Ombudsman cites failures in fraud monitoring, transaction limits and regulatory compliance after customer loses savings to scammers
KARACHI: The Banking Mohtasib Pakistan has held a commercial bank liable for a customer’s loss of Rs1.76 million in an online banking fraud case, ruling that the bank failed to comply with key regulatory requirements relating to fraud detection, transaction monitoring and customer protection.
According to the Banking Mohtasib’s findings revealed in the Annual Report 2025, the complainant, a widow and housewife with limited knowledge of digital banking services, had maintained a savings account with the bank since October 2019.
On December 13, 2022, fraudsters impersonating bank officials contacted her through a spoofed telephone call and persuaded her to disclose her internet banking credentials and one-time passwords (OTPs). Using the stolen information, the scammers executed 16 unauthorised online transactions, including eight Inter Bank Funds Transfer (IBFT) transactions, resulting in a total loss of Rs1,757,842.
The customer immediately reported the fraud to the bank. However, after receiving neither reimbursement nor a satisfactory resolution, she filed a complaint with the Banking Mohtasib Pakistan.
In its defence, the bank argued that the customer had voluntarily activated internet banking and that all disputed transactions had been authenticated through valid OTPs sent to her registered mobile number. It maintained that the customer had willingly disclosed her confidential credentials to fraudsters and that there was no evidence of any unauthorised access by bank employees.
The bank further contended that customers bear responsibility for safeguarding their banking credentials under the terms and conditions governing digital banking services.
After examining the evidence and hearing both parties, the Banking Mohtasib rejected the bank’s arguments.
The Ombudsman observed that the complainant had never previously carried out IBFT transactions and had used the account mainly for low-value mobile phone top-ups. The sudden execution of 16 high-value online transfers within a short period was found to be wholly inconsistent with her normal banking behaviour.
The decision noted that the bank failed to explain why the customer’s digital banking transaction limits had been increased and did not maintain an effective real-time monitoring system capable of identifying and responding to suspicious transactions.
The Banking Mohtasib held that the bank had violated Section 30 of the Payment Systems and Electronic Fund Transfer Act, 2007, which requires financial institutions to clearly explain the terms and conditions governing electronic fund transfers in a manner that customers can understand.
The Ombudsman also found the bank in breach of Paragraph (x) of State Bank of Pakistan PSD Circular No. 9 of 2018, which requires banks to establish reasonable daily transaction limits based on a customer’s risk profile.
In addition, the decision concluded that the bank failed to comply with Paragraph (VIII) of SBP PSD Circular No. 9 of 2018, which mandates continuous transaction monitoring and prompt customer contact whenever unusual or suspicious transaction patterns are detected.
The Banking Mohtasib further ruled that the bank had failed to establish the legitimacy of the disputed transactions as required under Section 41 of the Payment Systems and Electronic Fund Transfer Act, 2007, particularly regarding customer disclosure, risk assessment, transaction limits and fraud monitoring.
In light of these regulatory breaches and deficiencies in the bank’s internal controls, the Banking Mohtasib held the bank responsible for the customer’s financial loss.
Following the ruling, the bank complied with the Ombudsman’s order and compensated the customer for the amount lost in the online fraud.