The Reserve Bank of India classifies electronic transactions into two broad categories: online transactions (internet banking, mobile banking and prepaid) and face-to-face transactions (needing a physical payment instrument such as a card or mobile phone at an ATM or a point-of-sale terminal). Banks have been directed to set up systems and procedures to ensure the safety and security of electronic banking and ensure a robust fraud detection and prevention mechanism.
What has the RBI directed banks?
Banks must assess any gaps in their systems which could result in unauthorised transactions and measure the possible liabilities arising out of them and take steps to mitigate risks and protect themselves against such liabilities. Banks also have to continually and repeatedly advise customers on how to protect themselves from electronic banking and payments-related fraud. They must also ask customers to mandatorily register for SMS alerts.
What facilities must banks provide for reporting fraud?
Banks must provide customers with facilities of a website, phone banking, SMS, email, IVR and a dedicated toll-free helpline for reporting unauthorised transactions as well as loss/theft of payment instruments such as cards. They should also be given the facility to report these to the home branch. Banks have also been asked to enable customers to instantly respond by replying to SMS and e-mail alerts about fraudulent transactions without being required to search for a web page or an e-mail address. A direct link for lodging the complaints, with specific options to report unauthorised electronic transactions, should be provided on their home page. The reporting system shall also ensure immediate acknowledgement of the complaint. The bank’s communication systems must record the time and date of delivery of the message and receipt of the customer’s response, if any, which will be crucial in determining the extent of a customer’s liability. Banks may offer only an ATM cash withdrawal facility and no other electronic transaction facilities to customers who do not provide mobile numbers. On receipt of the report of an unauthorised transaction, banks must prevent further unauthorised transactions in the account.
When is a customer liable?
Customers have to inform the bank as soon as such a transaction is detected. The longer the time taken, the higher will be the risk of loss to the bank or customer. A customer has zero liability when the unauthorised transaction occurs due to contributory fraud, negligence or deficiency on the part of the bank, irrespective of whether or not the transaction is reported by the customer. RBI rules clearly state that in case of third-party fraud, the customer has zero liability if he or she notifies the bank within three working days of receiving the communication of the unauthorised transaction. The burden of proving customer liability shall lie on the bank.
What is the customer’s liability?
A customer is liable for the loss due to unauthorised transactions where it can be proven that payment credentials were shared. But even in this case, the loss will be limited until the customer reports it to the bank. Any loss occurring after reporting shall be borne by the bank. In cases where the unauthorised transaction is due to a systemic issue and the customer notifies the bank within 4-7 working days, the per transaction liability shall be limited to a maximum of Rs 5,000 for a basic savings account and Rs 10,000 for other savings, current accounts with limits up to Rs 25 lakh and credit cards with a cash credit limit of up to Rs 5 lakh. For accounts above this threshold, the maximum liability is Rs 25,000.