Daily Times

KARACHI: In order to safeguard banks and their customers from potential losses due to cyber-crimes and online banking frauds, the State Bank of Pakistan (SBP) has directed all the banks to immediately take corrective measures.

In this regard, the SBP on Wednesday issued a circular directing the banks/microfinance banks (MFBs) to carryout extensive vulnerability assessment and penetration testing immediately. In case of a financial loss to customers due to such incidents, the bank/MFB shall compensate them within two business days, the central bank said.

The SBP directed all card-issuing banks/MFBs to replace all existing payment cards (except social transfer cards) with EMV chip-and-PIN payment cards latest by June 30, 2019. “The banks are directed to perform the said exercise in order to identify potential weaknesses in their Alternate Delivery Channels (ADCs) and payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/Branchless Banking, etc,” it said.

The central bank directed the banks to submit the assessment reports along with action plans and timelines to address the vulnerabilities to Payment Systems Department (PSD) latest by March 31, 2019. “In addition to the internal assessments, banks/MFBs shall arrange independent third-party review/assessment of their ADCs and payment systems including but not limited to Card Systems, RTGS, SWIFT, Internet/mobile banking and agent-based/branchless banking, etc. These assessment reports shall be submitted to PSD latest by December 31, 2019,” the circular added.

The SBP directed that with effect from January 01, 2019, all banks/MFBs will send free of cost transaction alerts to their customers through both SMS and email for all international and domestic digital transactions including but not limited to ATM, POS and Internet banking transactions. “Such transaction alerts shall be generated and relayed to customers immediately after the execution of transaction.

For this purpose, registered mobile phone numbers and valid email addresses of all customers shall be obtained, verified and updated in the bank/MFB’s database well before the deadline,” the circular read. “Henceforth, banks/MFBs shall activate/reactivate online banking services including internet/mobile banking for their customers after biometric verification at any branch of their bank,” it added.

“All card issuing/acquiring banks/MFBs shall deploy real-time fraud monitoring tools and alert mechanisms, preferably provided by their payment schemes, to detect potential fraudulent activities on their card systems latest by January 31, 2019,” the circular read. “Further, card-issuing/acquiring banks/MFBs shall develop standard operating procedures (SOPs) for threat reporting and escalation as well as actions to be taken in case suspicious activity is reported or identified,” it added.

“All banks/MFBs shall immediately review their existing agreements with payment schemes to identify clauses that may expose them to potential financial, legal and operational risks arising due to cyber-attacks/crimes and take appropriate risk mitigation measures with the approval of their board/senior management,” the circular read. “All payment card issuing banks/MFBs shall immediately set reasonable per day transaction limits commensurate with their risk appetite and transaction volume with the payment schemes especially for cross-border usage. Banks/MFBs shall ensure that their risk exposure remains within the pre-agreed limits set with the international/domestic payment schemes through legally binding contractual arrangements,” it added.

“Banks/MFBs shall start assessing the feasibility of implementing Payment Card Industry Data Security Standards (PCIDSS) and Payment Application Data Security Standard (PADSS) for their digital payment systems and adoption of the same standards by their third-party technology service providers. Banks/MFBs shall submit their assessment reports in this regard to PSD latest by January 31, 2019,” the circular read. “Failure to comply with the instructions will lead to penal action by SBP including but not limited to the suspension of non-compliant digital payment products and services of the banks/MFBs,” it concluded.

Published in Daily Times, November 29^th 2018.