The State Bank of Pakistan (SBP) has instructed all banks and microfinance banks (MFBs) to replace the use of one-time passwords (OTPs) sent via SMS for financial transactions with Transaction PIN (TPIN)/Financial PIN (FPIN) functionality. This directive applies to transactions conducted through banking apps or internet banking portals and aims to enhance security and streamline the user experience.

In a circular issued earlier today, the central bank also mandated banks and MFBs to provide free-of-cost transactional alerts via push notifications, in-app notifications, and email alerts instead of SMS. These notifications will inform customers of transactions conducted through mobile apps.

“The Banks/MFBs shall ensure that in-app/push notifications on mobile apps of their customers shall always remain enabled. Further, Banks/MFBs shall maintain complete logs of transaction notifications sent to their customers and make them available in case of disputes or claims,” the SBP stated in its circular.

The SBP has also directed banks and MFBs to use standardized templates for customer notifications, as outlined in Annexure A of the circular. These instructions will replace the guidelines previously issued in PSD Circular No. 3 dated May 9, 2018.

To protect customers, the SBP has clarified that in cases of fraud or unauthorized transactions conducted through mobile apps, banks and MFBs will be held liable to compensate affected customers. This liability framework is outlined in BPRD Circular No. 04 of 2023.

The new instructions will come into effect from January 1, 2025, giving banks and MFBs time to implement the required changes to their systems and processes.

This move by the SBP is part of its ongoing efforts to enhance digital banking security and improve customer experience by reducing reliance on SMS-based OTPs, which are increasingly vulnerable to fraud and interception.