RBI limits customer liability in third party breaches in digital transactions
06 July 2017
Reserve Bank of India has asked banks to strengthen systems and procedures of digital transactions in order to make customers feel safe about carrying out electronic banking transactions. To achieve this, banks must put in place appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers, RBI said.
The central bank wants banks to introduce a robust and dynamic fraud detection and prevention mechanism and also a mechanism to assess the risks (for example, gaps in the bank's existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events.
In addition, RBI has asked banks to take appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom, and to introduce a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.
RBI said banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. The SMS alerts should mandatorily be sent to the customers, while email alerts may be sent, wherever registered.
Customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/customer. To facilitate this, banks must provide customers with 24x7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc.
Banks shall also enable customers to instantly respond by "Reply" to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.
Further, a direct link for lodging complaints, with a specific option to report unauthorised electronic transactions, should be provided by banks on the home page of their website. The loss/ fraud reporting system should also ensure that an immediate response (including auto response) is sent to the customer acknowledging the complaint along with the registered complaint number.
The communication systems used by banks to send alerts and receive responses to them must record the time and date of delivery of the message and of receipt of the customer's response, if any. This would be important in determining the extent of a customer's liability.
The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank.
On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account.
RBI said a customer will be entitled to zero liability where the unauthorised transaction occurs in the event of contributory fraud, negligence or deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
Zero liability also applies in the case of a third party breach, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.
A customer will be liable for the loss occurring due to unauthorised transactions where the loss is due to negligence by the customer, such as where he has shared the payment credentials. In such cases the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction should be borne by the bank.
In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer will be limited to the transaction value or as prescribed, whichever is lower.
Maximum liability of a customer on BSBD accounts will be Rs5,000.
For all other savings bank accounts, pre-paid payment instruments and gift cards, current/ cash credit/ overdraft accounts of MSMEs, current accounts/ cash credit/ overdraft accounts of individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs25 lakh and credit cards with limit up to Rs5 lakh the maximum liability of the customer will be Rs10,000.
For all other current/ cash credit/ overdraft accounts and credit cards with limit above Rs5 lakh, the maximum customer liability will be Rs25,000.
Further, if the delay in reporting is beyond seven working days, the customer liability may be determined as per the bank's board approved policy. Banks should provide the details of their policy in regard to customers' liability formulated in pursuance of these directions at the time of opening the accounts. Banks should also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank's policy.