Regulatory Hotline
July 14, 2017
Boost to e-payments - customers given protection for fraudulent transactions

  • Customer not liable for amounts lost in fraudulent / unauthorized transactions where default not attributed to the customer, if reported to the bank within 3 working days.
  • Mechanism set out to determine customer liability arising out of unauthorized transactions based on time taken to report such transactions to the bank.
  • Banks to shadow reverse credit amounts lost by customers through unauthorized transactions within 10 working days from notification by the customer.
  • Onus of proving liability of customers arising out of unauthorized transactions lies with the bank.

BACKGROUND

India’s central bank, i.e. the Reserve Bank of India (“RBI”) had issued a circular1 last week pertaining to customer protection and limiting the liability of customers in unauthorised electronic banking transactions (“Circular”). The Circular was issued pursuant to a recent surge in customer grievances relating to fraud and unauthorized transactions.

The objective of the Circular appears to be two fold - a clearer mechanism to determine and mitigate the liability of customers in the event of unauthorized transactions; and to ensure that banks devise policies, systems and procedures in promoting customer awareness on electronic transactions, resolving customer complaints and crediting amounts due to customers on occurrence of unauthorized transactions.

SALIENT FEATURES OF THE CIRCULAR

Key highlights from the Circular are summarized below:

I. Reporting of unauthorized transactions

  • Banks must ask their customers to mandatorily register for SMS alerts and email alerts wherever available, for electronic banking transactions,

  • Banks must advise customers to notify the bank of any unauthorized electronic banking transaction at the earliest after occurrence of a transaction. The Circular provides that the longer the time taken by the customer to inform the bank, higher will be the risk of loss to the customer,

  • Banks must provide customers with 24x7 access through multiple channels (such as its website, phone banking, SMS, email, interactive voice response, dedicated toll-free helpline, reporting to home branch) for reporting unauthorized transactions that have taken place and / or loss or theft of payment instruments such as credit / debit cards,

  • The loss / fraud reporting system of the bank should ensure an immediate response is sent to customer acknowledging the complaint along with the registered complaint number,

  • Banks should not offer facilities of electronic transactions other than ATM cash withdrawals, to customers who do not provider their mobile numbers to the bank.

II. Liability of the customer

The Circular provides that the liability of a customer pursuant to the occurrence of unauthorized transactions should be determined based on the following events:

Customer liability

Events

Zero liability

  1. Contributory fraud / negligence / deficiency on the part of the bank – irrespective of whether the transaction is reported by the customer.

  2. Breach by a third party where the deficiency lies neither with the bank nor the customer but lies somewhere in the system, and the customer notifies the bank within 3 (three) working days of receiving the communication from the bank regarding the unauthorized transaction.

If any one of the above events occur, the customer will not be liable for amounts debited from their account from an unauthorized transaction.

Limited liability

  1. If the loss is due to the negligence by a customer, the customer would bear the entire loss until the customer reports the unauthorized transaction to the bank. Losses occurring after the reporting of the unauthorized transaction would be borne by the bank.

  2. If the responsibility for the unauthorized transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and where there is a delay of between 4 (four) to 7 (seven) working days after receiving the communication from the bank on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer will be limited to the transaction value or the amount in the table below, whichever is lower.

 

Type of account

Maximum liability of the customer

  • Basic savings and deposit accounts

INR 5,000

(approx. USD 75)

  • Other savings bank accounts

  • Pre-paid payment instruments and gift cards

  • Current / cash credit / overdraft accounts of micro, small and medium enterprises

  • Current / cash credit / overdraft accounts individuals with annual average balance (during 365 days preceding the incidence of fraud) / limit up to INR 25,00,000 (approx. USD 38,750)

  • Credit cards with limits up to INR 5,00,000 (approx. USD 7,750)

INR 10,000

(approx. USD 150)

  • Other current / cash credit / overdraft accounts

  • Credit cards with limits above INR 5,00,000 (approx. USD 7,750)

INR 25,000 (approx. USD 375)

Hence, the customer will be liable to a limited extent (as per the table above) for amounts debited from their account from an unauthorized transaction occurring under any one of the above events.

Liability as per the bank’s policy

If the delay in reporting of the unauthorized transaction is beyond 7 (seven) working days.

It is pertinent to note that the Circular provides that banks may also at their discretion waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence.

III. Reversal of amounts by banks to customers’ accounts

In the event the customer’s liability is zero / limited to certain amounts as per the table above, banks should credit (shadow reverse) the amount involved in the unauthorized transaction to the customer’s account within 10 (ten) working days from the date of such notification by the customer (without waiting for settlement of an insurance claim, if any).

However, if the customer is found to be liable to a limited extent, such amount payable by the customer to the bank may be debited by the bank from the customer’s account.

IV. Strengthening of policies, systems and procedures by banks

Banks should put in place:

  • appropriate systems and procedures to ensure safety and security of electronic banking transactions,

  • robust and dynamic fraud detection and prevention mechanisms,

  • mechanisms to assess risks resulting from unauthorized transactions and measure the liabilities arising out of such events,

  • appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom,

  • systems to continually and repeatedly advise customers on how to protect themselves from electronic banking and payments related fraud,

  • Customer relation policies2 that define the rights and obligations of customers in case of unauthorized transactions.

V. Resolution of complaints

Banks should ensure that a complaint is resolved and the liability of a customer (if any) is established in accordance with the bank’s policy, but no later than 90 (ninety) days from the date of receipt of the complaint. If such complaint is not resolved or customer’s liability is not determined within 90 (ninety) days, the amount due to the customer as per the customer’s liability should be paid to the customer.

The Circular provides that the burden of proving customer liability in case of unauthorized electronic banking transactions should lie on the bank.

CONCLUSION

India has seen a rapid increase in the use of digital payments post the demonetization era, with the value of transactions via debit and credit cards being INR 41,062 Crores (approx. USD 6 billion), mobile banking being INR 149,923 Crores (approx. USD 21 billion) and pre-paid instruments being INR 2,148 Crores (approx. USD 300 million), for the month of March this year alone.3

However, the Indian financial services sector has also coincidentally been prone to fraudulent / unauthorised transactions in the recent past. Approximately 3.2 million debit cards were compromised last year as several customers reported unauthorized usage of such instruments from locations outside India4.

The Circular issued by the RBI would aid in securing the trust of banking customers engaged in electronic transactions along with facilitating further use of electronic and digital modes of payments as opposed to traditional cash payments.

However, the Circular does not specify the recourse that a customer may have if the customer is aggrieved with the determination of his/her liability by the bank and if amounts are subsequently debited from his/her account owing to such liability. In such an event, the aggrieved customer may need to follow the general procedure prescribed under the RBI regulations, i.e. filing a complaint with the ‘banking ombudsman5 for resolution of his/her grievance or undertake the filing of a civil suit.

Nevertheless, the introduction of this Circular is a welcome step reflecting a progressive approach by the Indian government to encourage electronic / online payments in India.

 

– Aaron Kamath & Huzefa Tavawalla

You can direct your queries or comments to the authors


1Circular on Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions, dated July 6, 2017. Available at: https://rbi.org.in/Scripts/BS_CircularIndexDisplay.aspx?Id=11040. Last accessed: July 11, 2017.

2To be displayed on the bank’s website along with details of a grievance handling / escalation procedure.

3Card and mobile banking volumes see decline, steep rise in UPI transactions, dated April 6, 2017. Available at: http://www.business-standard.com/article/economy-policy/card-and-mobile-banking-volumes-see-decline-steep-rise-in-upi-transactions-117040501530_1.html. Last accessed: July 11, 2017.

43.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit, dated October 20, 2016. Available at: http://economictimes.indiatimes.com/industry/banking/finance/banking/3-2-million-debit-cards-compromised-sbi-hdfc-bank-icici-yes-bank-and-axis-worst-hit/articleshow/54945561.cms. Last accessed: July 11, 2017.

5As appointed under The Banking Ombudsman Scheme 2006.


Disclaimer

The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.

This is not a Spam mail. You have received this mail because you have either requested for it or someone must have suggested your name. Since India has no anti-spamming law, we refer to the US directive, which states that a mail cannot be considered Spam if it contains the sender's contact information, which this mail does. In case this mail doesn't concern you, please unsubscribe from mailing list.


Regulatory Hotline

July 14, 2017

Boost to e-payments - customers given protection for fraudulent transactions


  • Customer not liable for amounts lost in fraudulent / unauthorized transactions where default not attributed to the customer, if reported to the bank within 3 working days.
  • Mechanism set out to determine customer liability arising out of unauthorized transactions based on time taken to report such transactions to the bank.
  • Banks to shadow reverse credit amounts lost by customers through unauthorized transactions within 10 working days from notification by the customer.
  • Onus of proving liability of customers arising out of unauthorized transactions lies with the bank.

BACKGROUND

India’s central bank, i.e. the Reserve Bank of India (“RBI”) had issued a circular1 last week pertaining to customer protection and limiting the liability of customers in unauthorised electronic banking transactions (“Circular”). The Circular was issued pursuant to a recent surge in customer grievances relating to fraud and unauthorized transactions.

The objective of the Circular appears to be two fold - a clearer mechanism to determine and mitigate the liability of customers in the event of unauthorized transactions; and to ensure that banks devise policies, systems and procedures in promoting customer awareness on electronic transactions, resolving customer complaints and crediting amounts due to customers on occurrence of unauthorized transactions.

SALIENT FEATURES OF THE CIRCULAR

Key highlights from the Circular are summarized below:

I. Reporting of unauthorized transactions

  • Banks must ask their customers to mandatorily register for SMS alerts and email alerts wherever available, for electronic banking transactions,

  • Banks must advise customers to notify the bank of any unauthorized electronic banking transaction at the earliest after occurrence of a transaction. The Circular provides that the longer the time taken by the customer to inform the bank, higher will be the risk of loss to the customer,

  • Banks must provide customers with 24x7 access through multiple channels (such as its website, phone banking, SMS, email, interactive voice response, dedicated toll-free helpline, reporting to home branch) for reporting unauthorized transactions that have taken place and / or loss or theft of payment instruments such as credit / debit cards,

  • The loss / fraud reporting system of the bank should ensure an immediate response is sent to customer acknowledging the complaint along with the registered complaint number,

  • Banks should not offer facilities of electronic transactions other than ATM cash withdrawals, to customers who do not provider their mobile numbers to the bank.

II. Liability of the customer

The Circular provides that the liability of a customer pursuant to the occurrence of unauthorized transactions should be determined based on the following events:

Customer liability

Events

Zero liability

  1. Contributory fraud / negligence / deficiency on the part of the bank – irrespective of whether the transaction is reported by the customer.

  2. Breach by a third party where the deficiency lies neither with the bank nor the customer but lies somewhere in the system, and the customer notifies the bank within 3 (three) working days of receiving the communication from the bank regarding the unauthorized transaction.

If any one of the above events occur, the customer will not be liable for amounts debited from their account from an unauthorized transaction.

Limited liability

  1. If the loss is due to the negligence by a customer, the customer would bear the entire loss until the customer reports the unauthorized transaction to the bank. Losses occurring after the reporting of the unauthorized transaction would be borne by the bank.

  2. If the responsibility for the unauthorized transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and where there is a delay of between 4 (four) to 7 (seven) working days after receiving the communication from the bank on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer will be limited to the transaction value or the amount in the table below, whichever is lower.

 

Type of account

Maximum liability of the customer

  • Basic savings and deposit accounts

INR 5,000

(approx. USD 75)

  • Other savings bank accounts

  • Pre-paid payment instruments and gift cards

  • Current / cash credit / overdraft accounts of micro, small and medium enterprises

  • Current / cash credit / overdraft accounts individuals with annual average balance (during 365 days preceding the incidence of fraud) / limit up to INR 25,00,000 (approx. USD 38,750)

  • Credit cards with limits up to INR 5,00,000 (approx. USD 7,750)

INR 10,000

(approx. USD 150)

  • Other current / cash credit / overdraft accounts

  • Credit cards with limits above INR 5,00,000 (approx. USD 7,750)

INR 25,000 (approx. USD 375)

Hence, the customer will be liable to a limited extent (as per the table above) for amounts debited from their account from an unauthorized transaction occurring under any one of the above events.

Liability as per the bank’s policy

If the delay in reporting of the unauthorized transaction is beyond 7 (seven) working days.

It is pertinent to note that the Circular provides that banks may also at their discretion waive off any customer liability in case of unauthorized electronic banking transactions even in cases of customer negligence.

III. Reversal of amounts by banks to customers’ accounts

In the event the customer’s liability is zero / limited to certain amounts as per the table above, banks should credit (shadow reverse) the amount involved in the unauthorized transaction to the customer’s account within 10 (ten) working days from the date of such notification by the customer (without waiting for settlement of an insurance claim, if any).

However, if the customer is found to be liable to a limited extent, such amount payable by the customer to the bank may be debited by the bank from the customer’s account.

IV. Strengthening of policies, systems and procedures by banks

Banks should put in place:

  • appropriate systems and procedures to ensure safety and security of electronic banking transactions,

  • robust and dynamic fraud detection and prevention mechanisms,

  • mechanisms to assess risks resulting from unauthorized transactions and measure the liabilities arising out of such events,

  • appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom,

  • systems to continually and repeatedly advise customers on how to protect themselves from electronic banking and payments related fraud,

  • Customer relation policies2 that define the rights and obligations of customers in case of unauthorized transactions.

V. Resolution of complaints

Banks should ensure that a complaint is resolved and the liability of a customer (if any) is established in accordance with the bank’s policy, but no later than 90 (ninety) days from the date of receipt of the complaint. If such complaint is not resolved or customer’s liability is not determined within 90 (ninety) days, the amount due to the customer as per the customer’s liability should be paid to the customer.

The Circular provides that the burden of proving customer liability in case of unauthorized electronic banking transactions should lie on the bank.

CONCLUSION

India has seen a rapid increase in the use of digital payments post the demonetization era, with the value of transactions via debit and credit cards being INR 41,062 Crores (approx. USD 6 billion), mobile banking being INR 149,923 Crores (approx. USD 21 billion) and pre-paid instruments being INR 2,148 Crores (approx. USD 300 million), for the month of March this year alone.3

However, the Indian financial services sector has also coincidentally been prone to fraudulent / unauthorised transactions in the recent past. Approximately 3.2 million debit cards were compromised last year as several customers reported unauthorized usage of such instruments from locations outside India4.

The Circular issued by the RBI would aid in securing the trust of banking customers engaged in electronic transactions along with facilitating further use of electronic and digital modes of payments as opposed to traditional cash payments.

However, the Circular does not specify the recourse that a customer may have if the customer is aggrieved with the determination of his/her liability by the bank and if amounts are subsequently debited from his/her account owing to such liability. In such an event, the aggrieved customer may need to follow the general procedure prescribed under the RBI regulations, i.e. filing a complaint with the ‘banking ombudsman5 for resolution of his/her grievance or undertake the filing of a civil suit.

Nevertheless, the introduction of this Circular is a welcome step reflecting a progressive approach by the Indian government to encourage electronic / online payments in India.

 

– Aaron Kamath & Huzefa Tavawalla

You can direct your queries or comments to the authors


1Circular on Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions, dated July 6, 2017. Available at: https://rbi.org.in/Scripts/BS_CircularIndexDisplay.aspx?Id=11040. Last accessed: July 11, 2017.

2To be displayed on the bank’s website along with details of a grievance handling / escalation procedure.

3Card and mobile banking volumes see decline, steep rise in UPI transactions, dated April 6, 2017. Available at: http://www.business-standard.com/article/economy-policy/card-and-mobile-banking-volumes-see-decline-steep-rise-in-upi-transactions-117040501530_1.html. Last accessed: July 11, 2017.

43.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit, dated October 20, 2016. Available at: http://economictimes.indiatimes.com/industry/banking/finance/banking/3-2-million-debit-cards-compromised-sbi-hdfc-bank-icici-yes-bank-and-axis-worst-hit/articleshow/54945561.cms. Last accessed: July 11, 2017.

5As appointed under The Banking Ombudsman Scheme 2006.


Disclaimer

The contents of this hotline should not be construed as legal opinion. View detailed disclaimer.

This Hotline provides general information existing at the time of preparation. The Hotline is intended as a news update and Nishith Desai Associates neither assumes nor accepts any responsibility for any loss arising to any person acting or refraining from acting as a result of any material contained in this Hotline. It is recommended that professional advice be taken based on the specific facts and circumstances. This Hotline does not substitute the need to refer to the original pronouncements.

This is not a Spam mail. You have received this mail because you have either requested for it or someone must have suggested your name. Since India has no anti-spamming law, we refer to the US directive, which states that a mail cannot be considered Spam if it contains the sender's contact information, which this mail does. In case this mail doesn't concern you, please unsubscribe from mailing list.