Page 53 - CMA Journal (July-August 2025)

Focus Section



Working in the gray areas of hybrid peer-to-peer lending, crowdfunding, and blockchain has become especially uncertain. These weaknesses are further aggravated by the Draft Personal Data Protection Bill (2023), introduced several years late; unless enacted, fintechs will not be under a binding legal obligation to inform users about breaches or uphold data sovereignty, exposing millions of users to the risk of their data being misused with no definite solution in law.

In the Pakistani fintech sector, compliance with cybersecurity is typically reactive rather than systematic. A third-party audit is conducted by many firms only when necessary to raise funds or renew licenses, but it is not a continuous security measure. Although the State Bank of Pakistan has begun experimenting with RegTech-based supervision, its impact is currently limited to scheduled banks, where a general environment of under-monitoring fintech persists.

In comparison, other regulatory frameworks on privacy principles, such as the EU’s General Data Protection Regulation (GDPR), Singapore’s MAS Technology Risk Management Guidelines, and India’s Digital Personal Data Protection Act (2023), are significantly more stringent. The lack of incident reporting requirements, as well as centralized registries of breaches, also contributes to the problem, leaving users in the dark. Pakistan is severely lagging in three vital aspects:

•   Data portability and user consent procedures: There is no binding procedure specifying how users can maintain control over their financial data in terms of collection, sharing, or repurposing.
•   Cross-border incident disclosure mechanisms: No rules exist for prompt reporting, especially when cyberattacks exploit international networks or cloud infrastructures.
•   Cyber insurance requirements for fintech companies: There is no obligation for companies to have cyber insurance, thus exposing both businesses and customers to financial risks.

Policy Recommendations

•   Pass and implement the Personal Data Protection Law to establish enforceable guidelines on data privacy, user consent, and breach notification.
•   Broaden SBP and SECP regulatory scrutiny to all categories of systematic fintech, especially startups and those not currently under regulatory purview, to ensure standard conformity.
•   Establish a centralized Fintech Cybersecurity Cell within the National CERT to enable real-time incident reporting and sharing, intelligence exchange, and coordinated responses.

Table 6: Identified Gap

| Regulatory Element | Current Status in Pakistan | Global Best Practice |
|---|---|---|
| Unified Data Protection Law | Draft pending approval | GDPR (EU), DPDPA (India) |
| Mandatory Breach Notification | Not legally enforced | Within 72 hours (GDPR) |
| Fintech-specific Cyber Oversight | Fragmented, sector-based | Unified fintech regulators (e.g., MAS in Singapore) |
| Real-Time Monitoring | Limited SOCs and threat intelligence sharing | Federated CERT model (US, EU) |
| Cloud Risk Management Standards | Guidelines only for NBFCs | Mandated cloud audit trails and encryption (Singapore, UK) |

Source: Author

Although Pakistan has significantly advanced its position in the region in terms of cybersecurity regulation, the current approach of the state is more reactive than proactive. The governance framework for fintech should be transformed into a proactive, risk-oriented system, rooted in strong data protection regulations, predictive supervision, and healthy cross-sectoral alignment.

About Author: The writer holds a PhD in Economics and has authored over 23 published articles and presented more than 15 research papers at international and national conferences. With eight years of diverse research experience across multiple organizations, she currently serves as Assistant Manager, Research and Publication, at Saviours.


                                                             ICMA’s Chartered Management Accountant, Jul-Aug 2025  51