SBP Issues New Guidelines for Battling Online Fraud

In light of recent events, SBP has issued new guidelines to combat cybercrime and online fraud with policies going in effect as soon as January 1, 2019. These include an extensive review and upgradation of the current systems.

SBP has directed Banks/MFBs to submit reports to the Payment Systems Department (PSD) which will be assessing existing Alternate Delivery Channels (ADCs) and various payment systems for potential vulnerabilities by March 31st, 2019. In addition to these reports, banks are also required to have third parties assess their systems and submit that report by December 31st, 2019. These reports will also include a detailed action plan with timelines to implement them.

SBP has instructed banks to develop new SOPs for events related to suspicious online activities. Starting January 1, 2019 banks will be required to send the users confirmation of their transactions via SMS and email them where possible. Banks will be required to monitor all sorts of activities on their online platforms 24/7 and in case of any abnormality, they are to inform the users within 48 hours and take corrective steps. In case of any loss, the banks will be required to compensate them to the user. Banks will need to implement systems to enable customers to activate or block online transactions by March 31, 2019.

Banks are to immediately coordinate with their Payment Schemes and third parties to make sure that all systems including POS and ATMs are running the latest security patches. They are to ensure that all their existing agreements with the payment schemes are free from all sorts of potential, financial, legal and operational risks which might be caused due to cyber attacks.

To mitigate online fraud, banks have been instructed to implement the EMVCo’s 3D Secure Security Protocol. The 3D secure protocol is a protocol designed to act as an additional security layer for online credit and debit card transactions. EMVCo’s messaging protocol enables users to authenticate with their banks when making card-not-present (CNP) purchases. Detailed plans for its implementation are to be submitted to PSD by January 31, 2019. Finally, banks have been tasked with replacing existing payment cards, excluding social transfer cards, with EMV chip and PIN payment based cards by June 30, 2019.