RBI’s circular for protection of customers in case of unauthorized electronic banking transactions

Ankita Khetan | Feb 17, 2018 |

RBI/2017-18/15
DBR.No.Leg.BC.78/09.07.005/2017-18

July 6, 2017

All Scheduled Commercial Banks (including RRBs)
All Small Finance Banks and Payments Banks
Dear Sir/ Madam,
Customer Protection - Limiting Liability of Customers in Unauthorized Electronic Banking Transactions

1. Please refer to our circular DBOD. Leg.BC.86/09.07.007/2001-02 dated April 8, 2002 regarding reversal of erroneous debits arising from fraudulent or other transactions.

2. With the increased thrust on financial inclusion and customer protection and considering the recent surge in customer grievances relating to unauthorized transactions resulting in debits to their accounts/ cards, the criteria for determining the customer liability in these circumstances have been reviewed. The revised directions in this regard are set out below.

Strengthening of systems and procedures

3. Broadly, the electronic banking transactions can be divided into two categories:

(i) Remote/ online payment transactions (transactions that do not require physical payment instruments to be presented at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions), Pre-paid Payment Instruments (PPI), and

(ii) Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.).

4. The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place:

(i) appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;

(ii) robust and dynamic fraud detection and prevention mechanism;

(iii) mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorized transactions and measure the liabilities arising out of such events;

(iv) appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and

(v) a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.

Reporting of unauthorized transactions by customers to banks

5. Banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered. The customers must be advised to notify their bank of any unauthorized electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer. To facilitate this, banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorized transactions that have taken place and/ or loss or theft of payment instrument such as card, etc. Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any. Further, a direct link for lodging the complaints, with specific option to report unauthorized electronic transactions shall be provided by banks on home page of their website. The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of a customer’s liability. The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. On receipt of report of an unauthorized transaction from the customer, banks must take immediate steps to prevent further unauthorized transactions in the account.

Limited Liability of a Customer

(a) Zero Liability of a Customer

6. A customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:

(i) Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).

(ii) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.

(b) Limited Liability of a Customer

7. A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:

(i) In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.

(ii) In cases where the responsibility for the unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.

Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy.

8. Overall liability of the customer in third party breaches, as detailed in paragraph 6 (ii) and paragraph 7 (ii) above, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, is summarized in the Table 2:


The number of working days mentioned in Table 2 shall be counted as per the working schedule of the home branch of the customer excluding the date of receiving the communication.

Reversal Timeline for Zero Liability/ Limited Liability of customer

9. On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorized electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorized transaction.

10. Further, banks shall ensure that:

(i) a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint, and the customer is compensated as per provisions of paragraphs 6 to 9 above;

(ii) where it is unable to resolve the complaint or determine the customer liability, if any, within 90 days, the compensation as prescribed in paragraphs 6 to 9 is paid to the customer; and

(iii) in case of debit card/ bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.

Board Approved Policy for Customer Protection

11. Taking into account the risks arising out of unauthorized debits to customer accounts owing to customer negligence/ bank negligence/ banking system frauds/ third party breaches, banks need to clearly define the rights and obligations of customers in case of unauthorized transactions in specified scenarios. Banks shall formulate/ revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorized electronic banking transactions. The policy must be transparent, non-discriminatory and should stipulate the mechanism of compensating the customers for the unauthorized electronic banking transactions and also prescribe the timelines for effecting such compensation keeping in view the instructions contained in paragraph 10 above. The policy shall be displayed on the bank’s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.

Burden of Proof

12. The burden of proving customer liability in case of unauthorized electronic banking transactions shall lie on the bank.

Reporting and Monitoring Requirements

13. The banks shall put in place a suitable mechanism and structure for the reporting of the customer liability cases to the Board or one of its Committees. The reporting shall, inter alia, include volume/ number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall periodically review the unauthorized electronic banking transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures. All such transactions shall be reviewed by the bank’s internal auditors.

14. The instructions contained in this circular supersede some of the instructions contained in our Master Circular DBR.No.FSD.BC.18/24.01.009/2015-16 dated July 1, 2015 on Credit Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations of Banks and Credit card issuing NBFCs as detailed in the Annex.

 

Yours faithfully,

(Prakash Baliarsingh)
Chief General Manager


Annex.

Instructions in our Master Circular on Credit Card, Debit Card and Rupee Denominated Co-branded Pre-paid Card Operations of Banks and Credit card issuing NBFCs (DBR.No.FSD.BC.18/24.01.009/2015-16 dated July 1, 2015) which stand revised in respect of Scheduled Commercial Banks.
 

| Sr. No. | Existing Instructions: Para No. | Existing Instructions: Instructions | Revised instructions in this circular (Para No.) |
|---|---|---|---|
| 1. | I.14.1 | Banks/ NBFCs should set up internal control systems to combat frauds and actively participate in fraud prevention committees/ task forces which formulate laws to prevent frauds and take proactive fraud control and enforcement measures. | 4 |
| 2. | II.7.(viii)(c) | 7. Terms and conditions for issue of cards to customers: (viii) (c) The terms shall put the cardholder under an obligation to notify the bank immediately after becoming aware: – of the loss or theft or copying of the card or the means which enable it to be used; – of the recording on the cardholder’s account of any unauthorised transaction; and – of any error or other irregularity in the maintaining of that account by the bank. | 5 |
| 3. | II.7.(viii)(d) | (viii) (d): The terms shall specify a contact point to which such notification can be made. Such notification can be made at any time of the day or night. | 5 |
| 4. | II.7.(x) | The terms shall specify that the bank shall be responsible for direct losses incurred by a cardholder due to a system malfunction directly within the bank’s control. However, the bank shall not be held liable for any loss caused by a technical breakdown of the payment system if the breakdown of the system was recognizable for the cardholder by a message on the display of the device or otherwise known. The responsibility of the bank for the non-execution or defective execution of the transaction is limited to the principal sum and the loss of interest subject to the provisions of the law governing the terms. | 6 & 7 |
| 5. | II.9.(i) | The bank shall ensure full security of the debit card. The security of the debit card shall be the responsibility of the bank and the losses incurred by any party on account of breach of security or failure of the security mechanism shall be borne by the bank. | 4, 6 & 7 |
| 6. | II.9.(iv) | (iv) The cardholder shall bear the loss sustained up to the time of notification to the bank of any loss, theft or copying of the card but only up to a certain limit (of fixed amount or a percentage of the transaction agreed upon in advance between the cardholder and the bank), except where the cardholder acted fraudulently, knowingly or with extreme negligence. | 6 & 7 |
| 7. | II.9.(v) | Each bank shall provide means whereby his customers may at any time of the day or night notify the loss, theft or copying of their payment devices. | 5 |
| 8. | II.9.(vi) | On receipt of notification of the loss, theft or copying of the card, the bank shall take all action open to it to stop any further use of the card. | 5 |

 

 
