The proposed changes widen the framework beyond unauthorised transactions, seek faster complaint handling by banks, and introduce a one-year compensation mechanism for small-value fraudulent electronic banking transactions. Here is the lowdown.
What is the extent to which customers can be compensated for small-value fraudulent electronic banking transactions?
Under the draft framework, a bona fide individual victim can get compensation for fraudulent electronic banking transactions involving a gross loss of up to ₹50,000. The compensation is capped at 85 per cent of the net loss, or ₹25,000, whichever is lower. Net loss means the loss after reducing any recovery already made, whether before or after compensation is paid. This compensation can be claimed only once in a lifetime. In a joint account, only one account holder can claim it, and that person cannot later claim it again in an individual capacity.
But this is not an automatic payout in every fraud case. The bank must first be satisfied that the claim is bona fide under its internal policy. The customer must also report the transaction on the National Cyber Crime Reporting Portal or Helpline 1930, and to the bank, within five calendar days of the transaction.
Which are the electronic banking transactions covered by the rules?
The draft directions widen the scope of the framework beyond unauthorised transactions. They now cover “fraudulent electronic banking transactions”, which include both certain authorised transactions tainted by fraud and unauthorised transactions. In other words, the rules are no longer confined only to unauthorised electronic banking transactions.
An authorised electronic banking transaction includes one done by the customer, or by a previously authorised third party, using a standing instruction, mandate, OTP, password, card details or another bank-provided electronic authentication method. But the draft also says some fraud-hit authorised transactions will still fall within the protection framework. These include cases where a third party uses credentials obtained from the customer through fraud, where the customer approves a transaction under coercion or duress, and where the customer is tricked into sending money to a scammer posing as a legitimate recipient.
The draft also links “electronic banking transaction” to the Payment and Settlement Systems Act definition of electronic funds transfer, and specifically includes both card-not-present and card-present transactions.
It also envisages reporting and review across categories such as card present, card not present, internet banking, mobile banking and ATM transactions.
What facilities should banks provide for reporting of fraudulent electronic banking transactions?
The draft is quite specific on this point. Banks must provide customers with 24×7 access through multiple reporting channels. These can include phone banking, SMS, email, IVR, a dedicated toll-free helpline and reporting through the home branch. These facilities are meant both for reporting fraudulent electronic banking transactions and for reporting loss or theft of a payment instrument such as a card.
The bank must also build an alert system. The transaction alert SMS must carry a number to which the customer can immediately send an objection SMS. The bank must also place a direct reporting link on its website home page.
The draft also requires a clear audit trail. The communication system used for alerts and customer responses must record the date and time when the alert was delivered and when the customer’s response was received.
When is a customer entitled to zero liability and reversal of transaction? What are the timelines prescribed?
The draft gives a customer zero liability in two broad situations.
First, if the fraudulent electronic banking transaction happened because of negligence or deficiency on the part of the bank, the customer gets zero liability and reversal, regardless of whether it was reported by the customer.
Second, in cases of third-party breach, the customer gets zero liability and reversal if the unauthorised fraudulent electronic banking transaction is reported to the bank within five calendar days of the transaction.
Where reversal is required, the bank must reverse the transaction with value dating from the original transaction date. That means the customer should not lose interest or bear any extra interest or charges because of the delay in reversal.
The bank must examine the complaint, establish liability and issue its response within the timeline in its policy, but in any case not later than 30 calendar days from receipt of the complaint. If the case qualifies for zero liability, the response must include details of reversal. Also, once the customer has reported the fraudulent transaction, any further unauthorised transaction after that point must be borne by the bank.
What is third-party breach under these rules?
The draft defines third-party breach as a situation where the deficiency lies neither with the bank nor with the customer, but elsewhere in the system.
The directions also spell out who this “elsewhere in the system” could be. This includes intermediaries such as a Third-Party Application Provider, Payment Aggregator, Payment Gateway and Telecom Service Provider. So, if the failure arose at one of these layers rather than within the bank or because of customer negligence, the case may fall within the third-party breach category.
Why does this matter in practice? Because if a third-party breach leads to an unauthorised fraudulent electronic banking transaction and the customer reports it within five calendar days, the customer gets zero liability and reversal. If it is reported after five calendar days, the customer may still get compensation in eligible cases under the small-value compensation mechanism, subject to the stated conditions.
How is the compensation shared between the RBI, customer’s bank and beneficiary bank?
The draft lays down a fixed sharing formula for the proposed small-value compensation mechanism, with the exact contributions specified separately for the two loss bands.
For losses below ₹29,412, where compensation at 85 per cent is paid, the draft says 65 per cent shall be borne by RBI, 10 per cent by the customer’s bank and 10 per cent by the beneficiary bank.
Where the loss amount is ₹29,412 or more but not more than ₹50,000, the compensation is capped at ₹25,000. In that case, the contribution is fixed at ₹19,118 from RBI, ₹2,941 from the customer’s bank and ₹2,941 from the beneficiary bank.
The bank must pay the customer within five calendar days of receiving the compensation application and then seek reimbursement from RBI on a quarterly basis. RBI’s March 6 press release adds that this arrangement is proposed only for one year initially and may later be reviewed with the aim of increasing banks’ share and reducing or eliminating RBI’s share.
How does lost amount recovery affect compensation?
The draft makes it clear that compensation is based on net loss, not just the amount first reported as lost. So, if some money is recovered before compensation is paid, the customer’s loss comes down and compensation is calculated on that reduced amount. If money is recovered after compensation has already been paid, the customer’s bank must recalculate compensation based on the revised net loss and apportion the recovered amount accordingly.
For example, if a customer reports a fraudulent loss of ₹40,000 and ₹15,000 is recovered before compensation is paid, the net loss becomes ₹25,000. Compensation then works out to 85 per cent of net loss, or ₹21,250. RBI’s illustration says the Reserve Bank would bear ₹16,250, while the customer’s bank and the beneficiary bank would bear ₹2,500 each.
If compensation of ₹25,000 has already been paid on a ₹40,000 loss and recovery happens later, the bank must recalculate the payout on the revised net loss and redistribute the recovered amount among the customer, RBI, the customer’s bank and the beneficiary bank in the manner set out in the draft illustrations.
What are the banking transactions for which banks have to send alerts to customers?
The draft says banks must require customers using electronic banking transaction facilities, other than ATM cash withdrawals, to provide a mobile number and, where available, an email address. Once that is in place, banks must send instant SMS alerts for all electronic banking transactions above ₹500. For electronic banking transactions of up to ₹500, the bank may decide on instant SMS alerts based on its internal policy.
Banks must also send email alerts for all electronic banking transactions where the customer has provided an email address. These SMS and email alerts are not a substitute for other alert mechanisms. The draft says these are in addition to any other forms of alert, such as in-app alerts or push notifications, that the bank may choose to send.
In practice, the mandatory alert requirement is linked to electronic banking transactions generally, not just suspected fraud cases. Since the definition of electronic banking transaction includes both card-not-present and card-present transactions, the alert obligation extends across a wide range of covered digital payment modes.
Published on March 10, 2026