07 Mar, 2026
Regulatory Reference
Document: Draft Reserve Bank of India (Commercial Banks –
Responsible Business Conduct) Third Amendment Directions, 2026
Subject: Limiting Liability of Customers in Unauthorised Electronic Banking
Transactions
Public Comment Deadline: April 6, 2026
Submission Email: mcsdorfeedback@rbi.org.in
or via the RBI Connect 2 Regulate Platform
The Reserve Bank of India has invited public comments on the
draft “Reserve Bank of India (Commercial Banks – Responsible Business Conduct)
Third Amendment Directions, 2026.” The draft revises instructions relating to limiting
liability of customers in unauthorised electronic banking transactions and
forms part of the broader Responsible Business Conduct framework for commercial
banks.
As digital payments become an everyday utility—from UPI
transfers to card-not-present transactions—the question of who bears financial
liability when fraud occurs has become increasingly important. RBI’s latest
consultation reflects the continuing evolution of India’s digital payments
ecosystem, where customer protection, system accountability, and fraud
mitigation must operate together.
A Broader Definition of Electronic Banking Transactions
One of the notable elements of the draft is the clarification
of what constitutes an electronic banking transaction. The definition aligns
such transactions with the concept of electronic funds transfer under the
Payment and Settlement Systems Act, 2007 and explicitly includes both card-present
and card-not-present transactions [Para 4(10D)].
The draft also expands the concept of “authorised electronic
banking transactions.” These may include transactions performed by the customer
directly or those executed through a previously authorised third party using
authentication mechanisms such as OTPs, passwords, PINs, or card credentials [Para 4(3A)].
Importantly, the framework recognises that some transactions
may technically appear authorised but may still involve fraud or coercion—such
as when a customer is tricked into sending money to a scammer posing as a
legitimate recipient [Para 4(3A) (ii)].
This acknowledgement reflects the growing role of social
engineering scams, where fraud occurs not through system breaches but through
manipulation of customer behaviour.
Clarifying Negligence: Bank vs Customer
Another important feature of the draft is the attempt to
clearly define bank negligence and customer negligence.
Bank negligence may include situations such as failure to
implement mandated security systems, not sending transaction alerts, not
providing channels for fraud reporting, or failing to act diligently upon
customer notification [Para 4(20A)].
Customer negligence may include actions such as sharing OTPs
or passwords, ignoring specific fraud warnings issued by the bank, failing to
promptly notify the bank after detecting fraud, or downloading malicious
applications [Para 4(20B)].
These definitions are intended to provide greater clarity when
determining liability in disputes arising from fraudulent transactions.
Strengthening Alerts and Reporting Mechanisms
The draft also proposes stronger transaction alert
requirements.
Banks must send instant SMS alerts for electronic banking
transactions exceeding ₹500 [Para 76D] and
email alerts for all such transactions where the customer has registered an
email address with the bank [Para 76E].
Customers must also be provided 24×7 reporting channels for
fraudulent transactions through multiple mechanisms such as phone banking, SMS,
email, IVR systems, toll-free helplines, or reporting to the home branch [Para 76G].
Banks are further required to ensure that once a complaint is
received, it is automatically registered and acknowledged with a complaint
number and timestamp [Para 76I].
These measures aim to minimise delays in fraud reporting and
ensure that banks can respond quickly to prevent further losses.
Zero Liability and Compensation Framework
The draft reiterates that customers may have zero liability
when fraudulent transactions occur due to negligence on the part of the bank or
due to certain third-party breaches, provided the fraud is reported within five
calendar days [Para 76L].
For small-value fraud cases involving losses up to ₹50,000,
the draft introduces a structured compensation mechanism. Eligible customers
may receive 85% of the net loss amount or ₹25,000, whichever is lower [Para 76T].
However, the compensation framework is subject to two
important conditions [Para 76T (1)]:
- the
loss must be established as bona fide according to the bank’s internal
processes, and
the victim must report the fraudulent transaction both to
the bank and to the National Cyber Crime Reporting Portal or the Cyber Crime
Helpline (1930) within five calendar days of the occurrence.
Interestingly, the compensation structure distributes
responsibility across the Reserve Bank, the customer’s bank, and the
beneficiary bank, reflecting a system-level approach to fraud risk.
Strengthening Trust in Digital Payments
Beyond the technical provisions, the draft directions
highlight RBI’s broader objective: strengthening trust in electronic banking
systems.
India’s digital payments ecosystem has expanded rapidly over
the past decade. With this scale comes the need for frameworks that balance customer
protection, bank accountability, and systemic resilience against fraud.
In a rapidly expanding digital payments ecosystem, clarity
around customer liability and fraud response mechanisms plays an important role
in maintaining public confidence. Frameworks such as these contribute to the
broader goal of ensuring that electronic payments remain both convenient and
safe for everyday users.
RBI has invited comments from stakeholders and the public,
with submissions accepted until April 6, 2026.
In a subsequent post, I plan to examine the illustrations
included in the draft directions, which explain how compensation calculations
work in practice under different fraud scenarios.
The Joy of Digital Transactions
Nayakanti Prashant
Citizen Advocate — Digital Transaction Day (April 11)
👉 https://movethebarrier.blogspot.com/April11
