The State Bank of Pakistan (SBP) has issued directives to commercial banks and microfinance banks in the country to enhance their digital fraud protection controls and processes.
The aim is to prevent fraud and protect customer funds. Banks that fail to comply may be held responsible for any losses customers incur because of the banks' delay in implementing the necessary measures.
The SBP is focused on promoting digital financial services and improving customer trust in the safety and security of the digital banking ecosystem. With the increasing adoption of digital banking in Pakistan, fraudsters have been exploiting the lack of awareness among customers. To address this issue, the SBP has been working with the banking industry and other stakeholders to develop controls against various sophisticated fraud techniques, including spoofing of banks’ helpline numbers, SIM swap attacks, identity theft, and false registrations. Additionally, both the SBP and banks are actively engaged in consumer awareness programs.
On April 14, 2023, the SBP released detailed guidelines to enhance the security of digital banking products and services. These guidelines establish a comprehensive control regime that banks must implement by December 31, 2023. Key aspects of these guidelines include the formulation of a Digital Fraud Prevention Policy by financial institutions (FIs) to protect their account holders and ensure effective communication of the policy. FIs are required to design, review, and continuously improve end-to-end processes for digital fraud risk management and customer complaint management in collaboration with relevant stakeholders. The guidelines also emphasize minimizing the chances of customer information disclosure and prompt reporting of fraudulent transactions through the Fraudulent Transaction Dispute Handling (FTDH) system.
The guidelines cover various areas, including governance and oversight of digital fraud, implementation of international standards, fraud risk management solutions, and transactional controls. Transactional controls involve implementing reasonable and configurable limits to prevent, trace, and halt fraudulent transactions. Other measures include device registration, monitoring of fraudulent devices, accounts, and transactions, as well as incident-related controls like post-incident follow-ups, handling of disputed transactions, and safeguarding customer data through encryption, among others.
To prevent fraudulently transferred funds from leaving the banking system, the SBP has directed banks offering branchless banking wallets to restrict cash-out, mobile top-up, and other online purchases from incoming fund transfers for a period of two hours. Furthermore, the SBP has introduced a liability shift framework, whereby banks are obligated to compensate customers for delays in taking timely remedial and control measures, such as blocking digital channels or raising dispute requests.
Overall, these measures aim to strengthen digital fraud protection, enhance customer trust, and ensure the security and soundness of the digital banking environment in Pakistan.