The technology landscape of payment services is transforming at a rapid pace. While this transformation brings significant benefits to the payments ecosystem, it also increases exposure of Payment Institutions (EMIs, PSOs, and PSPs) to a range of technology risks, including cyber risks. If these risks are not managed appropriately, Payment Institutions may experience heightened operational vulnerabilities.

2.     In order to provide baseline technology governance and risk management requirements for Payment Institutions, SBP has decided to issue Technology Risk Management Framework for Payment Institutions. The objective of the framework is to enable Payment Institutions to adopt robust and sound practices for managing technology and cyber security risks. The framework is not a "one-size-fits-all", and implementation of the same needs to be risk-based and commensurate with size, nature and types of payment services as well as complexity of technology operations of the individual payment institution.

3.     Payment institutions shall ensure compliance with the relevant requirements of this Framework by March 31, 2026. Non-compliance of these instructions shall attract penal action under the relevant provisions of the laws/regulations.

Encl:

       Technology Risk Management Framework for Payment Institutions