Unauthorized access to bank accounts has become a grave threat in this digital age. Customer complaints about wrong debits in bank accounts and credit cards have shown an increasing trend in the recent past.
RBI is deeply concerned about this. Therefore, with a view to protect innocent people, it has drafted a circular on Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions; and has sought comments from the public.
What the Reserve Bank of India proposes in this regard is detailed below:
A. Customer's Liability
(a) Cases where the customers will have ZERO liability
Customers will not be liable for any loss
i. When there is fraud or negligence on the part of the bank (even if the customer fails to report the fraudulent transaction)
ii. When there is breach by the third party, where neither the bank nor the customer is at fault; provided the customer notifies the bank within 3 working days of receiving the communication from the bank about the particular transaction.
(b) Cases where the customers will have LIMITED liability
i. If the loss occurs due to the negligence of the customer (e.g. sharing his payment related details), he will have to bear the "entire" loss till he reports the fraudulent transaction to the bank. Thereafter, the entire loss would be to the bank's account.
ii. If the loss occurs due to the system, where neither the bank nor the customer is at fault; AND the same is reported by the customer in 4 to 7 working days, customer's liability would be restricted to Rs.5000 (or the actual transaction value, if it is of lower amount).
If the delay in reporting to the bank exceeds 7 days, the customer's liability would be as per the policy approved by the bank's Board of Directors.
[Banks will have to inform their customers, both existing and new, about the policy formulated by their Boards in this regard. Also, this policy should be made available in the public domain so that it is widely circulated.]
Don't just stand there and cry. Report the wrong transaction to your bank NOW.
B. Reporting of the unauthorized transactions
You will have to compulsorily register to receive alerts (via email or SMS) on all electronic banking transactions in your account / card. Naturally, you must report any unauthorized transaction IMMEDIATELY to the bank. The longer the delay, the higher the chances of loss to you and/or the bank.
To make this work with speed and efficiency, banks will have to provide 24x7 access through various channels such as website, phone banking, SMS, IVR, a dedicated toll-free helpline, reporting to home branch, etc.
Such loss/fraud reporting system should send an immediate response (including auto response) as an acknowledgement to the customer, along with a registered complaint number. It should record the time and date of various communications between the bank and customer. This is critical in determining the proportionate liability of the customer and the bank.
C. Burden of Proof
It is the bank's job to prove that you are the negligent party for the unauthorized transaction, and hence you have to bear the loss. The bank's policy should specify the time period within which it will establish the customer's liability. Beyond this period, banks will have to compensate the customer.
D. Transaction Reversal Timeline
Banks have to credit (shadow reversal) the customer's account within 10 days of receiving his notification about the unauthorized transaction and ensure that the complaint is resolved within 90 days.
Meanwhile, the customer should not lose out on any interest (in case of debit card or bank account fraud) or bear the burden of extra interest (in case of credit cards).
By the way, banks can at their discretion waive off the customer's liability even in cases where he is the negligent party.
E. Board Approved Policy
RBI desires that each bank should lay down a policy, that clearly defines the rights and obligations of the customers, in case of unauthorized access to their bank accounts under various scenarios such as customer negligence, banking system failure or third party breaches.
The policy should be transparent and non-discriminatory; and cover aspects such as
- customer protection
- creating awareness
- customer liability
- compensation procedure and mechanism
- timelines
- grievance handling / escalation procedure
Banks have to also ensure that such customer liability cases are reported to the Board or its Committee. In addition, the Standing Committee on Customer Service should review the unauthorized electronic banking transactions and action taken / grievance handling, on a monthly basis.
F. System and Procedures
There can, broadly, be two types of electronic banking transactions:
i) Remote or Online transactions e.g. internet banking, mobile banking, card not present (CNP); which do not require physical payment instruments; and
ii) Face-to-face or proximity transactions e.g. ATM, Point-of-Sale etc.; where physical payment instrument such as a card or mobile phone is required at the point of transaction
Banks must design systems and procedures that make customers feel safe while carrying out electronic banking transactions, and that protect both bank and customer against the liabilities arising out of fraudulent transactions. Hence, certain important features such as security; dynamic fraud detection and prevention; and risk assessment and mitigation must be built into the systems.
In short, if you are at fault, you pay for it. If the bank is at fault, the bank pays for it. And if neither is at fault, then the following timeline applies:
You inform within 3 working days - Nil liability for you
You inform within 4 to 7 days of receiving the communication - Maximum loss to you Rs.5,000 or the transaction value, whichever is lower
You inform after 7 days - You pay as per bank's approved policy
This is what you should know about the RBI's proposal on protecting you from unauthorized access to your bank accounts and cards.
You are most welcome to email your comments and suggestions to RBI by August 31, 2016.