By: Murray Collyer
Soon, South Africans could have the option of placing their retirement fund contributions in two ‘pots’ – the one being the retirement pot and the other being a savings pot that can be accessed by members while still in employment.
BDO, a group of accounting firms, recently referred to this as three pots, in fact, with the third pot being the funds that are vested. This means that fund members can draw down a third of their retirement savings before retirement as opposed to waiting to access the money at retirement.
However, while this development was originally slated for March 2024, the National Treasury has called for a postponement until 2025 to give the investment industry time to have the systems in place to process swift and safe transactions. During this preparation period, one of the key considerations pension funds need to bear in mind is how to protect consumers from fraudulent, high-value withdrawals of their hard-earned pension money.
We support a considered approach to the rollout of the two-pot pension system. Once introduced, it provides the potential for easier access to valuable investments. It is the perfect target for fraudsters, who can use the latest technology to prey on unsuspecting transactors. Traditional methods of authentication are not enough. As pension funds navigate this new system, they have a duty of care to protect consumers from fraud. This means having the right processes in place to ensure that retirement savings are protected from cyber-criminals.
What funds are at stake?
It’s important to note that fund members’ savings pots will be given a boost of 10% of what they have already saved in the fund when this legislation becomes effective, up to a specified limit of R25,000 currently (this cap may change, with the National Treasury currently proposing a limit of R30 000). Savings pots will continue to grow with one-third of contributions on an ongoing basis. There will be rules around accessing the savings pot, such as an R2 000 minimum amount and access only being allowed once in a tax year. While fraudsters would not be able to drain entire pensions, the savings in a pot are still a significant amount of money to many South Africans. The risk is also set against the context of a difficult economic climate in which 89% of South Africans are planning to continue working after they retire owing to a lack of pension monies.
Consumers and pension funds need to be aware that fraudsters are highly attuned to trends and new opportunities to access lump sums of capital. Cybercriminals have already pounced on car, property, and legal companies where large sums of money are exchanged, and they regularly capitalise on seasonal activity or trends such as the South African Revenue Services (Sars) rebate season. A loss from a fund savings pot not only sets back consumers in terms of savings and lost future compound interest, but it also damages the reputation of the pension funds tasked with keeping the money safe.
How safe will savings withdrawals from a fund savings pot be?
South African pension funds have not yet announced the process for drawing down on a pension savings pot, stating that the official process will be shared closer to when the two-pot system goes live. The potential of a delayed implementation date gives financial institutions further time to prepare. Already, funds are being prudent in educating members on how accessing the savings pot will ultimately impact retirement savings. As with any financial service, members also need to be educated on keeping their personal identifying data safe to protect them from fraud.
Pension funds need to prioritise identity verification in preparation for the two-pot pension system. For any financial services provider, a fault line emerges when it comes to proving that a person is who they say they are. Signatures can be faked. OTPs are vulnerable to interception by criminals who can use them to access a person’s account. Legacy biometrics such as fingerprints or retina scanning can be spoofed. Using cheap and easily available AI tools, criminals can mimic a person’s voice and conduct a fraudulent transaction on their behalf.
Even static face verification is not enough. Although biometrics offer a more secure means of verification (something you are, instead of something you have, like a password or OTP), fraudsters are becoming increasingly adept at staging attacks that, if successful, could give them access to those pension savings. Essentially, fraudsters who pose as a person by spoofing easy-to-replicate biometrics could gain access to that person’s pension savings.
How pension funds can ensure the safety of consumers
As the two-pot pension system comes into effect, funds can focus on both financial education and security. Many consumers are vulnerable to the increasingly sophisticated social engineering scams that are designed to extract identifying information such as passwords, account numbers, and more.
While consumers need to ensure they don’t give out sensitive personal account information, pension funds have a responsibility to have security in place that is immune to security breaches.
In conclusion, like any new development in access to savings, the two-pot pension scheme potentially introduces a new risk frontier to the financial services landscape. If not secured correctly, fraudsters can assume the identity of consumers and access large sums of money, with potentially life-changing results for members. In their preparation for the two-pot pension scheme’s ultimate rollout, pension funds need to protect members and insurers need to put cover in place to protect against substantial loss of savings. Part of this includes ensuring that their biometrics sufficiently protect against criminals. Having this in place will ensure financial security for consumers.
*Murray Collyer is the Chief Operating Officer at iiDENTIFii.