As online banking, electronic transactions and debit or credit cards find greater acceptance, the room for electronic banking frauds also grows.
RBI has come out with a circular that details the scope of customer liability in case of an unauthorized transaction. It is a welcome and a long-awaited move from the banking regulator.
The regulator had come out with draft regulation in the middle of 2016. Wonder what it took to release the final circular. Never too late.
What are Electronic Banking Transactions?
Can be classified into two categories.
- Remote/Online transactions refer to such transactions that do not require physical payment instruments to be presented at the point of transaction e.g. net banking, mobile banking, online payments, wallets etc.
- Face-to-Face/Proximity payment transactions are those transactions that require the presence of credit/debit card, mobile phone at the point of transaction e.g. ATM transactions, point of sale etc.
What is your Liability in case of a fraud?
RBI circular clearly spells out the customer liability in the event of an unauthorized electronic banking transaction. Your liability will depend on who is responsible for the fraud/unauthorized transaction.
Any unauthorized transaction can be due to your negligence, deficiency/fault in the banking system or due to a third party breach. Let’s look at what your liability will be in each of these cases.
1. When you are fault
If the fraudulent transaction has happened due to your negligence (say, sharing your payment details with someone), you will have to bear the entire loss until you report the transaction to the bank. Makes sense too.
Any loss after reporting of the transaction will have to be borne by the bank.
2. When the bank or its systems are at fault
If the fraudulent/unauthorized transaction happens due to the negligence of the bank, you will have Zero Liability.
It does not matter whether you report the transaction to the bank or not. Your liability is NIL.
3. When it is a third party breach
Third party breach refers to those cases where the deficiency lies neither with the bank, nor with the customer (you).
In such cases, your liability depends on when you report the issue:
- Within 3 days after receiving communication from the bank: Your Liability will be Zero. (Zero liability)
- Within 4-7 days after receiving communication from the bank: Your per transaction liability will be capped at the transaction value or the amounts as provided in the following table. Note that this liability is per transaction (the capping is not on Overall Transaction amount).
- After 7 days from the date of receiving communication from the bank: To be decided as per the policy approved by the bank’s board.
What does Receiving Communication from the Bank mean?
As per the notification, the number of days shall be counted as per the working schedule of the home branch excluding the date of receiving communication.
Date of receiving communication means the date when you received SMS, e-mail or the bank statement with details of the transaction. If you receive information in multiple modes, the earliest communication shall be considered.
Who decides whose responsibility is this?
This is very important.
As discussed above, your liability depends on who (or whose negligence) is responsible for this fraudulent transaction.
Banks will clearly want the customer to share the bulk of the loss.
However, the onus of proving customer’s fault lies with the bank.
The banks must conclusively prove that the customer (or a third party) was at fault or else the customer will have zero liability.
If it can be proved that it was a third-party breach, then the customer liability will be limited (as discussed above).
If the bank can prove that the transaction happened due to customer negligence, then the customer will be liable for loss incurred till the date of reporting of such transaction.
It remains to be seen how this is put into action or how effective such a move will be. Banks are quite good at bulldozing their customers’ arguments.
Reversal Timelines
As per the RBI Circular, banks must credit the customer account with unauthorized transaction amount within 10 days from the date of intimation by the customer. As I understand, this will be after adjustment for potential customer liability.
Banks have the discretion to waive off any customer liability even in cases of customer negligence. Don’t bet on it though.
The customer complaint should be resolved within 90 days. Suitable adjustments (credit/debit) shall be made to the customer account depending upon the result of the investigation (i.e. after actual liability is established).
The value date of credit shall be the date of unauthorized transaction.
Banks must ensure that you do not incur any loss of interest (in case of a bank account/debit card fraud) or additional burden of interest in case of a credit card fraud.
How to report such Fraudulent/Unauthorized transactions?
The circular mentions about simplification of processes for reporting and recording such transactions.
It provides for 24X7 access through multiple channels including but not limited to website, phone banking, SMS, e-mail, IVR, dedicated toll-free helpline and reporting to home branch.
What should you do?
Clearly, this circular is a step in the right direction. However, you must still do the following:
- Register for SMS/e-mail transaction alerts (SMS registration is mandatory now)
- Check those SMSes/e-mails regularly (otherwise subscription is no use).
- In case you notice an unauthorized/fraudulent transaction, report it to the bank. Any delay, as discussed above, will only increase your liability.
- Make note of bank communication about how to report such transactions.
Additional Read
RBI Circular: Limiting Liability of Customers in Unauthorized Electronic Banking Transactions
ReLakhs: RBI’s new Guidelines on Customer’s Liability & Unauthorized Electronic Banking Transactions
10 thoughts on “What is your Liability in a Credit Card or Online Banking Fraud?”
Dear Mr.Deepesh,
I have a debit card for a savings account with Bank ‘A’.I have withdrawn amount from ATM of bank ‘B’ ,where a fraudster obtained the data from my card by skimming and withdrew money elsewhere(ATM of bank ‘C’) fraudulently using this data.I have informed the bank A to block my card the very next day and as per their instruction,lodged an FIR at the local police station.
As per my understanding,Bank ‘A’ should provide me the money which I will have lost in the above scam.Am I correct?What is the maximum time that I should wait for them for them to credit this money to my account?Is the bank supposed to pay me the interest till this time?Please advise.
Dear Reshma,
If you can establish that the fraud happened due to skimming at Bank B ATM, I believe it will be a third part breach.
In that case, your liability should be limited.
Must say these things are not easy to prove.
I am not sure if this circular applies retrospectively.
Banks are never that kind to easily return money.
What steps have you taken till now (apart from FIR)? How has Bank A responded? Have you taken up the matter with Bank B too?
Sir,
The AGM of the Bank B has said that Bank A has to provide me the money.I have spoken to the Manager of the branch of Bank A where I have the account.He has said that he will take up the matter with superiors in the head office at Chennai.The fraudster in the case have been caught and the charge sheet has been filled by the police.I have submitted a letter from the police to manager of Bank A confirming the above.
Is there anything else that I am supposed to do?Please advise.
Sir,a number of people like me have lost a lot of money in the above fraud.As per the AGM of the Bank B,all have been given their money by the respective banks where they have their accounts.Hence according to him Bank A has to provide my money.Is this information correct sir?
There are a few ifs and buts. To be honest, I am not too sure about these things.
Since you are an account holder with Bank A, Bank A should pay you back.
In this case, Bank B seems to be at fault. Quite surprising AGM of Bank B is passing the buck on to Bank A.
In such cases, e-mail always help. There is a better track of communication and automatic acknowledgement.
Keep following up and escalating.
Thank you very much Mr.Deepesh.
Respected Sir,
Subject: Cyber Fraud from my HDFC Credit Card.
Kindly note that, I got message of fraud transactions in name of GEICO*AUTO MACON D on my HDFC Bank Credit Card without my knowledge & information. When I called to HDFC Bank credit card customer care, they told me that they have blocked my card and confirmed someone used your Credit Card in favor of GEICO*AUTO MACON D around 00.26.09 hours on 25.08.2017 and expended Rs. 110444.32/-. I received message midnight when I am sleeping at home. I never heard name of GEICO*AUTO MACON D in my life. These all happen without my Credit Card, OTP and password. This is international merchant.
Requested to please suggest how to proceed further step.
Thanks & Regards
Suryakant Chaudhary
Mobile 9376222336
Bhavnagar, Gujarat, India
Email: skt1111@rediffmail.com
Dear Suryakant,
International transactions don’t require OTP.
Firstly, have a written record of the communication with HDFC Bank. E-mail is the best mode.
In my opinion, since it is a third party breach (unless HDFC Bank can prove your involvement) and you have reported the next day, your liability should be zero.
Keep following up with the bank.
Dear sir,
If i have shared the otp in the fraud transaction in unknowingly way as they told that they are from that bank and they are manager or may be anything then have i to bear whole money Or bank will settle in some other way.
What is the role of FIR. If investigation proves that this is fraudulent transaction then what will be the chances of getting money back.
One more question if i refuse to pay money then what will happen?
Dear Nirankar,
I am not aware of the facts of the case. Therefore, please consider my opinion in that light.
Reporting is important as it can limit your liability. Moreover, the culprits need to be brought to justice.
The key is not whether the transaction is fraudulent. Ofcourse, it is.
The key is who is resonsible for the loss.
If you can prove that the call was from the bank, the bank is liable. The money will be credited back.
However, in this case, you shared OTP. In this case, it seems there is no breach in the banking system or any fault from the bank’side.
IF you don’t pay, your credit history will be adversely affected.