As online banking, electronic transactions and debit or credit cards find greater acceptance, the room for electronic banking frauds also grows.
RBI has come out with a circular that details the scope of customer liability in case of an unauthorized transaction. It is a welcome and a long-awaited move from the banking regulator.
The regulator had come out with draft regulation in the middle of 2016. Wonder what it took to release the final circular. Never too late.
What are Electronic Banking Transactions?
Can be classified into two categories.
- Remote/Online transactions refer to such transactions that do not require physical payment instruments to be presented at the point of transaction e.g. net banking, mobile banking, online payments, wallets etc.
- Face-to-Face/Proximity payment transactions are those transactions that require the presence of credit/debit card, mobile phone at the point of transaction e.g. ATM transactions, point of sale etc.
What is your Liability in case of a fraud?
RBI circular clearly spells out the customer liability in the event of an unauthorized electronic banking transaction. Your liability will depend on who is responsible for the fraud/unauthorized transaction.
Any unauthorized transaction can be due to your negligence, deficiency/fault in the banking system or due to a third party breach. Let’s look at what your liability will be in each of these cases.
1. When you are fault
If the fraudulent transaction has happened due to your negligence (say, sharing your payment details with someone), you will have to bear the entire loss until you report the transaction to the bank. Makes sense too.
Any loss after reporting of the transaction will have to be borne by the bank.
2. When the bank or its systems are at fault
If the fraudulent/unauthorized transaction happens due to the negligence of the bank, you will have Zero Liability.
It does not matter whether you report the transaction to the bank or not. Your liability is NIL.
3. When it is a third party breach
Third party breach refers to those cases where the deficiency lies neither with the bank, nor with the customer (you).
In such cases, your liability depends on when you report the issue:
- Within 3 days after receiving communication from the bank: Your Liability will be Zero. (Zero liability)
- Within 4-7 days after receiving communication from the bank: Your per transaction liability will be capped at the transaction value or the amounts as provided in the following table. Note that this liability is per transaction (the capping is not on Overall Transaction amount).
- After 7 days from the date of receiving communication from the bank: To be decided as per the policy approved by the bank’s board.
What does Receiving Communication from the Bank mean?
As per the notification, the number of days shall be counted as per the working schedule of the home branch excluding the date of receiving communication.
Date of receiving communication means the date when you received SMS, e-mail or the bank statement with details of the transaction. If you receive information in multiple modes, the earliest communication shall be considered.
Who decides whose responsibility is this?
This is very important.
As discussed above, your liability depends on who (or whose negligence) is responsible for this fraudulent transaction.
Banks will clearly want the customer to share the bulk of the loss.
However, the onus of proving customer’s fault lies with the bank.
The banks must conclusively prove that the customer (or a third party) was at fault or else the customer will have zero liability.
If it can be proved that it was a third-party breach, then the customer liability will be limited (as discussed above).
If the bank can prove that the transaction happened due to customer negligence, then the customer will be liable for loss incurred till the date of reporting of such transaction.
It remains to be seen how this is put into action or how effective such a move will be. Banks are quite good at bulldozing their customers’ arguments.
As per the RBI Circular, banks must credit the customer account with unauthorized transaction amount within 10 days from the date of intimation by the customer. As I understand, this will be after adjustment for potential customer liability.
Banks have the discretion to waive off any customer liability even in cases of customer negligence. Don’t bet on it though.
The customer complaint should be resolved within 90 days. Suitable adjustments (credit/debit) shall be made to the customer account depending upon the result of the investigation (i.e. after actual liability is established).
The value date of credit shall be the date of unauthorized transaction.
Banks must ensure that you do not incur any loss of interest (in case of a bank account/debit card fraud) or additional burden of interest in case of a credit card fraud.
How to report such Fraudulent/Unauthorized transactions?
The circular mentions about simplification of processes for reporting and recording such transactions.
It provides for 24X7 access through multiple channels including but not limited to website, phone banking, SMS, e-mail, IVR, dedicated toll-free helpline and reporting to home branch.
What should you do?
Clearly, this circular is a step in the right direction. However, you must still do the following:
- Register for SMS/e-mail transaction alerts (SMS registration is mandatory now)
- Check those SMSes/e-mails regularly (otherwise subscription is no use).
- In case you notice an unauthorized/fraudulent transaction, report it to the bank. Any delay, as discussed above, will only increase your liability.
- Make note of bank communication about how to report such transactions.