Download the amendment directions here.
The Reserve Bank of India (RBI) has overhauled its rules on customer protection in fraudulent electronic banking transactions, introducing revised directions that redefine liability, expand banks’ obligations and create a compensation mechanism for certain victims of digital payment fraud.
Among the changes, customers will receive zero liability in specified cases involving bank negligence or third-party breaches, while banks will have to establish customer liability in fraud complaints. The revised directions also require banks to strengthen fraud reporting systems, send transaction alerts, and compensate eligible customers in certain small-value fraud cases. The directions apply to electronic banking transactions undertaken by customers of commercial banks on or after January 1, 2027.
Important definitions:
- Electronic banking transaction (EBT): Electronic funds transfers under the Payment and Settlement Systems Act, 2007, including both card-present and card-not-present transactions.
- Fraudulent EBT: An EBT carried out by a third party using credentials obtained fraudulently, carried out by a customer under coercion or duress, or an unauthorised EBT.
- Unauthorised EBT: An EBT not authorised by the customer, including transactions resulting from bank negligence or a third-party breach.
- Shadow reversal: A temporary or provisional credit provided by a bank after a customer reports a fraudulent EBT. Customers cannot use the amount, but they will not incur interest or additional charges.
Who is negligent, and what is a third-party breach?
- Bank negligence includes:
- Failing to implement mandated systems and procedures to secure EBTs.
- Not sending mandatory transaction alerts.
- Failure to provide 24×7 channels to report fraudulent transactions or lost cards.
- Not acting diligently after a customer reports fraud or card loss.
- System failures, security breaches or internal fraud leading to unauthorised EBTs.
- Customer negligence includes:
- Sharing or failing to protect credentials such as PINs, passwords or OTPs.
- Delaying reporting of fraudulent transactions or lost cards.
- Ignoring specific and clear scam warnings issued by the bank.
- Downloading malicious applications.
- Not updating registered mobile numbers or email addresses.
- Third-party breach refers to deficiencies outside the bank and customer, including failures by entities such as Third-Party Application Providers (TPAPs), Payment Aggregators (PAs), Payment Gateways (PGs) and Telecom Service Providers (TSPs).
Policy, alerts, and reporting requirements: Banks must adopt a customer protection policy that covers reporting channels, customer rights and obligations, complaint resolution timelines, and awareness measures. The policy must be published on the bank’s website.
Additionally, banks must:
- Verify customers’ mobile numbers and email addresses during onboarding and periodically thereafter.
- Send instant SMS alerts for all EBTs above Rs 500. SMS alerts for transactions of Rs 500 or less remain optional and incur no charges.
- Send email alerts for all EBTs where an email address is available.
- Include transaction details such as amount, time, transaction channel and beneficiary in alerts.
- Provide 24/7 reporting channels, including phone banking, SMS, email, IVR, toll-free helplines and website or app reporting.
- Acknowledge complaints immediately with a complaint number and timestamp.
- Advise customers to report fraudulent transactions via the National Cyber Crime Reporting Portal or by calling 1930.
Liability and complaint resolution:
- Customers will have zero liability for fraud resulting from bank negligence, regardless of when it is reported.
- Customers will also have zero liability for third-party breaches if they report the fraudulent transaction within five calendar days of its occurrence.
- Where customer negligence caused the fraud, the customer bears losses until the transaction is reported. The bank must bear any unauthorised transaction after reporting.
- Banks must establish customer liability in fraudulent EBT complaints.
- Banks must resolve complaints within 45 calendar days for domestic cases and 60 calendar days for cross-border cases.
- Banks must value-date reversals to the original transaction date. For fraudulent credit card transactions, banks must provide a shadow reversal within five calendar days of notification.
Compensation for small-value fraudulent EBTs:
The RBI has introduced a one-time compensation mechanism for eligible individuals, including sole proprietors.
- It applies to bona fide victims who suffer losses of up to Rs 50,000 due to fraudulent EBTs involving customer negligence.
- Customers must report the fraud to both the bank and the National Cyber Crime Reporting Portal or 1930 within five calendar days.
- Eligible customers will receive 85% of the net loss or Rs 25,000, whichever is lower, once in their lifetime.
- Banks must pay compensation within five calendar days of receiving a completed application from an eligible customer.
- The compensation mechanism will apply to fraudulent EBTs occurring for one year from the date the directions come into effect.
Why does this matter? India lost an estimated Rs 22,495 crore to cyber fraud in 2025. Yet, the RBI’s new compensation mechanism covers losses only up to Rs 50,000, leaving victims of larger scams with no recourse under these directions. Even within that ceiling, customers must report fraud within five calendar days to qualify. Meanwhile, the burden-of-proof shift, banks must now establish customer liability, not the other way around, marks a genuine structural change. But with 2.81 million fraud complaints filed last year, the framework’s protections remain far smaller than the problem they are designed to solve.
Also read: