In a major policy directive for combating the menace of social engineering and other digital banking frauds, State Bank of Pakistan (SBP) has directed commercial banks and Microfinance Banks to improve their digital fraud protection controls and processes in order to prevent them, failing which they shall be held responsible for loss of any customer funds due to delay on their part in taking timely remedial, control and preventive measures. These new measures are part of SBP's wider objective to enhance digital financial inclusion and promote digital financial services by creating and enhancing customer trust in the safety, security and soundness of the digital banking ecosystem.

With the increasing adoption and usage of digital banking in Pakistan by a large number of financial services users, fraudsters have been taking advantage of a lack of awareness among customers. SBP has been in constant consultation with the banking industry and other stakeholders to devise controls against sophisticated fraud techniques such as spoofing of banks’ official helpline numbers, SIM swap attacks, identity theft, false registrations, etc., as well as to focus on consumer awareness programs by SBP and banks.

It is worth noting that on April 14, 2023, SBP rolled out a new and detailed set of guidelines on enhancing security of digital banking products and services. These guidelines set out a comprehensive control regime for banks to implement by December 31, 2023. The new guidelines require Financial Institutions (FIs) to formulate a Digital Fraud Prevention Policy to protect their account holders and to ensure effective communication of that policy. Accordingly, they will design, review and continuously improve end-to-end processes of digital fraud risk management and customer complaint management in consultation with relevant stakeholders. According to these guidelines, FIs will design their processes and applications in such a way that the chances of disclosure of customer information, in whole or in part, are eliminated or minimized. Importantly, FIs will realign their processes for fraud risk management and complaint management to ensure that disputes against fraudulent transactions are immediately raised in the Fraudulent Transaction Dispute Handling (FTDH) system.

These guidelines cover areas including governance and oversight of digital frauds, implementation of international standards, and fraud risk management solutions. This comprehensive control regime will also cover transactional controls, such as reasonable and configurable limits to prevent, trace and stop fraudulent transactions; device registration; monitoring of fraudulent devices, accounts and transactions; and incident-related controls such as post-incident follow-ups, handling of disputed transactions, and protection of customer data and information such as encryption, etc. In one of the major interventions to restrict fraudulently transferred funds from leaving the banking system, SBP has directed banks offering branchless banking wallets to restrict cash-out, mobile top-up and/or other online purchases from incoming fund transfers for two (2) hours. A new liability shift framework is also part of these instructions, under which banks are required to compensate customers due to delay on their part in taking timely remedial and control measures, such as delay in blocking digital channels, delay in raising dispute requests, etc.

The circular issued is available at: https://www.sbp.org.pk/bprd/2023/C4-Annex.pdf