How South Africa's Social Grants System Was Defrauded On A Massive Scale
Activist Israel Nkuna has for years been warning of fraudulent applications for the SRD grant, and that these fraudulent applications have been squeezing out legitimate applicants by using their ID numbers without permission. GroundUp, too, has reported this problem. Then in October, we published an article by Stellenbosch University students who discovered a massive number of fraudulent applications for the SRD grant, and evidence that at least some of these fraudulent applications were succeeding.
Since then, it has become clearer how the SRD grant system has been defrauded at scale. It involves six steps:
First, obtain ID numbers and their associated names from one of the various large leaks of South African data.
Second, open improperly verified accounts with Shoprite or TymeBank, or possibly some other banks as well. This could be done on a laptop or phone without leaving one's home. Shoprite and TymeBank have in recent months tightened up their bank account application processes, so fraudsters can no longer continue to do this.
Third, obtain improperly verified Sim cards. This is easily done by simply going to a local dodgy cellphone shop. But until recently it could even be done entirely online by registering free electronic Sim cards through Me You Mobile . This, too, has since been stopped.
Fourth, use the ID number, telephone number and bank account obtained in the first three steps to apply for an SRD grant.
Fifth, wait for the grant to be paid into the account opened in step two. It seems that every month, Sassa sends ID numbers of applicants to the banks, Sars and Nsfas to check if applicants pass the means test. If the applicant isn't paying income tax, doesn't receive money from Nsfas and has income to their bank account of less than R625/month, the grant is paid.
Sixth, launder the SRD money by transferring it out of the bank account. There are various ways to do this, which we do not describe here.
Doing the above for one SRD grant is not worth the effort. But a determined fraudster or group of fraudsters could make dozens or even hundreds of applications a day. At one point it was possible to carry out the entire process described above using only a laptop. It would also be possible to write a computer program to automate the process, but such sophistication would be unnecessary: going to a shop to buy Sim cards and manually making lots of applications would be very profitable.
Insist banks only accept SRD grants for biometrically verified people who have been validated with a fingerprint or facial scan.
Remove third-party access to the Sassa grant application system, except to authorised institutions that have a legitimate need to access the system. Sassa says it has now done so.
Limit the number of requests a single computer device can make to the Sassa website so that programs making tens, hundreds or thousands of requests to it per second fail. Sassa says it has now done so.
Audit all current SRD grant applications to identify the scale of the fraud, remove fraudulent applications - identifying these might be difficult - and insist that suspicious applications undergo verification. Sassa says an audit "would not assist". But TymeBank says it is "conducting an analysis of transacting behaviour on accounts opened prior to August 2024 that receive grant payments to identify those that are non-legitimate grant beneficiaries".
With regards to the banks mentioned, Sassa works with all banks that are willing to cooperate with us. However, it would not be appropriate for us to comment on fraud within an individual bank's environment.
Sassa unfortunately can't manage a bank's operations, or direct how they choose to engage with their clients. However, we do factor in a bank's risk profile into our fraud risk mitigation measures.