SBP Directs Banks to Compensate Customers Within 2 Days for Data Breaches

The State Bank of Pakistan (SBP) has issued a directive requiring commercial banks and financial institutions (FIs) to compensate customers for financial losses within two business days in the event of a data security breach. This measure is part of the central bank’s broader efforts to strengthen consumer protection and enforce fair treatment of customers across the financial sector.

Under the new guidelines, financial institutions must act promptly to safeguard customers whose data has been compromised. Banks are required to inform affected individuals within 48 hours of the measures being taken to prevent further losses. Any delay in implementing remedial actions, such as blocking digital channels or initiating dispute resolution, will make the FI fully accountable for compensating the resulting losses.

In addition to timely compensation, the SBP has instructed financial institutions to offer transactional insurance to customers at reasonable rates. This insurance is optional and will be activated only upon explicit consent or request from the customer, providing an additional layer of financial security in case of digital fraud or breaches.

The directives align with the SBP’s recently released draft regulatory framework, titled “Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF).” The draft framework emphasizes responsible business conduct, transparency, accountability, and the fair treatment of customers in all interactions with financial institutions. It also requires FIs to strengthen internal controls, reporting mechanisms, and employee accountability to ensure timely detection and reporting of fraud or security breaches.

As part of enhanced consumer protection measures, the SBP mandates that banks provide free transaction alerts for all financial transactions carried out via RTGS and other digital channels, including ATMs, POS, and internet banking. Alerts must also be sent for activities such as sign-ins from new devices, password resets, failed login attempts, and requests for lending products. Banks are expected to ensure that their systems have sufficient capacity and bandwidth to deliver these alerts instantly.

The draft framework also outlines additional security measures to protect sensitive customer data. These include letting customers enable or block their cards for online or cross-border transactions, deleting confidential data from caches after use or on uninstallation, erasing sensitive data on logoff or unexpected app termination, and restricting credential resets to registered devices only. Where auto-fetch or auto-fill OTP functionality is unavailable, alternatives such as Robo Call Back (RCB), Call Back Confirmation (CBC), or in-app NADRA biometric verification must be implemented for authentication.

Furthermore, the framework requires banks to define policies for PIN/password standards, session timeouts, and account locking/unlocking procedures. By implementing these measures, the SBP aims to enhance digital security, reduce financial losses, and restore customer confidence in Pakistan’s banking ecosystem.
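The alert triggers, device-bound credential resets, account locking and sensitive-data wiping described above map onto a small set of server- and app-side rules. The following Python is an added illustration written for this article, not code from the SBP or any bank; the lockout threshold (5 failures), the idle timeout (300 seconds), the event names and the sample events are all assumptions chosen for the example. Unlocking procedures, which the framework leaves to each bank's policy, are not modelled.

```python
"""Illustrative controls for the alert and account-protection rules in the draft
framework. Added example; thresholds, event names and sample data are assumptions."""
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 5      # assumption: lock the account after 5 consecutive failures
SESSION_TIMEOUT_S = 300    # assumption: 5-minute idle timeout before re-authentication


@dataclass
class Account:
    user: str
    registered_devices: set = field(default_factory=set)   # devices allowed to reset credentials
    failed_logins: int = 0
    locked: bool = False
    last_activity: float = 0.0                              # 0.0 means no live session


@dataclass
class Event:
    kind: str        # login_ok | login_failed | password_reset | lending_request | logoff
    user: str
    device: str
    ts: float


def session_expired(acct: Account, now: float) -> bool:
    """Idle-timeout check: a request after the timeout must re-authenticate."""
    return acct.last_activity > 0 and (now - acct.last_activity) > SESSION_TIMEOUT_S


def process_event(acct: Account, ev: Event) -> list[str]:
    """Apply one event to the account and return the customer alerts to send.
    An empty list means no alert is due for that event."""
    alerts = []
    if ev.kind == "login_failed":
        acct.failed_logins += 1
        alerts.append(f"failed login attempt from {ev.device}")
        if acct.failed_logins >= MAX_FAILED_LOGINS and not acct.locked:
            acct.locked = True
            alerts.append("account locked after repeated failed logins")
    elif ev.kind == "login_ok":
        if acct.locked:
            alerts.append("sign-in rejected: account is locked")
            return alerts
        acct.failed_logins = 0
        acct.last_activity = ev.ts
        if ev.device not in acct.registered_devices:
            alerts.append(f"sign-in from new device {ev.device}")
    elif ev.kind == "password_reset":
        # Credential resets only from registered devices; anything else is refused and flagged.
        if ev.device in acct.registered_devices:
            alerts.append("password reset completed")
        else:
            alerts.append(f"password reset refused from unregistered device {ev.device}")
    elif ev.kind == "lending_request":
        alerts.append("lending product requested")
    elif ev.kind == "logoff":
        acct.last_activity = 0.0
    return alerts


class SensitiveSession:
    """Holds sensitive data only for the life of the session and wipes it on exit,
    whether the app logs off normally or terminates with an exception."""
    def __init__(self):
        self.buffer = bytearray()

    def __enter__(self):
        return self

    def __exit__(self, exc_type, exc, tb):
        self.wipe()
        return False  # do not swallow the exception; the data is gone either way

    def wipe(self):
        for i in range(len(self.buffer)):   # overwrite in place before dropping the reference
            self.buffer[i] = 0
        self.buffer = bytearray()


def demo() -> dict:
    """Run constructed sample events through the rules and return a summary."""
    acct = Account("customer-1", registered_devices={"phone-A"})
    events = [  # constructed sample events, not real customer data
        Event("login_ok", "customer-1", "phone-A", 1000.0),       # known device: no alert
        Event("login_ok", "customer-1", "laptop-X", 1010.0),      # new device: alert
        Event("password_reset", "customer-1", "laptop-X", 1020.0),  # unregistered: refused
        Event("lending_request", "customer-1", "phone-A", 1030.0),
    ] + [Event("login_failed", "customer-1", "laptop-X", 1040.0 + i) for i in range(5)]
    alerts = [a for ev in events for a in process_event(acct, ev)]
    try:
        with SensitiveSession() as s:
            s.buffer.extend(b"4111 1111 1111 1111")   # constructed placeholder, not a real PAN
            raise RuntimeError("simulated crash")
    except RuntimeError:
        pass
    return {"alerts": alerts, "locked": acct.locked,
            "expired": session_expired(acct, 2000.0), "wiped_on_crash": len(s.buffer) == 0}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Two design points worth noting: the reset rule refuses the request before any credential changes hands and still raises an alert, so the customer learns someone tried from a foreign device; and the wipe runs in `__exit__`, which Python executes on both normal exit and exception, which is how an app meets the "erase on unexpected termination" requirement without relying on a cleanup call that a crash would skip.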

The SBP has invited public feedback on the draft BC&FRF framework, with consultation open until September 30, 2025. Financial institutions and consumers are encouraged to review the framework and submit comments to help refine policies and ensure that customer protection standards are robust, transparent, and enforceable.

Follow the PakBanker Whatsapp Channel for updates across Pakistan’s banking ecosystem.