September 5th, 2016
In an age of increasing electronic banking transactions and the risks attached to such transactions, the RBI has come out with a draft circular on customer protection in case of unauthorized electronic banking transactions.
As Factly reported earlier, Electronic Banking transactions have doubled in the last 3 years and this is only going to increase if the trends are any indication. Against this background, the Reserve Bank of India (RBI) has recently issued a draft circular on ‘Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions’. Feedback on the draft circular may be sent before 31st August, 2016.
The RBI issued a circular in April 2002 directing various banks to reverse erroneous debits arising out of fraudulent or other transactions. The RBI noted in 2002 that complaints were being received of fraudulent encashment by unscrupulous persons opening deposit accounts in names similar to those of already established concerns. In that circular, the RBI advised that in cases where banks are at fault, the banks should compensate customers without demur, and in cases where neither the bank nor the customer is at fault but the fault lies elsewhere in the system, the banks should also compensate the customers (up to a limit). Similar circulars were issued by RBI in 1978 and 1995.
Banks are directed to design robust systems to prevent fraud
The current draft circular by the RBI sets out the criteria for determining customer liability in case of fraudulent electronic transactions. The draft circular categorizes electronic banking transactions into two categories:
- Remote/ Online payment transactions (transactions that do not require physical payment instruments to be present at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions)
- Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.)
The circular directs banks to design systems in such a way that customers feel safe about carrying out electronic banking transactions. The banks are directed to put in place adequate safety and security systems, a robust and dynamic fraud detection mechanism, a mechanism to assess risks resulting from fraudulent transactions, and measures to mitigate risks against liabilities.
Customer’s liability in unauthorized transactions
The circular notes that banks must ask their customers to mandatorily register for alerts for electronic banking transactions. The alerts shall be sent to the customers through different channels (email or SMS) offered by the banks. The customers must be advised to notify the bank concerned of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction. The longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer. To facilitate this, banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting fraudulent transactions that have taken place and/or loss or theft of payment instrument such as card, etc. The loss/fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses must record the time and date of delivery of the message and receipt of customer’s response to them. This shall be important in determining the extent of the customer’s liability.
Zero Liability of a Customer
A customer’s entitlement to zero liability will arise where the security architecture and systems of the bank for electronic banking transactions are not able to protect the customer in the following events:
- Fraud/ negligence on the part of the bank (irrespective of whether the loss/fraudulent transaction is reported by the customer or not)
- Third party breach where the fault lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorized transaction.
Limited Liability of a Customer
A customer shall be liable for the loss occurring due to fraudulent transactions in the following cases:
- In cases involving negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
- In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system and when there is a delay (of four to seven working days) on the part of the customer in notifying the bank of such a transaction, the customer liability shall be limited to the transaction value or Rs 5000/-, whichever is lower. Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per bank’s Board approved policy.
Reversal Timeline for Zero & Limited Liability
On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer. Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.
The banks will also ensure that:
- A complaint is resolved within 90 days from the date of reporting; and
- In case of debit card/bank account the customer does not lose out on interest, and in case of credit card the customer does not bear any additional burden of interest.
Importantly, the burden of proving customer liability in case of unauthorised electronic banking transactions will lie on the bank.