Are SA’s pension funds secure enough for the two-pot pension system?

by Lance Fanaroff | 29,May,2024 | iiDENTIFii, Q2 2024, Special Feature

The implementation of the two-pot retirement system edges nearer as the NCOP passed the Pension Funds Amendment Bill on 25 April 2024, incorporating alterations that resolve certain inconsistencies and bringing it one step closer to fruition on September 1st of this year.

However, many experts feel that the infrastructure and systems required to roll out this impactful and high risk financial mechanism are not ready. There are some, including us, who have expressed concerns that retirement administrators may not have the security in place to safely and effectively fulfil withdrawals for the two-pot pension system. Inadequate security will have a significant impact on consumers and the liquidity of the funds themselves.

“The withdrawal of any funds is sensitive from a security point of view, but even more so when it comes to consumers’ hard earned savings,” says Lance Fanaroff, Chief Strategy Officer at iiDENTIFii. “Pension capital is high value and high risk, primarily because it has been accumulated over time and gained interest. For many of those already in retirement, it is money that cannot be earned back. Yet, despite the high value of funds under management, the safety processes required to protect these funds are woefully inadequate.”

Herman van Papendorp

South African pension funds have not yet announced the process for a member to draw down on their savings pot, stating that the official process will be shared closer to when the two-pot system goes live.

 The funds at stake

 When the two-pot pension legislation becomes effective in September, consumers will be able to access a percentage of their retirement savings, at a minimum of R2 000, once every tax year. Fund members’ saving pots will be “seeded” with 10% of what they have already saved in the fund as at 31 August 2024 and will continue to grow with one-third of contributions plus investment return every month thereafter.

 The risk of inadequate security

 “There are several risks to these funds being inadequately protected,” says Fanaroff, “Consumers and pension funds need to be aware that fraudsters are highly attuned to trends and new opportunities to access lump sums of capital. Cyber criminals have already pounced on car, property and legal companies where large sums of money are exchanged and regularly capitalise on seasonal activity or trends such as SARS rebate season. A loss from a fund saving pot not only sets back consumers in terms of savings and lost future compound interest, but it damages the reputation of the pension funds tasked with keeping the money safe.”

 While fraudsters would not be able to drain entire pensions, the savings in a pot is still a significant amount of money to many South Africans. The risk is also set against the context of a difficult economic climate in which 89% of South Africans are planning to continue working after they retire owing to lack of sufficient retirement provisions.

 “Retirement administrators also need to consider risk beyond the individual consumer,” says Fanaroff. “Many digital fraud operations take place at scale. A handful of false withdrawals may not be cause for concern, but what happens when this theft is scaled across all members of the fund? The advent of the two-pot system will present challenges to liquidity as it is. If a bad actor hit the whole fund at scale, it would have catastrophic implications for funds and their ability to meet their obligations.”

 Retirement administrators have a duty of protection to consumers

 “Funds should have stringent protections in place, more so than banks,” says Fanaroff. “When it comes to any financial services provider, a fault line emerges when it comes to proving that a person is who they say they are. Signatures can be faked. OTPs are vulnerable to interception by criminals who can then use them to access a person’s account. Legacy biometrics such as fingerprints or retina scanning can be spoofed. Through cheap and easily available AI tools, criminals can use AI to mimic a person’s voice and conduct a fraudulent transaction on their behalf.”

Even static face verification is not enough. “Although biometrics offer a more secure means of verification (something you are, instead of something you have, like a password or OTP), fraudsters are becoming increasingly adept at staging attacks that, if successful, could give them access to those pension savings.” Fraudsters posing as a person’s likeness by spoofing easy-to-replicate biometrics could give them access to that person’s pension savings.

The latest technology has seen success in protecting several leading South African banks. “This is done through a process that confirms that a person making a transaction is human, who they say they are and transacting live in the present moment. The person withdrawing the funds takes a selfie and, using a unique sequence of flashing coloured lights, the technology is able to determine their liveness. This selfie is then compared with relevant government databases, to accurately authenticates someone’s identity in just seconds. And the advanced algorithms are continually being fine-tuned to stop fraudsters in their tracks,” says Fanaroff.

He concludes, “As pension funds navigate the two-pot pension system, they have a duty of care to protect consumers from fraud. They also need to be prudent when considering the risks to liquidity when fraud is rolled out at scale. This means having the right processes in place to ensure that retirement savings are protected from cyber criminals.”

Lance Fanaroff
Chief Strategy Officer at iiDENTIFii | + posts