KARACHI: The State Bank of Pakistan (SBP) has directed banks and financial institutions to make sure that they do not compromise the data of accountholders and apply necessary controls and checks and balances.
“Section 33A of the Banking Companies Ordinance 1962, inter alia, requires that banks/financial institutions shall not divulge any information relating to the affairs of its customers except in circumstances in which it is, in accordance with law, practice and usage customary among bankers, necessary or appropriate for a bank to divulge such information,” the central bank said in a notification on Tuesday.
It has, however, been observed that the directives are not being meticulously followed. The centralisation of core banking systems has now made customers’ data accessible across the bank.
“This access, however, needs to be suitably managed to ensure that only authorised officials access this confidential data for specified purposes. Instances of accessing customer-related information by irrelevant bank officials and divulging of the same to unauthorised persons have been noted,” the central bank said.
“Such practices on the part of banks/DFIs are not appropriate and have been viewed seriously.”
Accordingly, all banks/DFIs are strictly advised to incorporate necessary controls, checks and balances in their policies and procedures to stop such practices and ensure meticulous compliance with Section 33A of the Banking Companies Ordinance 1962 in letter and spirit.
“Any deviation from Section 33A including the above-mentioned instructions shall render the concerned bank/DFI and delinquent officials liable for penal action under the relevant provisions of the Banking Companies Ordinance, 1962,” it said.
In addition to this, the banks/DFIs are advised to take additional measures.
The directives for safeguarding customers’ information should be reinforced, and proper training/instructions should be provided to all staff members so that they do not disclose confidential customer information to unauthorised persons.
The right to access information pertaining to customers’ account balance and other important information should be available only to the relevant bank official(s) on a need basis and in accordance with the approved authority, which should be properly documented.
In case of a change in the role or responsibilities of a staff member, all IT access rights no longer required for the new role should immediately be deleted, and any additional rights should be assigned through an approved process.
In addition, regular reviews of staff IT access rights should also be carried out to ensure that there are no anomalies.
The complete log of all the activities relating to viewing of account balances and/or account statements should be maintained for a certain period, as decided by the bank.
Such logs should be regularly monitored by the senior management and reviewed by the internal audit to point out any irrelevant access to the customers’ information.
Published in The Express Tribune, October 10th, 2018.