The Reserve Bank of India (RBI) on Thursday issued a circular to banks across the country to ensure protection of their customers from unauthorized and fraudulent electronic banking transactions.
In its circular, the RBI said that with the increased thrust on financial inclusion and customer protection, and considering the recent surge in customer grievances relating to unauthorized transactions resulting in debits to their accounts/cards, it had undertaken a review of criteria for determining customer liability.
It was decided after the review that there was a need for strengthening of systems and procedures.
It said electronic banking transactions can be divided into two categories:
(i) Remote/online payment transactions (internet banking, mobile banking, card not present (CNP) transactions) and Pre-paid Payment Instruments (PPI), and
(ii) Face-to-face/proximity payment transactions (transactions which require the physical payment instrument such as a card or mobile phone to be present at the point of transaction, e.g. ATM, POS, etc.).
The RBI informed banks that systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions.
To achieve this, banks must put in place:
(i) Appropriate systems and procedures to ensure safety and security of electronic banking transactions carried out by customers;
(ii) A robust and dynamic fraud detection and prevention mechanism;
(iii) A mechanism to assess the risks (for example, gaps in the bank’s existing systems) resulting from unauthorised transactions and measure the liabilities arising out of such events;
(iv) Appropriate measures to mitigate the risks and protect themselves against the liabilities arising therefrom; and
(v) A system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.
The RBI further stated that banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered. The customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, and informed that the longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer.
To facilitate this, banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free helpline, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc.
Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.
Further, a direct link for lodging complaints, with a specific option to report unauthorised electronic transactions, shall be provided by banks on the home page of their website. The loss/fraud reporting system shall also ensure that an immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number.
It also said that a customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:
- Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer)
- Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction.
It said that a customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:
- Where the loss is due to negligence by a customer such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
- In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.
RBI to banks: Ensure customer protection during electronic transactions