The has tightened customer protection norms for digital banking frauds, requiring banks to prove customer negligence in disputed transactions and introducing a compensation mechanism for victims of small-value cyber frauds.
The revised framework, issued through amendments to the RBI’s Responsible Business Conduct Directions, will apply to electronic banking transactions undertaken on or after 1 January 2027. It covers internet banking, mobile banking, card transactions and other electronic banking channels.
The move comes amid a sharp rise in digital payment fraud and expands on the RBI’s earlier framework on customer liability for unauthorised transactions.
Banks, not customers, must now prove who was at fault
One of the biggest changes is the shift in the burden of proof. Under the revised directions, banks will be responsible for establishing customer liability in complaints involving fraudulent electronic banking transactions.
The RBI has also expanded the definition of bank negligence. It includes failure to maintain mandated security systems, failure to send transaction alerts, failure to provide round-the-clock reporting channels, delays in responding to customer complaints, security breaches, system failures, and internal fraud.
Customers will have no liability for fraudulent transactions caused by a bank’s negligence, regardless of whether the customer reported the transaction.
Similarly, customers will not bear losses arising from third-party breaches, such as failures at payment gateways, telecom service providers, or payment aggregators, if the unauthorised transaction is reported within 5 calendar days of its occurrence.
RBI creates a safety net for fraud losses up to ₹50,000
For the first time, the central bank has introduced a compensation mechanism for customers who suffer losses from small-value fraud.
Individual customers, including sole proprietors, who suffer losses of up to ₹50,000 due to fraudulent electronic banking transactions will be eligible for compensation of 85% of the net loss amount, subject to a maximum payout of ₹25,000. The benefit can be availed of only once during a customer’s lifetime.
The compensation framework applies to cases where the fraud is found to have occurred due to customer negligence. Under the earlier regime, such losses were largely borne by customers themselves.
The RBI will bear the largest share of the compensation. In domestic fraud cases, the customer’s bank will contribute 65% of the compensation amount, with the customer’s bank and the beneficiary bank sharing the remaining portion.
Report within five days to qualify for compensation
The compensation benefit is subject to a strict reporting condition.
To qualify, customers must report the fraudulent transaction to their bank and to the National Cyber Crime Reporting Portal or the Cyber Crime Helpline (1930) within 5 calendar days of the fraud. The claim must also be established as bona fide under the bank’s internal assessment process.
The RBI has repeatedly stressed that delays in reporting increase the risk of losses and reduce the chances of recovering funds. Banks have been directed to educate customers on the importance of prompt reporting.
Banks must offer 24/7 fraud reporting and instant acknowledgements
The revised framework imposes several new obligations on banks to improve fraud detection and customer response.
Banks must provide customers with round-the-clock channels for reporting fraudulent transactions, including phone banking, SMS, dedicated email addresses, IVR systems, toll-free numbers and branch-based reporting facilities. They must also provide direct fraud-reporting links on their websites and mobile applications.
Every fraud complaint must be immediately registered and acknowledged with a complaint number and timestamp.
The RBI has also mandated instant SMS alerts for all electronic banking transactions exceeding ₹500 and email alerts for all transactions when customers have registered an email address. Banks will not be allowed to charge customers for regulatory SMS alerts.
Fraud complaints must be settled within 45 days
The central bank has prescribed stricter timelines for complaint resolution.
Banks must determine liability and resolve complaints involving domestic fraudulent transactions within 45 calendar days. Cross-border fraud complaints must be resolved within 60 calendar days.
Where customers are entitled to a reversal, banks must ensure that it is value-dated to the original transaction date so that customers do not lose interest or incur additional charges.
For fraudulenttransactions, banks must provide a shadow reversal of the disputed amount within 5 calendar days of receiving the complaint, ensuring that customers do not incur additional interest while the case is under investigation.
The new framework marks the RBI’s most significant overhaul of digital fraud protection norms in recent years, placing greater accountability on banks while creating a financial safety net for customers who fall victim to cyber fraud.