By Johnathan Paoli
Postbank is at the centre of a multi-million rand fraud scandal, with a sophisticated criminal syndicate involving internal employees and external suppliers siphoning over R92 million from the state-owned institution.
Parliament’s economic development and trade committee has condemned the failure to detect the fraud, voicing serious concerns over the institution’s internal controls, oversight and accountability.
Acting committee chair Bones Modise said this week that the revelation added to the growing disillusionment with state employees who were exploiting vulnerabilities and undermining public confidence in government institutions.
“It is unfortunate that Postbank’s system was exposed to outside criminality by employees who work for state entities. The people that one least expects to undo the good work of the government become the same persons who frustrate that good work,” he said.
The scandal surfaced following an extensive forensic investigation conducted by the auditing firm KPMG.
Postbank CEO Ntomoxolo Mbengashe said the probe revealed that R92 million was lost over four separate instances, each involving manipulation of internal processes and unauthorised access to financial systems.
Mbengashe outlined how a coordinated network of internal employees and an external supplier exploited these security gaps, indicating a level of planning that evaded detection for a substantial period.
According to the report, in May 2022, a fraud incident revealed a loss of R1.3 million through unauthorised withdrawals across 49 ATMs, involving 257 bank cards. They were unblocked by an internal user at specific branches, allowing beneficiaries to withdraw funds before the cards were re-blocked.
In October that year, a critical delay in blocking compromised SA Social Security Agency cards led to extensive fraudulent withdrawals across Gauteng, exposing failures in Postbank’s fraud prevention and IT protocols.
In what has been referred to as the “Durban incident”, branch managers, who were suspected of collaborating with skilled attackers, opened fraudulent accounts and made continuous deposit and withdrawal transactions for nearly five hours without detection.
In December last year, Postbank commissioned KPMG to investigate potential “ghost employees” on its payroll. It showed discrepancies, with the audit involving a detailed cross-examination of payroll records, employee directories and credit bureau verification.
Postbank was the main subsidiary of the SA Post Office until last year. Sapo asked for another bailout (R3.8 billion) from the government earlier this year, but it was denied.
Modise raised questions about the protection of employees who detected fraud. He asked if junior staff would feel safe reporting suspicious activity, underscoring a culture within Postbank that may discourage whistleblowing.
He said Postbank’s failure to implement adequate internal controls and proactive security measures left it susceptible to internal fraud.
Communications and Digital Technologies Minister Solly Malatsi flagged these concerns after receiving anonymous letters detailing theft and contract mismanagement.
The correspondence accused Postbank’s management and board of overlooking internal threats, failing to scrutinise service contracts, and even paying for services already rendered in previous contracts, all of which the investigation substantiated.
In response, Postbank’s leadership assured the committee on Wednesday that they had begun taking corrective action to address the breaches.
Mbengashe said several implicated employees were facing disciplinary action, and consequence management protocols were being strengthened.
However, Modise emphasised that disciplinary actions taken after the fact were insufficient to protect public funds, calling instead for a preventative approach to detect and deter potential fraud.
“While we appreciate the efforts being made, this issue goes beyond consequence management. We need a proactive culture that prevents these breaches before they occur, especially within state-owned entities where trust and accountability are paramount,” he said.
The chair reiterated that the committee supported Postbank’s objective of becoming a fully-fledged bank capable of expanding services, especially for the marginalised of the country.
However, despite these assurances, Modise said the committee remained unconvinced of its readiness to operate independently as a bank without overhauling its internal security and governance structures.
The KPMG findings revealed that while 390 employees were legitimate, discrepancies surfaced regarding six former employees with no recorded login activity post-termination, suggesting possible lingering access. Five current employees lack corresponding active directory accounts, raising questions about their system access.
Modise has advocated for stringent measures against employees who misuse their positions for personal enrichment.
“This kind of fraud clearly shows that the government must apply a firm hand on thieves in the system who sometimes are dangerous to their colleagues who are able to identify these kinds of transgressions,” the chair said.
He recommended the immediate implementation of tighter security protocols, stronger whistleblower protections and an internal culture of integrity.
INSIDE POLITICS
