On 28th July 2021, CFTC received a complaint on alleged unconscionable conduct by First Capital Bank.

Allegedly, on 7th July 2021, the Complainant received a phone call from a person who alleged that he works with the Respondent. The person invited the Complainant to join the Mobile App service offered by the Respondent, which would enable her to remotely transact on her bank account. This process was done and accordingly, she received a message that her phone number was now connected to her bank account.

The Complainant was also sent a passcode for transacting on her account using the Mobile App, which she was told to keep secret. On 9th July 2021, at around 10:50 am, the Complainant received two notifications which indicated that her account had been debited K500,000.00 and then K11,000.00. During this period, she had not conducted any transaction through her account.

The Complainant engaged the Respondent, through the Lilongwe – Gateway Mall branch, where she was advised to fill in the complaint form, which she duly did. The Respondent assured the Complainant that the matter would be addressed as soon as possible. However, despite her continued pursuit of the matter, the Complainant did not receive any substantive feedback or effective remedy from the Respondent.

CFTC investigated the matter under Section 43(1)(g) of the CFTA and found that the Respondent was negligent in implementing some of its security and control measures. The Respondent has introduced a new feature of delaying the activation of the customers’ credentials on the Mobile App by 48 hours in order to verify the authenticity of its customers’ transactions.

In the case of the Complainant, this test failed, but the Respondent went on to activate the Complainant’s credentials without proper confirmation. Failure to adequately implement the safety and control measures makes the Respondent liable in this regard.

Furthermore, the manner in which the Respondent handled the Complainant’s case was negligent, including the fact that the Complainant was not given a substantive update on the progress of her complaint.

Following deliberations, the Commission noted that the conduct by the Respondent was unconscionable, and hence in contravention of Section 43(1)(g) of the CFTA. It further noted that there are lapses in security control measures by the Respondent’s bank, which result in their systems being frequently breached, and that there are several cases reported against the Respondent’s Mobile App.

The Commission resolved and ordered as follows:

  • The Respondent should refund the Complainant a sum of MK511,000.00;
  • The Respondent should review its customer handling processes and ensure that customers are provided timely and sufficient information on their requests;
  • The Respondent should promptly review and strengthen the security and control measures in the usage of the Mobile App;
  • The Respondent should undergo a Compliance Programme with the Commission;
  • The Secretariat should report the Respondent to the Registrar of financial services.