BANKING COMPLIANCE LAW: LEGAL ASPECTS OF ELECTRONIC BANKING

LEGAL ASPECTS OF ELECTRONIC BANKING
Introduction

Technology in the banking industry has progressed much faster, especially in the last
twenty years. A notable development in the industry is the adoption of information
and communication technologies (ICT) in providing banking products and services,
and the trend has shifted to the use of the internet as a medium through which both
customers and banks perform transactions electronically.

Examples of ICT-based products include Automated Teller Machine (ATM)
transactions, mobile banking and internet banking, among others, which form the
subject of electronic banking, or electronic funds transfers (EFTs).

Electronic funds transfers speed up processing of transactions, reduce costs, are
more convenient and help attract and retain customers.
Electronic Banking (“E-Banking”) definition of terms
Electronic banking

The Bank for International Settlements defines “Electronic banking”, or “e-banking” to include the provision of
retail and small value banking products and services through electronic banking channels as well as large
value electronic payments, and other wholesale banking services delivered electronically.

In other words, e-banking is the use of electronic delivery channels for banking products and services. It is a
subset of e-finance. The most common electronic delivery channels are the Internet, wireless communication
networks, automated teller machines (ATMs), telephones and mobile phones.
Internet banking

Internet banking is an electronic payment system that allows the bank account holder to execute monetary
transactions, such as bill payments, fund transfers, stop payments and balance enquiries, anytime and anywhere
using the bank’s website. Online banking is part and parcel of the core banking system operated by the bank.

Any customer of the bank can avail themselves of this facility by registering with the bank concerned and setting
up a password and other credentials used to verify the account holder. The bank will then allocate a customer
number, called a Personal Identification Number (PIN), a user name, etc., which is linked to the bank account
held by the customer.
Mobile banking

Mobile banking is defined as “...financial services delivered via mobile networks and performed on a
mobile phone / handheld device.”
Mobile payments

Mobile payments refer to the provision of payment services through the use of mobile phones, mostly electronic funds
transfers between a customer’s own accounts, transfers to a third party (beneficiary) or mobile money. A mobile
payment may also refer to the process of two parties exchanging financial value using a mobile device in return
for goods and services.
Mobile money

Mobile money is a form of electronic money and refers to “services that connect consumers financially through
mobile phones. Mobile money allows any mobile phone subscriber – whether banked or
unbanked – to deposit value into their mobile account, send value via a simple handset to another
mobile subscriber, and allow the recipient to turn that value back into cash easily and cheaply. In this
way, m-money can be used for both money transfers and mobile payments.”

Our National Payment Systems Act does not have a definition of electronic banking. It does have
a definition of “payment instruction” which means an instruction to a financial institution to
transfer funds or make a payment, and includes (a) a cheque; and (b) a bank draft; and (c) a
banker’s acceptance; and (d) an instruction made by electronic means.

The Act thus recognizes electronic payments but we have a gap in our laws given that we do not
have a statute that deals with e-banking per se despite its prevalence in our market and the
world over.

The most distinguishing feature of e-banking is that it is a kind of banking that involves the
transmission of money in electronic form using an electronic device. Banking services are fully
automated, such that transactions are concluded without visiting the banking hall or having any
physical interaction with bank personnel.

A bank customer can perform both transactional and non-transactional tasks through e-banking
or online banking, including viewing account balances and recent transactions, downloading bank
statements, funds transfers and paying third parties, including bill payments and third-party fund
transfers.

Banks have even gone further to facilitate transactions such as loan applications, credit & debit
card applications via electronic banking.
E-Banking and bank/customer relationship

Before the emergence of e-banking, banks dealt with cash & coins and cheque payments/ transactions.

The use of cash and cheques necessitated the use of banking halls, since there was a need for customers to be physically
present to facilitate transactions. This by implication dictated the nature of the banker-customer relationship at that time.

In the judgment of Lord Atkin in the case of Joachimson v Swiss Bank (1921) 3 KB 110 at 127, Lord Atkin describes the
relationship between the bank and its customers as one involving obligations on both sides and including the following
conditions:
a) The bank undertakes to receive money and to collect cheques for its customer’s account;
b) The proceeds so received are not to be held in trust for the customer, but the bank borrows the proceeds and
undertakes to repay them;
c) The promise to repay is to repay at the branch of the bank where the account is kept;
d) It includes a promise to repay any part of the amount due against the written order of the customer addressed to the
bank at the branch;
e) Such written orders may be outstanding in the ordinary course of business for two or three days;
f) The bank will not cease to do business with the customer except upon reasonable notice;
g) The customer undertakes to exercise reasonable care in executing written orders so as not to mislead the bank or
facilitate forgery;
h) The bank is not liable to pay the customer the full amount until he demands payment from the bank at the branch at
which the current account is kept.

The emergence of electronic banking has changed banking business and altered the
nature of the banker-customer relationship all over the world by providing bank customers
with, among others, the following benefits:
a) Twenty-four-hour access to their accounts – customers are no longer restricted to
branches.
b) Payments need not be made upon written orders – PIN verification.
c) Widespread use of digital signatures – physical signatures / the requirement to be
physically present at a branch no longer apply.
d) Payments may be made through public access terminals, for instance Automated
Teller Machines – no need to visit the branch.
E-Banking and bank/customer duties

Electronic banking is riddled with complexities and difficulties, in view of the fact that the risks of modern
technology are unforeseeable and some are unavoidable. Consequently, there is a paradigm shift in the
general contractual terms and conditions.

The use of ICT in banking business has added further duties, such as the duty to inform customers about
foreseeable system failures, interruptions caused by scheduled maintenance, and so on.

The current practice by nearly all banks operating electronic banking is to transfer the risk to the customer
by a combined use of general terms and conditions.
1. Banks are obliged not only to establish the identity of their customers (the KYC principle) but also to enquire about
their integrity and reputation.

Section 15(1) of the Money Laundering and Proceeds of Crime Act provides that ‘Every financial
institution and designated non-financial business or profession shall identify every one of their customers
and verify a customer’s identity by means of an identity document, when— (a) opening an account for
or otherwise establishing a business relationship with a customer;’

Section 16 – The identification and verification of the identity of each customer, and the obtaining of other
information required by section 15, shall take place before the establishment of an account or of a
business relationship. Banks are opening instant accounts online: customers supply IDs, and banks are
linked to the Registrar, so once the ID is verified as authentic the account is opened.
2. The use of digital signatures in Zimbabwe – while we do not have legislation that provides for the legal
recognition of electronic instructions, communications and signatures, these are being used in Zimbabwe,
and their use increased during the Covid-19 pandemic. Our Electronic Transactions and Electronic Commerce
Bill has taken long to be finalised; this statute is necessary to provide legal certainty and validity for electronic
transactions in Zimbabwe.
3. There is an obligation on banks to maintain the secrecy and confidentiality of customers’ accounts. In an
e-banking scenario there is a risk of banks not meeting this obligation. Banks may be exposed to an enhanced
risk of liability to customers on account of breach of secrecy, denial of service, etc., because of hacking or other
technological failures. Banks should therefore institute adequate risk control measures to manage such risks.

Banks should protect the privacy of the customer’s data by ensuring:
(i) that the customer’s personal data are used for the purpose for which they were compiled;
(ii) that the consent of the customer is sought before the data is used;
(iii) that the data user may request an amendment of inaccurate data or enforce a remedy against breach of
confidentiality;
(iv) that the processing of children’s data has the consent of the parents.
4. The Cyber and Data Protection Act amends the provisions of sections 163-166 of the Criminal Law
(Codification and Reform) Act [Chapter 9:23] by criminalising offences such as unlawful acquisition
of data, unlawful interference with data, and unlawful disclosure of data and data codes. These criminal
activities attract penalties in the form of fines and custodial sentences ranging from ten to fifteen years.
5. In e-banking there is very little scope for banks to act on stop-payment instructions from customers.
Hence, banks should clearly notify customers of the time frame and the circumstances in which any
stop-payment instruction could be accepted. Section 11 of the National Payment Systems Act provides that:

“Notwithstanding any other law but subject to this section, a payment or transfer which is effected in
accordance with a recognised payment system or a settlement system and which is intended to settle (a) the
payment obligations or settlement obligations of a participant in the system; or (b) what are believed by the
person making the payment or transfer to be the payment obligations or settlement obligations of a participant
in the system; shall be final and irrevocable and shall not be reversed or set aside for any reason whatever:
Provided that, if it subsequently appears that any amount or property so paid or transferred was not in fact due,
it shall constitute a fresh debt owed by the payee or transferee, as the case may be, to the person who made the
payment or transfer.”
E-Banking and wrong payments

If a wrong payment is made, recourse lies in the condictio sine causa (no cause for the transfer in the first place) or
the condictio indebiti (payment made by mistake).

Take and Save Trading CC v Standard Bank of South Africa [2004] 1 All SA 597 (SCA) 10 – funds cannot be
reversed except with the consent of the recipient.

Pestana v Nedbank 2009 2 SA 189 – fraud and theft are grounds for reversal, not an erroneous transfer, unless a third party

Please read W G Schulze, ‘Electronic Fund Transfers and the Bank's Right to Reverse a Credit Transfer: One Big Step (Backwards) for
Banking Law, One Huge Leap (Forward) for Potential Fraud: Pestana v Nedbank (Act One, Scene Two)’
(2008) 20 SA Merc LJ 290-297.

Schulze argues that there could be a number of valid reasons why a bank would be entitled to reverse a credit transfer
unilaterally, for example:
i. in the case of mistaken identity (ie, the money was transferred to the wrong person);
ii. where the wrong amount has been transferred;
iii. where the right amount was transferred to the right person but on the wrong date (ie, prematurely);
iv. where the right amount was transferred to the right person on the right day (as happened in the Pestana case) but the
bank was not entitled to effect the transfer (because the s 99 notice by SARS had already reached Nedbank at the time
when it transferred the money).

Sec 12 of the National Payment Systems Act provides that:

“Notwithstanding any other law, no interdict or other order of any court shall operate to stay any payment or transfer
which is required to be made in accordance with a recognised payment system or a settlement system and which is
intended to settle (a) the payment obligations or settlement obligations of a participant in the system; or (b) what are
believed, by the person who is required to make the payment or transfer, to be the payment obligations or settlement
obligations of a participant in the system.”

Payments and transfers within a settlement system are not subject to interdict or stay. This is meant to address systemic
risk, by avoiding an entity failing to settle because of an interdict or court order.

Unauthorised transactions are a key issue in electronic banking and the question of who bears liability for unauthorised
transactions depends on the circumstances.

Unauthorised transactions occur when an individual other than the customer initiates a transfer without the actual
authority of the account holder, and from which the customer receives no benefit.

In determining liability, the question becomes whether the unauthorised transaction occurred as a result of negligence or
fraud. Where the unauthorised transaction is the result of the customer’s negligence, the liability lies with the
customer: for example, if a customer keeps their PIN with their card or discloses their PIN to a third party. A customer
has a duty not to facilitate fraud and to inform the bank of forgery, so where a customer notices, for instance, that their
card is missing, or that transactions which they have not authorised are going through their account, they have an
obligation to advise their bank immediately, and failing to do so may be considered negligence: London Joint Stock Bank
Ltd v Macmillan and Arthur (1906) AC 439; Greenwood v Martins Bank Ltd (1918) AC 777.
E- Banking and fraud

Where the loss is the result of fraud, e.g. card skimming, liability may lie with the bank if, for instance,
the bank has not put in place adequate risk management measures and strategies to prevent the
fraud.

Commencing 1 January 2022 all banks in Zimbabwe are required to ensure their cards and POS
machines are EMV compliant. In the event that a customer suffers loss where a bank’s cards or
machine is not EMV compliant then liability for such loss lies with the bank.

Banks owe a duty of care to their customers (the Lipkin Gorman and Quincecare cases), so there are instances where, if a
customer suffers loss from fraud, a bank may be found liable for failing to exercise reasonable skill and care, or where the
customer did not actively authorise the transaction. For example, if a customer has a USD debit card and the bank fails to
put in place measures to ensure there are limits on the card per day or per transaction, then the bank may be found
liable if the customer’s card or card details are used for unauthorised transactions. Further, if a customer suffers loss
where their card details are used without the customer being negligent, then the bank is liable for that loss.

McCarthy Ltd v ABSA Bank Ltd 2010 (2) SA 321 – contract between a bank and customer imposes duty on the bank to act
prudently.

Selangor United Rubber Estates Ltd v Craddock 1968 2 All ER 1073 the court held that the bank’s duty of care to its
customers does not only require the bank to interpret the customer’s instructions but may in certain circumstances require
that the bank should make enquiries before acting.

Sometimes customers suffer loss due to fraud but would have authorised the transaction; in such instances banks are
ordinarily not liable for the loss: Tidal Energy v Bank of Scotland plc [2014] EWCA Civ 1107; Philipp v Barclays Bank [2021]
EWHC 10.

In Galactic Auto (Pty) Ltd v Venter [2019] JOL 45546 (LP) a businessman bought a Ford
Ranger that he urgently needed for a new business project. He did an EFT in response to
an email that he received and was expecting from the car dealership. He took delivery of
the Ford Ranger, with it later emerging that the transfer had gone into a fraudulent
account. The dealership then claimed the R380 000 purchase price from him. In this case,
the court found that he should have verified the account number, before making the
transfer and that he still owed the car dealer the money.

In the case of Fourie v Van der Spuy and De Jongh Inc [2019] JOL 45848 (GP) the client
put funds into the attorneys’ trust account, but due to a fraudulent email, the attorneys
paid over R1,7 million into an account from which the money disappeared. The court
noted that the Attorneys Fidelity Fund had issued a risk alert to attorneys, warning that
cyber risks were increasing and that attorneys must take adequate risk mitigation
measures. The court found that the attorneys should have taken precautions and that
they were liable, especially based on their duty of care towards the client.
E-banking and Cyber and Data Protection Act [Chapter 12:07]

Data protection relates to the lawful use of information concerning or about people. This
information is protected as it is recognised that individuals have a right to privacy, in that
their information must not be shared, accessed or used without their approval or in the
absence of other lawful grounds.

Section 57 of the Constitution of Zimbabwe, 2013 protects every citizen’s right to privacy:
‘Every person has the right to privacy, which includes the right not to have - (a) their home, premises or
property entered without their permission; (b) their person, home, premises or property searched; (c)
their possessions seized; (d) the privacy of their communications infringed; or (e) their health condition
disclosed.’

A data controller is a legal or natural person who determines the purpose and means of processing data.

Banks are therefore data controllers in terms of the Act.

A data processor is a legal or natural person who processes data for and on behalf of the controller and under the
controller’s instructions.

This comes with certain responsibilities in the processing of data.

Section 8 of the Act requires that the data controller ensures that the processing of data is necessary, and that data is
processed fairly and lawfully.

Necessary: is the data required and, if so, for what purposes is it required? In addition, the data collected must not be
more than is required. For instance, if the purpose of the data is for opening a bank account, there is no necessity for
asking for personal information on the data subject’s trade union affiliations.

Fairly: in processing data, the data controller must abide by the principles of natural justice, which allow a data subject
to know of the decisions made, the identity of the data controller and the reasons for the data processing. Fairness
requires one to consider all the different issues in relation to how data processing is handled. Being informed of the data
collection and providing consent, if required, constitutes fair processing.

Lawfully: this means that processing must comply with the provisions of the Act. However, lawfulness goes beyond a
single law or the Act, and includes the Constitution and other laws, for instance the Banking Act. In addition, lawfulness
covers other international obligations and instruments that Zimbabwe has ratified and domesticated.

Section 9 of the Act requires that the data controller ensures that data collection is
specified, explicit and for legitimate purposes.

• Specified: The type of data to be collected is known, or clear

• Explicit: The data controller must be clear why they are collecting personal data

• Legitimate: The data controller must indicate what they will use the data for.

In addition to the above, the data controller must document compliance with all the
requirements for processing and meet and comply with the expectations of the data
subject as laid out in legal provisions for lawfulness, and fairness.

The data controller must ensure that if data is then used for other processes different from the initial reason for
collection, that additional use must be compatible with the original collection process.

The data subject must ensure that they are not accepting additional uses without reading the terms and conditions
of services; for instance, when opening accounts you might be asked whether you accept promotional materials being
sent to your address, or credit facilities may ask whether they can share your details with other loan providers.

While the law prohibits further processing, it is acceptable if the new purpose is compatible with the original purpose;
if the data subject agrees or gives specific consent to further processing that is incompatible with the original
collection, then it becomes lawful; and if there are legal grounds allowing further processing in the public interest,
then such processing is lawful.

It is also possible that data might have multiple purposes when collected. The data controller must then be specific for
each purpose, meaning compliance with all data processing requirements for each purpose.

Section 10 of the Act provides for conditions of processing non-sensitive data. This is personal information as
defined in Part I of the Act.

Personal information relating to an identifiable data subject includes the person’s name, address or telephone
number, the person’s race, national or ethnic origin, colour, religious or political beliefs or associations, the
person’s age, sex, marital status or family status, an identifying number, symbol or other particulars assigned to
that person such as a national identity number.

Section 10(1) starts off with consent as a condition of processing, either the consent of the data subject or the
consent of the guardian of a minor. Consent is required but can be implied.

Section 10(2) of the Act allows for consent not to be specific or explicit; it can be implied if the
data subject is an adult.

There is a category of personal information that is considered sensitive (sensitive data or
sensitive personal information). This refers to information of a specific type or class whose
disclosure can lead to specific targeted harms against the data subject, and even harm to
others associated with the data subject, if the information is processed without satisfying certain
requirements at law.

Section 11(1) provides that consent is required, and it must be explicit and in writing from the
data subject, for the processing of sensitive information.

Further, Section 11(2) of the Act allows for consent to be withdrawn at any time, free of
charge.

Section 13 of the Act provides that processing of personal information shall ensure that:

(a) processing is in accordance with the right to privacy of the data subject, meaning the first priority is privacy
preservation before pursuit of data controller interests

(b) processing is lawful, fair, and transparent for the data subject: these are fundamental provisions of data
processing

(c) processing of data is for explicit, specified, and legitimate purposes and not further processed for original
incompatible processes

(d) processing is adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed

(e) collection is only where valid explanation is given for family and private affairs

(f) personal or sensitive data must be accurate, and inaccurate personal data is erased or rectified without delay;

(g) data or information must be kept in eligible format but not beyond the purposes of the collection, meaning that
any further storage should be anonymised

Section 14 of the Act provides for the rights of data subjects as follows:

(a) right to be informed: requiring that the use of the personal information is known to the
data subject;

(b) rights to access personal information in custody of data controller or processor;

(c) right to object to processing, allowing for data subject to object or refuse to have their
personal data processed

(d) right to correction of false or misleading information, requires that if information is
incorrect, inaccurate then it must be corrected

(e) right to deletion of false or misleading data.

Section 15 provides for disclosures that should be made by data controllers when collecting data
from data subjects, unless the data subject already has such information, including:

(a) the name and address of the data controller;

(b) the purpose of the processing;

(c) the right of the data subject to object, by request and free of charge, to the intended processing of
data relating to him or her, if it is obtained for the purposes of direct marketing;

(d) whether compliance with the request for information is compulsory or not, as well as what the
consequences of the failure to comply are;

(e) taking into account the specific circumstances in which the data is collected, any supporting
information, as necessary to ensure fair processing for the data subject, such as— (i) the recipients or
categories of recipients of the data; (ii) whether it is compulsory to reply, and what the possible
consequences of the failure to reply are (iii) the existence of the right to access and rectify the data
relating to him or her except where such additional information, taking into account the specific
circumstances in which the data is collected is not necessary to guarantee accurate processing.

Section 18 provides for the security of data collected from data subjects and provides that:

‘(1) In order to safeguard the security, integrity and confidentiality of the data, the controller or his
or her representative, if any, or the processor, shall take the appropriate technical and
organisational measures that are necessary to protect data from negligent or unauthorised
destruction, negligent loss, unauthorised alteration or access and any other unauthorised
processing of the data.

(2) These measures referred to in subsection (1) must ensure an appropriate level of security
taking into account the state of technological development and the cost of implementing the
measures on the one hand, and the nature of the data to be protected and the potential risks
to the data subject on the other hand.’

This calls for banks to have adequate cyber security systems in place to protect customers’ data.

Section 19 – when there is a security breach, the data controller should advise the Authority of the
breach within 24 hours.

Section 20 of the Act provides for the appointment of a Data Processing Officer. Section 20(5)
of the Act requires every data controller to notify the Authority (Potraz is the Data Control
Authority in Zimbabwe in terms of section 5 of the Act) of the appointment of the DPO, whose
qualifications must meet the criteria set out under Section 20(6), and who must conduct specified tasks.

The DPO should be independent, capable and qualified for this position, to ensure compliance
with the Act by the data controller.

The DPO must be involved in all critical processes relating to protection of personal data so that
they are able to respond to requests.

The DPO must be well resourced to play this role and must not be penalised for either
whistleblowing or in the performance of their duties.

The DPO must be accessible, known and contactable; this is important as the DPO will be the
contact person for data subjects, data controller or data representative officials/employees of
the Authority.

Section 28 provides for the transfer of personal information outside Zimbabwe.

In terms of section 28(1), a data controller may not transfer personal information about a
data subject to a third party who is in a foreign country unless an adequate level of
protection is ensured in the country of the recipient or within the recipient international
organisation, and the data is transferred solely to allow tasks covered by the competence
of the controller to be carried out.

Banks that are part of regional / international banking groups need to be cognisant of this
section.