From January 1, 2019, all commercial banks and mobile financial service providers (like Easy Paisa and Jazz Cash) will stop charging you for text messages you receive after making financial transactions.
Currently, many banks charge close to Rs100 per month for sending you an SMS after you withdraw cash from an ATM or make an online payment. The service can be useful, as customers can immediately alert their bank in case of unauthorized access, but it is a paid feature that comes with a federal tax, which discourages consumers from availing this security layer. Many people simply don’t want to pay the fee.
The change of policy is the result of a series of instructions the central bank has issued to commercial banks whose poor state of information security was exposed by a recent wave of cyber-attacks.
Banks and other financial service providers shall send free of charge transaction alerts to their customers through both SMS and email for all international and domestic digital transactions, the SBP has said.
Information security experts who have worked with our banks say these commercial entities sit atop big data, customers’ private information, but spend little to nothing to protect it. The SBP, often criticised for not taking strict action, finally woke up and instructed all banks to take strict security measures for better security of their payment and information systems.
The following are some of the points from the SBP’s instructions to the banks.
- All banks shall upgrade their systems by March 31 in a way that enables customers to activate or block their cards for online and international transactions as and when they wish.
- All banks shall replace existing payment cards (debit and credit) with EMV chip-and-PIN payment cards by June 30, 2019. This is technology upgrade will protect customers against skimming attacks, which steal their card information by planting skimming devices at ATMs or point of sale machines — this is what happened to HBL customers last December.
- All banks will carry out internal vulnerability assessment and testing to identify flaws in their payment systems for all local and international transactions and submit a plan by latest March 31 stating how and when they will fix the vulnerabilities.
- All banks will carry out third-party testing of their systems for vulnerabilities and submit their reports by the end of 2019.
- All banks will activate online banking services after biometric verification of their customers.
- All banks shall develop real-time fraud monitoring tools by January 31 and develop a procedure to report threats and their response to the same
- All banks should ensure 24-hour monitoring of online payments and develop a communication system to alert international partners for immediate action
- All banks shall impose a daily transaction limit with international partners for cross-border transactions to minimize their exposure to cyber threats
- All banks should report to customers within 48 hours in case their data is compromised and compensate them in two business days. The breach should also be reported to the SBP within 48 hours.
- All banks shall continue to educate customers about prevailing banking fraud, such as SMS spoofing, impersonation by fraudsters — like those BISP and Jeeto Pakistan messages that ask for your personal information and tempt you into believing that you won some money.
Failure to comply with these instructions will lead to a penalty including but not limited to the suspension of non-compliant digital payment products and services of the banks and financial service providers.