The RBI has recently brought out a circular spelling out the liability of customers in unauthorised electronic banking transactions. With customer grievances relating to unauthorised transactions surging in recent times, this is a welcome move.

Under the new rules, the burden of proving customer liability in case of unauthorised electronic banking transactions shall lie with the bank.

Besides, customer liability has been pegged lower for some account holders than what prevails now.

The RBI has categorised unauthorised electronic banking transactions into three categories. First, third-party breach where the deficiency lies neither with the bank nor with the customer, but elsewhere in the system. Second, contributory fraud or negligence or deficiency on the part of the bank. Third, negligence by a customer.

Third-party breach

In cases of third-party breach, the extent of loss that the customer has to bear is determined by the time period within which he reports the unauthorised transaction, after receiving the communication from the bank.

There will be zero liability if the transaction is reported within three working days of receiving the communication from the bank regarding the unauthorised transaction. If a third-party breach is reported with a delay of four to seven working days after receiving the communication from the bank, the customer’s liability will be the transaction value, subject to a maximum ₹25,000. This upper limit though applies to high value accounts.

The RBI has been lenient towards other account holders — the maximum liability is capped at ₹5,000 for basic savings bank deposit accounts, and at ₹10,000 for all other savings bank accounts, pre-paid payment instruments and gift cards, and credit cards with limit up to ₹5 lakh.

Also, for current accounts, cash credit and overdraft accounts of medium and small enterprises (MSMEs) and individuals with average annual balance/limit of up to ₹25 lakh, the liability in case of third-party breach is capped at ₹10,000.

Things get tricky if the delay in case of third party breach is beyond seven working days — in such instances, the customer’s liability shall be determined as per the bank’s Board approved policy. Customers have to be informed by banks about their policies in this regard.

Says Anand Aras, CEO, Banking Codes and Standards Board of India (BCSBI), “These RBI norms supersede the existing BCSBI codes which capped the customer’s liability at ₹10,000. Thus, these norms are beneficial to basic account holders.”

In essence, the sooner you inform the bank about the third-party breach, the lower is your maximum liability.

The RBI circular has tightened the screws on banks.

Bank fraud or negligence

It holds banks completely responsible if the unauthorised electronic transaction is due to contributory fraud or negligence or deficiency on part of the bank. In such cases, the customer will have zero liability, irrespective of whether or not the transaction is reported by the customer. This, coupled with the fact that the burden of proving customer liability in case of unauthorised electronic banking transactions lies with the bank, is a significant move towards customer protection.

Customer negligence

The RBI doesn’t give you a free run though — it mandates zero liability or limited liability only when you are put to loss for no fault of yours. But if the unauthorised transaction is due to your mistake, it can prove quite expensive. In case of loss from unauthorised transaction due to the negligence of the customer, such as say, sharing payment credentials, the customer has to bear the entire loss until he reports the unauthorised transaction to the bank.

In such cases, any loss after reporting the unauthorised transaction shall be borne by the bank. Even in this scenario, the bank has the discretion to waive off customer liability. But this is not a risk worth taking. It’s better to be safe than sorry. So be discreet about your banking account and card details.

In cases of zero liability and limited liability, banks have to credit the amount involved in the unauthorised transaction to the customer’s account within 10 working days from the date of notification by the customer, without waiting for settlement of insurance claims. Further, banks have to resolve complaints and establish customer liability, if any, within a maximum period of 90 days; if not, the compensation prescribed must be paid to the customer.

Other protection

The RBI has tightened other rules too. Banks have to ask their customers to mandatorily register for SMS alerts and, wherever available, for e-mail alerts for electronic transactions. If you don’t provide mobile numbers to the bank, you will not be allowed electronic transactions facility except ATM cash withdrawal.

Banks have to provide customers 24x7 access through multiple channels to report unauthorised transactions. Also, banks have been instructed to allow you to instantly respond by “Reply” to the SMS and e-mail alerts for fraud reporting.

A direct link for lodging the complaints has to be provided on banks’ websites. Banks have to send an immediate response to the customers acknowledging the complaint along with the registered complaint number.

comment COMMENT NOW