The State Bank of Pakistan (SBP) has put banks on notice: if customers lose money due to a data breach, reimbursement must happen within two working days. The move is aimed at tightening consumer protection in an increasingly digital financial landscape where breaches and fraud attempts are on the rise.
Faster Response, Mandatory Compensation
Under the new draft framework, banks will have no excuse for delays. If a customer’s account is compromised and the bank fails to promptly block digital channels or file dispute requests, the institution will be liable for the entire loss. Customers must also be informed of confirmed breaches within 48 hours, along with the measures being taken to secure their accounts.
Optional Insurance for Customers
To give users more choice, the SBP has directed banks to offer optional transactional insurance at affordable rates. This coverage will be available only if a customer specifically opts in, ensuring it doesn’t become another hidden fee or default charge.
Strengthening Internal Accountability
The draft, titled Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF), also lays out rules for reporting fraud and holding employees accountable. Bank staff who delay reporting incidents to the SBP will face consequences—a step clearly aimed at discouraging negligence inside institutions themselves.
Alerts for Every Digital Transaction
A key requirement is mandatory, free-of-charge alerts for transactions made through RTGS and all digital channels. Notifications must cover ATM withdrawals, POS payments, internet banking logins, password reset attempts, and even sign-ins from new devices. The central bank has emphasized that these alerts should be instantaneous, not delayed.
Security Features to Protect Customers
The draft also pushes for stronger customer controls. Users should be able to block or enable their cards for online or international use at will. Sensitive information must be deleted from memory caches after use, and account credentials can only be reset from registered devices.
For one-time passwords (OTPs), the SBP wants banks to adopt more secure handling. If automatic OTP fetching isn’t possible, alternatives like robo-callbacks, biometric verification through NADRA, or in-app confirmations must be available.
Open for Feedback
These proposals are not yet final. The SBP has opened the draft for consultation until September 30, 2025, inviting both banks and consumers to provide feedback before the regulations are officially enforced.
By putting strict timelines on compensation and accountability, the regulator is signaling that customer protection in digital banking will no longer be treated as an afterthought.