Narendra Pal, a government school teacher in Zirakpur near Chandigarh, got the shock of his life when he received an SMS just before midnight that Rs 10,000 had been withdrawn from his account through an ATM in Surat. By the time he could realise what was happening, he got two more messages about withdrawals of Rs 10,000 and Rs 20,000. He had fallen victim to online fraud. As the first debit happened a few minutes before 12 midnight, the fraudster was able to transact again immediately as the withdrawal limit for the next day set in.
As more and more people use online banking services, which are now reaching the unbanked under the financial inclusion programmes of the government, banking frauds are rising. Also, post demonetisation, there has been a sharp rise in online transactions. Pal informed his bank about the transactions immediately by calling on the helpline number. He also wrote to the bank branch and the RBI that he had not shared details of his bank account and ATM card with anyone. He also filed a complaint with the crime branch's cyber cell. The officers took him to the petrol pump where he had last used the card but nothing came out of it. Pal says the bank staff was cooperative but still it took him more than two months and two-three visits to the branch to get his money. He had to forgo the interest.
People like Pal need not worry now. The RBI has come out with guidelines that say the bank will have to make good the entire loss if the customer notifies it about the unauthorised/fraudulent transaction within a stipulated period. The RBI has taken forward the draft guidelines on customer liability in case of online fraudulent transactions that it had issued in August 2016.
"Considering the recent surge in customer grievances associated with unsanctioned electronic transactions, the recent notification shared by RBI entails a more specific guideline to protect customers from potential cases of fraud or misuse. Banks will therefore have to set up robust frameworks around fraud identification and early warning mechanisms covering the online and digital space," says Vikram Babbar, Partner, Fraud Investigation & Dispute Services, EY India.
Onus on Bank
Earlier, the onus was on the customer to prove that he or she had not shared his or her bank details with anyone. Now it is the bank that has to prove that the customer was at fault and not careful enough while using online banking facilities. The earlier system used to result in the customer suffering losses or the bank taking long to pay the money, as there were no clear guidelines or stipulated period for refunds. "Many people are apprehensive about online transactions. These guidelines will build trust among bank customers," says Kalpesh J. Mehta, Partner, Deloitte Haskins and Sells.
This is a big step, believes Mahesh Patel, President and CTO, AGS Transact Technologies, as this will encourage banks to use better fraud monitoring systems.
"As the onus was on the customer, the cost of a good fraud monitoring system was more than the cost of actual fraud for banks. As a result of this, barring the top few banks, the rest refrained from investing in fraud monitoring systems," says Patel. The RBI guidelines ask banks to implement a robust and dynamic fraud detection and prevention mechanism and assess and fill gaps if any.
Customer to get full refund
Banks will pay for the entire loss in the following cases.
- When a fraudulent transaction has happened due to deficiency or negligence on the part of the bank, irrespective of whether the customer has reported it or not. "A digital transaction goes through various intermediary platforms such as the payer bank, the payee bank, the payment gateway, etc, and the transaction has to be encrypted. No data should be stored with either of the intermediaries but only transferred. Therefore, if a fraud happens during this process, the customer should not be held liable. As per RBI recommendations, the bank will have to refund to the customer," says Mehta of Deloitte Haskins and Sells.
- When there is a third-party breach where the deficiency lies neither with the bank nor the customer but with the system somewhere else and the customer notifies the bank regarding the transaction within three working days.
For example, last year, the systems of Hitachi Payment Service, to which some banks had outsourced their ATM transaction processing, were compromised, affecting around 3.2 million cards across banks such as ICICI, SBI, YES and HDFC.
In this scenario, if the customer informs the bank about the fraudulent transaction within three working days after receiving the communication, the bank will have to make good the entire loss to the customer.
Limited liability
If the fraud has happened due to the negligence of the customer, he or she will have to bear the entire loss till the bank is informed about the transaction.
- If the customer shares confidential information like ATM PIN, card number, etc, with somebody knowingly or unknowingly, he or she will have to bear the entire loss till the bank is informed about the transaction.
- If neither the bank nor the customer is responsible but the fraud has happened due to the fault in the system and the customer informs the bank within four or seven days, the customer liability will be limited to the transaction value or Rs 10,000, whichever is less. The limit applies in case of savings bank accounts, credit cards with limit of up to Rs 5 lakh, and current accounts with annual average balance limit up to Rs 25 lakh. If a person informs within three days, the entire amount is paid back. For current accounts, overdraft accounts and credit cards with limit above Rs 5 lakh, the maximum limit is Rs 25,000. For basic saving bank deposit accounts, that is, no-frills accounts, the limit is Rs 5,000.
- If there is a delay of more than seven days, the customer's liability will be decided as per the policy approved by the bank's board.
Banks notify customers who have registered their mobile number and email with them about every transaction through email and SMS. Now, the RBI has advised banks to ask for a mobile number if the customer wants to take the online transaction facility so that he or she is notified about every transaction. The banks may not offer the facility of electronic transactions, other than ATM cash withdrawals, to customers who do not provide mobile numbers to the bank. At present, banks charge for the SMS service. However, RBI guidelines do not mention anything about who will bear the SMS charges. At present, the charges are borne by account holders.
Apart from multiple channels like website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to the home branch, etc, for reporting fraudulent transactions, banks will have to provide the customer an option to reply to SMS and email alerts. Further, the RBI has directed banks to provide a direct link for lodging complaints, with a specific option to report unauthorised electronic transactions, on the home page of the bank's website.
The fraud reporting system of banks shall also ensure that immediate response (including auto response) is sent to customers acknowledging the complaint along with the registered complaint number. The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer's response, if any, to them. This shall be important in determining the extent of a customer's liability.
Timeline for refund
After the customer has informed the bank about the transaction, the bank shall credit the amount to the customer's account within 10 working days as per the new guidelines.
Apart from this, in cases where the customer liability is to be decided by the bank's board, the complaint should be addressed within 90 days and if the board is unable to decide the customer liability, he or she should be compensated as per zero liability and limited liability provisions.