Banks directed to return amount to customers within two days of data breach
The State Bank of Pakistan (SBP) has directed commercial banks and financial institutions (FIs) to reimburse customers for financial losses within two business days in the event of a data security breach.
Under the new instructions, if customers’ data is compromised, FIs must immediately take preventive measures to protect accounts and notify affected customers within 48 hours about the steps being taken.
Financial institutions will be held liable for any losses resulting from delays in remedial actions—such as blocking digital channels or raising dispute requests—and must provide full compensation to customers in such cases.
SBP has further instructed FIs to offer transactional insurance at competitive rates, but only upon explicit consent from customers.
Draft framework for consumer protection
The directive accompanies the SBP’s newly issued draft framework, the Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF), designed to strengthen consumer protection and promote responsible practices across Pakistan’s financial sector.
The framework emphasizes fair treatment, transparency, and accountability, requiring FIs to tighten internal controls and reporting mechanisms to detect and disclose fraud or data breaches without delay. It also makes employees directly accountable for failing to report fraud cases promptly to the central bank.
Free transaction alerts
To further safeguard customers, SBP has mandated free transaction alerts for all payments made via RTGS and digital channels, including ATMs, POS, and internet banking. Alerts must also be sent for:
· Sign-ins from unregistered devices
· Password resets
· Failed login attempts
· Requests for lending products
FIs must ensure that these alerts are prioritized and delivered instantly with adequate system capacity.
Enhanced security standards
The draft framework also requires banks to adopt stronger security measures, including:
· Allowing customers to enable or block cards for online or cross-border transactions.
· Ensuring confidential data is erased from memory after use, app uninstallation, or logoff.
· Restricting credential resets (e.g., password changes) to registered devices.
· Implementing OTP auto-fetch/auto-fill with sender-binding controls. Where not possible, alternatives such as Robo Call Back, Call Back Confirmation, or in-app NADRA biometric verification must be used.
Additionally, FIs must establish clear policies for PIN and password standards, session timeouts, and account locking/unlocking.
The SBP has invited public feedback on the draft framework, with consultation open until September 30, 2025.
Source: Pro Pakistani
