You get an SMS saying Rs 18,000 has been debited from your account. You did not authorise it. Your hands are shaking as you call your bank’s customer care, and the question that follows is always the same one: will I ever see this money again?
For years, the answer depended almost entirely on how the bank classified the fraud, and customers often found themselves stuck arguing with their own bank about whose fault it really was.
The Reserve Bank of India has now stepped into that argument directly, and for the first time, the central bank itself is putting money on the table to help victims.
On June 24, 2026, the issued the Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026.
The rules apply to all commercial banks, other than small finance banks, payments banks, regional rural banks and local area banks, and come into effect from January 1, 2027, for any electronic banking transaction made on or after that date.
Throughout the notification, the RBI uses the term EBT, short for Electronic Banking Transaction.
In simple terms, this covers almost every kind of digital payment you make today, UPI transfers, net banking, mobile banking, debit and credit card payments, both the kind where you swipe or tap a card in person and the kind where you enter card details online without the card physically present. If you moved money digitally, it counts as an EBT.
Here is what it means for you, in plain language.
The entire notification is built around one question: when a fraudulent transaction happens, who is responsible for the loss, you, the bank, or someone else entirely?
The RBI has now spelt out exactly how that responsibility gets decided, and crucially, who has to prove what.
The circular states plainly: “The burden of proving customer liability in complaints involving fraudulent EBTs shall lie on the bank.” In other words, your bank cannot simply assume you were careless and refuse to pay up. It has to actually establish that.
There are three broad situations the RBI lays out.
If the fraud happened because the bank messed up, say, a security lapse, a system glitch, or the bank failing to send you fraud alerts, the rule is unambiguous: “A customer shall be entitled to zero liability and reversal of the transaction in cases where the fraudulent EBT occurs due to negligence or deficiency on the part of the bank, irrespective of whether the transaction is reported by the customer or not.” You get your full money back, even if you never reported it yourself.
If the fraud happened because of a third party, like a payment app, a payment gateway or a telecom provider, and not because of anything you or the bank did, you still get zero liability and a full reversal, but only “where the customer reports the unauthorised fraudulent EBT to the bank within five calendar days from the date of its occurrence.”
Report after five days, and your liability gets decided by the bank’s own internal policy instead.
If the fraud happened because you were careless, say you shared your OTP, ignored a clear scam warning from your bank, or downloaded a dodgy app, the rules are more nuanced, and this is where the genuinely new part of this notification comes in.
This is the most consumer-friendly part of the entire notification, and it did not exist in this form before.
Under the new rules, even if you were technically negligent, say you clicked a phishing link or shared an OTP you should not have, you can still get compensated, as long as the loss is small and you acted fast.
The circular states: “A bona fide victim, being an individual person, including a sole proprietor, and having lodged a complaint involving gross loss of an amount up to Rs 50,000 on account of fraudulent EBTs… shall be compensated 85 per cent of the net loss amount, or Rs 25,000, whichever is less, once during her or his lifetime.”
There are two conditions attached. First, the loss has to be genuine and not a false claim, something the bank verifies internally. Second, and this is important, you must report the fraud “on the National Cyber Crime Reporting Portal or National Cyber Crime Helpline (1930) and to the bank within five calendar days from its occurrence.”
Miss that five-day window, and this compensation is off the table.
Here is a simple example of how this plays out. Say you lose Rs 40,000 to a fraud and report it within five days. The bank later recovers Rs 15,000 of that amount and returns it to you. Your actual net loss is now Rs 25,000. As per the RBI’s own illustration in the circular, you would be entitled to a compensation of Rs 21,250, which is 85 per cent of your net loss.
Here is the part that makes this notification genuinely different from anything before it. The RBI is not just telling banks to pay customers and absorb the cost themselves. The central bank is sharing the bill.
For smaller frauds, specifically those involving a loss of less than Rs 29,412, where the compensation works out to 85 per cent of the loss, the circular specifies: “65 per cent shall be borne by the Reserve Bank, 10 per cent by the customer’s bank and the remaining 10 per cent by the beneficiary bank,” for domestic fraud cases. The beneficiary bank, in simple terms, is the bank that received your stolen money in the first place.
For slightly larger losses, between Rs 29,412 and Rs 50,000, where the compensation is capped at a flat Rs 25,000, the RBI, the customer’s bank and the beneficiary bank contribute Rs 19,118, Rs 2,941 and Rs 2,941 respectively, again for domestic cases.
This is unusual. RBI rarely puts its own money directly into compensating individual fraud victims. Here, it explicitly is.
One thing worth noting: this compensation scheme is not permanent. The rule clearly states it covers “losses incurred on fraudulent EBTs occurring up to one year from the effective date of these Directions,” meaning it currently applies only to frauds happening within the first year after the rule kicks in.
Speed is everything in this new framework. The five-calendar-day window shows up again and again across the notification, for third-party breach cases and for the compensation scheme alike.
To make reporting easier, the RBI has directed banks to provide round-the-clock complaint channels.
The circular requires banks to give customers “24×7 access through channels such as phone banking, SMS, instant messaging, dedicated email address, IVR, a dedicated toll-free helpline, reporting to home branch, etc.”
Banks must also put a number directly in the transaction alert SMS itself, so you can report a fraud the moment you see a suspicious message, and a direct link must be available on the bank’s website and mobile app.
Once you report it, the bank must send you an immediate acknowledgement along with a complaint number. The bank then has 45 calendar days to fully resolve a domestic fraud complaint, and 60 calendar days for a cross-border one.
Investigations take time, but the RBI has made sure you are not left empty-handed while one is ongoing.
The notification introduces something called a shadow reversal, defined in the circular as “the temporary or provisional credit, of the amount involved in fraudulent EBTs, provided by a bank to a customer on receipt of notification from the customer, before the completion of internal investigation.”
You cannot spend this money yet, but you will not be charged any interest or fees on it either while the investigation is on. For credit card fraud specifically, the rule requires the bank to provide this shadow reversal “within five calendar days from the date of receipt of notification from the customer.”
If the bank does eventually find that the fraud was genuine and reverses the transaction permanently, the reversal has to be backdated. The circular says the bank “shall ensure that the reversal is value dated to its original date of occurrence and the customer does not suffer loss of interest or bear any additional burden of interest or charges.”
The RBI has also tightened the rules on transaction alerts, the SMS and email notifications banks send every time money moves out of your account.
Banks must “mandatorily send instant SMS alerts to its customers for all EBTs of value more than Rs 500.” For anything below that amount, sending an SMS is left to the bank’s discretion, but the circular is clear that if they choose to send it, “the bank may decide to send instant SMS as per its internal policy but without any charge to the customer.”
The RBI has also banned banks from charging customers for these alerts altogether, stating that a bank “shall not levy any charges on its customers for SMS sent in compliance to extant regulations or those sent for promotional, marketing or customer awareness purposes.”
Put simply, the rules now reward speed. If you notice an unauthorised transaction, the single most important thing you can do is report it within five calendar days, both to your bank and on the National Cyber Crime Reporting Portal or by calling 1930.
Do that, and depending on how the fraud happened, you could either get your entire money back with zero liability, or, even if some of the fault lies with you, walk away with a meaningful chunk of your loss compensated, partly funded by the RBI itself.
Wait too long to report it, and you lose access to almost every protection this notification offers.