Karachi, April 25, 2025 – The Banking Mohtasib Pakistan has ordered a major commercial bank to refund Rs1,295,000 to a customer after it allowed fraudulent transfers from his account through a mobile device that was not verified using biometric authentication, violating key security protocols.
The complainant reported that on April 18, 2024, he received email alerts from the bank about the addition of new beneficiaries to his internet banking account. Shortly afterward, a series of unauthorized Inter-Bank Funds Transfers (IBFT) totaling Rs1.29 million were made without his consent.
An investigation revealed that the bank had permitted these transfers from a newly registered mobile device. While an OTP (one-time password) was sent to the complainant’s registered mobile number during device registration, the bank failed to perform biometric verification through NADRA – a mandatory security step outlined in the State Bank of Pakistan’s (SBP) BPRD Circular #4 dated April 14, 2023.
The complainant, who regularly accessed his account via his registered iPhone, confirmed that he neither registered a new device nor authorized the transfers in question. Although the bank argued that the customer had clicked on a phishing link and compromised his credentials, the Banking Mohtasib concluded that the real issue was the bank’s failure to implement biometric authentication before enabling a new device to initiate transfers.
By bypassing critical verification procedures, the bank exposed the account to unauthorized access and enabled fraudulent transfers. The Mohtasib held the bank accountable for this lapse, ruling that the absence of biometric verification was a direct cause of the loss.
Consequently, the bank was instructed to refund the full amount of Rs1.295 million to the customer. The bank has since complied with the directive.
This incident underscores the need for strict adherence to digital banking security protocols, particularly biometric verification, to prevent unauthorized transfers and protect customer assets.