Consumer trust is key to the success of Open Banking initiatives. The highest security and consumer-centric standards are required to build the necessary confidence when using Open Banking products and services. Central or key to the success of Open Banking in South Africa would be compliance with the Consumer Protection Act, 2008 ("CPA").
The CPA's scope and application are both extremely wide. Subject to certain exemptions as discussed below, the CPA applies to:
- the promotion of goods and services;
- all transactions for the supply of goods and services concluded in the ordinary course of business (and for consideration); and
- the goods and services themselves once the transaction has been concluded.
The CPA does not apply to transactions that are specifically exempt, including:
- where a consumer is a juristic person whose asset value or annual turnover, at the time of the transaction, equals or exceeds the threshold (currently ZAR2-million rand); and
- credit agreements under the National Credit Act, 2005, where the goods and services provided under the agreement are not excluded.
Notwithstanding the exclusions listed above, section 5(5) provides that if any goods are supplied within South Africa to a person in terms of a transaction that is exempt from the application of the CPA, those goods and the importer or producer, distributor and retailer of those goods, are subject to the safety recall and product liability provisions set out in sections 60 and 61, respectively.
application of the CPA to financial products and services
''Goods'', in terms of CPA, includes any literature, information, data, software, code or other intangible product written or encoded on any medium, or a licence to use any such intangible product.
The definition of "service" in the CPA includes the provision of any information, advice or consultation. This excludes advice that is subject to regulation in terms of the Financial Advisory and Intermediary Services Act, 2002 ("FAIS") and any banking services, or related or similar financial services, or the undertaking, underwriting or assumption of any risk by one person on behalf of another, except to the extent that any such service constitutes advice or intermediary services that is subject to regulation in terms of FAIS or is regulated in terms of the Insurance Acts.
This definition should be read to mean that if the service provided by the supplier is "advice" or "intermediary services" as defined in FAIS or is a service regulated in terms of the Insurance legislation, these services will be regulated by FAIS or the Insurance legislation respectively and not by the CPA.
However, in terms of section 10 of the Financial Sector Regulation Act, 2017 ("FSRA") the CPA does not, apply to, or in relation to:
- a function, act, transaction, financial product or financial service that is subject to the National Payments System Act, 1998 ("NPS Act") or a financial sector law, regulated by the Financial Sector Conduct Authority ("FSCA") in terms of a financial sector law; or
- the South African Reserve Bank ("SARB") or the Prudential Authority of the SARB.
While section 10 of the FSRA is no model of clarity, what is clear is that it ousts the application of the CPA from any function, act, transaction, financial product or financial service that is subject to the NPS Act or FSCA legislation, such as FAIS. The CPA would however apply to general banking products and services not regulated under FSCA legislation.
CPA considerations in Open Banking
Imagine buying a product, say a cell phone, online and making an Open Banking payment. When the cell phone arrives, it is defective and explodes, causing harm to the consumer or his property. The strict liability provisions in respect of defective products under section 61 specifically provides that a "supplier of services who, in conjunction with the performance of those services, applies, supplies, installs or provides access to any goods, must be regarded as a supplier of those goods to the consumer, for the purposes of this section." Would the consumer have a claim against the Open Banking payment provider in terms of section 61?
Consider also the scenario when paying for the cell phone, it is intercepted by a cyber-attacker and diverted to a fraudulent account. Could the consumer claim that the service provided by the payment provider lacked necessary security measures and "the performance of the services [were not] in a manner and quality that persons are generally entitled to expect" in violation of section 54 of the CPA?
Can Open Banking solutions providers, like fintechs, contract out of liability for, or protect themselves against, such claims? In addition, consideration should also be given to providing terms and conditions and disclaimers in plain language and in compliance with the requirements for notice under section 49 of the CPA.
It is essential to consider CPA issues when designing Open Banking solutions
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.