Javid Law Associates
News

SBP Asks Banks to Compensate Customers’ Losses Within 2 Days

The State Bank of Pakistan (SBP) has directed commercial banks and financial institutions (FIs) to compensate customers for financial losses within two business days in the event of a data security breach. In cases where customers’ data has been compromised, FIs must immediately take steps to protect their customers from further losses and inform them within 48 hours about the measures being taken.

FIs will be held responsible for any financial loss incurred by customers due to delays in taking timely remedial actions, such as blocking digital channels or raising dispute requests. In such cases, FIs are required to fully compensate customers for their losses.

The SBP has also instructed FIs to offer transactional insurance to customers at reasonable and competitive rates. This insurance will only be activated upon the explicit consent or request of the customer.

Recently, the SBP released a draft regulatory framework titled “Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF)” as part of its ongoing efforts to strengthen consumer protection and ensure the fair treatment of consumers (FTC). The draft framework outlines principles and rule-based instructions aimed at promoting responsible business conduct, accountability, and fairness within Pakistan’s financial sector. It emphasizes that customers must be treated with respect, fairness, and transparency in all interactions with financial institutions.

The framework also requires FIs to strengthen their internal controls and reporting mechanisms to ensure that fraud and data breaches are detected and reported to the SBP without delay. Employee accountability must be fixed for any delays in reporting fraud cases to the central bank.

The SBP has mandated that financial institutions send free transaction alerts for all financial transactions performed using RTGS and other digital channels, including ATMs, POS, and internet banking.

Additionally, free alerts must be sent for:

FIs are required to prioritize these alerts and ensure sufficient capacity and bandwidth for their instant delivery.

The draft framework also outlines several security measures for FIs, including:

To further enhance security, FIs must implement OTP auto-fetch or auto-fill functionality with sender binding control to restrict manual OTP entry. Where this is not feasible, alternatives such as Robo Call Back (RCB), Call Back Confirmation (CBC), or in-app NADRA biometric verification must be used to authenticate customers.

The draft framework also requires FIs to define and implement rules for managing PIN/password standards, session timeouts, and account locking/unlocking policies.

The SBP has invited public feedback on the draft framework, which is open for consultation until September 30, 2025.
About the Author

Written by the expert legal team at Javid Law Associates. Our team specializes in corporate law, tax compliance, and business registration services across Pakistan.
