RBI’s circular for protection of customers in

case of unauthorized electronic banking

transactions
RBI’s circular for protection of customers in case of unauthorized electronic banking
transactions2018-02-17T21:17:57+00:00

RBI’s circular for protection of customers in case of unauthorized electronic banking

transactions

RBI/2017-18/15

DBR.No.Leg.BC.78/09.07.005/2017-18

July 6, 2017

All Scheduled Commercial Banks (including RRBs)

All Small Finance Banks and Payments Banks

Dear Sir/ Madam,

Customer Protection – Limiting Liability of Customers in Unauthorized Electronic

Banking Transactions

1. Please refer to our circular DBOD. Leg.BC.86/09.07.007/2001-02 dated April 8,

2002 regarding reversal of erroneous debits arising from fraudulent or other transactions.

2. With the increased thrust on financial inclusion and customer protection and considering the
recent surge in customer grievances relating to unauthorized transactions resulting in debits to
their accounts/ cards, the criteria for determining the customer liability in these circumstances
have been reviewed. The revised directions in this regard are set out below.

Strengthening of systems and procedures

3. Broadly, the electronic banking transactions can be divided into two categories:

(i) Remote/ online payment transactions (transactions that do not require physical payment
instruments to be presented at the point of transactions
e.g. internet banking, mobile banking, card not present (CNP) transactions), Pre-paid Payment
Instruments (PPI), and

(ii) Face-to-face/ proximity payment transactions (transactions which require the physical
payment instrument such as a card or mobile phone to be
present at the point of transaction e.g. ATM, POS, etc.).
4. The systems and procedures in banks must be designed to make customers feel safe about
carrying out electronic banking transactions. To achieve this, banks
must put in place:

(i) appropriate systems and procedures to ensure safety and security of electronic banking
transactions carried out by customers;

(ii) robust and dynamic fraud detection and prevention mechanism;

(iii) mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting
from unauthorized transactions and measure the
liabilities arising out of such events;

(iv) appropriate measures to mitigate the risks and protect themselves against the liabilities
arising therefrom; and

(v) a system of continually and repeatedly advising customers on how to protect themselves
from electronic banking and payments related fraud.

Reporting of unauthorized transactions by customers to

banks
5. Banks must ask their customers to mandatorily register for SMS alerts and wherever
available register for e-mail alerts, for electronic banking transactions. The
SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever
registered. The customers must be advised to notify their bank of any unauthorized electronic
banking transaction at the earliest after the occurrence of such transaction, and informed that
the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/
customer. To facilitate this, banks must provide customers with 24×7 access through multiple
channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free
helpline, reporting to home branch, etc.) for reporting unauthorized transactions that have taken
place and/ or loss or theft of payment instrument such as card, etc. Banks shall also enable
customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers
should not be required to search for a web page or an e-mail address to notify the objection, if
any. Further, a direct link for lodging the complaints, with specific option to report unauthorized
electronic transactions shall be provided by banks on home page of their website. The loss/
fraud reporting system shall also ensure that immediate response (including auto response) is
sent to the customers acknowledging the complaint along with the registered complaint number.
The communication systems used by banks to send alerts and receive their responses thereto
must record the time and date of delivery of the message and receipt of customer’s response, if
any, to them. This shall be important in determining the extent of a customer’s liability. The
banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to
customers who do not provide mobile numbers to the bank. On receipt of report of an
unauthorized transaction from the customer, banks must take immediate steps to prevent further
unauthorized transactions in the account.
Limited Liability of a Customer
(a) Zero Liability of a Customer

6. A customer’s entitlement to zero liability shall arise where the unauthorized transaction
occurs in the following events:

(i) Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether
or not the transaction is reported by the
customer).

(ii) Third party breach where the deficiency lies neither with the bank nor with the customer
but lies elsewhere in the system, and the customer notifies
the bank within three working days of receiving the communication from the bank regarding
the unauthorized transaction.

(b) Limited Liability of a Customer

7. A customer shall be liable for the loss occurring due to unauthorized transactions in the
following cases:

(i) In cases where the loss is due to negligence by a customer, such as where he has shared the
payment credentials, the customer will bear the
entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after
the reporting of the unauthorized transaction shall be
borne by the bank.

(ii) In cases where the responsibility for the unauthorized electronic banking transaction lies
neither with the bank nor with the customer, but lies
elsewhere in the system and when there is a delay (of four to seven working days after receiving
the communication from the bank) on the part of the customer in notifying the bank of such a
transaction, the per transaction liability of the customer shall be limited to the transaction
value or the amount mentioned in Table 1, whichever is lower.
Further, if the delay in reporting is beyond seven working days, the customer liability shall be
determined as per the bank’s Board approved policy. Banks shall
provide the details of their policy in regard to customers’ liability formulated in pursuance of
these directions at the time of opening the accounts. Banks shall also
display their approved policy in public domain for wider dissemination. The existing customers
must also be individually informed about the bank’s policy.

8. Overall liability of the customer in third party breaches, as detailed in paragraph 6 (ii) and
paragraph 7 (ii) above, where the deficiency lies neither with the
bank nor with the customer but lies elsewhere in the system, is summarized in the Table 2:

The number of working days mentioned in Table 2 shall be counted as per the working schedule
of the home branch of the customer excluding the date of receiving
the communication.
Reversal Timeline for Zero Liability/ Limited Liability of
customer
9. On being notified by the customer, the bank shall credit (shadow reversal) the amount
involved in the unauthorized electronic transaction to the customer’s account within 10 working
days from the date of such notification by the customer (without waiting for settlement of
insurance claim, if any). Banks may also at their discretion decide to waive off any customer
liability in case of unauthorized electronic banking transactions even in cases of customer
negligence. The credit shall be value dated to be as of the date of the unauthorized transaction.

10. Further, banks shall ensure that:

(i) a complaint is resolved and liability of the customer, if any, established within such time, as
may be specified in the bank’s Board approved
policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer
is compensated as per provisions of paragraphs 6 to 9 above;

(ii) where it is unable to resolve the complaint or determine the customer liability, if any, within
90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and

(iii) in case of debit card/ bank account, the customer does not suffer loss of interest, and in
case of credit card, the customer does not bear any additional burden of interest.

Board Approved Policy for Customer Protection

11. Taking into account the risks arising out of unauthorized debits to customer accounts owing
to customer negligence/ bank negligence/ banking system frauds/
third party breaches, banks need to clearly define the rights and obligations of customers in case
of unauthorized transactions in specified scenarios. Banks shall
formulate/ revise their customer relations policy, with approval of their Boards, to cover aspects
of customer protection, including the mechanism of creating customer awareness on the risks
and responsibilities involved in electronic banking transactions and customer liability in such
cases of unauthorized electronic banking transactions. The policy must be transparent, non-
discriminatory and should stipulate the mechanism of compensating the customers for the
unauthorized electronic banking transactions and also prescribe the timelines for effecting
such compensation keeping in view the instructions contained in paragraph 10 above.
The policy shall be displayed on the bank’s website along with the details of
grievance handling/ escalation procedure. The instructions contained in this circular shall
be incorporated in the policy.

Burden of Proof
12. The burden of proving customer liability in case of unauthorized electronic banking
transactions shall lie on the bank.
Reporting and Monitoring Requirements
13. The banks shall put in place a suitable mechanism and structure for the reporting of the
customer liability cases to the Board or one of its Committees. The
reporting shall, inter alia, include volume/ number of cases and the aggregate value involved
and distribution across various categories of cases viz., card present
transactions, card not present transactions, internet banking, mobile banking,
ATM transactions, etc. The Standing Committee on Customer Service in each bank
shall periodically review the unauthorized electronic banking transactions reported
by customers or otherwise, as also the action taken thereon, the functioning of the grievance
redress mechanism and take appropriate measures to improve the systems and procedures. All
such transactions shall be reviewed by the bank’s
internal auditors.

14. The instructions contained in this circular supersede some of the instructions contained in
our Master Circular DBR.No.FSD.BC.18/24.01.009/2015-16 dated July 1, 2015 on Credit
Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations of Banks and
Credit card issuing NBFCs as detailed in the Annex.

Yours faithfully,

(Prakash Baliarsingh)
Chief General Manager