State Bank of Pakistan (SBP) Wednesday issued "Regulations for the Security of Internet Banking" to mitigate the risks associated with internet banking and safeguard the interests of customers. In view of increasing usage of internet banking in the country and to protect and safeguard the interests of its customers and users, SBP has issued regulations for the security of internet banking under Sections (3) and (15) of the Payment Systems and Electronic Fund Transfers Act, 2007.
According to SBP, these regulations outline minimum set of operational, administrative, technical and physical safeguards to secure internet banking offered by banks in Pakistan and will be effective from 1st April, 2016. It will help minimise the security risks associated with the internet banking and will introduce international best practices for safeguarding this important delivery channel.
Further banks under these regulations are required to implement two factor authentication and initiate a formal customer awareness programme to increase awareness of the security threats and other risks associated with internet banking as well as liabilities, roles and responsibilities of the customers and banks related to internet banking. The SBP said these regulations are applicable to all banks in Pakistan providing financial and/or non-financial transactions through internet irrespective of software tool used by bank and access devices used by its customers.
Under the regulations, banks have been directed to develop, implement and regularly review Internet Banking Security Framework based on the key security objectives including integrity of data and systems While developing the Internet Banking Security Framework, the bank should take into account the complexity of systems, applications and products/services offered while at the same time ensuring the ease of usage and customers' convenience.
Further the framework should clearly define the roles and responsibilities of Board of Directors (BoDs), senior management and employees with regard to its approval, development and implementation. This framework and any reviews thereafter should be duly approved by the BoDs. The internet banking security framework shall include the components of security risk assessment, implementation of security controls and monitoring of security controls.
Under the regulations, the bank shall conduct and document a formal security risk assessment for internet banking with a view to identifying, estimating and prioritising risks to which its operations are exposed due to internet banking The BoDs should review the risk assessment document and any reviews conducted thereafter. The bank shall ensure that appropriate security arrangements and security controls to protect IT assets (such as systems, applications, networks, data, and information and communication systems) are in place. Banks shall develop a set of controls based on the security risk assessment document, commensurate with the risk levels to meet the control objectives.
All established security breaches have been asked to be reported to Payment Systems Department, State Bank of Pakistan. The incident and analysis reports of security breaches should be furnished on a quarterly basis to PSD as per Annexure-I. Impact of security breach on institution's business, systems, applications and customers should also be submitted in detail, it added.
Service providers of outsourced functions relating to internet banking are contractually bound to implement these regulations. However, outsourcing does not relieve the bank from its responsibility of complying with these regulations. A formal customer awareness programme regarding internet banking threats and safeguards to minimise frauds and identity theft risks should be developed and implemented by banks.
Comments
Comments are closed.