In a major policy directive for combating social engineering and other digital banking frauds, the State Bank of Pakistan (SBP) has directed commercial banks and microfinance banks to improve their digital fraud protection controls and processes by taking timely remedial and preventive control measures.
In case the banks fail to improve their digital fraud protection controls, they will be held responsible for the loss of any customer funds due to delay on their part.
These new measures are part of the wider central bank objective to enhance digital financial inclusion and promote digital financial services by creating and enhancing customer trust in the safety, security and soundness of the digital banking ecosystem, the SBP said in a statement.
The central bank highlighted that with the increasing adoption and usage of digital banking in Pakistan by a large number of financial services users, fraudsters have been taking advantage of a lack of awareness among customers.
SBP said that it has been in constant consultation with the banking industry and other stakeholders to devise controls against sophisticated fraud techniques such as spoofing of banks' official helpline numbers, SIM swap attacks, identity theft, false registrations, etc., as well as to focus on consumer awareness programs by SBP and banks.
The central bank highlighted that on April 14, 2023, it rolled out a new and detailed set of guidelines for enhancing the security of digital banking products and services. These guidelines set out a comprehensive control regime for banks to implement by December 31, 2023.
The new guidelines require financial institutions (FIs) to formulate digital fraud prevention policies to protect their account holders and ensure effective communication of such policies. Accordingly, they will design, review and continuously improve end-to-end processes of digital fraud risk management and customer complaint management in consultation with relevant stakeholders.
According to these guidelines, FIs will design their processes and applications in such a way that the chances of disclosure of customer information, in whole or in part, are eliminated or minimized. Importantly, FIs will realign their processes for fraud risk management and complaint management to ensure that disputes against fraudulent transactions are immediately raised in the Fraudulent Transaction Dispute Handling (FTDH) system.
The central bank said that these guidelines cover areas including governance and oversight of digital frauds, implementation of international standards, and fraud risk management solutions.
This comprehensive control regime will also cover transactional controls such as reasonable and configurable limits to prevent, trace, and stop fraudulent transactions; device registration; monitoring of fraudulent devices, accounts, and transactions; and incident-related controls such as post-incident follow-ups, handling of disputed transactions, and protection of customer data and information, such as encryption.
In one of the major interventions to restrict fraudulently transferred funds from leaving the banking system, SBP has directed banks offering branchless banking wallets to restrict cash-out, mobile top-up, and other online purchases from incoming fund transfers for two hours.
A new liability shift framework is also part of these instructions, under which banks are required to compensate customers for delays on their part in taking timely remedial and control measures, such as delays in blocking digital channels and in raising dispute requests.