The implementation of the two-pot retirement system edges nearer as the NCOP passed the Pension Funds Amendment Bill (on 25 April 2024), incorporating alterations that resolve certain inconsistencies, and bringing it one step closer to fruition on September 1, 2024.

However, many experts feel that the infrastructure and systems required to roll out this impactful and high-risk financial mechanism are not ready. iiDENTIFii, a leading remote biometric identification provider, has expressed concerns that retirement administrators may not have the security in place to safely and effectively fulfil withdrawals for the two-pot pension system. Inadequate security will have a significant impact on consumers, and the liquidity of the funds themselves. 

“The withdrawal of any funds is sensitive from a security point of view, but even more so when it comes to consumers’ hard-earned savings,” says Lance Fanaroff, Chief Strategy Officer at iiDENTIFii. “Pension capital is high-value and high-risk, first because it has been accumulated over time and gained interest. For many of those already in retirement, it is money that cannot be earned back. Yet, despite the high value of funds under management, the safety processes required to protect these funds are woefully inadequate.” 

South African pension funds have not yet announced the process for drawing down on a pension savings pot, stating that the official process will be shared closer to when the two-pot system goes live.

The funds at stake 

When the two-pot pension legislation becomes effective in September, consumers will be able to access a percentage of their retirement savings, at a minimum of R2 000 and a maximum of R25 000 per tax year. While fund members’ saving pots will be given a boost of 10% of what they have already saved in the fund when this legislation becomes effective, up to a specified limit of R25 000 currently (this cap may change, with the National Treasury currently proposing a limit of R30 000), savings pots will continue to grow with one-third of contributions on an ongoing basis. 

The risk of inadequate security 

“There are several risks to these funds being inadequately protected,” says Fanaroff, “Consumers and pension funds need to be aware that fraudsters are highly attuned to trends and new opportunities to access lump sums of capital. Cyber criminals have already pounced on car, property and legal companies where large sums of money are exchanged and regularly capitalise on seasonal activity or trends such as SARS rebate season. A loss from a fund saving pot not only sets back consumers in terms of savings and lost future compound interest, but it damages the reputation of the pension funds tasked with keeping the money safe.” 

While fraudsters would not be able to drain entire pensions, the savings in a pot is still a significant amount of money to many South Africans. The risk is also set against the context of a difficult economic climate in which 89% of South Africans are planning to continue working after they retire owing to lack of pension monies.

“Retirement administrators also need to consider risk beyond the individual consumer,” says Fanaroff. “Many digital fraud operations take place at scale. A handful of false withdrawals at the limit of R25 000 may not be cause for concern, but what happens when this theft is scaled across all members of the fund, and on an annual, perpetual basis? The advent of the two-pot system will present challenges to liquidity as it is. If a bad actor hit the whole fund at scale, it would have catastrophic implications for funds and their ability to meet their obligations.” 

Retirement administrators have a duty of protection to consumers 

“Funds should have stringent protections in place, more so than banks,” says Fanaroff. “When it comes to any financial services provider, a fault line emerges when it comes to proving that a person is who they say they are. Signatures can be faked. OTPs are vulnerable to interception by criminals who can then use them to access a person’s account. Legacy biometrics such as fingerprints or retina scanning can be spoofed. Through cheap and easily available AI tools, criminals can use AI to mimic a person’s voice and conduct a fraudulent transaction on their behalf.”

Even static face verification is not enough. “Although biometrics offer a more secure means of verification (something you are, instead of something you have, like a password or OTP), fraudsters are becoming increasingly adept at staging attacks that, if successful, could give them access to those pension savings.” Fraudsters posing as a person’s likeness by spoofing easy-to-replicate biometrics could give them access to that person’s pension savings.

iiDENTIFii has seen success in protecting several leading South African banks using its pioneering 4D Liveness® solution. “This is a process that confirms that a person making a transaction is human, who they say they are, and transacting live in the present moment. The person withdrawing the funds takes a selfie and, using a unique sequence of flashing coloured lights, we are able to determine their liveness. By comparing this selfie with relevant government databases, iiDENTIFii’s technology accurately authenticates someone’s identity in just seconds. These advanced algorithms are continually being fine-tuned to stop fraudsters in their tracks,” says Fanaroff.

He concludes, “As pension funds navigate the two-pot pension system, they have a duty of care to protect consumers from fraud. They also need to be prudent when considering the risks to liquidity when fraud is rolled out at scale. This means having the right processes in place to ensure that retirement savings are protected from cyber criminals.”

Posted: May 22nd, 2024