Almost everyone in Pakistan has, at one point in their life, received scam calls and messages — from those about becoming a Benazir Income Support Programme beneficiary to those pretending to be from “sensitive” state institutions. With the growing penetration of digital financial services, such incidents — referred to as social engineering — have gone up sharply.

The whole thing has become a serious headache for banks because these incidents erode customer trust and raise questions about their security vulnerabilities. However, unlike some other types of fraud, it can be tricky to determine the liability. Should the customer bear losses for, well, their naivety? Or do the financial institutions deserve the blame for not creating a robust cybersecurity structure?

Last week, we got somewhat closer to this answer as the State Bank of Pakistan warned financial institutions to “improve their digital fraud protection controls and processes by taking timely remedial and control preventive measures failing which they shall be held responsible for loss of any customer funds due to delay on their part.”

This comes just a month after guidelines on a Digital Fraud Prevention Policy for banks, which is largely built around the premise of making social engineering tougher. While no standardised data is available regarding the prevalence of this practice, Habib Bank Limited’s COO Sagheer Mufti was quoted in 2021 as saying that it costs the industry over a billion rupees per year.

We don’t really know where that number is coming from because, according to Banking Mohtasib reports, the annual “relief” granted to customers — also, the losses for banks — stays below a billion rupees. And that’s for all types of complaints, not just social engineering. Perhaps Mr Mufti was incorporating the expenses incurred by financial institutions as preventive measures — from upgrading the technology infrastructure to something as simple as an SMS cost.

That doesn’t reveal the extent of damage borne by the customers because 1) not all of them approach the Mohtasib and 2) even those who do may not necessarily get “relief”.

According to the ombudsman’s latest report, there were 15,440 complaints in total during Jan-March 2023, with almost half new and the remaining carried from the last year. Of these, 18 per cent are related to frauds — which is almost twice the share compared to the same period of 2021.

Under this head, there were 1,038 complaints (some possibly carried forward) in 2022. This may seem like a gross understatement — technically underreporting, as many Pakistanis have so little faith in state or affiliated institutions that they would rather bear the loss than go through the humiliating experience of a public office. But the reason could possibly be the absence of standardisation of categories.

More than twice as many complaints — 2,574 — were received under “Internet Banking/Inter Bank Funds Transfers/E-commerce”, which may also include elements of social engineering. The actual number may still be much higher, at least going by social media anecdotes. In this context, the State Bank of Pakistan’s recent policy initiatives are welcome, for they lay out a comprehensive list of measures that need to be taken, which then becomes the criterion for determining responsibility.

The controls include two-factor authentication, in-app National Database Regulatory Authority biometric verification and restricting the manual entry of one-time passwords. It even proposes instructions on post-incident follow-up, stipulating a maximum time limit of 30 minutes in which financial institutions must raise the issue in their Fraudulent Transaction Dispute Handling system.

No longer will the banks be able to hide behind liability ambiguity. And the guidelines are fairly comprehensive too, such as the liability structure subsequent to a social engineering scam. For example, if a customer gets delayed transaction alerts — as is often the case with a particular tech company with a banking license that shall not be named — the financial institutions will be liable to compensate for the entire loss.

While indeed positive, don’t get your hopes up so soon. After all, the regulator puts out such guidelines on various topics every second month and quite often, nothing really comes out of it. Remember the financial inclusion or the banking on equality policies which had set out very specific targets for banks to meet? Don’t worry, no one does. The paper those documents were printed on is probably being used to serve samosas by a shop owner who is still out of the formal net.

Published in Dawn, The Business and Finance Weekly, May 22nd, 2023
