Subject: Review of Framework for Limiting Customer Liability in Digital Transactions.
Effective Date: July 1, 2026
The Reserve Bank of India has issued draft amendment directions to overhaul the customer protection framework in electronic banking. The amendments significantly expand the definition of “unauthorised transactions” (including scams and coercion), mandate strict alert mechanisms, reduce grievance resolution timelines to a maximum of 30 days, and introduce a unique Reserve Bank-backed compensation sharing mechanism for small-value frauds (up to ₹50,000).
1. Applicable Entities
These amendments apply universally across the Indian banking ecosystem. The specific circulars cover the following regulated entities:
- Commercial Banks (excluding Payments Banks, SFBs, RRBs, LABs)
- Small Finance Banks (SFBs)
- Payments Banks (PBs)
- Local Area Banks (LABs)
- Regional Rural Banks (RRBs)
- Urban Co-operative Banks (UCBs)
- Rural Co-operative Banks (RCBs)
2. Specific Changes Required & Management Action Plan
Below is the detailed breakdown of each major amendment theme, the specific regulatory changes required, and the corresponding action plan for the Bank’s Management and IT teams.
A. Expansion of Definitions (Scams, Coercion, and Negligence)
Specific Changes Required:
- Fraudulent Transactions Expanded: Now includes transactions executed by third parties using fraudulently obtained credentials, transactions under coercion/duress, and scams where the customer is tricked into willingly sending money.
- Bank Negligence Defined: Includes failure to implement security procedures, not sending mandatory alerts, malfunctioning channels, or internal breaches.
- Customer Negligence Defined: Includes sharing credentials, downloading malicious apps, ignoring specific bank warnings, or delaying reporting.
Management Action Plan:
- Risk & Compliance: Update the Bank’s Fraud Risk Management Policy to categorize these new definitions. Create a risk matrix specifically for “social engineering/scam” cases.
- Operations/Fraud Desk: Retrain dispute resolution teams to investigate claims of coercion and trickery, as standard “OTP was shared” responses will no longer automatically absolve the bank if specific scam warnings weren’t provided.
- IT & Security: Implement dynamic transaction monitoring that triggers “specific, directed, and clear warnings” (as required by the RBI) when a transaction fits a scam profile.
B. Alert Mechanisms and Reporting Channels
Specific Changes Required:
- Mandatory SMS: Instant SMS alerts are mandatory for transactions > ₹500. Banks cannot charge customers for SMS sent for regulatory compliance or fraud awareness.
- Interactive Alerts: Alert SMS must contain a phone number/shortcode allowing the customer to instantly reply to register an objection/fraud.
- 24×7 Channels & Homepage Link: Must provide 24×7 reporting (IVR, toll-free, SMS, email) and a direct link on the homepage of the bank’s website for reporting frauds.
Management Action Plan:
- IT & Core Banking: Configure the SMS gateway to include an automated reply tracking system (e.g., “Reply FRAUD to 56767 if unauthorized”). Integrate this directly into the core system to auto-freeze the account/card instantly upon receipt.
- Product / Pricing: Revise the schedule of charges. Waive all fees associated with mandatory SMS alerts to ensure strict compliance.
- Digital/Web Team: Redesign the website homepage to feature a prominent, above-the-fold “Report Fraud/Unauthorized Transaction” button.
C. Revised Liability and 30-Day Turnaround Time (TAT)
Specific Changes Required:
- Zero Liability: Customer has zero liability if the bank is negligent, or if a third-party breach is reported within 5 calendar days.
- 30-Day Resolution: Complaints must be resolved, liability established, and responses sent within 30 calendar days.
- Reversals: Must be value-dated so the customer suffers no interest loss or charges. Rejection letters must include supporting logs (OTP, SMS, etc.).
Management Action Plan:
- Customer Support / Grievance Redressal: Overhaul the CRM workflow to enforce a hard stop at 25 days, allowing 5 days for final communication.
- IT & Data Teams: Automate the generation of evidence logs (OTP delivery timestamps, IP addresses) for disputed transactions so they can be seamlessly attached to rejection emails.
- Finance & Accounts: Create an automated backend process for value-dated reversals to recalculate and refund associated overdraft fees or lost interest instantly upon claim approval.
D. Compensation for Small Value Frauds (Up to ₹50,000)
Specific Changes Required:
- Eligibility: Applies to third-party breaches reported after 5 days, or customer negligence (up to the point of reporting), capped at a gross loss of ₹50,000. Customer must lodge a complaint on National Cyber Crime Portal (1930) within 5 days of occurrence.
- Payout Formula: Victim is compensated 85% of net loss or ₹25,000 (whichever is less). Limited to once per lifetime per customer.
- Funding Ratio: The payout is split: 65% borne by RBI, 10% by customer’s bank, 10% by beneficiary bank (exact fixed amounts apply for losses near ₹50k).
- Strict TAT: Bank must pay the customer within 5 calendar days of receiving the Annex II(1) claim application.
Management Action Plan:
- Branch Operations: Train all branch managers on the new “Annex II(1) Application Form”. Ensure branches verify the National Cyber Crime Portal complaint number before processing.
- Centralized Claims Department: Establish a dedicated “Small Value Fraud Compensation Unit” to process these specific claims within the strict 5-day window. Build an internal database to ensure the “once-in-a-lifetime” rule is enforced per PAN/Aadhaar.
- Treasury / Finance: Set up a quarterly reconciliation and reimbursement pipeline with the Reserve Bank of India to claim back the RBI’s 65% share of the compensated amounts.
3. Board Reporting & Governance Monitoring
The RBI has mandated strict Board oversight. The Management must immediately implement a mechanism for periodic reporting to the Board (or a designated Committee) detailing:
- Volume and aggregate value of fraudulent transactions.
- Distribution across channels (Card Present, Card Not Present, UPI, Internet/Mobile Banking).
- Status of the grievance redressal and functioning of the new small-value compensation mechanism.
Immediate Next Step: Present the revised “Customer Protection Policy” incorporating these amendments to the Board for approval prior to the July 1, 2026 effective date.