SBP directs banks to formulate digital fraud prevention policy to protect account holders

The State Bank of Pakistan (SBP) has issued new policy guidelines for banks in the country, instructing them to formulate a digital fraud prevention policy to safeguard their customers’ accounts.

The banks have also been directed to effectively communicate the policy to their customers. The guidelines require the banks to promote a culture of risk control through prudent and ethical practices and behaviors at all levels of the organization, including people, processes, and technology components.

The SBP has recommended that banks establish and strengthen digital fraud risk management units, which would be overseen by senior management officials. The Board or its designated committee would provide effective management control and oversight. Banks have been advised to allocate resources and provide necessary systems and people to build and update the capacity for digital fraud risk management.

The banks have also been advised to identify and implement digital fraud risk controls through compliance assurance and implement fraud control-related key performance indicators (KPIs). They should ensure that customer education and awareness receive special focus from top to bottom to combat fraud in digital banking services through cyber channels.

In addition, banks should design, review, and continuously improve end-to-end processes of digital fraud risk management and customer complaint management in consultation with relevant stakeholders. Banks should identify and implement digital fraud risk controls to continuously monitor, prevent, detect, respond and remediate incidents of fraud.

The guidelines further require banks to clearly inform all internal and external participants in the digital fraud risk management process, including third-party vendors, service providers, and Financial Market Infrastructures (FMIs), of the fraud prevention requirements, including fraud detection, reporting, investigation, and monitoring. Banks should enforce security mechanisms commensurate with the risks in each area of digital banking and payment products and services (card, browser, app, voice, or e-commerce) and in each delivery channel (internet banking, mobile banking, etc.). They should also ensure that the overall product and service design, development, and operations strictly follow the core principles of information security, i.e., confidentiality, availability, and integrity.

The SBP has recommended that banks implement an Information Security Management System (ISMS) on the service components, using the applicable standards of the ISO 27000 family. Banks should conduct comprehensive information security reviews of new digital products and services and of any modification to their existing digital products and services, covering, but not limited to, people, the complete process, and technology.

The banks have been asked to ensure that the weaknesses and all critical, high, and medium vulnerabilities identified in the information security reviews are rectified and controlled, with validation, before deployment to production/operations and before the launch of products/services. Furthermore, they should ensure that the applications, payment cards, and channels used by the financial institutions (FIs) for such services are PCI DSS and PCI SSF certified, as applicable.

Finally, banks have been advised to conduct regular and spot fraud risk assessments to ensure the implementation of policies and processes governing initial and ongoing fraud risk management. They should use internal and external sources of information to develop insight into the instances of fraud occurring in the financial sector, both in Pakistan and in other countries. Banks should also ensure effective mutual coordination through an efficient mechanism for sharing required logs and exchanging information to trace illegitimate transfers, payments, and withdrawals made through suspected accounts, and, wherever applicable, use such authenticated information to resolve customer claims and/or complete legal enforcement actions. Banks should maintain oversight of fraud investigations through periodic reporting to senior management.

Overall, the policy guidelines issued by the State Bank of Pakistan aim to improve digital banking security and protect customers from digital fraud. The guidelines provide a comprehensive framework for banks to strengthen their risk control culture and implement effective fraud prevention measures. By following these guidelines, banks can create a safe and secure environment for their customers to conduct digital transactions.