KARACHI — The State Bank of Pakistan (SBP) has instructed commercial banks and financial institutions (FIs) to compensate customers for any financial losses within two business days if a data security breach occurs.
According to the central bank, FIs must take immediate steps to safeguard affected customers from further losses and notify them within 48 hours about remedial measures. Institutions will be held liable for any loss caused by delays in blocking digital channels or raising dispute requests and will be required to fully reimburse customers.
In addition, SBP has directed financial institutions to offer transactional insurance at competitive rates, which will be activated only with the explicit consent of customers.
Draft Framework for Consumer Protection
The SBP has also issued a draft regulatory framework titled “Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF)” aimed at strengthening consumer protection and ensuring fair treatment of consumers.
The framework emphasizes responsible business conduct, fairness, and transparency in dealings with customers. It also requires banks to enhance internal controls, report fraud cases promptly to the SBP, and fix employee accountability for delays in reporting.
Free Transaction Alerts
To further protect consumers, SBP has made it mandatory for financial institutions to provide free transaction alerts for all digital transactions, including RTGS, ATMs, POS, and internet banking. Alerts must also be sent for:
- Sign-ins from unregistered devices
- Password resets
- Failed login attempts
- Requests for lending products
FIs are required to ensure sufficient capacity and bandwidth for instant delivery of these alerts.
Enhanced Security Measures
The draft framework also introduces strict security protocols, including:
- Enabling customers to activate or block cards for online or cross-border transactions
- Automatically deleting sensitive data after use or app termination
- Restricting password or credential resets to registered devices
- Introducing OTP auto-fetch with sender binding, or alternatives such as Robo Call Back, Call Back Confirmation, or in-app NADRA biometric verification
Financial institutions must also set clear policies for PIN/password standards, session timeouts, and account locking.
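The controls listed above (registered-device gating of credential resets, sender-bound OTPs, alerts on unregistered sign-ins and failed logins, account locking, session timeouts, and customer card toggles) are stated as requirements without saying how they fit together. The following Python module is an added example, not code from the SBP framework or from any bank: it models those controls as a single account-security policy over constructed events. The thresholds (lockout after 5 failures, 15-minute lock, 5-minute idle timeout, 2-minute OTP life), the device and domain names, and the "@origin #code" SMS tail (the origin-bound one-time-code format that WebOTP and iOS AutoFill use to auto-fetch a code only for the matching sender/origin) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Policy parameters. The framework leaves these to each FI; values here are assumed.
MAX_FAILED_LOGINS = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_TIMEOUT_SECONDS = 5 * 60
OTP_TTL_SECONDS = 120


def hash_secret(s: str) -> str:
    # Only hashes of passwords and OTP codes are kept at rest.
    return hashlib.sha256(s.encode()).hexdigest()


@dataclass
class Account:
    password_hash: str
    registered_devices: set = field(default_factory=set)
    failed_logins: int = 0
    locked_until: float = 0.0
    sessions: dict = field(default_factory=dict)       # session_id -> last activity time
    pending_otps: dict = field(default_factory=dict)   # purpose -> (code_hash, expiry, device_id)
    alerts: list = field(default_factory=list)         # what the FI would push as free alerts


@dataclass
class CardControls:
    online: bool = False          # customer-set toggles, default off
    cross_border: bool = False


def bound_otp_sms(origin: str, code: str) -> str:
    """Sender-bound OTP message (assumed WebOTP / AutoFill format): the final line
    '@origin #code' lets a client auto-fetch the code only when the requesting
    site or app matches that origin, so a phishing page cannot harvest it."""
    return f"Your bank verification code is {code}. Never share it.\n@{origin} #{code}"


def request_credential_reset(acct, device_id, origin, now):
    """Only a registered device may start a reset; every attempt raises an alert."""
    if device_id not in acct.registered_devices:
        acct.alerts.append(f"reset refused: unregistered device {device_id}")
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    # Store the hash only, bound to the requesting device and to a short TTL.
    acct.pending_otps["reset"] = (hash_secret(code), now + OTP_TTL_SECONDS, device_id)
    acct.alerts.append(f"password reset requested from {device_id}")
    return bound_otp_sms(origin, code)


def verify_otp(acct, purpose, code, device_id, now):
    """Single use: the pending OTP is consumed on the first verification attempt,
    so a wrong guess cannot be retried against the same code."""
    entry = acct.pending_otps.pop(purpose, None)
    if entry is None:
        return False
    code_hash, expiry, bound_device = entry
    return (now <= expiry
            and device_id == bound_device
            and hmac.compare_digest(code_hash, hash_secret(code)))


def login(acct, device_id, password, now):
    """Returns a session id on success, else None. Failures count toward lockout;
    a successful sign-in from an unregistered device is allowed but alerted."""
    if now < acct.locked_until:
        acct.alerts.append("login attempt while account locked")
        return None
    if not hmac.compare_digest(acct.password_hash, hash_secret(password)):
        acct.failed_logins += 1
        acct.alerts.append(f"failed login from {device_id}")
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.alerts.append("account locked")
        return None
    acct.failed_logins = 0
    if device_id not in acct.registered_devices:
        acct.alerts.append(f"sign-in from unregistered device {device_id}")
    sid = secrets.token_hex(16)
    acct.sessions[sid] = now
    return sid


def touch_session(acct, session_id, now):
    """Idle timeout: an expired session is dropped and the call returns False."""
    last = acct.sessions.get(session_id)
    if last is None:
        return False
    if now - last > SESSION_TIMEOUT_SECONDS:
        del acct.sessions[session_id]
        return False
    acct.sessions[session_id] = now
    return True


def authorize_card(controls, online, cross_border):
    """A transaction is refused unless every channel it uses is enabled by the customer."""
    if online and not controls.online:
        return False
    if cross_border and not controls.cross_border:
        return False
    return True
```

The OTP is bound three ways: to the device that requested it, to a short expiry, and (through the message format) to the origin that may auto-fetch it; the alternatives the framework names (Robo Call Back, Call Back Confirmation, NADRA biometrics) would replace only the delivery step, not the device binding or single-use check.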
The SBP has invited public feedback on the draft framework, which will remain open for consultation until September 30, 2025.
