Lost Money To Online Fraud? RBI’s New Rules Could Help You Recover It

The CSR Journal Magazine

The Reserve Bank of India (RBI) has unveiled a new framework aimed at strengthening customer protection in cases of online banking fraud, introducing clearer rules on liability, mandatory reimbursement timelines and, in some cases, compensation even when the customer is partially at fault.

The changes were announced through the Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026, issued on June 24. The new rules will apply to electronic banking transactions conducted on or after January 1, 2027, and cover most forms of digital payments, including UPI, internet banking, mobile banking, debit card and credit card transactions.

Banks Must Prove Customer Liability

At the heart of the new framework is a clearer allocation of responsibility when a fraudulent transaction occurs. The RBI has stated that the burden of proving customer negligence will rest with banks.

According to the notification, “The burden of proving customer liability in complaints involving fraudulent EBTs shall lie on the bank.”

The rules classify fraud cases into three broad categories. Where a fraudulent transaction results from a security lapse, operational deficiency or failure by the bank, customers will face zero liability.

The RBI said, “A customer shall be entitled to zero liability and reversal of the transaction in cases where the fraudulent EBT occurs due to negligence or deficiency on the part of the bank, irrespective of whether the transaction is reported by the customer or not.”

Customers will also receive full reimbursement when fraud arises from the actions of a third party, such as a payment service provider or telecom operator, provided the unauthorised transaction is reported within five calendar days of occurrence.

If reporting is delayed beyond five days in such cases, customer liability will be determined according to the bank’s approved policy.

Compensation Available Even In Some Cases Of Customer Negligence

One of the most significant provisions in the new directions relates to situations where customers may have contributed to the fraud through negligence, such as sharing an OTP, responding to phishing attempts or downloading malicious applications.

Under the new framework, individual customers, including sole proprietors, may still qualify for compensation if they are considered bona fide victims and the total loss does not exceed Rs 50,000.

The RBI stated, “A bona fide victim, being an individual person, including a sole proprietor, and having lodged a complaint involving gross loss of an amount up to Rs 50,000 on account of fraudulent EBTs… shall be compensated 85 per cent of the net loss amount, or Rs 25,000, whichever is less, once during her or his lifetime.”

To qualify, customers must report the fraud both to their bank and through the National Cyber Crime Reporting Portal or the National Cyber Crime Helpline (1930) within five calendar days of the transaction.

The compensation is calculated on the basis of the customer’s net loss after any recovered funds are returned. For example, if a customer loses Rs 40,000 but later recovers Rs 15,000, the net loss becomes Rs 25,000 and compensation would be calculated on that amount.

RBI To Share Compensation Cost

The framework also introduces an unusual feature under which the RBI itself will contribute to compensation payments in eligible cases.

For domestic fraud cases involving smaller losses, where compensation amounts to 85 per cent of the loss, the RBI will bear 65 per cent of the amount, while the customer’s bank and the beneficiary bank will each contribute 10 per cent.

For larger losses where compensation reaches the maximum cap of Rs 25,000, the RBI’s contribution will be Rs 19,118, while the customer’s bank and the beneficiary bank will each contribute Rs 2,941.

The beneficiary bank refers to the institution where the fraudulently transferred funds were ultimately received.

The compensation scheme will apply only to fraudulent electronic banking transactions occurring during the first year after the new directions come into force.

Faster Reporting And Resolution Requirements

The RBI has repeatedly emphasised the importance of prompt reporting. The five-day reporting window determines eligibility for several key protections under the framework.

To facilitate quicker reporting, banks will be required to provide customers with round-the-clock access to fraud reporting channels, including phone banking, SMS, instant messaging platforms, dedicated email addresses, interactive voice response systems, toll-free helplines and branch-level reporting options.

Banks must also include fraud-reporting contact details in transaction alert messages and provide direct reporting links through their websites and mobile applications.

Upon receiving a complaint, banks must immediately acknowledge it and issue a complaint reference number.

Domestic fraud complaints must be resolved within 45 calendar days, while cross-border cases must be completed within 60 calendar days.

Temporary Credits And Free Transaction Alerts

The RBI has also introduced provisions to protect customers during ongoing investigations.

Under the new framework, banks must provide a “shadow reversal”, a temporary credit of the disputed amount while the complaint is being examined.

Although customers cannot utilise the funds during the investigation, they will not incur interest costs or additional charges on the disputed amount. For credit card fraud cases, banks must provide the shadow reversal within five calendar days of receiving the complaint.

If the fraud claim is ultimately upheld, the bank must permanently reverse the transaction and backdate the correction to the original transaction date, ensuring customers do not suffer any loss of interest or additional charges.

The RBI has also tightened requirements for transaction alerts. Banks will be required to send instant SMS notifications for all electronic banking transactions above Rs 500.

The central bank has additionally prohibited banks from charging customers for regulatory SMS alerts, stating that no fees may be levied for messages sent to comply with regulatory requirements or for customer awareness and safety purposes.

What Changes From January 2027

The new framework significantly strengthens protections available to victims of digital payment fraud, while placing greater responsibility on banks to investigate claims and establish customer negligence.

For customers, the key requirement is speed. Reporting an unauthorised transaction to both the bank and the national cybercrime reporting system within five calendar days will determine eligibility for full reimbursement, reduced liability or compensation under the new rules.

The directions will come into effect from January 1, 2027, and will apply to all commercial banks, excluding small finance banks, payments banks, regional rural banks and local area banks.
