Banks ordered to compensate fraud victims

F.P. Report

KARACHI: The State Bank of Pakistan on Wednesday directed commercial and microfinance banks to establish digital fraud risk management units under the supervision of senior management and to compensate their customers within three working days of a fraud being reported if their digital security mechanisms are not updated.

State Bank has reminded all the heads and chief executives of the banks to make digital banking safe.

The SBP has prepared a set of control measures to enhance the security of digital banking products and services. Banks/MFBs are advised to develop a comprehensive plan with monthly milestones, to be implemented by December 31, 2023, duly approved by the Chief Executive Officer (CEO), and submit the same to their relevant Banking Supervision Department (BSD) in SBP within thirty (30) days from the issuance date of the circular.

Thereafter, a monthly progress report shall be submitted to the concerned BSD within ten (10) days from the close of each calendar month, the circular issued by the SBP stated.

Banks shall be liable to compensate the customers, in cases where they are unable to establish that the transactions were executed through the customers’ registered devices.

Banks shall be responsible for the loss of any customer funds due to delay on their part in taking timely remedial and control measures such as delay in blocking digital channels, delay in raising dispute requests, etc. In this regard, the Financial Institutions shall compensate in whole the customers for such losses.

In case of ab initio false registration of the customer, the concerned FI shall be completely liable if the required controls related to registration were not in place or not properly implemented. FIs shall offer transactional insurance to their customers at reasonable and competitive charges; the insurance should be activated upon explicit customer consent or request.

The financial institutions (FIs), including commercial and microfinance banks and branchless banking service providers, shall conduct comprehensive investigations of digital banking frauds, prepare formal investigation reports and engage with the customer to transparently present/explain the bank’s findings.

The scope of the investigation shall be end to end (from victim to the ultimate beneficiary) and at least include validation of customer assertions, the potential of internal staff involvement, the role of branchless banking agents (including those responsible for conducting biometric verification), review of PII access logs, gaps or weaknesses in FI’s systems, applications and processes, etc.

Further, FIs shall take action against the branchless banking agents involved in digital frauds and staff delinquent in conducting proper KYC and CDD.

FIs shall ensure that the OTPs used for authentication are of reasonable length with appropriate validity (i.e. time out).

In addition to the existing requirements regarding sending free-of-cost transaction alerts on SMS and email (where email IDs are available), the FIs shall also send instant (free of cost) alerts on sign-in from a new device not already registered, password reset, failed login attempts and request for availing lending products. FIs shall prioritize these alerts and also arrange for sufficient capacity/bandwidth for instantly sending these alerts.

FIs shall never communicate the balance available in the account while sending transaction alerts.

The requirement regarding call wait times of not more than one minute for card block requests shall also apply to blocking requests for all digital channels including branchless banking accounts/wallets, mobile, and internet banking channels, etc.

FIs shall also develop internal procedures for unblocking devices on a case-to-case basis. Further, all devices found used in fraudulent transactions shall be immediately reported to PTA for necessary action and shall be immediately blocked by the FIs.

State Bank issued the above directions to the banks/MFBs to implement appropriate controls and remedial measures for enhancing the security of their digital banking products and services. (INP)