More Stories

Informist, Friday, Mar. 6, 2026

 

NEW DELHI - The Reserve Bank of India Friday issued draft norms to protect customers from digital banking fraud and limit the liability of customers in unauthorised electronic banking transactions. The draft norms are proposed to include a compensation mechanism for small-value transactions and aim to reduce complaint processing time and cover other categories of fraudulent electronic banking transactions.

 

The RBI has invited comments on the draft from regulated entities and members of public or other stakeholders on or before Apr. 6. The draft norms will come into effect from Jul. 1 and will apply to commercial banks, excluding small finance banks, payments banks, regional rural banks and local area banks.

 

According to RBI, an authorised electronic banking transaction includes transactions carried out by customers themselves or by a previously authorised third party through authentication methods such as passwords, one-time passwords, card details, challenge questions or other electronic verification methods.

 

However, the definition has been expanded to also cover cases where transactions occur after fraudsters obtain customer credentials through fraudulent means, where a customer approves a transaction under coercion, or where a customer is tricked into voluntarily transferring money to a scammer posing as a legitimate entity.

 

The central bank has also outlined what would constitute negligence by banks and customers, a key factor in determining liability in digital fraud cases. According to the draft framework, negligence by banks may include failure to implement mandated security systems, not sending mandatory transaction alerts, not providing channels to report fraud or loss of payment instruments, failure to act promptly after customer notification, or system malfunctions and internal frauds leading to unauthorised electronic banking transactions.

 

The draft directions also outlined that customer negligence may include sharing PINs, passwords, OTPs or other credentials for carrying out transactions to another person, failing to report fraudulent transactions promptly, ignoring specific warnings issued by banks about possible scams, or failing to exercise reasonable care in usage of credentials like writing down and storing the PIN or downloading malicious apps.

 

The draft norms also introduced the concept of third-party breach, referring to failures occurring outside the bank or customer – such as issues involving payment gateways, payment aggregators, telecom service providers, or third-party app providers.

 

To improve monitoring and early detection of fraud, the RBI has proposed mandatory instant SMS alerts for all electronic banking transactions above INR 500. For transactions up to INR 500, banks may decide whether to send alerts as per their internal policy.

Banks will also be required to send email alerts for all electronic banking transactions wherever customers have provided email addresses. Customers availing electronic banking services must provide mobile numbers and, where available, email addresses to the bank.

 

Banks will also be required to provide 24×7 channels for reporting fraudulent electronic transactions or loss of payment instruments, including phone banking, SMS, email, interactive voice response systems, toll-free helplines and reporting at the home branch.

The RBI said banks should also provide a direct link on the homepage of their websites for reporting digital fraud and include a dedicated reporting number in transaction alert messages.

 

"A customer shall be entitled to zero liability and reversal of the transaction in cases where the fraudulent electronic banking transaction occurs due to negligence or deficiency on the part of the bank (irrespective of whether the transaction is reported by the customer or not) and in cases of third-party breach where the customer reports the unauthorised fraudulent electronic banking transaction to the bank within five calendar days from the date of its occurrence," the RBI said.

 

If fraud occurs due to customer negligence, the customer will bear the loss until the fraud is reported to the bank. However, any losses occurring after the reporting of the fraud will be borne by the bank, the draft directions said. Banks will be required to examine complaints, determine liability and respond to customers within a maximum of 30 calendar days from the date of receiving the complaint.

 

In a move aimed at supporting victims of small-value digital fraud, the RBI has proposed a compensation mechanism for bona fide individual victims suffering losses of up to INR 50,000 in fraudulent electronic banking transactions. Under the draft proposal, eligible customers will receive 85% of the net loss amount or 25,000, whichever is lower, once during their lifetime.

 

The compensation will be available only if "the victim has reported the fraudulent electronic banking transaction(s) on the National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) and to the bank within five calendar days from its occurrence," the RBI said.   End

 

Reported by Vaishali Tyagi

Edited by Avishek Dutta

 

For users of real-time market data terminals, Informist news is available exclusively on the NSE Cogencis WorkStation.

 

Cogencis news is now Informist news. This follows the acquisition of Cogencis Information Services Ltd. by NSE Data & Analytics Ltd., a 100% subsidiary of the National Stock Exchange of India Ltd. As a part of the transaction, the news department of Cogencis has been sold to Informist Media Pvt. Ltd.

 

Informist Media Tel +91 (22) 6985-4000

Send comments to feedback@informistmedia.com

 

© Informist Media Pvt. Ltd. 2026. All rights reserved.