All commercial banks shall compensate their customers within two (02) business days for any financial loss caused by online fraud incidents, the State Bank of Pakistan (SBP) said in its directives.
All commercial and microfinance banks shall report incidents of online fraud to the central bank’s Banking Policy and Regulations Department (BPRD) within 48 hours of their occurrence so that the criminals can be traced.
The central bank recently chalked out a security plan for banks’ electronic payment services.
For all payment cards, banks shall immediately set reasonable per-day transaction limits, commensurate with their risk appetite and transaction volume, with the payment operators, especially for cross-border usage.
Banks/MFBs shall ensure that their risk exposure remains within the pre-agreed limits set with the international/domestic payment schemes through legally binding contractual arrangements.
The central bank asked that, with effect from January 01, 2019, commercial and microfinance banks send free-of-cost transaction alerts to their customers through both SMS and email (where email IDs are available) for all international and domestic digital transactions, including but not limited to ATM, POS and Internet banking transactions.
Such transaction alerts shall be generated and relayed to customers immediately after the execution of a transaction. For this purpose, registered mobile phone numbers and valid email addresses (where applicable) of all customers shall be obtained, verified and updated in the bank/MFB’s database well before the deadline.
Banks/MFBs shall continuously educate their customers using print, electronic and social media about prevalent banking frauds, including but not limited to call and SMS spoofing, impersonation by fraudsters, etc. Specifically, customers shall be made aware that the banks/MFBs will never ask for personal information by phone or email and that they would be liable for any financial losses in case they share their personal credentials with anyone when approached by person(s) claiming to belong to the bank’s staff, law enforcement agencies, SBP, Benazir Income Support Program (BISP), etc.
Acquiring banks/MFBs shall educate their POS retailers as well as their employees regarding the risks of theft of customers’ card data at POS terminals as well as a mechanism to monitor such risks. Further, the acquirer banks/MFBs shall discourage the practice of card swiping at merchants’ non-POS terminals, especially when the merchant is not PCI DSS compliant.
Henceforth, banks/MFBs shall activate/reactivate online banking services, including internet/mobile banking, for their customers after biometric verification at any branch of their bank. At the time of activation of online services, banks’/MFBs’ relevant staff shall educate customers about various types of online banking frauds as well as the corresponding preventive measures. Banks/MFBs shall be solely responsible for ensuring customer authentication for activation of any ADC, and any loss of customer funds due to false activation of any ADC shall be compensated by the respective bank/MFB.
The central bank warned banks that non-compliance with these instructions will lead to penal action by SBP including but not limited to the suspension of non-compliant digital payment products and services of the banks/MFBs.