
Banks Told to Compensate Fraud Victims

The State Bank of Pakistan (SBP) has directed commercial and microfinance banks to compensate their customers within three working days of a fraud being reported if their digital security mechanisms have not been updated as per the given directions.

The rapid growth in Digital Banking Products and Services supports the digital transformation of the financial landscape and enables banks/MFBs to cater to the growing needs of banking customers.

However, the adoption of digitization needs to be supplemented with necessary controls to mitigate the risk of fraudulent activities.


SBP has prepared a set of control measures to enhance the security of digital banking products and services. Banks/MFBs are advised to develop a comprehensive plan with monthly milestones, to be implemented by December 31, 2023 and duly approved by the Chief Executive Officer (CEO), and to submit it to their relevant Banking Supervision Department (BSD) in SBP within thirty (30) days from the issuance date of the circular.

Thereafter, a monthly progress report shall be submitted to the concerned BSD within ten (10) days from the close of each calendar month, the circular issued by the SBP stated.

Compensation to Victim Customers

Banks shall be liable to compensate the customers, in cases where they are unable to establish that the transactions were executed through the customers’ registered devices.

Banks shall be responsible for the loss of any customer funds due to delay on their part in taking timely remedial and control measures such as delay in blocking digital channels, delay in raising dispute requests, etc. In this regard, the FIs shall compensate in whole the customers for such losses.

In case of ab initio false registration of the customer, the concerned FI shall be completely liable if the required controls related to registration were not in place or not properly implemented.

FIs shall offer transactional insurance to their customers at reasonable and competitive charges; the insurance should be activated upon explicit customer consent or request.

Directions for Enhanced Security of Digital Banking

The financial institutions (FIs) including commercial and microfinance banks and branchless banking service providers shall conduct comprehensive investigations of digital banking frauds and prepare formal investigation reports and engage with the customer to transparently present/explain the bank’s findings.

The scope of the investigation shall be end to end (from victim to the ultimate beneficiary) and at least include validation of customer assertions, the potential of internal staff involvement, the role of branchless banking agents (including those responsible for conducting biometric verification), review of PII access logs, gaps or weaknesses in FI’s systems, applications and processes, etc.

Further, FIs shall take action against the branchless banking agents involved in digital frauds and staff delinquent in conducting proper KYC and CDD.

FIs shall implement Data Loss Prevention Controls to prevent the compromise of data, especially customer data. For the convenience of their domestic customers traveling overseas and RDA accountholders, FIs may exempt certain digital channel controls on customers’ request.

FIs shall ensure that the OTPs used for authentication are of reasonable length with appropriate validity (i.e. time out).

In addition to the existing requirements regarding sending free-of-cost transaction alerts on SMS and email (where email IDs are available), the FIs shall also send instant (free of cost) alerts on sign-in from a new device not already registered, password reset, failed login attempts and request for availing lending products. FIs shall prioritize these alerts and also arrange for sufficient capacity/bandwidth for instantly sending these alerts.

FIs shall never communicate the balance available in the account while sending transaction alerts.

The requirement regarding call wait times of not more than one minute for card block requests shall also apply to blocking requests for all digital channels including branchless banking accounts/ wallets, mobile, and internet banking channels, etc.

FIs shall also develop internal procedures for unblocking devices on a case-by-case basis. Further, all devices found to have been used in fraudulent transactions shall be immediately reported to PTA for necessary action and shall be immediately blocked by the FIs.

SBP issued the above directions to the banks/MFBs to implement appropriate controls and remedial measures for enhancing the security of their digital banking products and services.

Published by
ProPK Staff