The Reserve Bank of India has said that customers will have zero liability for a fraudulent or unauthorised transaction in case of negligence or deficiency on the part of the bank, or where a third-party breach takes place and the customer notifies the bank within three working days of receiving communication from the bank about the unauthorised transaction.

However, the customer's limited liability increases as time passes. For example, in case of Mobile Wallets or Credit Cards with a limit of up to Rs 5 lakh, the maximum liability will be Rs 10,000 if the transaction is reported in 4-7 working days. More details on liability below.

What’s also very significant here is that the RBI has recommended that Banks may deny customers the ability to transact digitally, if customers decline to link mobile numbers with their bank accounts.

The change: determining the liability of customers

What is important here is that the RBI has emphasised that the liability for unauthorised transactions lies with the banks, and only a limited liability may be passed on to customers. The burden of proving customer liability in case of unauthorised electronic banking transactions shall also lie with the bank.

Previously, the cardholder had to bear the loss sustained “up to the time of notification to the bank of any loss, theft or copying of the card but only up to a certain limit (of fixed amount or a percentage of the transaction agreed upon in advance between the cardholder and the bank), except where the cardholder acted fraudulently, knowingly or with extreme negligence.” The RBI has now determined that limit.

Banks were also not held liable for any loss caused by a technical breakdown of the payment system, “if the breakdown of the system was recognizable for the cardholder by a message on the display of the device or otherwise known.”

Limiting customers' liability

  • Three working days: Zero liability if a breach is reported within three days.
  • Four to Seven working days:
    – Maximum liability of Rs 5000 in case of BSBD accounts, which have no minimum balance, and minimum banking facilities.
    – Maximum liability of Rs 10,000 in case of savings bank accounts, and Wallets and Gift Cards, current accounts/cash credit/overdraft accounts of individuals with an annual average balance or limit of up to Rs 25 lakh, or Credit Cards with a limit of up to Rs 5 lakh.
    – Maximum limit of Rs 25,000 in case of Credit Cards with a limit of above Rs 5 lakh, and all other current accounts/cash credit/overdraft accounts other than the ones with a limit of Rs 10,000 (above).
  • More than seven working days: the bank’s board shall approve the policy.

Important: The calculation of the number of working days excludes the date on which the customer receives the communication.

Reversal Timeline: 10 working days

On being notified by the customer, the bank must reverse the amount involved in the unauthorised transaction to the customer's account within 10 working days from the date of notification by the customer. Banks may also waive liability, at their discretion, in case this is owing to customer negligence.

In case of debit card or bank account, the customer should not suffer any loss of interest. In case of credit card, the customer should not be charged any additional interest (for this transaction).

Where the complaint is made after 7 working days, the resolution needs to be done in a timeframe not exceeding 90 days, and where the bank is unable to resolve the complaint or determine the customer's liability within 90 days, the compensation (based on the liability list above) needs to be given to the customer.

What Banks need to do

  • Ask customers to mandatorily link mobile numbers to bank accounts: The RBI has told banks that they must mandatorily register customers for SMS alerts and, wherever available, register them for email alerts for electronic banking transactions. Customers who do not link mobile numbers to bank accounts may not be allowed digital transactions by banks, other than ATM withdrawals.
  • Send SMS alerts mandatorily to customers, and email alerts wherever registered.
  • Advise customers to notify the bank in case of any unauthorised transaction, and that the longer it takes for them to inform, the higher the risk of loss to the bank/customer.
  • Provide customers with 24×7 access for reporting unauthorised transactions and/or loss of a payment instrument such as a card, via a website, phone banking, SMS, email, IVR, a toll-free helpline and reporting to the home branch.
  • Enable customers to respond by “Reply” to SMS and email alerts.
  • Websites of banks must provide a direct link for lodging of complaints, with a link on their homepage.
  • Complaints lodged need to receive an immediate response (including auto response), including a complaint number.
  • Communications systems used by banks to send alerts and receive responses should record the time and date of delivery and of the customer's response (to determine customer liability).

The RBI Notification: here