SBP issues regulations for security of internet banking.
The State Bank of Pakistan (SBP) has issued the regulations for the security of internet banking to provide a minimum set of operational, administrative, technical and physical safeguards to secure internet banking offered by the banks in Pakistan. These regulations will be effective from April 01, 2016, said SBP in a statement. SBP has taken this action in view of increasing usage of internet banking in the country, and to protect and safeguard the interest of its customers and users.
These regulations will help in minimizing the security risks associated with the internet banking and will introduce international best practices for safeguarding this important delivery channel.
Further, under these regulations banks are required to implement two-factor authentication and initiate a formal customer awareness program to increase awareness of the security threats and other risks associated with Internet Banking, as well as the liabilities, roles and responsibilities of customers and banks related to internet banking.
Internet Banking has become an important delivery channel for banking services, enabling banks to offer traditional banking services such as access to one or multiple accounts for fund transfers, bill payments and card payments, etc., through the internet. The security of Internet Banking has become a major concern for the regulatory authorities because of increasing IT security risks, which may lead to serious financial and reputational risks in case of any major security breach. These regulations, therefore, would help banks in Pakistan to develop a formal Internet Banking Security Framework containing administrative, technical and physical safeguards based on best international practices.
The major components of the framework would be Security Risk Assessment (of threats and vulnerabilities to systems and customers' information), Security Controls Implementation based on the Security Risk Assessment, and Security Controls Monitoring. An effective customer awareness program is also necessary to mitigate the risks associated with Internet Banking. Banks, therefore, are encouraged to regularly update their customers about identity theft and fraud techniques, enabling them to identify these techniques and take appropriate preventive measures.
Scope of the regulations
These regulations are applicable to all banks in Pakistan providing financial and/or non-financial transactions through the internet, irrespective of the software tool used by the bank and the access devices used by its customers.
Internet banking security framework
Bank shall develop, implement and regularly review Internet Banking Security Framework based on the following key security objectives:
a) Security and integrity of data and systems, to ensure that customers' information has not been modified and systems are free from unauthorized access;
b) Confidentiality of customers' data in storage, during processing and in transit;
c) Reliability and availability of Internet Banking systems to provide prompt access to systems for registered users and maintaining operational effectiveness;
d) Accountability by designing SOPs, policies and controls to ensure traceability of all transactions;
e) Proactive approach to detect unauthorized access and identification of potential fraudulent transactions.
While developing the Internet Banking Security Framework, the bank should take into account the complexity of the systems, applications and products/services offered, while at the same time ensuring ease of usage and customers' convenience. Further, the framework should clearly define the roles and responsibilities of the Board of Directors (BoDs), senior management and employees with regard to its approval, development and implementation. This Framework and any reviews thereafter should be duly approved by the BoDs.
Security Risk Assessment
The bank shall conduct and document a formal Security Risk Assessment for Internet Banking with a view to identifying, estimating and prioritizing the risks to which its operations are exposed due to Internet Banking. The BoDs should review the risk assessment document and any reviews conducted thereafter. The Security Risk Assessment should be reviewed at least once a year; however, in case of a major security breach, significant changes to the infrastructure, or the introduction of a new product or service, an immediate review of the risk assessment should be carried out. Further, in case of a major security breach, the risk assessment review should include a detailed analysis of the factors that caused the breach.
Security controls implementation
The bank shall ensure that appropriate security arrangements and security controls to protect IT assets (such as systems, applications, networks, data, and information and communication systems) are in place. The bank shall develop a set of controls based on the Security Risk Assessment document, commensurate with the risk levels, to meet the control objectives. The bank shall define its set of minimum baseline Security Controls, which include Access Controls (Access Rights Management, Electronic Authentication, etc.), Network Access Controls, Operating System Access Controls, Application Access Controls and Remote Access Controls.
Security controls monitoring
The bank shall develop and implement a formally approved mechanism for the monitoring of Security Controls. An analysis of the effectiveness of existing or proposed Security Controls Monitoring methods shall be part of this monitoring mechanism.
A formal customer awareness program regarding Internet Banking threats and safeguards to minimize frauds and Identity Theft risks should be developed and implemented by the banks.
All established security breaches should be reported to the Payment Systems Department (PSD), State Bank of Pakistan. The incident and analysis reports of security breaches should be furnished to PSD on a quarterly basis as per Annexure-I. The impact of a security breach on the institution's business, systems, applications and customers should also be submitted in detail.
These regulations are subject to all relevant laws, rules and regulations issued by SBP from time to time, including but not limited to the following: a) Guidelines on the Outsourcing Arrangements (BPRD Circular No 9 dated July 13, 2007); b) Guidelines on the Information Technology Security (BSD Circular No 15 dated September 29, 2004); c) Information Systems: Guidelines on Audits and System Switchover Planning (BSD Circular No 8 dated December 12, 2005); d) Compliance of "Guidelines on Business Continuity Planning" (BSD Circular No 13 dated September 04, 2004).
Date: Nov 30, 2015