for how regulatory reform could make a dent in the current South African banking fraud epidemic.
“Much of the problem can be resolved with forced name matching on accounts, more stringent rule-sets applied to new accounts receiving high-value deposits, and verification of the beneficial controller of the account,” Pedersen told Daily Maverick.
The name-matching point deserves emphasis. When a South African makes an EFT payment, the bank processes the transaction on account number and bank identifiers alone. The payee name entered by the sender is not verified against the name on the receiving account.
Standard Bank does offer an optional Account Verification Service at R2 per transaction, but this places the burden of fraud prevention on the individual rather than embedding it in the system.
In the United Kingdom, by comparison, Confirmation of Payee – a mandatory name-checking service that flags mismatches before a payment is sent – has been in force since 2020, with more than two billion checks conducted in 2024 alone. The EU is implementing a comparable requirement.
South Africa has none, and its courts have upheld the principle that the legal risk of paying into the wrong account sits with the sender.
Overseas banking regimes offer further possibilities for re-imagining how South Africa’s institutions approach the problem of bank fraud.
In October 2024, the UK introduced a mandatory reimbursement scheme for the victims of what the UK terms “authorised push payment” fraud, in which a customer is tricked into authorising a payment to a criminal themselves – as is the case in circumstances when the criminal is posing as a representative of the bank’s fraud unit. This form of fraud is very common in South Africa, too.
According to the new rules, payment firms have to reimburse victims up to £85,000 – almost R2-million – except in cases of “gross negligence”, with costs split equally between the sending and receiving institution.
By making banks share in the cost of fraud, the scheme creates a direct financial incentive to more rigorously scrutinise the accounts they open, lowering the possibility for the opening of “money mule” accounts, used to store the proceeds of crime, which Pedersen identifies as the critical enabling layer of the fraud ecosystem.
/file/attachments/orphans/6I1A7208_722878.jpg "Capitec Bank in Midrand. (Photo: Felix Dlangamandla)")
To get a sense of the scale of the mule account problem, Capitec told Daily Maverick that between January 2025 and March 2026 alone, this single bank identified and stopped more than 64,000 mule accounts.
South Africa has no equivalent regulation to the UK’s. Its framework in practice places the burden of proof on the customer to demonstrate they did not enable the fraud, and the National Financial Ombud, as previously mentioned in this series, finds in favour of the banks in 79% of cases.
/file/attachments/orphans/How-to-lower-your-risk-of-bank-fraud_796558.jpg)
How bank clients can fight back
Van Zyl identifies several further areas where the banking sector could do more: stronger collaboration through private bodies like Sabric and the South African Fraud Prevention Service; a genuinely aggressive posture at board level towards technologically enabled financial crime; better integration of fraud risk into new product development; and meaningful investment in both staff and customer education.
He means that customers should be better educated about fraud risks and prevention methods, but there is also an argument to be made that bank clients should learn more about their options when trying to claw back money lost to fraud.
One of the major takeaways of this series, however much banks may officially deny this, is that making as public as possible a stink about fraud appears to heighten victims’ chances of being reimbursed, due to the banks’ reputational sensitivity.
When Ncumisa Fandesi, founder of wildly popular consumer advocacy group 1 Family 1 Stockpile, used her million-member Facebook platform to lobby on behalf of a Ladismith gogo who had seen more than R2-million disappear fraudulently from her account overnight, the relevant bank seemed to change course within days.
The extent to which customers find themselves disempowered when trying to challenge bank decisions on fraud is also not a load-bearing pillar of the current South African system, as much as it may seem that way.
In the third article of the series, we presented the Information Regulator with the arguments local banks routinely use to deny victims access to investigative reports into fraud on their own accounts. The Information Regulator had a different legal opinion on the matter: a position which warrants more consideration.
As we reported, it has also become routine for many of the major South African banks to pair fraud settlement agreements with confidentiality clauses. This is problematic because every victim who accepts those terms is one fewer data point in the public record, and one more case whose details – including, potentially, evidence of systemic failure – is kept entirely from public scrutiny.
Yet this, too, is not an immutable feature of the system, as evidenced by the fact that it is not a universal practice.
Both Capitec and GoTyme Bank told Daily Maverick that they do not require customers to sign non-disclosure agreements when resolving fraud matters. Other major banks should be pushed on why they cannot adopt the same approach.
A failed investigation — and why it failed
This has, in one major respect, been a failed investigation.
We set out to discover why one particular crime category – commercial crime – had almost doubled in police statistics over the decade, when all other categories of crime except kidnapping were following a downward trajectory.
There are many potential answers to that question. One is the advent of AI, which has made it exponentially easier to produce fraudulent documents and scam messages at scale. Another is the scarcity of police investigators and state prosecutors with the necessary forensic knowledge and experience to work on fraud cases – a weakness criminals doubtless exploit.
But Daily Maverick was unable to pry even a general definition of “commercial crime” – one shared by the Hawks, SAPS and the NPA – out of authorities, let alone the full disaggregated dataset of what this crime category actually looks like in practice in South Africa in 2026. The paltry, partial prosecution figures we did obtain provide no reassurance whatsoever that the criminal justice system offers any meaningful backstop to this dangerous epidemic.
Financial institutions, meanwhile, stay mum on all but the broadest brushstrokes of the risk their clients actually face; bundling their fraud losses into categories like “operational risk” in their annual reports. The only useful publicly available figures are for types of fraud specifically affecting banks.
Yet even here, the institution mandated to monitor crimes involving banks, Sabric, is funded by the banks themselves – and judging by Daily Maverick’s difficulties in securing substantive comment from Sabric, is highly wary of releasing any information which could ultimately be damning to the banks’ bottom lines.
It is simultaneously important to acknowledge that banks are easy scapegoats for public unhappiness about wider socioeconomic conditions.
“Banks are vilified, but they really do try,” one anonymous banking veteran stressed to Daily Maverick.
But the real victims of financial crime are not banks. In the past financial year – termed by Business Day a “blockbuster” year for the sector – the top four banks alone reported combined headline earnings exceeding R135-billion.
What lingers instead are the haunting personal stories which continue to pour into Daily Maverick’s inboxes daily.
The impoverished Pilates teacher left to pay off a credit card debt, growing interest monthly, run up by scammers. The terminally ill woman whose dormant account was drained by fraudulent debit orders while her life waned. The grandfather whose life savings were transferred out of his account in a single morning by criminals, leaving him penniless and totally reliant on his children for the money on which to live.
Behind each of those stories is an institution that conducted an investigation the victim was not permitted to see, reached a conclusion the victim was not permitted to challenge with full information, and in some cases offered money the victim was not permitted to talk about.
The public interest in understanding how and why this keeps happening is not served by that arrangement. Nor, ultimately, are the banks themselves – whose greatest long-term asset remains the trust of the people whose money they hold. DM