Staff Reporter

Karachi

State Bank of Pakistan (SBP) on Wednesday issued guidelines to safeguard banks/Microfinance Banks (MFBs) and their customers from potential losses due to cyber-crimes and online banking frauds.

The SBP directed banks/MFBs to immediately carry out extensive vulnerability assessment and penetration testing to identify potential weaknesses in their Alternate Delivery Channels (ADCs) and payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/Branchless Banking etc.

The assessment reports along with action plans and timelines to address the vulnerabilities shall be submitted to Payment Systems Department (PSD) latest by March 31, 2019.

In addition to the internal assessments, banks/MFBs shall arrange independent 3rd party review/assessment of their Alternate Delivery Channels (ADCs) and payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/Branchless Banking etc. These assessment reports shall be submitted to PSD latest by December 31, 2019.

With effect from January 01, 2019, Banks/MFBs shall send free of cost transaction alerts to their customers through both SMS and email (where email IDs are available) for all international and domestic digital transactions including but not limited to ATM, POS and Internet banking transactions.

Such transaction alerts shall be generated and relayed to customers immediately after the execution of transaction.

For this purpose, registered mobile phone numbers and valid email addresses (where applicable) of all customers shall be obtained, verified and updated in the bank/MFB’s database well before the deadline.

The SBP said that banks/MFBs shall activate/reactivate online banking services including internet/mobile banking for their customers after biometric verification at any branch of their bank.

At the time of activation of online services, banks’/MFBs’ relevant staff shall educate customers about various types of online banking frauds as well as the corresponding preventive measures.

Banks/MFBs shall be solely responsible for ensuring customer authentication for activation of any ADC, and any loss of customer funds due to false activation of any ADC shall be compensated by the respective bank/MFB.

All card-issuing banks/MFBs shall, latest by March 31, 2019, acquire/upgrade the capability to enable their customers to activate or block their cards for online/cross-border transactions as and when required by them.

With reference to PSD Circular No. 05 of 2016, all card-issuing banks/MFBs shall replace all existing payment cards (except social transfer cards) with EMV chip-and-PIN payment cards latest by June 30, 2019.

All card issuing/acquiring banks/MFBs shall deploy real-time fraud monitoring tools and alert mechanisms, preferably provided by their Payment Schemes, to detect potential fraudulent activities on their Card Systems latest by January 31, 2019.

