The State Bank of Pakistan (SBP) has directed commercial banks and financial institutions (FIs) to compensate customers for financial losses within two business days in the event of a data security breach.
In cases where customers’ data has been compromised, FIs must immediately take steps to protect their customers from further losses and inform them within 48 hours about the measures being taken.
FIs will be held responsible for any financial loss incurred by customers due to delays in taking timely remedial actions, such as blocking digital channels or raising dispute requests. In such cases, FIs are required to fully compensate customers for their losses.
The SBP has also instructed FIs to offer transactional insurance to customers at reasonable and competitive rates. This insurance will only be activated upon the explicit consent or request of the customer.
Draft Framework for Consumer Protection
Recently, the SBP released a draft regulatory framework titled “Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF)” as part of its ongoing efforts to strengthen consumer protection and ensure the fair treatment of consumers (FTC).
The draft framework outlines principles and rule-based instructions aimed at promoting responsible business conduct, accountability, and fairness within Pakistan’s financial sector. It emphasizes that customers must be treated with respect, fairness, and transparency in all interactions with financial institutions.
The framework also requires FIs to strengthen their internal controls and reporting mechanisms to ensure that fraud and data breaches are detected and reported to the SBP without delay. Employee accountability must be fixed for any delays in reporting fraud cases to the central bank.
Free Transaction Alerts for Customers
The SBP has mandated that financial institutions send free transaction alerts for all financial transactions performed using RTGS and other digital channels, including ATMs, POS, and internet banking. Additionally, free alerts must be sent for:
- Sign-ins from new devices not already registered.
- Password resets.
- Failed login attempts.
- Requests for availing lending products.
FIs are required to prioritize these alerts and ensure sufficient capacity and bandwidth for their instant delivery.
Enhanced Security Measures
The draft framework also outlines several security measures for FIs, including:
- Enabling customers to activate or block their cards for online or cross-border transactions as needed.
- Ensuring confidential data is deleted from caches and memory after use or uninstallation.
- Erasing sensitive data stored in temporary or permanent memory during logoff or unexpected app termination.
- Restricting credential resets (e.g., user ID/password changes) to registered devices only.
To further enhance security, FIs must implement OTP auto-fetch or auto-fill functionality with sender binding control to restrict manual OTP entry. Where this is not feasible, alternatives such as Robo Call Back (RCB), Call Back Confirmation (CBC), or in-app NADRA biometric verification must be used to authenticate customers.
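The article does not say how "sender binding" is to be implemented, and the SBP draft is policy text rather than a specification. As an added illustration (not from the article or the draft), the example below models one widely used realisation of the idea on Android, the SMS Retriever scheme: the OTP message ends with an 11-character hash derived from the receiving app's package name and signing certificate, and the app only auto-fills a code from a message that carries its own hash, so a manually retyped code or an OTP addressed to a different app is never accepted. The package name, certificate bytes and sample messages are constructed for the demonstration; the hash derivation (SHA-256 over "package_name <hex cert>", first 9 bytes, base64, first 11 characters) follows Google's published scheme, and the 140-byte message limit is its documented constraint.

```python
"""
Added example: OTP auto-read bound to a specific app via an SMS Retriever-style
app hash. Not code from the article or from the SBP draft framework.
Package name, signing certificate and messages below are constructed.
"""
import base64
import hashlib
import re
from typing import Optional

NUM_HASHED_BYTES = 9      # SMS Retriever keeps the first 9 bytes of the SHA-256 digest
NUM_BASE64_CHARS = 11     # ...and the first 11 characters of their base64 encoding
MAX_SMS_BYTES = 140       # messages longer than this are not delivered to the app

# Constructed stand-ins for a real app identity (hypothetical values).
APP_PACKAGE = "com.example.bank"
APP_SIGNING_CERT_DER = bytes(range(32))   # placeholder for the DER-encoded signing cert


def app_hash(package_name: str, signing_cert_der: bytes) -> str:
    """Derive the 11-character app hash that a bound OTP SMS must end with."""
    cert_hex = signing_cert_der.hex()                     # lowercase hex, as Android's toCharsString()
    material = f"{package_name} {cert_hex}".encode("utf-8")
    digest = hashlib.sha256(material).digest()[:NUM_HASHED_BYTES]
    return base64.b64encode(digest).decode("ascii")[:NUM_BASE64_CHARS]


OTP_RE = re.compile(r"\b(\d{4,8})\b")


def extract_bound_otp(sms_body: str, expected_hash: str) -> Optional[str]:
    """
    Return the OTP only if the message is bound to this app: it must fit the
    size limit and its final whitespace-separated token must equal the app
    hash. Anything else returns None, which the caller treats as "do not
    auto-fill" (the user is never offered a manual entry path for it).
    """
    if len(sms_body.encode("utf-8")) > MAX_SMS_BYTES:
        return None
    tokens = sms_body.strip().split()
    if len(tokens) < 2 or tokens[-1] != expected_hash:
        return None
    # Search for the code only in the text before the hash, so digit runs
    # inside the hash itself can never be mistaken for an OTP.
    body_without_hash = " ".join(tokens[:-1])
    match = OTP_RE.search(body_without_hash)
    return match.group(1) if match else None


def demo() -> Optional[str]:
    """Run the check against a constructed bound message for APP_PACKAGE."""
    this_app = app_hash(APP_PACKAGE, APP_SIGNING_CERT_DER)
    sms = f"<#> 482913 is your one-time code for Example Bank. Do not share it. {this_app}"
    return extract_bound_otp(sms, this_app)


if __name__ == "__main__":
    print("app hash:", app_hash(APP_PACKAGE, APP_SIGNING_CERT_DER))
    print("auto-filled OTP:", demo())
```

The same message is silently ignored when evaluated with another app's hash, and a message without a trailing hash, however plausible its text, is never auto-filled; that is the property the "sender binding" requirement is after.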
The draft framework also requires FIs to define and implement rules for managing PIN/password standards, session timeouts, and account locking/unlocking policies. The SBP has invited public feedback on the draft framework, which is open for consultation until September 30, 2025.
In short, cash is king.
Good initiative.
Just an eyewash. The bank has many reasons to refuse to compensate, as they don’t arrange good insurance policies.
A great customer protective measure by SBP.