Consumer liability in case of fraud or Cyber-attack on banking system

Bank fraud can be defined as an unethical and/or criminal act by an individual or organization to illegally attempt to possess or receive money from a bank or financial institution. Several types of bank fraud exist:

Credit card fraud is when a person or organization tries to use a credit or debit card without the proper authorization for financial gain. One of the more common forms of credit card fraud occurs after having a debit or credit card stolen or lost. In these situations, an unauthorized party has access to another individual's credit or debit card numbers.

Electronic fraud can be described as fraud that is carried out using the internet. Although it did not exist until relatively recently, the rise and evolution of the internet over the past few decades has made electronic fraud a playground for those looking to obtain some type of gain illegally and without authorization.

E-mail scams are one example of electronic fraud. For example, an individual may receive an e-mail asking them to provide their personal banking information under the pretext of processing a loan or some other excuse. The intent is to illegally obtain banking or financial information to use for personal gain.

Fake websites are another type of electronic fraud. The purpose of a fake website is to look as real as possible in the hope that unsuspecting individuals will make a purchase and submit their banking or financial information. Once this information is captured, it can be used without any authorization for financial gain.


If you lose money through an unauthorized electronic banking transaction, such as a cyber-attack on the bank or the hacking of your online account, your liability will be limited, and even zero if you inform the bank immediately. Now the RBI will extend this safety net to unauthorized electronic transactions involving Prepaid Payment Instruments (PPIs) such as the digital wallets Mobikwik, Oxigen and Amazon Pay.


In its 'Statement on Developmental and Regulatory Policies' issued, the RBI said, "The Reserve Bank has issued instructions on limiting customer liability in respect of unauthorized electronic transactions involving banks and credit card issuing non-banking financial companies (NBFCs). As a measure of consumer protection, it has been decided to bring all customers up to the same level with regard to electronic transactions made by them and extend the benefit of limiting customer liability for unauthorized electronic transactions involving Prepaid Payment Instruments (PPIs) issued by other entities not covered by the extant guidelines on the subject. The guidelines will be issued by the end of December 2018."


In its Annual Report 2017-18, the RBI had explained the framework on limiting liability of customers in unauthorized electronic banking transactions. There were several limits on liability depending on several conditions.


What should be done in case of fraud?

A customer need not bear any loss if the deficiency is on the part of the bank and in cases where the fault lies neither with the bank nor with the customer but lies elsewhere in the system and the customer notifies the bank within three working days of receiving the communication from the bank about the unauthorised transaction.


Where the loss is due to customer’s negligence, the customer has to bear the entire loss until the unauthorized transaction is reported to the bank. In cases where the fault lies neither with the customer nor with the bank but lies elsewhere in the system and the customer reports the unauthorized transaction with a delay of four to seven working days after receiving the communication about the transaction, the maximum liability of the customer ranges from Rs 5,000 to Rs 25,000, depending on the type of account/instrument.


If the unauthorised transaction is reported beyond seven working days, the customer liability shall be determined as per the bank’s Board-approved policy. The bank is required to credit (shadow reversal) the amount involved in the unauthorised electronic transaction to the customer’s account within 10 working days from the date of notification by the customer. The bank has to resolve the complaint and establish the liability of the customer, if any, within 90 days of the receipt of the complaint. Further, banks have been mandated to require the customers to register their mobile numbers for SMS alerts and for electronic transactions.


Reporting and Monitoring Requirements

The banks shall put in place a suitable mechanism and structure for the reporting of the customer liability cases to the Board or one of its Committees. The reporting shall, inter alia, include volume/ number of cases and the aggregate value involved and distribution across various categories of cases viz., card present transactions, card not present transactions, internet banking, mobile banking, ATM transactions, etc. The Standing Committee on Customer Service in each bank shall periodically review the unauthorised electronic banking transactions reported by customers or otherwise, as also the action taken thereon, the functioning of the grievance redress mechanism and take appropriate measures to improve the systems and procedures. All such transactions shall be reviewed by the bank’s internal auditors.