By Satyendra Sharma & Triveni Singh
RBI has issued a circular dated 06-July-2017 on “Customer Protection– Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” which states the liability of customer
The electronic banking transactions can be divided into two categories:
- Remote/ online payment transactions (transactions that do not require physical payment instruments to be presented at the point of transactions e.g. internet banking, mobile banking, card not present (CNP) transactions), Pre-paid Payment Instruments (PPI).
- Face-to-face/ proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction e.g. ATM, POS, etc.)
Reporting of unauthorised transactions by customers to banks
Banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered. The customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer. To facilitate this, banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc. Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any. Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website. The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them. This shall be important in determining the extent of a customer’s liability. The banks may not offer facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account.
Limited Liability of a Customer
(A) Zero Liability of a Customer
A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:
- Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
- Third-party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.
(B) Limited Liability of a Customer
A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:
- In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
- In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in below table, whichever is lower.
Maximum Liability of a Customer | |
Type of Account | Maximum liability (₹) |
• BSBD Accounts | 5,000 |
• All other SB accounts • Pre-paid Payment Instruments and Gift Cards • Current/ Cash Credit/ Overdraft Accounts of MSMEs • Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh • Credit cards with limit up to Rs.5 lakh |
10,000 |
• All other Current/ Cash Credit/ Overdraft Accounts • Credit cards with limit above Rs.5 lakh |
25,000 |
Reversal Timeline for Zero Liability/ Limited Liability of customer
On being notified by the customer, the bank shall credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of such notification by the customer (without waiting for settlement of insurance claim, if any). Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence. The credit shall be value dated to be as of the date of the unauthorised transaction.
Further, banks shall ensure that a complaint is resolved and liability of the customer, if any, established within such time, as may be specified in the bank’s Board approved policy, but not exceeding 90 days from the date of receipt of the complaint.
Summary-
If bank customer shares his payment credentials to someone else and unauthorised electronic transactions have done in his bank account, then bank is not responsible and customer will bear the entire loss until he reports the unauthorised transaction to the bank. Payment credentials means details which are used to complete electronic transactions such as card number, expiry date, CVV, login ID, password, MPIN, UPI PIN, OTP etc. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank (This situation may be occurred only if bank did not block/disable the alternate delivery channel through which unauthorised electronic transactions have been done after receiving the complaint from customer).
In case of card cloning, liability does not lie at the customer level and in this case bank will be responsible.
Bank customer should report unauthorised electronic transactions immediately to the bank so that further loss can be stopped.
Writer- Satyendra Sharma is Senior Manager- IT, PNB & Prof. Triveni Singh IPS, SP Cyber Crime, Lucknow