Standard Bank’s migration to a new online business banking platform has come under scrutiny after a technical flaw reportedly granted some clients unauthorised access to accounts they were not permitted to manage, raising renewed concerns over governance and cybersecurity controls at South Africa’s largest lender by assets.
The issue emerged during the bank’s ongoing migration of business banking customers to a redesigned digital platform introduced in 2024. The upgrade forms part of a broader push by South African banks to modernise digital infrastructure as corporate clients increasingly shift towards self-service online banking, integrated payments and real-time transaction processing.
One affected client told News24 that, after migrating her business account to the new system, she discovered she had been granted full access to the bank account of a trust in which she was listed as a trustee, despite having no operational authority over the account.
According to the client, the account had automatically been linked to her profile through identity verification processes that matched her name and ID number to records associated with the trust. The concern was not merely visibility of account details, but the possibility that the system recognised her device as trusted, potentially allowing transactions to proceed without additional fraud checks or verification steps.
READ – Data Breach at Standard Bank Exposes Client Account Details
The client said she immediately alerted a bank consultant, who removed the account linkage and escalated the issue internally. However, she questioned how many other corporate, trust or body corporate accounts may have been exposed through similar profile-linking errors without the knowledge of account holders.
The incident adds pressure to a banking sector already confronting heightened cybersecurity and data-governance risks. South African financial institutions have accelerated digital transformation programmes in recent years as online transaction volumes surged following the pandemic. According to the South African Reserve Bank, digital banking usage has grown sharply across both retail and commercial clients, with electronic payments now dominating transactional banking activity.
At the same time, cyber threats targeting financial institutions have intensified globally. IBM’s 2025 Cost of a Data Breach report found that the financial services sector remains among the most targeted industries worldwide, with breaches carrying some of the highest remediation and reputational costs. Locally, banks are also operating under tighter scrutiny from regulators enforcing the Protection of Personal Information Act (POPIA), which places strict obligations on institutions handling sensitive client data.
Standard Bank acknowledged that the issue arose during the migration process and stated that, in limited cases, individuals linked to accounts through card usage permissions may have been incorrectly assigned broader profile-level access. The bank said it had proactively engaged affected clients to verify permissions and strengthen controls.
However, the client involved disputed the explanation, maintaining that she had never been an authorised card user on the trust account and had not signed any documentation connected to it.
The bank has not disclosed how many accounts or clients may have been affected, nor when the flaw was first detected internally. It said anomalies were identified through a combination of monitoring systems and direct customer engagement during the migration process.
Following media enquiries, Standard Bank confirmed it had initiated further reviews of migrated profiles and planned additional validation measures to ensure user permissions correctly aligned with formal account mandates.
READ – Inside Job: Standard Bank Backs its own Bench
The development comes only weeks after Standard Bank disclosed a separate cybersecurity incident involving compromised client information, including ID numbers, company registration details and certain credit card data. The breach also affected Liberty, the insurer wholly owned by the banking group.
The succession of incidents is likely to sharpen focus on operational resilience within South Africa’s banking sector at a time when financial institutions are investing billions into digital infrastructure upgrades. According to Statista estimates, South Africa’s digital payments market is expected to exceed US$150 billion in transaction value by 2027, increasing pressure on banks to balance rapid innovation with stronger cybersecurity and governance safeguards.
Industry analysts note that large-scale banking migrations are among the most operationally sensitive processes undertaken by financial institutions because customer permissions, mandates and identity structures are often deeply interconnected across retail, commercial and fiduciary accounts.
Below is a summary of the key issues raised in the Standard Bank incident:
| Issue | Potential Risk |
|---|---|
| Incorrect account linking | Unauthorised account access |
| Trusted device recognition | Potential unverified transactions |
| Migration system flaw | Weak mandate validation |
| Delayed client notification | Governance concerns |
| Recent prior data breach | Increased reputational risk |
| Regulatory exposure | Potential POPIA scrutiny |
The Information Regulator’s potential involvement may become significant if investigations determine that personal or financial information was exposed beyond authorised users. Under POPIA, organisations are required to notify both regulators and affected individuals when security compromises involving personal information are identified.
Standard Bank said it remains committed to maintaining security, governance and customer trust while continuing the migration of business banking clients onto the new platform.