On Wednesday the State Bank of Pakistan (SBP) issued a press release directing all banks to protect their clients against fraud, skimming and other forms of cyber crime. This development came four weeks after a cyber attack on Pakistani banks that resulted in the data of numerous Pakistani banking accounts being sold on the dark web. According to PakCERT, a cyber security firm in Karachi, the data of 11,000 Pakistani debit cards had been compromised by October 31.
According to the press release, all banks have been instructed to carry out extensive vulnerability assessment to identify and patch up weaknesses in their Alternate Delivery Channels (ADC), which includes card systems, internet banking and agent based or branchless banking. The central bank has ordered that all banks submit their assessment reports and action plans on dealing with vulnerabilities to the SBP’s Payment Systems Department (PSD) by March 31, 2019.
Internal assessments will not be enough, however, as banks have also been directed to arrange third-party reviews of their ADCs and payment systems. These assessment reports have to be submitted to the PSD by December 31, 2019.
From next year, banks will also have to provide their clients with free of cost transaction alerts through both SMS and E-Mail. Alerts will have to be issued for both domestic and international transactions and will have to be generated and relayed immediately. As such, clients’ valid cell phone numbers and E-Mail addresses will have to be collected, verified and updated before the new year.
Furthermore, bank clients will no longer be able to activate or reactivate their internet banking services remotely. According to the SBP’s press release, banks will be required to conduct a biometric verification at any branch of their bank before clients’ internet banking services are activated or reactivated. Additionally, relevant staff will have to educate clients about various forms of online banking fraud and appropriate preventative measures at the time of activation. This includes the importance of clients keeping their personal information confidential.
Clients using banking cards will have to be given the ability to activate or block their cards for online and international transactions as and when required by them to reduce the likelihood of fraudulent transactions. Additionally, all banks have been directed to replace cards using magnetic stripes with EMV chip-and-pin payment cards by June 30, 2019. According to the SBP’s directions, card-issuing banks have to acquire real-time fraud monitoring tools and alert mechanisms to detect all potential criminal activities by January 30. They will also have to develop Standard Operating Procedures (SOP) for threat reporting and escalation in case suspicious activity is reported.
The SBP has also instructed banks to make arrangements to monitor all activity related to payments made through cards or online banking services 24/7. “They will immediately review their existing agreements with payment schemes to identify clauses that may expose them to potential financial, legal and operational risks arising due to cyber-attacks or crimes,” said the central bank. Working with third-party service providers, banks will have to ensure that all the latest security patches are installed on their digital banking infrastructure (such as ATMs and POS machines) in a timely fashion, as soon as they are released.
The SBP has also told banks to set up reasonable per-day transaction limits on digital banking infrastructure. While doing so, they will have to ensure their risk exposure remains in the ambit of limits set with domestic and international payment schemes through legally binding contractual agreements.
Finally, banks will have to continuously educate their clients about all prevalent cyber security threats using print, electronic and social media. Here the press release specifically mentions call and SMS spoofing and impersonation by fraudsters. Clients will have to be made aware that an authentic banking officer will never ask for any personal information on the phone or by E-Mail.
If a bank learns that its clients’ data has been compromised, it shall immediately take steps to protect its customers from further losses and inform them within 48 hours about the steps being taken by the bank to protect their accounts. In case of a financial loss to customers due to such incidents, the bank shall have to compensate them within two business days. Furthermore, banks shall report such incidents to the Banking Policy & Regulations Department (BPRD) within 48 hours, as stipulated in BPRD Circular No. 05 of 2017 on the Enterprise Technology Governance and Risk Management Framework for Financial Institutions.
Banks shall have to ensure diligent compliance with SBP’s instructions in regard to safety and security of digital transactions; especially PSD Circular No. 3 of 2015 and PSD Circular No. 5 of 2016. They will have to submit a fortnightly progress report to the PSD. Failure to comply with the above instructions will lead to penal action by SBP. This includes but is not limited to the suspension of non-compliant products and services.