After the infamous Bank Islami hacking incident that took place in October, the State Bank of Pakistan’s Payment System Department (PSD) released a circular last week in a concerted effort to fortify the security systems under which all banks in the country operate. As well intentioned as these new measures may be, it is the belief of many in the industry that they will slow down the growth of the banking sector, specifically in terms of customer growth and its pace of innovation.
The full circular can be read here.
Let us begin by first discussing the positive elements of the circular which indeed will strengthen the integrity of banks and offer customers more protection. The PSD is to be commended on its actions regarding the following concepts.
Undeniably, measures had to be introduced to protect banks and their customers, and the PSD has done very well in enacting article 3, which stipulates that free transactional SMS and emails be sent to all customers. This will greatly help in the detection of fraud on an immediate basis. It also promotes a constant dialogue between the banks and their respective customers, reducing any existing barriers between them.
In the same spirit, article 17 stipulates that banks should inform customers within 48 hours of any breach and make reparations within the same timeline. This ensures that no bank could ever try to hide any possible breach from its customers; complete transparency will therefore be the norm for the future.
Both of these measures will help establish a strong platform of trust and provide customers with the rights they need in order to further their existing financial service requirements.
Article 6 states that the majority of plastic cards in the country be replaced with new cards supporting an EMV chip and PIN compliant system. This will be a major breakthrough, as current magnetic-based cards can be duplicated while chip and PIN formats cannot. This will also replace the act of requiring a signature at the point of sale with the requirement of typing in a PIN number instead. Many believe this to be a far more secure method of payment, and it provides customers with the confidence that their cards are less likely to be misused if lost.
Finally, article 13 states that banks must submit an implementation plan for the 3D Secure protocol on online payments. If implementations for all banks are completed within the next 2 years, this could be very helpful for the growth of the eCommerce market in Pakistan.
As commendable as their efforts have been, the PSD has in all earnestness implemented a few troubling measures which could seriously threaten the future development of Pakistan’s financial sector.
Article 4: Activating mobile banking at branch offices
iv) Henceforth, banks/MFBs shall activate/reactivate online banking services including internet/mobile banking for their customers after biometric verification at any branch of their bank. At the time of activation of online services, banks’/MFBs’ relevant staff shall educate customers about various types of online banking frauds as well as the corresponding preventive measures. Banks/MFBs shall be solely responsible for ensuring customer authentication for activation of any ADC and any loss of customer funds due to false activation of any ADCs shall be compensated by the respective bank/MFB.
This paragraph alone will hurt a lot of the micro-finance banks and large banks that were doing online activation of customers to create accounts without the need of visiting a branch. How are digital banks supposed to operate when such a stringent requirement is put on activating customer accounts? Small banks that do not have a large footprint in terms of branches have now also been put at a severe disadvantage.
** Correction. Wallets which operate under the branchless banking regulations are not specifically mentioned as having to comply with these regulations. Therefore wallets such as SimSim and others are not required to enact these measures. This might even give them an advantage in the short run, and in the medium term we might see the larger banks opting to create wallets under the branchless banking act. **
̶W̶a̶l̶l̶e̶t̶s̶ ̶s̶u̶c̶h̶ ̶a̶s̶ ̶J̶a̶z̶z̶c̶a̶s̶h̶ ̶a̶n̶d̶ ̶S̶i̶m̶S̶i̶m̶ ̶w̶h̶o̶ ̶w̶e̶r̶e̶ ̶o̶n̶b̶o̶a̶r̶d̶i̶n̶g̶ ̶f̶u̶l̶l̶y̶ ̶w̶i̶t̶h̶i̶n̶ ̶t̶h̶e̶i̶r̶ ̶a̶p̶p̶s̶ ̶w̶i̶l̶l̶ ̶n̶o̶w̶ ̶h̶a̶v̶e̶ ̶t̶o̶ ̶t̶e̶l̶l̶ ̶c̶u̶s̶t̶o̶m̶e̶r̶s̶ ̶t̶o̶ ̶g̶o̶ ̶t̶o̶ ̶a̶ ̶b̶r̶a̶n̶c̶h̶ ̶t̶o̶ ̶c̶o̶m̶p̶l̶e̶t̶e̶ ̶r̶e̶g̶i̶s̶t̶r̶a̶t̶i̶o̶n̶.̶ ̶J̶S̶ ̶B̶a̶n̶k̶ ̶w̶h̶i̶c̶h̶ ̶h̶a̶d̶ ̶v̶e̶r̶y̶ ̶i̶m̶p̶r̶e̶s̶s̶i̶v̶e̶l̶y̶ ̶i̶n̶t̶r̶o̶d̶u̶c̶e̶d̶ ̶a̶n̶d̶ ̶d̶e̶p̶l̶o̶y̶e̶d̶ ̶f̶i̶n̶g̶e̶r̶p̶r̶i̶n̶t̶ ̶s̶c̶a̶n̶n̶i̶n̶g̶ ̶v̶i̶a̶ ̶s̶m̶a̶r̶t̶p̶h̶o̶n̶e̶ ̶c̶a̶m̶e̶r̶a̶s̶ ̶f̶o̶r̶ ̶i̶d̶e̶n̶t̶i̶t̶y̶ ̶v̶e̶r̶i̶f̶i̶c̶a̶t̶i̶o̶n̶ ̶w̶i̶l̶l̶ ̶n̶o̶w̶ ̶s̶a̶d̶l̶y̶ ̶n̶o̶t̶ ̶b̶e̶ ̶a̶b̶l̶e̶ ̶t̶o̶ ̶c̶a̶p̶i̶t̶a̶l̶i̶s̶e̶ ̶o̶n̶ ̶t̶h̶e̶i̶r̶ ̶i̶n̶n̶o̶v̶a̶t̶i̶o̶n̶.̶ ̶T̶h̶e̶s̶e̶ ̶a̶r̶e̶ ̶j̶u̶s̶t̶ ̶a̶ ̶f̶e̶w̶ ̶e̶x̶a̶m̶p̶l̶e̶s̶ ̶o̶f̶ ̶a̶ ̶f̶i̶n̶t̶e̶c̶h̶ ̶s̶e̶c̶t̶o̶r̶ ̶t̶h̶a̶t̶ ̶w̶a̶s̶ ̶o̶n̶ ̶t̶h̶e̶ ̶v̶e̶r̶g̶e̶ ̶o̶f̶ ̶b̶l̶o̶s̶s̶o̶m̶i̶n̶g̶ ̶t̶h̶a̶t̶ ̶i̶s̶ ̶n̶o̶w̶ ̶b̶e̶i̶n̶g̶ ̶h̶e̶l̶d̶ ̶b̶a̶c̶k̶ ̶b̶y̶ ̶t̶h̶e̶ ̶s̶h̶a̶c̶k̶l̶e̶s̶ ̶o̶f̶ ̶p̶r̶o̶t̶e̶c̶t̶i̶v̶e̶ ̶m̶e̶a̶s̶u̶r̶e̶s̶.̶ ̶L̶e̶g̶i̶s̶l̶a̶t̶i̶o̶n̶ ̶n̶e̶e̶d̶s̶ ̶t̶o̶ ̶w̶o̶r̶k̶ ̶t̶o̶g̶e̶t̶h̶e̶r̶ ̶w̶i̶t̶h̶ ̶t̶e̶c̶h̶n̶o̶l̶o̶g̶y̶ ̶i̶n̶ ̶o̶r̶d̶e̶r̶ ̶f̶o̶r̶ ̶P̶a̶k̶i̶s̶t̶a̶n̶’̶s̶ ̶f̶i̶n̶a̶n̶c̶i̶a̶l̶ ̶m̶a̶r̶k̶e̶t̶s̶ ̶t̶o̶ ̶b̶e̶ ̶t̶r̶u̶l̶y̶ ̶e̶f̶f̶e̶c̶t̶i̶v̶e̶ ̶a̶n̶d̶ ̶p̶r̶o̶d̶u̶c̶t̶i̶v̶e̶ ̶i̶n̶ ̶a̶ ̶s̶a̶f̶e̶ ̶a̶ ̶s̶e̶c̶u̶r̶e̶ ̶f̶a̶s̶h̶i̶o̶n̶.̶
Article 10: Banks to decide daily spending limits
x) All payment-card issuing banks/MFBs shall immediately set reasonable per-day transaction limits commensurate with their risk appetite and transaction volume with the Payment Schemes especially for cross-border usage. Banks/MFBs shall ensure that their risk exposure remains within the pre-agreed limits set with the international/domestic payment schemes through legally binding contractual arrangements.
Article 10 should be a concern for customers because it takes rights directly away from them. Why can a customer not decide and set their own limits on their daily spending? Why must it be dictated to them as if they were children unable to know what is best for them? Surely this disregards the customer’s right to spend the amount he or she wishes of his or her own money on a daily basis if it, perchance, exceeds the dictated norm. The daily limit is not set to the customer’s requirements but instead in order to comply with the risk appetite of the bank. This is a perfect example of institutional dictates which hold a market back from prospering to the level of success it could naturally attain. The implementation of spending limits will be a huge impediment to future growth and should be seriously reconsidered by existing authorities.
Smarter options are available which have been employed by multiple fintechs in Europe. It is the hope of many in our industry that Pakistan will follow the examples of success stories where banking systems worked closely with new technologies to bridge gaps in security and verification methods. In this highly competitive era, if we are to see Pakistan achieve its true potential as the financial giant it could very well be, we need to learn from the best.
Examples of great digital banks
Challenger banks which are emerging in the UK and Europe are some of the most user-friendly, interactive and secure financial service institutions currently in place. They offer a whole host of security features that not only make transactions more secure but also empower customers at the same time.
They offer very in-depth security features, and all of them are available directly to consumers through their app. Features which allow you to freeze your card, set spending limits, and allow ATM or online transactions are available as options directly to the customer without the need to call their bank.
We should be using these as examples and asking our banks to be innovative and customer oriented while also ensuring that their database security features are top notch. Pakistan’s financial sector cannot risk hampering its development at this crucial stage when, on the sheer size of its population alone, we could stand to be at the forefront of technological innovation. We need to get more and more customers onboard with online financial services in the best, most effective and secure methods possible.
Example of how Revolut gives its customers power over features
Security settings for each card within Revolut
Additional spending restrictions per card and instant notifications on payments
Successful companies do not have to choose between customer security and ease of use; they do both. The best of companies are those which are able to reduce the friction a customer feels when interacting with their products, while at the same time ensuring a high level of security and data protection.
When problems do come up, we should not look to over-regulate but instead use them as a way to foster innovative change and move forward with smart solutions. Only then will our un-banked and under-banked populations come to trust the industry and use the banking channels available to them more regularly and with greater ease. We are a nation of more than two hundred million minds and we need to create a digital infrastructure that will ultimately lead to a safer and more secure future together – with customers and financial service providers alike!