Lost money in digital fraud? RBI’s new rules promise faster relief, up to ₹25,000 compensation

The Reserve Bank of India (RBI) on Wednesday announced a wider protection framework for bank customers who fall victim to digital fraud, saying banks will have to deal faster with complaints and, in some cases, customers will also get compensation of up to ₹25,000.

The existing RBI rules mainly deal with unauthorised electronic banking transactions.

But with online banking and digital payments growing rapidly, the central bank has now widened the rules to cover a larger set of frauds.

Under the revised framework, RBI has introduced the term fraudulent electronic banking transactions (Fraudulent EBT). This includes not only transactions done without the customer’s permission, but also cases where fraudsters trick a customer into sharing bank details, passwords or OTPs, or force the customer to approve a transaction.

The new rules -- applicable to commercial banks, small finance banks, payments banks, regional rural banks, local area banks and cooperative banks -- will come into effect from January 1, 2027 on pilot basis but may be extended in the future.

The central bank said a customer will continue to have zero liability if the fraud happened because of the bank’s fault. This could include cases where the bank failed to put proper security systems in place, did not send mandatory alerts, did not provide round-the-clock channels to report fraud, or did not act quickly after a customer reported a problem.

Zero liability will also apply in cases of a third-party breach as long as the fraud is reported to the bank within five calendar days. In a third-party breach, the problem lies with a payment gateway, telecom service provider or third-party app.

However, if the fraud happened because of the customer’s negligence, the customer will bear the loss till the fraud is reported to the bank.

Sharing a PIN, password or OTP, ignoring a bank warning that a transaction may be a scam, downloading a malicious app, or not updating the bank about a changed mobile number can be deemed as customer negligence.

Even in such cases, RBI has now created a new compensation mechanism for small-value frauds.

The central bank said a genuine victim who is an individual customer, including a sole proprietor, and loses up to ₹50,000 in a fraudulent digital banking transaction caused by customer negligence, will be eligible for compensation of 85% of the net loss or ₹25,000, whichever is lower.

This benefit can be availed only once in a lifetime.

To get the compensation, the customer has to report the fraud not only to the bank but also to the National Cyber Crime Reporting Portal or helpline 1930 within five calendar days of the fraudulent transaction.

The RBI said this compensation scheme will be available for losses arising from fraudulent digital banking transactions that take place for one year from January 1, 2027, which is the date the new directions come into force.

The central bank has also explained how the compensation amount will be shared among different entities.

In domestic fraudulent transactions where the loss is below ₹29,412 and the customer is paid 85% of the net loss, 65% of the compensation amount will be borne by RBI, 10% by the customer’s bank and 10% by the beneficiary bank.

For domestic fraud cases where the loss is ₹29,412 or more but up to ₹50,000, the customer will get a flat ₹25,000 as compensation. In such cases, RBI will contribute ₹19,118, while the customer’s bank and the beneficiary bank will contribute ₹2,941 each.

If a customer reports a fraud of ₹40,000 and ₹15,000 is recovered before compensation is paid, the customer’s net loss comes down to ₹25,000. In that case, the customer will get ₹21,250, which is 85% of the net loss. Out of this, RBI will pay ₹16,250, while the customer’s bank and the beneficiary bank will pay ₹2,500 each.

Giving another example, the RBI said if a customer is first paid ₹25,000 as compensation on a fraud loss of ₹40,000, and later the entire ₹40,000 is recovered, then the recovered amount will be divided between the customer, RBI and the banks based on the amount each had borne earlier. In this case, the customer will get ₹15,000 from the recovery, RBI will get back ₹19,118, and the customer’s bank and beneficiary bank will get back ₹2,941 each.

In case the customer is paid ₹25,000 compensation on a ₹40,000 fraud loss, but only ₹15,000 is recovered later, the customer’s final net loss becomes ₹25,000. So the actual compensation payable works out to ₹21,250.

Since the customer had already received ₹25,000 earlier, the recovered amount will be redistributed in such a way that the customer gets ₹11,250, RBI gets ₹2,868, and the customer’s bank and beneficiary bank get ₹441 each.

The RBI has said that once a bank is satisfied that the complaint is genuine, it must give the customer an application form to claim compensation. After receiving the application, the bank will have to pay the eligible compensation within five calendar days.

The customer’s bank can later seek reimbursement from RBI and the beneficiary bank on a quarterly basis.

The RBI has also tightened the timelines for handling fraud complaints. Banks will now have to examine the complaint, decide who is liable and send a response to the customer within 45 calendar days in domestic fraud cases and within 60 calendar days in cross-border fraud cases.

The RBI has also directed that if a fraudulent transaction has to be reversed, the bank must treat it as reversed from the original transaction date so that the customer does not lose any interest or end up paying extra charges.

In case of fraudulent credit card transactions, the bank will have to provide a shadow reversal within five calendar days of receiving the complaint. This means the disputed amount will be temporarily credited back while the investigation is going on, but the customer will not be allowed to use that money during this period.

The new rules also put more responsibility on banks to alert customers and make reporting easier.

Banks will have to send instant SMS alerts for all electronic banking transactions above ₹500. For transactions of ₹500 or less, banks may decide their own SMS policy, but no charge can be levied on the customer for such alerts. Email alerts will have to be sent for all transactions wherever the customer has registered an email address.

Banks will also have to provide 24x7 channels for customers to report fraudulent transactions or loss of debit and credit cards.

The RBI said banks must immediately register such reports as complaints and send an acknowledgement to the customer with the complaint number and the date and time of complaint.

The revised directions also place the burden of proving customer liability on the bank. This means if a bank wants to say that the customer was at fault, it will have to establish that.

The central bank has also asked banks to put in place a proper monitoring system and report complaints related to digital fraud to their boards or a designated committee from time to time.