Over the past few years, more and more Indians have begun using online banking services. Such services are now being provided to the vast majority of the unbanked population under the central government’s different financial inclusion schemes. Additionally, a sharp increase in online transactions has occurred post demonetization. The spurt in use of online banking has however also resulted in a concurrent increase in banking frauds.
In the past the process of getting your back your money that was lost to banking frauds was tedious and time consuming, and often the consumer ended up not getting his/her money back. That is all about to change now with the new guidelines laid down by the RBI.
India’s central bank has laid down rules which state that banks will need to pay the entire amount lost by a customer if he/she notifies the bank about the fraudulent or unauthorized transaction within a stipulated time period. The central bank has made use of the draft measures on consumer liability in instances of fraudulent online transactions issued by it in the month of August in 2016. The RBI took into account the rapid rise in customer grievances in the recent past related to unsanctioned/unauthorized electronic transaction and subsequently issued a notification which laid down more specific ‘rules and regulations’ to safeguard customers from different instances of misuse and fraud.
Due to the new guidelines of the RBI, banks will now have to install robust and well-protected frameworks involving early warning systems and fraud identification encompassing the digital and online banking and financial services space.
The obligation of banking frauds now lies with the banks
Earlier, the responsibility of banking frauds was with the customer wherein he/she had to prove that she/he had not divulged the details of his bank account to others. Now after the new RBI guidelines, the bank is responsible for proving that the fault lay with the customer and that he/she was not sufficiently careful when making use of the online facilities of the bank. With the older system, either the customer ended up taking the brunt of the monetary loss caused by fraudulent transactions, or they had to wait for long periods before the bank paid the lost money to the customer. This was due to the fact that there were no clearly laid guidelines that stipulated a timeframe for refunds. There was and continues to be apprehension amongst customers with regards to online banking transactions. The new guidelines from RBI will go a long way in alleviating the apprehension and building trust amongst customers of banks. Many financial experts feel that the new rules are a huge step forwards as it will promote the use of enhanced fraud monitoring mechanisms by banks.
Since the obligation of banking frauds lay with customer, the expense incurred for setting up an enhanced fraudulent transactions monitoring system was higher as compared to the expense incurred due to the actual fraudulent transactions for varied banks. Due to this, only a few major banks invested in setting up robust fraud monitoring mechanisms while the rest of the banks did not do so. The new guidelines by the central bank currently mandate banks to create dynamic and solid fraud identification and prevention systems as well as evaluate and fill all the gaps that may be present.
Full refund to be given to customers
After the new guidelines notified by the RBI, banks will need to pay the entire money loss suffered by customers in the below listed cases:
The occurrence of a fraudulent transaction because of negligence or deficiency on the part of the concerned bank, regardless of whether or not a customer has reported the fraudulent transaction. It is known that any digital, online, electronic transaction passes via different intermediary systems like the payment gateway, the payer bank, and the payee bank, etc. Also, there is mandatory encryption of the transaction. Additionally, there should be storage of no data by any of the intermediaries, but only transfer of data. Hence, in all instances of fraud during such a process, the liability should not fall on the customer. According to the recommendations of the central bank, it is the banks that will have to offer the refund of lost money to the customer.
Occurrence of some breach by a third party, wherein associated deficiency does not lie with the customer or the bank, but some other place with the system, and notification of the fraudulent transaction by the customer to the bank within a period of 3 business days.
For instance, it is known the processing of ATM transactions of some banks has been outsourced to the Hitachi Payment Service systems. In 2017, some of these Hitachi systems were hacked resulting in compromise of over 3 million cards associated with different banks like SBI, ICICI, HDFC, and YES bank.
In the above mentioned situation, if a fraudulent transaction was notified by the customer to the bank within 3 business days of the receipt of SMS/email of other bank communication about the transaction, then the bank will have to pay the entire amount back to the customer.
When a fraudulent transaction has occurred because of negligence on part of the customer, then the entire monetary loss has to be borne by the customer till information about the transaction is passed onto the bank.
- If confidential bank account data such as card number, ATM PIN, etc., is unknowingly or knowingly shared by a customer with someone else, then the entire amount lost will have to be borne by the customer till the bank is notified about the fraudulent transaction.
- In case the onus of a fraudulent transaction lies neither with a customer nor with the bank, but on some kind of fault within the system, and if information about it is passed by the customer to the bank within a period of 4 to 7 days, then the liability of the customer will be restricted to INR 10,000 or the value of the transaction, whichever amount is lower. This limit is applicable for bank savings accounts, current accounts having average annual balance of up to INR 25 lakhs, and credit cards with upper spending limit of up to INR 5 lakhs. The entire amount lost has to be refunded to a customer if he/she informs the bank about the fraud within 3 days. For overdraft accounts, current accounts, and credit cards with a limit of over INR 5 lakhs, the upper limit is INR 25,000.
The limit for a savings bank basic deposit account, i.e., a no-frills account, is INR 5,000.
- In case of delay of over 7 days in passing information about the fraudulent transaction, the liability of the customer will be calculated according to the policy guidelines laid down by the board of the bank.
Information about every transaction is passed on by banks via SMS and/or email to all the customers who have provided their email address and mobile number to the bank. The central bank has advised all banks to register the mobile number of a customer if he/she wants to avail of the facility of online banking transactions. Taking the mobile number will help the banks notify the customer about all transactions done on the account. Banks may provide the option of just cash withdrawals from ATM, and not other facilities of electronic transactions, to those customers who do not give their mobile numbers to the bank. Currently, SMS is a chargeable service of the banks. The guidelines of RBI however do not offer any clarification about who will bear the charges of the SMS service. As of now, the account holders bear the SMS charges.
The option of reply
In addition to different contact channels for the customer such as phone banking, website, email, SMS, IVR, home branch reporting, and a toll-free dedicated helpline for informing banks of frauds, banks also have to offer customers an option to reply to email and SMS alerts. The Central Bank has also asked the banks to offer a direct link to customers to lodge their complaints, with a specified option on their website’s home page for reporting fraudulent/unauthorized transactions.
The fraud reporting mechanisms of banks need to make sure that an immediate answer, which includes auto responses, is sent to the client acknowledging the registered complaint of the customer. This response shall also have the complaint number. The varied communication platforms used by banks for sending alerts and getting customer responses must therefore record the time and date of the delivery of the alert/message as well as the date and time of any response by the customer to that alert/message. This aspect of communication will be vital in ascertaining the extent of the liability of the customer.
The time period for refunds
As per the new RBI guidelines, after information about a fraudulent transaction has been passed by a customer to his/her bank, it is mandatory for banks to credit the sum to the account of the customer within a period of ten working days.
In addition to the above rule, in instances where the liability of a customer is determined by the board of the bank, the complaint has to be resolved within 90 days. In case the liability of the customer cannot be decided by the board within the stipulated timeframe, then compensation according to the provisions of limited liability and zero liability has to be offered to the customer by the bank.