Onus on banks for customer losses in fraudulent card transactions: RBI

Banks will have to bear any losses caused to customers from any misuse of credit or debit cards issued by them after the stipulated 30 September deadline for setting up secure electronic transactions technology, the Reserve Bank of India said on Friday.

RBI said it has decided against extending the time limit for banks to comply with its directive on securing necessary technology infrastructure for mitigation of risks in electronic payment transactions beyond the prescribed 30 September deadline.

RBI had, in a circular issued on 22 September 2011, asked banks to set up the 'Unique Key Per Terminal (UKPT)' or the 'Derived Unique Key Per Transaction (DUKPT) / Terminal Line Encryption (TLE)' technology infrastructure to make electronic transactions safe and secure.

RBI said banks continued to approach it, seeking further extension of the timeline beyond 30 September 2013 for complying with the task of securing the technology infrastructure.

RBI said the timelines for installing the technology infrastructure were decided after a series of meetings/discussions with the stakeholders. The central bank had also, in its circular issued on 24 June 2013, made it clear that no further extensions would be granted.

It was also indicated that, in the event of a customer complaining of misuse of a card after the date stipulated in this circular, the issuer or the acquirer who has not adhered to the timelines should bear the loss.

Accordingly, banks not complying with the requirements should compensate the loss, if any, incurred by a cardholder using a card at POS terminals not adhering to the mandated standards, RBI said.

RBI has prescribed the following course of action for issuing banks in cases where a cardholder approaches the bank about any fraudulent POS transaction in India that occurred after the 30 September 2013 deadline:

  • The issuing bank would ascertain, within 3 working days from the date of the cardholder approaching the bank, whether the respective POS terminal/s where the said transaction/s occurred is/are compliant with TLE and UKPT/DUKPT as mandated;
  • In case the POS terminals are non-compliant, the issuing bank should pay the disputed amount to the customer within 7 working days, failing which a compensation of Rs100 per day will be payable to the customer from the 8th working day;
  • The issuing bank should claim the amount paid by it to the customer from the respective bank/s which have acquired the POS transaction/s in question;
  • The acquiring banks have to pay the amount paid by the issuing bank without demur within 3 working days of the issuing bank raising the claim, failing which the RBI would compensate the issuing bank by debiting the account of the acquiring bank maintained with it.

RBI has advised banks to send a status report of compliance with respect to TLE and UKPT/DUKPT as of 30 September 2013, duly approved by the CMD/CEO of the bank, on or before 7 October 2013. Banks should also present their position to their respective boards at the next board meeting, and send a duly approved copy of it to the RBI.

RBI said it would also consider invoking the penal provisions under the Payment and Settlement Systems Act, 2007 for banks that have failed to adhere to the timeline of 30 September 2013.