News

RBI Revises Customer Protection Framework for Fraudulent Transactions

On June 24, 2026, the Reserve Bank of India (RBI) issued its Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Third Amendment Directions, 2026, revising the regulatory framework governing customer protection in electronic banking transactions.

The directions amend the Reserve Bank of India (Commercial Banks – Responsible Business Conduct) Directions, 2025 (the “Principal Directions”) and replace the earlier framework on “Limiting Liability of Customers in Unauthorised Electronic Banking Transactions” with a broader regime addressing fraudulent electronic banking transactions. They will apply to electronic banking transactions undertaken by customers on or after January 1, 2027.

The amendments introduce the concept of “fraudulent electronic banking transactions”, which includes transactions executed by a third party using customer credentials obtained through fraudulent means and transactions approved by customers under coercion or duress, as well as unauthorised electronic banking transactions.

Further to operationalise the revised customer protection framework, the directions insert definitions for “electronic banking transaction”, “fraudulent electronic banking transaction”, “unauthorised electronic banking transaction”, “negligence by a bank”, “negligence by a customer”, “shadow reversal” and “third-party breach” into the Principal Directions.

Banks are required to formulate a transparent and non-discriminatory customer protection policy covering electronic banking transactions. Such a policy must address customer rights and obligations, complaint resolution timelines, fraud reporting channels and customer awareness mechanisms. They are further required to implement appropriate systems and procedures to ensure the safety and security of electronic banking transactions, establish robust fraud detection and prevention mechanisms, assess fraud-related risks, adopt appropriate risk mitigation measures, and continuously educate customers about evolving digital payment frauds and preventive measures.

The directions require banks to obtain customers’ mobile numbers and, wherever available, email addresses at the time of onboarding and verify such details periodically in accordance with their policy. They are further required to issue mandatory SMS alerts for all electronic banking transactions exceeding ₹500 and email alerts for all electronic banking transactions where an email address has been provided.

The banks must further ensure that the customers have access to channels for reporting fraudulent transactions on a 24 x 7 basis, including phone banking, SMS, instant messaging, dedicated email, IVR, toll-free helplines, home branches, websites and mobile applications. Customers are advised to report fraudulent electronic banking transactions to both the bank and the National Cyber Crime Reporting Portal or the National Cyber Crime Helpline (1930) at the earliest. Upon receiving such a report, banks are required to acknowledge the complaint and promptly initiate action to prevent further unauthorised electronic banking transactions in the customer’s account.

It has been clarified that the customers will have zero liability where the fraudulent transaction occurs due to negligence on the part of the bank, even if the customer has not reported it. Even when there is a third-party breach, the customer will have zero liability, provided the customer reports the fraudulent electronic banking transaction to the bank within five calendar days of its occurrence. However, where loss occurs due to negligence by the customer, they will have to bear the entire loss until reporting it to the bank. Any loss occurring after reporting shall be borne by the bank. Banks have been directed to resolve the customer complaint within 45 days in case of domestic fraudulent transactions and 60 in case of cross-border fraudulent transactions.

A compensation framework for small-value domestic fraudulent electronic banking transactions has been introduced. Individual customers, including sole proprietors, who suffer a gross loss of up to ₹50,000 may be eligible to receive compensation equal to 85% of the net loss or ₹25,000, whichever is lower, subject to prescribed conditions.

The concept of “shadow reversal” has also been introduced in respect of fraudulent credit card transactions. The banks have to provide shadow reversal in the customer’s account equivalent to the disputed amount within five calendar days of receipt of notification from the customer. However, the customers cannot use the reversed amount until the complaint is resolved or settled.

The Directions also require banks to establish appropriate mechanisms for periodic reporting of fraudulent electronic banking transactions to the Board or a Committee of the Board and to maintain records relating to compensation claims for supervisory, audit and inspection purposes.