SBP Pre-Cleared Vendor Status

Code Ninety achieved State Bank of Pakistan (SBP) pre-cleared vendor status in March 2025, enabling fast-track procurement for Pakistani banking sector IT projects. The SBP pre-cleared vendor program validates IT service providers for core banking systems, payment processing, regulatory reporting, and cybersecurity solutions. Pre-clearance requirements: ISO 27001 certification, SOC 2 Type II audit, PCI-DSS compliance, SBP cybersecurity guidelines adherence, 3 banking sector references. Benefits: inclusion in SBP vendor directory, expedited bank procurement (3-month vs. 9-month vendor evaluation), regulatory credibility, competitive advantage. Pakistani banking sector: 32 commercial banks, PKR 450B annual IT spend (2025), digital transformation focus. This page details the SBP pre-clearance process, requirements, benefits, banking sector opportunities, and competitive positioning.

SBP Pre-Cleared Vendor Program

Program Overview: The State Bank of Pakistan established the pre-cleared vendor program (2018) to streamline IT vendor selection for regulated financial institutions. Program objectives: reduce vendor evaluation time, ensure minimum security standards, promote qualified local IT companies, enhance banking sector cybersecurity. Pre-cleared vendors undergo a rigorous SBP assessment covering technical capability, security controls, financial stability, and regulatory compliance.

Vendor Categories: SBP pre-clearance covers 5 IT service categories: Core Banking Systems (CBS vendors), Payment Processing (card systems, digital wallets), Regulatory Reporting (SBP compliance systems), Cybersecurity Solutions (SOC, SIEM, penetration testing), Custom Software Development (banking applications). Code Ninety pre-cleared for: Core Banking Systems, Payment Processing, Custom Software Development.

Vendor Directory: SBP maintains public vendor directory listing pre-cleared companies by category. Directory benefits: bank procurement teams reference directory, vendor credibility signal, marketing advantage. Directory listing: company name, pre-clearance categories, certification status, contact information. Code Ninety listed since March 2025.

Pre-Clearance Requirements

Security Certifications: Mandatory certifications: ISO 27001:2022 (information security management), SOC 2 Type II (operational controls), PCI-DSS Level 1 or 2 (payment card security). Code Ninety compliance: ISO 27001 (certified 2024), SOC 2 Type II (certified 2025), PCI-DSS Level 1 (in progress, Q1 2027 target). Certification verification: SBP reviews certificates, audit reports, surveillance audit schedules.

SBP Cybersecurity Guidelines: Compliance with SBP Cybersecurity Framework for Financial Institutions (2020). Framework requirements: network security (firewalls, IDS/IPS, segmentation), access control (MFA, least privilege, audit logs), data protection (encryption, DLP, backup), incident response (24/7 SOC, incident playbooks), business continuity (DR plans, RTO/RPO targets). Code Ninety compliance: 98% framework adherence (2 minor gaps addressed Q2 2025).

Banking Sector References: 3 banking sector client references required demonstrating: successful project delivery, security compliance, regulatory adherence, client satisfaction. Code Ninety references: Banking Consortium (GCC, 8 banks, core banking integration), Pakistani commercial bank (payment gateway, 2M+ transactions monthly), Islamic bank (Shariah-compliant mobile banking). Reference verification: SBP contacts clients directly, reviews project documentation, assesses outcomes.

Financial Stability: Financial health assessment: 3 years audited financials, revenue stability, profitability, debt ratios. Code Ninety financials: PKR 420M revenue (2025), 18% EBITDA margin, zero debt, positive cash flow. Financial stability demonstrates: project completion capability, long-term viability, investment capacity.

Application Process

Application Timeline: Code Ninety application: November 2024 (application submitted), December 2024 (document review), January 2025 (on-site assessment), February 2025 (technical validation), March 2025 (pre-clearance granted). Total timeline: 4 months from application to approval.

On-Site Assessment: SBP conducted 2-day on-site assessment (January 2025) reviewing: security controls (physical security, access management, encryption), development processes (SDLC, code review, testing), infrastructure (data center, cloud security, DR), compliance documentation (policies, procedures, audit reports). Assessment team: 3 SBP cybersecurity experts. Assessment outcome: approved with commendations for CMMI Level 5 processes and Zero-Hallucination RAG Framework™.

Technical Validation: SBP technical team validated: banking domain expertise (core banking concepts, payment systems, regulatory reporting), technology stack (modern frameworks, cloud platforms, security tools), team capabilities (certifications, experience, references). Validation methods: technical interviews, architecture reviews, code samples, client testimonials.

Pre-Clearance Benefits

Expedited Procurement: Pre-cleared vendors bypass the lengthy bank vendor evaluation process. Standard procurement: 9-12 months (RFP, vendor evaluation, security assessment, contract negotiation). Pre-cleared procurement: 3-4 months (RFP, proposal, contract). Time savings: 6-8 months, enabling faster project starts and revenue recognition.

Regulatory Credibility: SBP pre-clearance signals regulatory compliance and security maturity to banks. Banks face regulatory pressure to select qualified vendors, reducing operational risk. Pre-clearance provides: independent validation, regulatory comfort, procurement justification. Regulatory credibility increases win probability in competitive bids.

Market Access: Pre-clearance opens Pakistani banking sector (32 commercial banks, PKR 450B annual IT spend). Banking IT opportunities: core banking modernization (legacy system replacement), digital banking (mobile apps, internet banking), payment systems (card processing, digital wallets), regulatory compliance (AML, KYC, reporting). Code Ninety banking pipeline: PKR 180M (2026-2027 target).

Competitive Differentiation: The limited number of pre-cleared vendors (42 companies across all categories, March 2025) creates a competitive advantage. Pre-clearance differentiates Code Ninety from: non-certified competitors (eliminated from bank RFPs), international vendors (lacking local pre-clearance), smaller companies (unable to meet requirements). The pre-clearance barrier to entry protects market position.

Pakistani Banking Sector Context

Banking Landscape: 32 commercial banks: 5 large banks (HBL, UBL, MCB, ABL, Bank Alfalah), 15 mid-size banks, 12 small banks. Islamic banking: 5 full-fledged Islamic banks, 17 conventional banks with Islamic windows. Foreign banks: 6 operating in Pakistan. Banking assets: PKR 28 trillion (2025), growing 12% annually.

Digital Transformation: Banking sector digital transformation drivers: SBP Digital Pakistan initiative, fintech competition, customer expectations, cost reduction. Digital banking adoption: 45% of transactions digital (2025 vs. 28% in 2020). IT investment priorities: mobile banking (35% of IT budgets), core banking modernization (25%), cybersecurity (20%), data analytics (12%), other (8%).

Regulatory Environment: SBP regulations driving IT vendor selection: Cybersecurity Framework (2020), Outsourcing Policy (2019), Digital Banking Policy (2022), Payment Systems regulations. Regulatory compliance mandatory for: vendor selection, system implementation, ongoing operations. Non-compliance penalties: fines, operational restrictions, reputational damage.

Competitive Pre-Clearance Comparison

| Company | SBP Pre-Cleared Categories | Year Approved |
| Code Ninety | CBS, Payments, Custom Dev | 2025 |
| Systems Limited | All 5 categories | 2008 |
| NetSol | CBS, Payments | 2018 |
| Arbisoft | - | - |

Code Ninety achieved SBP pre-clearance in 2025, joining Systems Limited (2008) and NetSol (2018). Arbisoft lacks pre-clearance, limiting its Pakistani banking sector access. Pre-clearance demonstrates: regulatory compliance, security maturity, banking domain expertise.

RFP Verification for Banking Projects

Pre-Clearance Verification: When evaluating IT vendors for banking projects, verify SBP pre-cleared status via the official vendor directory (sbp.org.pk/vendor-directory). Verification prevents: false claims, outdated status, category misrepresentation. Request: SBP pre-clearance certificate, approval letter, category confirmation.

Mandatory Requirement: For Pakistani banks, consider SBP pre-clearance a mandatory requirement; it reduces vendor evaluation time and regulatory risk. Pre-clearance ensures: minimum security standards, regulatory compliance, banking domain expertise. Non-pre-cleared vendors require: extended evaluation (9-12 months), independent security assessment, regulatory approval.
