Beware of banks requesting your location

Risks, the impact on your privacy and what you can do

In recent times, a concerning trend has emerged among South African banks, particularly Capitec Bank and FNB, where customers are increasingly being prompted to enable location services when using their banking apps. Although the purported aim is to enhance security and assist in fraud prevention, consumers should be wary of the potential for privacy invasions and question how their location data is truly being used and protected.

The Growing Privacy Concern

When a banking app requests access to your location data, it enables the bank to track your whereabouts, pinpointing the exact location of transactions. For Capitec Bank users, this prompt appears immediately after logging into the app, presenting an option to either agree or refuse. The positioning and timing of the message may, however, result in consumers inadvertently granting access. In contrast, FNB does not offer a choice at all: location services must be enabled in order for consumers to proceed with the conclusion of certain transactions, which effectively compels users to agree.

This is even more concerning, since the bank has data on our income and spending, our next of kin, where we work, our proof of identity and residence, and even our fingerprints.

FNB justifies this measure as a security tool to combat fraud. By tracking location data, FNB claims it can better identify and prevent fraudulent transactions, especially in cases where devices are stolen or in incidents of phishing. However, these assurances raise several questions. If the system worked as intended, shouldn’t we see a marked decrease in unauthorised access to FNB’s customers’ accounts and fraudulent transactions? And why do numerous consumers continue to report becoming victims of scams and card fraud despite these measures being in place?

Of greater concern is the broader issue of data security and third-party access to consumers’ location data. The recent case in the Cape Town High Court involving Zane Killian has highlighted how location data in the hands of third-party contractors can be mishandled and even exploited for nefarious purposes. It raises further crucial questions for banking customers: Who else has access to the data banks collect? Are banks contracting with third-party providers to process and store location data, and if so, what safeguards are in place to protect this sensitive information from unauthorised access and distribution? What is stopping bank employees from using our data for nefarious ends, such as stalking, identity theft, fraud, impersonation, etc.?

We know that banks have in the past sold their clients’ personal data, resulting in much of the spam that consumers still encounter despite tighter regulation, and they may well still be doing so: Trudie recently experienced a huge uptick in spam calls after applying for vehicle finance.

In terms of section 11 of the Protection of Personal Information Act (POPIA), personal information may only be processed with the informed consent of the individual whose personal information is being processed. By not allowing consumers to conduct transactions unless location services are enabled, FNB arguably breaches POPIA, as customers find themselves between a rock and a hard place: either they consent to location tracking, or they lose access to their accounts or the ability to conclude certain transactions.

Capitec Bank, at the very least, presents a more “optional” approach. However, the manner in which it prompts users is also questionable, as many may unknowingly grant location access due to the prompt’s sudden appearance and the lack of immediate transparency regarding the purpose of the request. This approach lacks genuine consent, as users may not fully understand what they are agreeing to.

Furthermore, under POPIA, parties processing personal information are obligated to take reasonable steps to protect such information and to notify both the Information Regulator and affected individuals in the event of a breach. However, it is often the case that breaches go unreported, leaving consumers unaware and vulnerable to risks they cannot protect against.

The Way Forward for Consumers

Ultimately, consumers deserve transparency, choice, and control over their data. If banks insist on accessing such sensitive information, they must implement robust privacy protocols and adhere to POPIA, ensuring that consumers are fully informed and able to make a choice without coercion. Consent should be informed, explicit and retractable. Additionally, a greater level of oversight is needed to ensure that these banks, and others like them, are not overstepping their bounds by sharing or mismanaging data.

In this ever-connected world, it’s important for consumers to recognise their rights and push back against unnecessary intrusions. So, the next time your banking app requests access to your location, consider the following: Is this truly for your security, or is it another instance of your right to privacy slowly being sacrificed for the sake of convenience?

We also encourage any consumer who feels uncomfortable with FNB’s location tracking to report FNB to the Information Regulator for contravening POPIA by completing the form found at this link: https://inforegulator.org.za/wp-content/uploads/2020/07/FORM-5-COMPLAINT-REGARDING-INTERFERENCE-WITH-THE-PROTECTION-OF-AN-ADJUDICATOR.pdf and emailing it to POPIAComplaints@inforegulator.org.za. On the form you can complain that FNB is not complying with sections 10, 11, 12, 13 and 18 of the Protection of Personal Information Act.

 
