SBP Issues Warning to Banks Over Unauthorized Access of Customer Data

State Bank of Pakistan (SBP) has observed that customers’ information is being accessed by unauthorized persons within the banking system. It has directed commercial banks to safeguard the confidentiality of customers and their data and to reinforce the controls and checks of the banking system as required by law.

The centralization of banks’ core banking systems has made customers’ data accessible across the bank. This access, however, needs to be suitably managed to ensure that only authorized officials access this confidential data, and only for specified purposes. Instances of bank officials with no business need accessing customer-related information and divulging it to unauthorized persons have been noted. Such practices on the part of banks/DFIs are not appropriate and have been viewed seriously.

Section 33A of the Banking Companies Ordinance, 1962, inter alia, requires that a bank/financial institution shall not divulge any information relating to the affairs of its customers.

Accordingly, all banks/DFIs are strictly advised to incorporate the necessary controls, checks and balances in their policies and procedures to stop such practices and to ensure meticulous compliance with Section 33A of the Banking Companies Ordinance, 1962 in letter and spirit.

However, banks may divulge customer information to the authorities in accordance with the law.

The central bank asked banks to reinforce the secrecy of customers’ data with additional measures within the banks and their branches.

In this regard, proper training and instructions should be provided to all staff members to protect customers’ confidential information from unauthorized persons.

Access to information about customers’ account balances and other important information should be available only to the relevant bank official(s) on a need-to-know basis and in accordance with the approved authority, which should be properly documented.

In case of a change in a staff member’s role or responsibilities, all IT access rights no longer required for the new role should be deleted immediately, and any additional rights should be assigned through an approved process. In addition, regular reviews of staff IT access rights should be carried out to ensure that there are no anomalies.

A complete log of all activities relating to the viewing of account balances and/or account statements should be retained for a period decided by the bank. Such logs should be regularly monitored by senior management and reviewed by internal audit to identify any access to customers’ information that is not justified by a business need.
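The three controls above (need-to-know rights documented per role, immediate revocation on a role change with periodic rights review, and audit review of the balance-viewing log) fit together in a small model. The following is an added example written for this page; it is not code from SBP, the circular, or any bank. The role names, the rule that an official may only view accounts held at their own branch, the staff records and every log line are constructed for illustration.

```python
"""Added example, not from the SBP circular: a model of need-to-know rights,
revocation on role change, periodic rights review, and review of the viewing log.
Role names, the branch-scoping rule, staff records and log lines are constructed."""
from dataclasses import dataclass, field

# Constructed, hypothetical approved-authority table: the rights each role may
# hold. A right not listed for a role is, by definition, not a documented need.
ROLE_ENTITLEMENTS = {
    "teller": {"view_balance"},
    "branch_manager": {"view_balance", "view_statement"},
    "marketing": set(),
    "it_support": set(),
}

@dataclass
class Staff:
    staff_id: str
    role: str
    branch: str
    rights: set = field(default_factory=set)

def provision(staff):
    """Grant rights strictly from the approved table for the staff member's role."""
    staff.rights = set(ROLE_ENTITLEMENTS.get(staff.role, set()))
    return staff

def change_role(staff, new_role):
    """Role change: drop every right the new role does not need, immediately.
    Additions come only from the approved table. Returns the revoked rights."""
    new_rights = ROLE_ENTITLEMENTS.get(new_role, set())
    revoked = staff.rights - new_rights
    staff.role = new_role
    staff.rights = set(new_rights)
    return revoked

def review_access_rights(staff_list):
    """Periodic review: any right held beyond what the role grants is an anomaly."""
    anomalies = []
    for s in staff_list:
        excess = s.rights - ROLE_ENTITLEMENTS.get(s.role, set())
        if excess:
            anomalies.append((s.staff_id, sorted(excess)))
    return anomalies

# Constructed viewing log: timestamp|staff_id|action|account|account_branch
ACCESS_LOG = """\
2024-03-01T09:12:00|T100|view_balance|ACC-001|Karachi-Main
2024-03-01T09:15:00|M200|view_balance|ACC-002|Karachi-Main
2024-03-01T09:20:00|T100|view_statement|ACC-001|Karachi-Main
2024-03-01T10:01:00|T100|view_balance|ACC-009|Lahore-Mall
2024-03-01T10:30:00|X999|view_balance|ACC-003|Karachi-Main
"""

def parse_log(text):
    """Parse the pipe-separated log into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, staff_id, action, account, account_branch = parts
        entries.append({"ts": ts, "staff_id": staff_id, "action": action,
                        "account": account, "account_branch": account_branch})
    return entries

def review_log(entries, staff_index):
    """Audit review of the viewing log against current rights. An entry is flagged
    when the viewer is unknown, lacks the right for the action, or (an assumed
    need-to-know rule) viewed an account held at another branch."""
    findings = []
    for e in entries:
        s = staff_index.get(e["staff_id"])
        if s is None:
            reason = "unknown staff id"
        elif e["action"] not in s.rights:
            reason = "no entitlement for action"
        elif e["account_branch"] != s.branch:
            reason = "account outside official's branch"
        else:
            continue
        findings.append((e["ts"], e["staff_id"], e["action"], e["account"], reason))
    return findings

def run_demo():
    """Provision staff, apply a role change, then run both reviews."""
    teller = provision(Staff("T100", "teller", "Karachi-Main"))
    marketing = provision(Staff("M200", "marketing", "Karachi-Main"))
    manager = provision(Staff("B300", "branch_manager", "Karachi-Main"))
    revoked = change_role(manager, "it_support")   # rights go at once
    manager.rights.add("view_balance")             # constructed anomaly: a stale right
    staff = [teller, marketing, manager]
    rights_anomalies = review_access_rights(staff)
    log_findings = review_log(parse_log(ACCESS_LOG), {s.staff_id: s for s in staff})
    return revoked, rights_anomalies, log_findings

if __name__ == "__main__":
    revoked, rights_anomalies, log_findings = run_demo()
    print("revoked on role change:", sorted(revoked))
    print("rights anomalies:", rights_anomalies)
    for f in log_findings:
        print("flagged:", f)
```

The review checks entries against the rights held at review time; a production audit would compare each entry against the rights the official held at the moment of access, which is why the rights history, and not only the current table, needs to be retained alongside the viewing log.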

Any deviation from Section 33A, including the above-mentioned instructions, shall render the concerned bank and the delinquent officials liable to penal action under the relevant provisions of the Banking Companies Ordinance, 1962.