Almost a year back, Reserve Bank of India had circulated 'draft guidelines' on protecting the customers against unauthorized transactions in their bank accounts and credit cards. The trigger was the increasing number of wrongful debits.
After a rather long delay, RBI has finally issued the final 'notification' on Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions.
The key features of these guidelines are discussed below.
You should surely know how to limit or nullify your loss, in case you become an unfortunate victim of online banking or credit card fraud.
A. Reporting unauthorized transactions to banks
It is now compulsory for you to register your mobile number for SMS alerts from your bank (and also email alerts wherever available).
And, it is your responsibility to notify unauthorized transaction(s) to your bank at the earliest. The more you delay, the more is the risk of loss to you as well as the bank.
In this regards, banks will provide you 24x7 access through multiple routes such as
- website
- phone banking
- SMS
- e-mail
- IVR
- a dedicated toll-free helpline
- reporting to home branch
- and more.
In fact the SMS or email alert sent to you, will have a ready REPLY option. This would enable you to respond to the alert immediately. You don't have to search for the bank's phone, email ID or web page to notify the fraud. In addition, all banks have to create a dedicated link on their homepage, where you can lodge such complaints.
Banks have to respond immediately to your complaint (including an auto response), acknowledging the receipt with a unique complaint number. To determine customer's liability, if any, this loss / fraud reporting system must also record
a) the date and time of the alert sent; and
b) the date and time of the customer's response.
If you do not register your mobile number, banks can refuse to provide you the facilities of electronic transactions, except ATM cash withdrawal.
B. Limited Liability of the Customer
Scenario 1. If the bank is at fault, your liability is Zero (even though you may not have reported the transaction).
Scenario 2. Where it is your mistake or negligence (for example you shared your payment credentials) you have to bear the entire loss — till such time you report the fraudulent transaction to the bank. Thereafter, the loss, if any, becomes the banks' liability.
Scenario 3. When it is a third-party breach — where neither you nor the bank is at fault — the following timeline shall apply.
Case i. Unauthorized transactions reported to the bank within three working days : Your liability is zero.
Case ii. Unauthorized transactions reported with a delay of four to seven days : Your liability is limited to the following amount [or the actual loss, if lower].
(a) Rs.5000 for : Basic Savings Bank Deposit Accounts
(b) Rs.10,000 for
- All other Savings Bank Accounts
- Credit cards with limit up to Rs.5 lakh
- Pre-paid Payment Instruments and Gift Cards
- Current / Cash Credit / Overdraft Accounts of Micro, Small and Medium Enterprises
- Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance limit up to Rs.25 lakh
(c) Rs.25,000 for
- Credit cards with limit above Rs.5 lakh
- All other Current / Cash Credit / Overdraft Accounts
Case iii. Unauthorized transactions reported after seven days : Your liability would be as per the policy approved by the Board of the particular bank.
New customers will be provided with the details of such Board-approved policy at the time of account opening. Meanwhile, banks have to individually inform the policy details to all their existing customers. Further, it has to be made available in the public domain, so that the same is widely circulated.
C. Timeline to reverse the unauthorized banking transaction
Within 10 days from you informing the bank about the unauthorized transaction, the amount involved has to be credited back to your account.
The date of credit will be the same as date of the unauthorized transaction. This is to ensure that you neither lose out on any interest (in case of debit card or bank account fraud) nor bear the burden of extra interest (in case of credit cards).
In cases where it is your fault and hence are liable for the losses, banks have to resolve the complaint and fix your liability maximum within 90 days. If not, then your liability would be as discussed earlier under different scenarios.
It is the bank's responsibility to prove your negligence in any unauthorised electronic banking transaction.
By the way, banks have been given the discretion to waive off the customer's liability, even in cases where s/he is the negligent party.
D. Board Approved Policy
As per the RBI guidelines, each bank has to lay down a policy, that clearly defines the rights and obligations of the customers, in case of unauthorized access to their bank accounts. This should include various possibilities such as customer negligence, banking system failure or third party breaches.
The policy should be transparent and non-discriminatory; and cover aspects such as
- customer protection
- creating awareness
- customer liability
- compensation procedure and mechanism
- timelines
- grievance handling / escalation procedure
Banks have to report such cases of unauthorized fraudulent transaction to the Board or its Committee. The Standing Committee on Customer Service has to review such transactions and action taken / grievance handling, on a regular basis. Further, the bank's internal auditors too have to review all such transactions.
E. System and Procedures
There can, broadly, be two types of electronic banking transactions:
i) Remote or Online transactions e.g. internet banking, mobile banking, card not present (CNP); which do not require physical payment instruments; and
ii) Face-to-face or proximity transactions e.g. ATM , Point-of-Sale etc.; where physical payment instrument such as a card or mobile phone is required at the point of transaction
Banks must design such systems and procedures which make the customers feel safe while carrying out electronic banking transactions; and both bank and customer are protected against the liabilities arising out of fraudulent transactions. Hence, certain important features such as security; robust fraud detection and prevention; and risk assessment and mitigation must be built into the systems.
After a rather long delay, RBI has finally issued the final 'notification' on Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions.
The key features of these guidelines are discussed below.
You should surely know how to limit or nullify your loss, in case you become an unfortunate victim of online banking or credit card fraud.
A. Reporting unauthorized transactions to banks
It is now compulsory for you to register your mobile number for SMS alerts from your bank (and also email alerts wherever available).
And, it is your responsibility to notify unauthorized transaction(s) to your bank at the earliest. The more you delay, the more is the risk of loss to you as well as the bank.
In this regards, banks will provide you 24x7 access through multiple routes such as
- website
- phone banking
- SMS
- IVR
- a dedicated toll-free helpline
- reporting to home branch
- and more.
In fact the SMS or email alert sent to you, will have a ready REPLY option. This would enable you to respond to the alert immediately. You don't have to search for the bank's phone, email ID or web page to notify the fraud. In addition, all banks have to create a dedicated link on their homepage, where you can lodge such complaints.
Banks have to respond immediately to your complaint (including an auto response), acknowledging the receipt with a unique complaint number. To determine customer's liability, if any, this loss / fraud reporting system must also record
a) the date and time of the alert sent; and
b) the date and time of the customer's response.
If you do not register your mobile number, banks can refuse to provide you the facilities of electronic transactions, except ATM cash withdrawal.
 |
| Don't just stand there and cry. Report the wrong transaction to your bank NOW. |
B. Limited Liability of the Customer
Scenario 1. If the bank is at fault, your liability is Zero (even though you may not have reported the transaction).
Scenario 2. Where it is your mistake or negligence (for example you shared your payment credentials) you have to bear the entire loss — till such time you report the fraudulent transaction to the bank. Thereafter, the loss, if any, becomes the banks' liability.
Scenario 3. When it is a third-party breach — where neither you nor the bank is at fault — the following timeline shall apply.
Case i. Unauthorized transactions reported to the bank within three working days : Your liability is zero.
Case ii. Unauthorized transactions reported with a delay of four to seven days : Your liability is limited to the following amount [or the actual loss, if lower].
(a) Rs.5000 for : Basic Savings Bank Deposit Accounts
(b) Rs.10,000 for
- All other Savings Bank Accounts
- Credit cards with limit up to Rs.5 lakh
- Pre-paid Payment Instruments and Gift Cards
- Current / Cash Credit / Overdraft Accounts of Micro, Small and Medium Enterprises
- Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance limit up to Rs.25 lakh
(c) Rs.25,000 for
- Credit cards with limit above Rs.5 lakh
- All other Current / Cash Credit / Overdraft Accounts
Case iii. Unauthorized transactions reported after seven days : Your liability would be as per the policy approved by the Board of the particular bank.
New customers will be provided with the details of such Board-approved policy at the time of account opening. Meanwhile, banks have to individually inform the policy details to all their existing customers. Further, it has to be made available in the public domain, so that the same is widely circulated.
C. Timeline to reverse the unauthorized banking transaction
Within 10 days from you informing the bank about the unauthorized transaction, the amount involved has to be credited back to your account.
The date of credit will be the same as date of the unauthorized transaction. This is to ensure that you neither lose out on any interest (in case of debit card or bank account fraud) nor bear the burden of extra interest (in case of credit cards).
In cases where it is your fault and hence are liable for the losses, banks have to resolve the complaint and fix your liability maximum within 90 days. If not, then your liability would be as discussed earlier under different scenarios.
It is the bank's responsibility to prove your negligence in any unauthorised electronic banking transaction.
By the way, banks have been given the discretion to waive off the customer's liability, even in cases where s/he is the negligent party.
D. Board Approved Policy
As per the RBI guidelines, each bank has to lay down a policy, that clearly defines the rights and obligations of the customers, in case of unauthorized access to their bank accounts. This should include various possibilities such as customer negligence, banking system failure or third party breaches.
The policy should be transparent and non-discriminatory; and cover aspects such as
- customer protection
- creating awareness
- customer liability
- compensation procedure and mechanism
- timelines
- grievance handling / escalation procedure
Banks have to report such cases of unauthorized fraudulent transaction to the Board or its Committee. The Standing Committee on Customer Service has to review such transactions and action taken / grievance handling, on a regular basis. Further, the bank's internal auditors too have to review all such transactions.
E. System and Procedures
There can, broadly, be two types of electronic banking transactions:
i) Remote or Online transactions e.g. internet banking, mobile banking, card not present (CNP); which do not require physical payment instruments; and
ii) Face-to-face or proximity transactions e.g. ATM , Point-of-Sale etc.; where physical payment instrument such as a card or mobile phone is required at the point of transaction
Banks must design such systems and procedures which make the customers feel safe while carrying out electronic banking transactions; and both bank and customer are protected against the liabilities arising out of fraudulent transactions. Hence, certain important features such as security; robust fraud detection and prevention; and risk assessment and mitigation must be built into the systems.
