4 days ago
- Business
- Business Recorder
The State Bank's role in regulating emerging technology
The State Bank of Pakistan, traditionally known as regulator of the country's credit ecosystem and implementer of its monetary policy, has now found itself operating in unchartered waters, beyond its statutory obligations documented in the SBP Act, 1956 and the Banking Companies Ordinance, 1962.
With rapid digitalization of the financial sector and increasing adoption of cross-border payment solutions, Pakistanis facing rising concerns with cybersecurity and protection of sensitive consumer data. The country is witnessing an unprecedented technological revolution, whilst being regulated by outdated consumer data protection laws.
The State Bank has taken significant steps to encourage adoption of innovative financial technology in Banks and DFIs, whilst ensuring protection of sensitive consumer data through well-structured frameworks.
However, the central banks recent initiative to foster innovation in SECP-regulated and non-regulated entities, goes beyond the scope of its frameworks and is grounded by the outdated Payment Systems & Electronic Fund Transfer (PS&EFT) Act, 2007, a statute brought to law before the advent of modern technology such as Generative AI, Cloud Computing and Big Data.
With the absence of modern data protection laws,and the rapid adoption of third-party digital solutions in the financial sector, the State Bank is forced to navigate these statutory gaps on its own.
In May 2025, the State Bank issued guidelines for inviting applicants to its newly-launched Regulatory Sandbox.
The sandbox is a controlled environment where tech innovators can test novel digital solutions using real consumer data, without being suppressed by regulatory red tape.
The sandbox is open to 1) SBP regulated entities such as banks and DFIs, 2) Entities licensed by other regulators such as SECP and 3) Non-licensed entities. This initiative hits the jackpot for fintech solution providers, start-up founders and digital innovators, however, being legally backed by the PS&EFT Act, this leads to concerns for protection of sensitive consumer information.
With underdeveloped data protection laws, the State Bank is compelled to serve a dual role: upholder of economic stability, as per its statutory obligations, and now as a de-facto technology regulator.
In response to this added responsibility SBP released the Enterprise Technology Governance & Risk Management (ETGRM) Framework in 2017. The framework covers areas such as cybersecurity, third party risk and consumer data protection obligations for licensed banks and DFIs.
The regulatory sandbox, however, is legally confined by the PS&EFT Act 2007, a federal statute primarily designed to govern electronic transfers and digital payments, with outdated provisions related to consumer data protection.
It fails to address data privacy concerns arising from the technology being developed in the modern digital age. The State Bank is now in a position where its own security standards, developed for SBP regulated entities, have surpassed federal legal obligations, in terms of data protection and cybersecurity provisions.
In the EU, UK and other developed countries, regulatory sandboxes have played a pivotal role in successfully launching full-scale neobanks, AI-based financing tools and cross border payment systems.
The central banks in these developed countries are not expected to work in regulatory silos and are supported by robust legislation, such as the European Union's AI Act 2024, General Data Protection Regulation (GDRP) and the recently enacted Digital Operational Resilience Act (DORA). In Pakistan, policy failure at federal legislative level, has placed the burden of regulating digital innovation in the financial sector entirely on the central bank.
In developed countries, a regulatory sandbox serves as a launchpad, an innovation enabler where fintech products undergo detailed scrutiny to de-risk any shortcomings in their business model before full-scale launch in the market. The central banks, with robust consumer protection laws, are then able to focus on innovation rather than regulation.
On the surface, the State Bank of Pakistan's decision to enable fintech experimentation under its supervisory guidance seems to be a significant step towards enhancing digitalization and financial inclusion in the country.
However, it is evident the regulator ishaving to use the regulatory sandbox to help identify operational grey areas in the emerging tech landscape. With the absence of historical data and regularity clarity – particularly around consumer data protection and fintech – SBPs sandbox, instead of being a proactive driver of innovation, is a learning tool for assessing new technology in a controlled environment, to understand its scope, enabling its governance after full-scale launch.
The Asian Development Bank, in its 2025 diagnostic report on Pakistan's Digital Ecosytem, recommends formalization of an inclusive data governance framework, with clearly defined procedures for data security, privacy and data sharing.
Policymakers must recognize the importance of a coherent and future-ready regulatory environment to enable timely adoption of emerging technology whilst safeguarding sensitive consumer information through adoption of a comprehensive digital governance and cybersecurity legislation.
The future of financial digitalization in the country depends on the proactive formalization and implementation of an all-encompassing legal framework. With the absence of such reforms, the State Banks non-traditional role in enabling fintech reform risks becoming a bottleneck rather than a pathway to a digitalized economy.
The article does not necessarily reflect the opinion of Business Recorder or its owners.
