Almost everyone in Pakistan has, at one point in their life, received scam calls and messages — from those about becoming a Benazir Income Support Programme beneficiary to those pretending to be from “sensitive” state institutions. With growing penetration of digital financial services, such incidents — referred to as social engineering — have gone up sharply.

The whole thing has become a serious headache for banks because these incidents erode customer trust and raise questions about their security vulnerabilities. However, unlike some other types of fraud, it can be tricky to determine the liability. Should the customer bear losses for, well, their naivety? Or do the financial institutions deserve the blame for not creating a robust cybersecurity structure?

Last week, we got somewhat closer to this answer as the State Bank of Pakistan warned financial institutions to “improve their digital fraud protection controls and processes by taking timely remedial and control preventive measures failing which they shall be held responsible for loss of any customer funds due to delay on their part.”

This comes just a month after guidelines on a Digital Fraud Prevention Policy for banks, which is largely built around the premise of making social engineering tougher. While no standardised data is available regarding the prevalence of this practice, Habib Bank Limited’s COO Sagheer Mufti was once quoted in 2021 about how it costs the industry over a billion rupees per year.


We don’t really know where that number is coming from because, according to Banking Mohtasib reports, the annual “relief” granted to customers — also, the losses for banks — stays below a billion rupees. And that’s for all types of complaints, not just social engineering. Perhaps Mr Mufti was incorporating the expenses incurred by financial institutions as preventive measures — from upgrading the technology infrastructure to something as simple as an SMS cost.

That doesn’t reveal the extent of damage borne by the customers because 1) not all of them approach the Mohtasib, and 2) even those who do may not necessarily get “relief”.

According to the ombudsman’s latest report, there were 15,440 complaints in total during Jan-March 2023, with almost half new and the remaining carried from the last year. Of these, 18 per cent are related to frauds — which is almost twice the share compared to the same period of 2021.

Under this head, there were 1,038 complaints (some possibly carried forward) in 2022. This may seem like a gross understatement — technically underreporting, as many Pakistanis have such little faith in state or affiliated institutions that they would rather bear the loss than go through the humiliating experience of a public office. But the reason could possibly be the absence of standardisation of categories.

More than twice as many complaints — 2,574 — were received under “Internet Banking/Inter Bank Funds Transfers/E-commerce”, which may also include elements of social engineering. The actual number may still be much higher, at least going by social media anecdotes. In this context, the State Bank of Pakistan’s recent policy initiatives are welcome, for they lay out a comprehensive list of measures that need to be taken, which then becomes the criterion for determining responsibility.

The controls include two-factor authentication, in-app National Database Regulatory Authority biometric verification and restricting the manual entry of one-time passwords. It even proposes instructions on post-incident follow-up, stipulating a maximum time limit of 30 minutes in which financial institutions must raise the issue in their Fraudulent Transaction Dispute Handling system.

No longer will the banks be able to hide behind liability ambiguity. And the guidelines are fairly comprehensive too, such as the liability structure subsequent to a social engineering scam. For example, if a customer gets delayed transaction alerts — as is often the case with a particular tech company with a banking license that shall not be named — the financial institutions will be liable to compensate for the entire loss.

While indeed positive, don’t get your hopes up so soon. After all, the regulator puts out such guidelines on various topics every second month and quite often, nothing really comes out of it. Remember the financial inclusion or the banking on equality policies which had set out very specific targets for banks to meet? Don’t worry, no one does. The paper those documents were printed on is probably being used to serve samosas by a shop owner who is still out of the formal net.

Published in Dawn, The Business and Finance Weekly, May 22nd, 2023
