The State Bank of Pakistan (SBP) has ordered commercial banks and financial institutions to reimburse customers for any financial loss resulting from a data breach within two business days. The central bank has made clear that banks must take immediate measures to protect affected customers and to prevent further loss.
Banks must notify customers within 48 hours of any confirmed data compromise and outline the remedial steps being taken. If a bank delays actions such as blocking digital channels or raising dispute requests, and the customer suffers a financial loss, the bank must pay full compensation without delay.
The SBP also wants banks to offer optional transactional insurance at reasonable rates. This insurance will be provided only when a customer opts in or requests it. The move is part of a wider draft regulatory framework called the Business Conduct and Fair Treatment of Consumers Regulatory Framework (BC&FRF), which the SBP has released for public comment.
The draft framework sets out rules for fraud reporting and employee accountability. Banks will be required to strengthen internal controls and to report fraud and data breaches promptly to the SBP. The central bank has said that staff responsible for delays in reporting will be held accountable.
The SBP has mandated free transaction alerts for all RTGS and digital channel transactions. Alerts must be sent for ATM and POS transactions, internet banking, sign-in from new devices, password reset requests, failed login attempts, and lending product requests. Banks must ensure that alert systems have sufficient capacity for instant delivery.
Security rules in the draft require banks to let customers block or enable cards for online or cross-border transactions. Confidential data must be deleted from caches and memory after use or when an app is uninstalled. Sensitive data must be erased on logoff or when an app terminates unexpectedly. Credential resets will be allowed only from registered devices.
The SBP expects banks to use secure OTP handling. Where OTP auto-fetch is not possible, banks must deploy alternatives such as robo call-back, call-back confirmation, or in-app biometric verification via NADRA. Banks should also set clear rules for PIN and password requirements, time limits and expiry periods, and the locking and unlocking of accounts.
The framework is in draft and will be open to feedback up to September 30, 2025. The SBP has invited comments from consumers and banks before issuing final rules.